pax_global_header00006660000000000000000000000064132724234550014521gustar00rootroot0000000000000052 comment=74e45ee0373d2c8f06dfc3fa66e6b83660cfce2a scap-security-guide-0.1.39/000077500000000000000000000000001327242345500155015ustar00rootroot00000000000000scap-security-guide-0.1.39/.cico.yaml000066400000000000000000000053751327242345500173720ustar00rootroot00000000000000- trigger: name: periodic triggers: - timed: "@daily" - scm: name: git-scm scm: - git: url: "{git_url}" skip-tag: True git-tool: ci-git - job-template: name: '{ci_project}-{git_repo}' description: | Managed by Jenkins Job Builder, do not edit manually! node: "{ci_project}" properties: - github: url: https://github.com/{git_username}/{git_repo}/ scm: - git-scm: git_url: https://github.com/{git_username}/{git_repo}.git triggers: - periodic builders: - shell: | set +e export CICO_API_KEY=$(cat ~/duffy.key ) # get node n=1 while true do cico_output=$(cico node get -f value -c ip_address -c comment) if [ $? -eq 0 ]; then read CICO_hostname CICO_ssid <<< $cico_output if [ ! -z "$CICO_hostname" ]; then # we got hostname from cico break fi echo "'cico node get' succeed, but can't get hostname from output" fi if [ $n -gt 5 ]; then # give up after 5 tries echo "giving up on 'cico node get'" exit 1 fi echo "'cico node get' failed, trying again in 60s ($n/5)" n=$[$n+1] sleep 60 done sshopts="-t -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -l root" ssh_cmd="ssh $sshopts $CICO_hostname" # Save the jenkins environment if needed env > jenkins-env $ssh_cmd yum -y install rsync rsync -e "ssh $sshopts" -Ha $(pwd)/ $CICO_hostname:payload \ && /usr/bin/timeout {timeout} $ssh_cmd -t "cd payload && {ci_cmd}" rtn_code=$? 
if [ $rtn_code -eq 0 ]; then cico node done $CICO_ssid else if [[ $rtn_code -eq 124 ]]; then echo "BUILD TIMEOUT"; cico node done $CICO_ssid else # fail mode gives us 12 hrs to debug the machine curl "http://admin.ci.centos.org:8080/Node/fail?key=$CICO_API_KEY&ssid=$CICO_ssid" fi fi exit $rtn_code - project: name: openscap jobs: - '{ci_project}-{git_repo}': git_username: openscap git_repo: scap-security-guide ci_project: '{name}' ci_cmd: "yum -y install install cmake openscap-utils git && cd build && cmake ../ && make -j4 validate" timeout: '20m' scap-security-guide-0.1.39/.dockerignore000066400000000000000000000000051327242345500201500ustar00rootroot00000000000000.git scap-security-guide-0.1.39/.github/000077500000000000000000000000001327242345500170415ustar00rootroot00000000000000scap-security-guide-0.1.39/.github/issue_template.md000066400000000000000000000003501327242345500224040ustar00rootroot00000000000000#### Description of problem: #### SCAP Security Guide Version: #### Operating System Version: #### Steps to Reproduce: 1. 2. 3. 4. #### Actual Results: #### Expected Results: #### Addition Information/Debugging Steps: scap-security-guide-0.1.39/.github/pull_request_template.md000066400000000000000000000004031327242345500237770ustar00rootroot00000000000000#### Description: - _Description here. Replace this text. Don't use the italics format!_ #### Rationale: - _Rationale here. Replace this text. Don't use the italics format!_ - Fixes # _Issue number here (e.g. 
#26) or remove this line if no issue exists._ scap-security-guide-0.1.39/.gitignore000066400000000000000000000012161327242345500174710ustar00rootroot00000000000000# Files and directories not to track in git tree # Global files for the entire tree *.swp *~ *.pyc # Build files rpmbuild scap-security-guide.spec container_build/ build/ # Ignore docs tmp directories docs/Developer_Guide/tmp docs/SCAP_and_STIG_Workshop/tmp docs/User_Guide/tmp # Ignore docs publish directories docs/Developer_Guide/publish docs/SCAP_and_STIG_Workshop/publish docs/User_Guide/publish # Ignore docs SCAP_Security_Guide directory docs/html/en-US/SCAP_Security_Guide # Ignore PCI_DSS_v3-1.pdf shared/transforms/pcidss/PCI_DSS_v3-1.pdf # Ignore zipfile and tarball dirs zipfile/ tarball/ # Ignore QtCreator files CMakeLists.txt.user scap-security-guide-0.1.39/.pep8speaks.yml000066400000000000000000000000451327242345500203640ustar00rootroot00000000000000pycodestyle: max-line-length: 99 scap-security-guide-0.1.39/BUILD.md000066400000000000000000000107231327242345500166650ustar00rootroot00000000000000# Building SCAP Security Guide ## From source 1. On Red Hat Enterprise Linux and Fedora make sure the packages `cmake`, `openscap-utils`, and their dependencies are installed. We require version `1.0.8` or later of `openscap-utils` (available in Red Hat Enterprise Linux) as well as `git`. `# yum -y install cmake openscap-utils git PyYAML python-jinja2` On Ubuntu, make sure the packages `expat`, `libopenscap8`, `libxml2-utils`, `xsltproc`, and their dependencies are installed as well as `git`. `$ sudo apt -y install cmake expat libopenscap8 libxml2-utils xsltproc git python-jinja2` On Fedora, install the python2-jinja2 package `# dnf -y install python2-jinja2` Optional: Install the ShellCheck package. `# dnf -y install ShellCheck` Optional: If you want to use the Ninja build system, install the ninja-build package `# dnf -y install ninja-build` 2. 
Download the source code `$ git clone https://github.com/OpenSCAP/scap-security-guide.git` 3. Build the source code * To build all the content: `$ cd scap-security-guide/` `$ cd build/` `$ cmake ../` `$ make -j4` * To build everything only for one specific product: `$ cd scap-security-guide/` `$ cd build/` `$ cmake ../` `$ make -j4 rhel7` * Other targets only for one specific product: `$ cd scap-security-guide/` `$ cd build/` `$ cmake ../` `$ make -j4 rhel7-content # SCAP XML files for RHEL7` `$ make -j4 rhel7-guides # HTML guides for RHEL7` `$ make -j4 rhel7-tables # HTML tables for RHEL7` `$ make -j4 rhel7-roles # remediation roles for RHEL7` `$ make -j4 rhel7 # everything above for RHEL7` * Configure options before building `$ cd scap-security-guide/` `$ cd build/` `$ cmake-gui ../` `$ make -j4` * Using the ninja-build system (requires ninja-build on the system) `$ cd scap-security-guide/` `$ cd build/` `$ cmake -G Ninja ../` `$ ninja-build` When the build has completed, the output will be in the build folder. That can be any folder you choose but if you followed the examples above it will be the `scap-security-guide/build` folder. The SCAP XML files will be called `ssg-${PRODUCT}-${TYPE}.xml`. For example `ssg-rhel7-ds.xml` is the Red Hat Enterprise Linux 7 source datastream. The human readable HTML guide index files will be called `ssg-${PRODUCT}-guide-index.html`. For example `ssg-rhel7-guide-index.html`. 4. Discover the following: * A pretty prose guide **in ssg-rhel7-guide-index.html** containing practical, actionable information for administrators * A concise spreadsheet representation (potentially useful as the basis for an SRTM document) in **table-rhel7-nistrefs-stig-rhel7-disa.html** * Files that can be ingested by SCAP-compatible scanning tools, to enable automated checking: * **ssg-rhel7-xccdf.xml** * **ssg-rhel7-oval.xml** * **ssg-rhel7-ds.xml** 5. 
Install * Custom location `$ cd scap-security-guide/` `$ cd build/` `$ cmake ../` `$ make -j4` `$ make DESTDIR=/opt/absolute/path/to/ssg/ install` * System-wide installation `$ cd scap-security-guide/` `$ cd build/` `$ cmake ../` `$ make -j4` `$ make install` * System-wide installation using ninja `$ cd scap-security-guide/` `$ cd build/` `$ cmake -G Ninja ../` `$ ninja-build` `$ ninja-build install` ### Building tarball, package and archive zipfile 1. To build a tarball with all the source code. `make package_source` 2. To build a package with testing purposes. * Disable any product you would not like to bundle in the package. For example: `cmake -DSSG_PRODUCT_JBOSS_EAP5:BOOL=OFF../` * Build the package. `make package` Currently, RPM and DEB packages are built. 3. To build a zip file with all generated source data streams and kickstarts. `make zipfile` ## Using Docker Use the [Dockerfile](Dockerfile) present in the top directory and build the image. `$ docker build --no-cache --file Dockerfile --tag oscap:$(date -u +%Y%m%d%H%M) --tag oscap:latest .` To build all the content, run a container without any flags. 
`$ docker run --cap-drop=all --name scap-security-guide oscap:latest` To build content only for a specific distribution, add the relevant name as a flag: `$ docker run --cap-drop=all --name scap-security-guide oscap:latest firefox` Using `docker cp` to copy all the generated content to the your host: `$ docker cp scap-security-guide:/home/oscap/scap-security-guide/build $(pwd)/container_build` scap-security-guide-0.1.39/CMakeLists.txt000066400000000000000000000316331327242345500202470ustar00rootroot00000000000000cmake_minimum_required(VERSION 2.8) project(scap-security-guide NONE) set (CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${PROJECT_SOURCE_DIR}/cmake") # This is set to silence GNUInstallDirs warning about no language being used with cmake set(CMAKE_INSTALL_LIBDIR "/nowhere") include(GNUInstallDirs) include(FindPythonModule) set(SSG_CONTENT_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/xml/scap/ssg/content") set(SSG_GUIDE_INSTALL_DIR "${CMAKE_INSTALL_DOCDIR}/guides") set(SSG_TABLE_INSTALL_DIR "${CMAKE_INSTALL_DOCDIR}/tables") set(SSG_ANSIBLE_ROLE_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/scap-security-guide/ansible") set(SSG_BASH_ROLE_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/scap-security-guide/bash") set(SSG_KICKSTART_INSTALL_DIR "${CMAKE_INSTALL_DATADIR}/scap-security-guide/kickstart") set(SSG_MAJOR_VERSION 0) set(SSG_MINOR_VERSION 1) set(SSG_PATCH_VERSION 39) set(SSG_VERSION "${SSG_MAJOR_VERSION}.${SSG_MINOR_VERSION}.${SSG_PATCH_VERSION}") set(SSG_VENDOR "ssgproject" CACHE STRING "Specify the XCCDF 1.2 vendor string.") option(SSG_OVAL_511_ENABLED "If enabled, OVAL 5.11 and OVAL 5.10 checks will be used in the final content. Otherwise only 5.10 checks will be used." TRUE) option(SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED "If enabled, schematron validation will be performed as part of the ctest tests. Schematron takes a lot of time to complete but can find more issues than just plain XSD validation." 
TRUE) option(SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED "If enabled, shellcheck validation of bash fixes will be performed as part of the ctest tests. Shellcheck tests don't pass right now, this option is discouraged until that's fixed." FALSE) option(SSG_LINKCHECKER_VALIDATION_ENABLED "If enabled, linkchecker will be used to validate URLs in all the HTML guides and tables." TRUE) option(SSG_SVG_IN_XCCDF_ENABLED "If enabled, the built XCCDFs will include the SVG SCAP Security Guide logo." TRUE) option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built" TRUE) option(SSG_PRODUCT_DEBIAN8 "If enabled, the Debian8 SCAP content will be built" TRUE) option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" TRUE) option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" TRUE) option(SSG_PRODUCT_JBOSS_EAP6 "If enabled, the JBoss EAP6 SCAP content will be built" TRUE) option(SSG_PRODUCT_JBOSS_FUSE6 "If enabled, the JBoss Fuse6 SCAP content will be built" TRUE) option(SSG_PRODUCT_JRE "If enabled, the JRE SCAP content will be built" TRUE) option(SSG_PRODUCT_OCP3 "If enabled, the RHOCP3 SCAP content will be built" TRUE) option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built" TRUE) option(SSG_PRODUCT_OSP7 "If enabled, the RHOSP7 SCAP content will be built" TRUE) option(SSG_PRODUCT_RHEL6 "If enabled, the RHEL6 SCAP content will be built" TRUE) option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" TRUE) option(SSG_PRODUCT_SUSE11 "If enabled, the SLE11 SCAP content will be built" TRUE) option(SSG_PRODUCT_SUSE12 "If enabled, the SLE12 SCAP content will be built" TRUE) option(SSG_PRODUCT_UBUNTU14 "If enabled, the Ubuntu14 SCAP content will be built" TRUE) option(SSG_PRODUCT_UBUNTU16 "If enabled, the Ubuntu16 SCAP content will be built" TRUE) option(SSG_PRODUCT_WRLINUX "If enabled, the WRLinux SCAP content will be built" TRUE) option(SSG_PRODUCT_OL7 "If enabled, the 
Oracle Linux 7 SCAP content will be built" TRUE) option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE) option(SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED "If enabled, Scientific Linux derivative content will be built from the RHEL content" TRUE) set(SSG_SHARED "${CMAKE_SOURCE_DIR}/shared") set(SSG_SHARED_REFS "${SSG_SHARED}/references") set(SSG_SHARED_TRANSFORMS "${SSG_SHARED}/transforms") set(SSG_SHARED_UTILS "${SSG_SHARED}/utils") message(STATUS "SCAP Security Guide ${SSG_VERSION}") message(STATUS "(see ${CMAKE_SOURCE_DIR}/BUILD.md for build instructions)") message(STATUS "") # Strictly speaking in-source will work but will be very messy, let's # discourage our users from using them if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}") message(FATAL_ERROR "In-source builds are not supported! Please use out of source builds:\n" "$ cd scap-security-guide\n" "$ rm CMakeCache.txt\n" "$ cd build\n" "$ cmake ../\n" "$ make -j4" ) endif() find_package(PythonInterp 2 REQUIRED) find_python_module(yaml REQUIRED) find_python_module(jinja2 REQUIRED) find_package(OpenSCAP REQUIRED) if (SSG_OVAL_511_ENABLED AND NOT "${OSCAP_V_OUTPUT}" MATCHES "OVAL Version: 5.11") set(SSG_OVAL_511_ENABLED OFF CACHE BOOL "OVAL 5.11 disabled because your version of OpenSCAP doesn't support it" FORCE) message(WARNING "Your version of OpenSCAP does not support OVAL 5.11, disabling OVAL 5.11 for the SSG build.") endif() execute_process( COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/oscap-svg-support.py" "${OPENSCAP_OSCAP_EXECUTABLE}" RESULT_VARIABLE OSCAP_SVG_SUPPORT_RESULT ) # OSCAP_SVG_SUPPORT_RESULT == 0 means SVG is supported if (SSG_SVG_IN_XCCDF_ENABLED AND NOT OSCAP_SVG_SUPPORT_RESULT EQUAL 0) set(SSG_SVG_IN_XCCDF_ENABLED OFF CACHE BOOL "SVG in XCCDF disabled because your version OpenSCAP doesn't support it" FORCE) message(WARNING "Your version of OpenSCAP does not support having the SVG logo in the XCCDF, disabling SVG 
logo.") endif() find_program(XSLTPROC_EXECUTABLE NAMES xsltproc) if (NOT XSLTPROC_EXECUTABLE) message(SEND_ERROR "xsltproc is required!") endif() find_program(XMLLINT_EXECUTABLE NAMES xmllint) if (NOT XMLLINT_EXECUTABLE) message(SEND_ERROR "xmllint is required!") endif() find_program(XMLWF_EXECUTABLE NAMES xmlwf) if (NOT XMLWF_EXECUTABLE) message(SEND_ERROR "xmlwf is required!") endif() find_program(SED_EXECUTABLE NAMES sed) if (NOT SED_EXECUTABLE) message(SEND_ERROR "sed is required!") endif() find_program(SHELLCHECK_EXECUTABLE NAMES shellcheck) find_program(LINKCHECKER_EXECUTABLE NAMES linkchecker) find_program(GREP_EXECUTABLE NAMES grep) configure_file("${CMAKE_SOURCE_DIR}/oval.config.in" "${CMAKE_BINARY_DIR}/oval.config") message(STATUS "CMake:") message(STATUS "generator: ${CMAKE_GENERATOR}") message(STATUS "source directory: ${CMAKE_SOURCE_DIR}") message(STATUS "build directory: ${CMAKE_BINARY_DIR}") message(STATUS " ") message(STATUS "Tools:") message(STATUS "python: ${PYTHON_EXECUTABLE} (version: ${PYTHON_VERSION_STRING})") message(STATUS "python yaml module: ${PY_YAML}") message(STATUS "python jinja2 module: ${PY_JINJA2}") message(STATUS "oscap: ${OPENSCAP_OSCAP_EXECUTABLE} (version: ${OSCAP_VERSION})") message(STATUS "xsltproc: ${XSLTPROC_EXECUTABLE}") message(STATUS "xmllint: ${XMLLINT_EXECUTABLE}") message(STATUS "xmlwf: ${XMLWF_EXECUTABLE}") message(STATUS "sed: ${SED_EXECUTABLE}") message(STATUS "shellcheck (optional): ${SHELLCHECK_EXECUTABLE}") message(STATUS "linkchecker (optional): ${LINKCHECKER_EXECUTABLE}") message(STATUS "grep (optional): ${GREP_EXECUTABLE}") message(STATUS " ") message(STATUS "Build options:") message(STATUS "SSG vendor string: ${SSG_VENDOR}") message(STATUS "OVAL 5.11: ${SSG_OVAL_511_ENABLED}") message(STATUS "OVAL schematron validation: ${SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED}") message(STATUS "shellcheck bash fixes validation: ${SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED}") message(STATUS "SVG logo in XCCDFs: 
${SSG_SVG_IN_XCCDF_ENABLED}") message(STATUS " ") message(STATUS "Products:") message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}") message(STATUS "Debian 8: ${SSG_PRODUCT_DEBIAN8}") message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}") message(STATUS "Firefox: ${SSG_PRODUCT_FIREFOX}") message(STATUS "JBoss EAP 6: ${SSG_PRODUCT_JBOSS_EAP6}") message(STATUS "JBoss Fuse 6: ${SSG_PRODUCT_JBOSS_FUSE6}") message(STATUS "JRE: ${SSG_PRODUCT_JRE}") message(STATUS "openSUSE: ${SSG_PRODUCT_OPENSUSE}") message(STATUS "RHOCP3: ${SSG_PRODUCT_OCP3}") message(STATUS "RHEL-OSP7: ${SSG_PRODUCT_OSP7}") message(STATUS "RHEL 6: ${SSG_PRODUCT_RHEL6}") message(STATUS "RHEL 7: ${SSG_PRODUCT_RHEL7}") message(STATUS "SUSE 11: ${SSG_PRODUCT_SUSE11}") message(STATUS "SUSE 12: ${SSG_PRODUCT_SUSE12}") message(STATUS "Ubuntu 14: ${SSG_PRODUCT_UBUNTU14}") message(STATUS "Ubuntu 16: ${SSG_PRODUCT_UBUNTU16}") message(STATUS "WRLinux: ${SSG_PRODUCT_WRLINUX}") message(STATUS "Oracle Linux 7: ${SSG_PRODUCT_OL7}") message(STATUS " ") enable_testing() include(SSGCommon) # Targets 'stats', 'profile-stats' and 'zipfile' need to be added # before any product because they will receive dependencies from products added add_custom_target(stats) add_custom_target(profile-stats) ssg_build_bash_remediation_functions() # ZIP only contains source datastreams and kickstarts, people who # want sources to build from should get the tarball instead. 
if(SSG_OVAL_511_ENABLED) ssg_build_zipfile("scap-security-guide-${SSG_VERSION}") ssg_build_nist_zipfile("scap-security-guide-${SSG_VERSION}") else() ssg_build_zipfile("scap-security-guide-${SSG_VERSION}-oval-5.10") ssg_build_nist_zipfile("scap-security-guide-${SSG_VERSION}-oval-5.10") endif() if (SSG_PRODUCT_CHROMIUM) add_subdirectory("chromium") endif() if (SSG_PRODUCT_DEBIAN8) add_subdirectory("debian8") endif() if (SSG_PRODUCT_FEDORA) add_subdirectory("fedora") endif() if (SSG_PRODUCT_FIREFOX) add_subdirectory("firefox") endif() if (SSG_PRODUCT_JBOSS_EAP6) add_subdirectory("eap6") endif() if (SSG_PRODUCT_JBOSS_FUSE6) add_subdirectory("fuse6") endif() if (SSG_PRODUCT_JRE) add_subdirectory("jre") endif() if (SSG_PRODUCT_OCP3) #add_subdirectory("ocp3") endif() if (SSG_PRODUCT_OPENSUSE) add_subdirectory("opensuse") endif() if (SSG_PRODUCT_OSP7) add_subdirectory("rhel-osp7") endif() if (SSG_PRODUCT_RHEL6) add_subdirectory("rhel6") endif() if (SSG_PRODUCT_RHEL7) add_subdirectory("rhel7") endif() if (SSG_PRODUCT_SUSE11) add_subdirectory("sle11") endif() if (SSG_PRODUCT_SUSE12) add_subdirectory("sle12") endif() if (SSG_PRODUCT_UBUNTU14) add_subdirectory("ubuntu1404") endif() if (SSG_PRODUCT_UBUNTU16) add_subdirectory("ubuntu1604") endif() if (SSG_PRODUCT_WRLINUX) add_subdirectory("wrlinux") endif() if (SSG_PRODUCT_OL7) add_subdirectory("ol7") endif() ssg_define_guide_and_table_tests() install(FILES "${CMAKE_SOURCE_DIR}/LICENSE" DESTINATION ${CMAKE_INSTALL_DOCDIR}) install(FILES "${CMAKE_SOURCE_DIR}/README.md" DESTINATION ${CMAKE_INSTALL_DOCDIR}) install(FILES "${CMAKE_SOURCE_DIR}/Contributors.md" DESTINATION ${CMAKE_INSTALL_DOCDIR}) install(FILES "docs/scap-security-guide.8" DESTINATION "${CMAKE_INSTALL_MANDIR}/man8") # We use CPack to generate the tarball with all sources and # packages for testing # only CPack should follow set(CPACK_CMAKE_GENERATOR "Unix Makefiles") set(CPACK_SOURCE_GENERATOR "TBZ2") set(CPACK_SOURCE_PACKAGE_FILE_NAME 
"scap-security-guide-${SSG_VERSION}" CACHE INTERNAL "tarball basename") set(CPACK_SOURCE_IGNORE_FILES "\\\\.git.*" "build/" "~$" "\\\\CMakeLists.txt.user" ) # Common definitions for RPM and DEB packages set(CPACK_PACKAGE_VERSION ${SSG_VERSION}) set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "Security guidance and baselines in SCAP formats") set(CPACK_PACKAGE_VENDOR "scap-security-guide") # The package contact is needed to build the deb package set(CPACK_PACKAGE_CONTACT "open-scap-list@redhat.com") set(CPACK_PACKAGE_RELOCATABLE FALSE) # This adds "${?dist} to Release field in spec file set(CPACK_RPM_PACKAGE_RELEASE "1%{?dist}") set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/usr/share/xml;/usr/share/man;/usr/share/man/man8") set(CPACK_RPM_PACKAGE_GROUP "Applications/System") set(CPACK_RPM_PACKAGE_LICENSE "BSD-3-Clause") set(CPACK_RPM_PACKAGE_URL "https://www.open-scap.org/security-policies/scap-security-guide/") set(CPACK_RPM_PACKAGE_ARCHITECTURE "noarch") set(CPACK_RPM_PACKAGE_REQUIRES "xml-common, openscap-utils >= 1.0.8") set(CPACK_RPM_PACKAGE_PROVIDES "openscap-content") set(CPACK_RPM_PACKAGE_DESCRIPTION "The %{name} project provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines. The system administrator can use the oscap command-line tool from the openscap-utils package to verify that the system conforms to provided guidelines. The %{name} package also contains HTML formatted documents containing hardening guidances that have been generated from XCCDF benchmarks. 
") # Change the default file name of the RPMs # %{release} includes release number and dist type # This only has effect with cmake v3.6 or higher set(CPACK_RPM_FILE_NAME "%{name}-%{version}-%{release}.rpm") # For older versions of cmake (e.g. v2.8) file name is defined like below set(CPACK_PACKAGE_FILE_NAME "scap-security-guide-${SSG_VERSION}") set(CPACK_GENERATOR "RPM;DEB") include(CPack) scap-security-guide-0.1.39/Contributors.md000066400000000000000000000113701327242345500205220ustar00rootroot00000000000000 The following people have contributed to the SCAP Security Guide project (listed in alphabetical order): * Frank J Cameron (CAM1244) * 0x66656c6978 <0x66656c6978@users.noreply.github.com> * Gabe Alford * Firas AlShafei * Christopher Anderson * Chuck Atkins * Ryan Ballanger * Molly Jo Bault * Alexander Bergmann * Jose Luis BG * Joseph Bisch * Jeffrey Blank * Olivier Bonhomme * Ted Brunell * Blake Burkhart * Patrick Callahan * Nick Carboni * James Cassell * Frank Caviggia * Eric Christensen * Caleb Cooper * Deric Crago * Maura Dailey * Klaas Demter * Jean-Baptiste Donnette * drax * Greg Elin * Leah Fisher * Andrew Gilmore * Joshua Glemza * Loren Gordon * Steve Grubb * Marek Haicman * Rebekah Hayes * Trey Henefield * hex2a * John Hooks * Robin Price II * Jeremiah Jahn * Stephan Joerrens * Kai Kang * Charles Kernstock * Yuli Khodorkovskiy * Luke Kordell * kspargur * Fen Labalme * Ian Lee * Jan Lieskovsky * Šimon Lukašík * Milan Lysonek * Matus Marhefka * Jamie Lorwey Martin * Michael McConachie * Khary Mendez * Rodney Mercer * Matt Micene * Brian Millett * mmosel * Zbynek Moravec * Kazuo Moriwaka * Michael Moseley * Joe Nall * Neiloy * Michele Newman * Sean O'Keeffe * Ilya Okomin * Kaustubh Padegaonkar * Michael Palmiotto * Max R.D. Parmer * pcactr * Kenneth Peeples * Nathan Peters * Frank Lin PIAT * Stefan Pietsch * Martin Preisler * Wesley Ceraso Prudencio * Raphael Sanchez Prudencio * T.O. 
Radzy Radzykewycz * Kenyon Ralph * Rick Renshaw * Chris Reynolds * Pat Riehecky * rlucente-se-jboss * Joshua Roys * rrenshaw * Chris Ruffalo * Ray Shaw (Cont ARL/CISD) rvshaw * Willy Santos * Gautam Satish * Watson Sato * Satoru SATOH * Spencer Shimko * Thomas Sjögren * Francisco Slavin * David Smith * Kevin Spargur * Kenneth Stailey * Leland Steinke * Brian Stinson * Philippe Thierry * Paul Tittle * Jeb Trayer * Matěj Týč * VadimDor <29509093+VadimDor@users.noreply.github.com> * Shawn Wells * Roy Williams * Rob Wilmoth * Lucas Yamanishi * Xirui Yang * Kevin Zimmerman * Jan Černý * Michal Šrubař scap-security-guide-0.1.39/Contributors.xml000066400000000000000000000200531327242345500207200ustar00rootroot00000000000000 Frank J Cameron (CAM1244) <cameron@ctc.com> 0x66656c6978 <0x66656c6978@users.noreply.github.com> Gabe Alford <redhatrises@gmail.com> Firas AlShafei <firas.alshafei@us.abb.com> Christopher Anderson <cba@fedoraproject.org> Chuck Atkins <chuck.atkins@kitware.com> Ryan Ballanger <root@rballang-admin-2.fastenal.com> Molly Jo Bault <Molly.Jo.Bault@ballardtech.com> Alexander Bergmann <abergmann@suse.com> Jose Luis BG <bgjoseluis@gmail.com> Joseph Bisch <joseph.bisch@gmail.com> Jeffrey Blank <blank@eclipse.ncsc.mil> Olivier Bonhomme <ptitoliv@ptitoliv.net> Ted Brunell <tbrunell@redhat.com> Blake Burkhart <blake.burkhart@us.af.mil> Patrick Callahan <pmc@patrickcallahan.com> Nick Carboni <ncarboni@redhat.com> James Cassell <james.cassell@ll.mit.edu> Frank Caviggia <fcaviggi@ra.iad.redhat.com> Eric Christensen <echriste@redhat.com> Caleb Cooper <coopercd@ornl.gov> Deric Crago <deric.crago@gmail.com> Maura Dailey <maura@eclipse.ncsc.mil> Klaas Demter <demter@atix.de> Jean-Baptiste Donnette <jean-baptiste.donnette@epita.fr> drax <applezip@gmail.com> Greg Elin <gregelin@gitmachines.com> Leah Fisher <lfisher047@gmail.com> Andrew Gilmore <agilmore2@gmail.com> Joshua Glemza <jglemza@nasa.gov> Loren Gordon <lorengordon@users.noreply.github.com> Steve Grubb 
<sgrubb@redhat.com> Marek Haicman <mhaicman@redhat.com> Rebekah Hayes <rhayes@corp.rivierautilities.com> Trey Henefield <thenefield@gmail.com> hex2a <hex2a@users.noreply.github.com> John Hooks <hooksie11@gmail.com> Robin Price II <robin@redhat.com> Jeremiah Jahn <jeremiah@goodinassociates.com> Stephan Joerrens <Stephan.Joerrens@fiduciagad.de> Kai Kang <kai.kang@windriver.com> Charles Kernstock <charles.kernstock@ultra-ats.com> Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com> Luke Kordell <luke.t.kordell@lmco.com> kspargur <kspargur@kspargur.csb> Fen Labalme <fen@civicactions.com> Ian Lee <lee1001@llnl.gov> Jan Lieskovsky <jlieskov@redhat.com> Šimon Lukašík <slukasik@redhat.com> Milan Lysonek <mlysonek@redhat.com> Matus Marhefka <mmarhefk@redhat.com> Jamie Lorwey Martin <jlmartin@redhat.com> Michael McConachie <michael@redhat.com> Khary Mendez <kharyam@gmail.com> Rodney Mercer <rmercer@harris.com> Matt Micene <nzwulfin@gmail.com> Brian Millett <bmillett@gmail.com> mmosel <mmosel@kde.example.com> Zbynek Moravec <zmoravec@redhat.com> Kazuo Moriwaka <moriwaka@users.noreply.github.com> Michael Moseley <michael@eclipse.ncsc.mil> Joe Nall <joe@nall.com> Neiloy <neiloy@redhat.com> Michele Newman <mnewman@redhat.com> Sean O'Keeffe <seanokeeffe797@gmail.com> Ilya Okomin <ilya.okomin@oracle.com> Kaustubh Padegaonkar <theTuxRacer@gmail.com> Michael Palmiotto <mpalmiotto@tresys.com> Max R.D. Parmer <maxp@trystero.is> pcactr <paul.c.arnold4.ctr@mail.mil> Kenneth Peeples <kennethwpeeples@gmail.com> Nathan Peters <Nathaniel.Peters@ca.com> Frank Lin PIAT <fpiat@klabs.be> Stefan Pietsch <mail.ipv4v6+gh@gmail.com> Martin Preisler <mpreisle@redhat.com> Wesley Ceraso Prudencio <wcerasop@redhat.com> Raphael Sanchez Prudencio <rsprudencio@redhat.com> T.O. 
Radzy Radzykewycz <radzy@windriver.com> Kenyon Ralph <kenyon@kenyonralph.com> Rick Renshaw <Richard_Renshaw@xtoenergy.com> Chris Reynolds <c.reynolds82@gmail.com> Pat Riehecky <riehecky@fnal.gov> rlucente-se-jboss <rlucente@redhat.com> Joshua Roys <roysjosh@gmail.com> rrenshaw <bofh69@yahoo.com> Chris Ruffalo <chris.ruffalo@gmail.com> Ray Shaw (Cont ARL/CISD) rvshaw <rvshaw@esme.arl.army.mil> Willy Santos <wsantos@redhat.com> Gautam Satish <gautams@hpe.com> Watson Sato <wsato@redhat.com> Satoru SATOH <satoru.satoh@gmail.com> Spencer Shimko <sshimko@tresys.com> Thomas Sjögren <konstruktoid@users.noreply.github.com> Francisco Slavin <fslavin@tresys.com> David Smith <dsmith@eclipse.ncsc.mil> Kevin Spargur <kspargur@redhat.com> Kenneth Stailey <kstailey.lists@gmail.com> Leland Steinke <leland.j.steinke.ctr@mail.mil> Brian Stinson <brian@bstinson.com> Philippe Thierry <phil@reseau-libre.net> Paul Tittle <ptittle@cmf.nrl.navy.mil> Jeb Trayer <jeb.d.trayer@uscg.mil> Matěj Týč <matyc@redhat.com> VadimDor <29509093+VadimDor@users.noreply.github.com> Shawn Wells <shawn@redhat.com> Roy Williams <roywilli@roywilli.redhat.com> Rob Wilmoth <rwilmoth@redhat.com> Lucas Yamanishi <lucas.yamanishi@onyxpoint.com> Xirui Yang <xirui.yang@oracle.com> Kevin Zimmerman <kevin.zimmerman@kitware.com> Jan Černý <jcerny@redhat.com> Michal Šrubař <msrubar@redhat.com> scap-security-guide-0.1.39/DISCLAIMER000066400000000000000000000017341327242345500170450ustar00rootroot00000000000000The upstream STIG for any STIG profile the SCAP Security Guide project is developed under the DoD consensus model and DISA FSO Vendor STIG process, serving as the upstream development environment for Red Hat Product STIGS. As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, refer to http://iase.disa.mil/stigs/Pages/index.aspx. 
While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide/. scap-security-guide-0.1.39/Dockerfile000066400000000000000000000011101327242345500174640ustar00rootroot00000000000000FROM centos:7 ENV OSCAP_USERNAME oscap ENV OSCAP_DIR scap-security-guide ENV BUILD_JOBS 4 RUN yum -y upgrade && \ yum -y install make cmake openscap-utils && \ mkdir -p /home/$OSCAP_USERNAME && \ yum clean all && \ rm -rf /usr/share/doc /usr/share/doc-base \ /usr/share/man /usr/share/locale /usr/share/zoneinfo WORKDIR /home/$OSCAP_USERNAME COPY . $OSCAP_DIR/ # clean the build dir in case the user is also building SSG locally RUN rm -rf $OSCAP_DIR/build/* WORKDIR /home/$OSCAP_USERNAME/$OSCAP_DIR/build RUN cmake .. CMD /usr/bin/make -j $BUILD_JOBS scap-security-guide-0.1.39/LICENSE000066400000000000000000000030071327242345500165060ustar00rootroot00000000000000SPDX license identifier: BSD-3-Clause Copyright (c) 2012-2017, Red Hat, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
* Neither the name of the nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. scap-security-guide-0.1.39/README.md000066400000000000000000000127741327242345500167730ustar00rootroot00000000000000## Welcome! The purpose of this project is to create *SCAP content* for various platforms -- Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Fedora, and others. *"SCAP content"* refers to documents in the *XCCDF*, *OVAL* and *Source DataStream* formats. These documents can be presented in different forms and by different organizations to meet their security automation and technical implementation needs. This project is an attempt to allow multiple organizations to efficiently develop such content by avoiding redundancy, which is possible by taking advantage of features of the *SCAP standards*. First, *SCAP content* is easily transformed programmatically. XCCDF also supports selection of subsets of content through a "profile" and granular adjustment of settings through a "refine-value." The goal of this project to enable the creation of multiple security baselines from a single set of high-quality SCAP content. 
The SSG homepage is https://www.open-scap.org/security-policies/scap-security-guide/

* User Manual: [SSG User Manual](https://github.com/OpenSCAP/scap-security-guide/blob/master/docs/manual/user_guide.adoc)
* Developer Guide: [SSG Developer Guide](https://github.com/OpenSCAP/scap-security-guide/blob/master/docs/manual/developer_guide.adoc)

## Installation

The preferred method of installation is via the package manager of your distribution. On RHEL and Fedora you can use: `yum install scap-security-guide`.

On Debian (sid), you can use:

* `apt install ssg-debian` for Debian guides.
* `apt install ssg-debderived` for Debian-based distributions (e.g. Ubuntu) guides.
* `apt install ssg-nondebian` for other distributions' guides (RHEL, Fedora, etc.).
* `apt install ssg-applications` for application-oriented guides (Firefox, JBoss, etc.).

If SCAP Security Guide is not packaged in your distribution or if the version that is packaged is too old, you need to build the content yourself and install it via `make install`. Please see the [BUILD.md](BUILD.md) document for more info. Or you can download a pre-built SSG zip archive from the [latest release](https://github.com/OpenSCAP/scap-security-guide/releases/latest).

## Build from the source

Please see the [BUILD.md](BUILD.md) document for build instructions.

## Usage

We assume you have installed SCAP Security Guide system-wide into a standard location as instructed in the previous section.

There are several ways to consume SCAP Security Guide content; we will only go through a few of them here.

### `oscap` tool

The `oscap` tool is a low-level command line interface that comes from the OpenSCAP project. It can be used to scan the local machine.
```
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_usgcb-rhel6-server --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
```

After evaluation, the `arf.xml` file will contain all results in a reusable *Result DataStream* format, and `report.html` will contain a human readable report that can be opened in a browser.

Replace the profile with another profile of your choice; you can display all possible choices using:

```
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
```

Please see the [User Manual](https://static.open-scap.org/openscap-1.2/oscap_user_manual.html) for more info.

### SCAP Workbench

The SCAP Workbench is a graphical user interface for SCAP evaluation and customization. It is suitable for scanning a single machine, either local or remote (via SSH). New versions of SCAP Workbench have SSG integration and will automatically offer it when the application is started.

Please see the [User Manual](https://static.open-scap.org/scap-workbench-1.1/) for more info.

### `oscap-ssh` tool

`oscap-ssh` comes bundled with OpenSCAP 1.2.3 and later. It allows scanning a remote machine via SSH with an interface resembling the `oscap` tool. The following command evaluates the machine with IP `192.168.1.123` using content stored on the local machine. Keep in mind that `oscap` has to be installed on the remote machine but the SSG content doesn't need to be.

```
# oscap-ssh root@192.168.1.123 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_usgcb-rhel6-server --results-arf arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
```

## Deprecated Content

For a list of deprecated content, review the [Deprecated Content Table](https://github.com/OpenSCAP/scap-security-guide/blob/master/docs/manual/user_guide.adoc#deprecated-content) in the User Guide.
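The `oscap xccdf eval` command in the Usage section above writes `arf.xml` and `report.html` and then exits, and in practice the next question is always whether anything failed. The following added example (it is not part of the scap-security-guide repository or its README) wraps that invocation in a small bash helper, interprets `oscap`'s exit status, and tallies the rule results from the XCCDF output. The exit-code meanings (0 = every selected rule passed, 1 = evaluation error, 2 = at least one rule failed or unknown), the `<rule-result idref="..."><result>...</result></rule-result>` layout it parses, and the sample result fragment embedded at the bottom are assumptions and constructed data, not content taken from this page.

```bash
#!/bin/bash
# Added example, not part of the scap-security-guide repository. Wraps the README's
# `oscap xccdf eval` command and summarises the XCCDF results it produces.
# Assumptions not taken from the page: oscap exit codes (0 = all selected rules
# passed, 1 = error, 2 = at least one rule failed/unknown) and the
# <rule-result idref="..."><result>...</result></rule-result> layout of XCCDF
# results, optionally prefixed with "xccdf:" when embedded in an ARF.

# ssg_describe_exit RC -> one-line meaning of an `oscap xccdf eval` exit status.
# Exit status 2 is a finding, not a tool failure, so callers must not treat it as
# "oscap crashed".
ssg_describe_exit() {
    case "$1" in
        0) echo "all selected rules passed" ;;
        2) echo "at least one rule failed or was unknown" ;;
        *) echo "oscap error (exit status $1)" ;;
    esac
}

# ssg_eval PROFILE DATASTREAM ARF_OUT REPORT_OUT
# Runs the README command (as root, like the README does) and passes the exit
# status through unchanged so a pipeline can decide what to do with it.
ssg_eval() {
    local profile="$1" ds="$2" arf="$3" report="$4"
    oscap xccdf eval --profile "$profile" --results-arf "$arf" --report "$report" "$ds"
    local rc=$?
    ssg_describe_exit "$rc" >&2
    return "$rc"
}

# Put every rule-result element on its own line. oscap pretty-prints each element
# over several lines, which defeats a naive grep; the trailing echo guarantees a
# final newline so line counts stay correct.
ssg_one_rule_per_line() {
    { tr -d '\n' < "$1"; echo; } | sed -E 's/<(xccdf:)?rule-result/\n&/g'
}

# ssg_count_results RESULTS_XML RESULT -> number of rules with that outcome
# (pass, fail, error, unknown, notapplicable, notchecked, notselected, fixed, ...).
ssg_count_results() {
    ssg_one_rule_per_line "$1" | grep -cE "<(xccdf:)?result>$2<" || true
}

# ssg_failed_rules RESULTS_XML -> idref of every rule whose result is fail.
ssg_failed_rules() {
    ssg_one_rule_per_line "$1" \
        | sed -E -n 's/.*idref="([^"]+)".*<(xccdf:)?result>fail<.*/\1/p'
}

# Constructed sample in the shape oscap writes, so the functions can be exercised
# without a scanner; rule ids and outcomes are illustrative, not a real scan.
SSG_SAMPLE_RESULTS='<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_sample">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_disable_prelink" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_ip6tables_enabled" weight="1.000000">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" weight="1.000000">
    <result>fail</result>
  </rule-result>
</TestResult>'

# ssg_write_sample_results FILE -> writes the constructed sample to FILE.
ssg_write_sample_results() {
    printf '%s\n' "$SSG_SAMPLE_RESULTS" > "$1"
}

# Usage against a real system, mirroring the README command:
#   ssg_eval xccdf_org.ssgproject.content_profile_usgcb-rhel6-server \
#       /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml arf.xml report.html
#   ssg_failed_rules arf.xml
```

The functions deliberately work on the raw XML with `tr`/`sed`/`grep` rather than an XML parser, because the hosts being scanned are often minimal RHEL installs without extra tooling; for the same reason the functions only depend on the element names and never on namespace prefixes or indentation.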
## Support

The SSG mailing list can be found at [https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide](https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide).

If you encounter issues with OpenSCAP or SCAP Workbench, use [https://www.redhat.com/mailman/listinfo/open-scap-list](https://www.redhat.com/mailman/listinfo/open-scap-list).

You can also join the `#openscap` IRC channel on `chat.freenode.net`.

## COPR Repo

We have created a new COPR repository that provides unofficial builds of the latest versions of the openscap, scap-security-guide, scap-workbench and openscap-daemon packages. The packages are suitable for use on Red Hat Enterprise Linux 6 and 7 and CentOS 6 and 7.

The COPR repository is located at: https://copr.fedorainfracloud.org/coprs/openscapmaint/openscap-latest/

The repo enables you to test the latest greatest OpenSCAP bits on RHEL and CentOS.

#### Health Checks

* Python Code via landscape.io: [![Code Health](https://landscape.io/github/OpenSCAP/scap-security-guide/master/landscape.png)](https://landscape.io/github/OpenSCAP/scap-security-guide/master)

scap-security-guide-0.1.39/build/
scap-security-guide-0.1.39/build/.gitkeep
scap-security-guide-0.1.39/chromium/
scap-security-guide-0.1.39/chromium/CMakeLists.txt

# Sometimes our users will try to do: "cd chromium; cmake ." That needs to error in a nice way.
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!") endif() ssg_build_product("chromium") scap-security-guide-0.1.39/chromium/checks/000077500000000000000000000000001327242345500205645ustar00rootroot00000000000000scap-security-guide-0.1.39/chromium/checks/oval/000077500000000000000000000000001327242345500215255ustar00rootroot00000000000000scap-security-guide-0.1.39/chromium/checks/oval/chromium_blacklist_extension_installation.xml000066400000000000000000000022741327242345500330040ustar00rootroot00000000000000 Blacklist Extension Installation Google Chromium Browser Extensions installation must be blacklisted by default. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"ExtensionInstallBlacklist\"\:[\s]+\[\"\*\"\], 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_block_desktop_notifications.xml000066400000000000000000000022371327242345500317320ustar00rootroot00000000000000 Block Desktop Notifications Google Chromium Browser Sites ability for showing desktop notifications must be disabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"DefaultNotificationsSetting\"\:[\s]+2, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_check_cert_revocation.xml000066400000000000000000000022151327242345500304750ustar00rootroot00000000000000 Check Certificate Revocation Google Chromium Browser Online revocation checks must be done. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"EnableOnlineRevocationChecks\"\:[\s]+true, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_default_block_plugins.xml000066400000000000000000000022361327242345500305140ustar00rootroot00000000000000 Block Plugin Execution By Default Google Chromium Browser Default behavior must block webpages from automatically running plugins. 
/etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"DefaultPluginsSetting\"\:[\s]+3, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_default_search_provider.xml000066400000000000000000000022371327242345500310410ustar00rootroot00000000000000 Enable Default Search Provider Google Chromium Browser Default search provider must be enabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"DefaultSearchProviderEnabled\"\:[\s]+true, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_default_search_provider_name.xml000066400000000000000000000030611327242345500320350ustar00rootroot00000000000000 Set Default Search Provider Name Google Chromium Browser The default search providers name must be set. /etc/chromium/policies/managed/.*\.json ^[\s]+"DefaultSearchProviderName"\:[\s]+"(\S+)",$ 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_3d_graphics_api.xml000066400000000000000000000021701327242345500306540ustar00rootroot00000000000000 Disable 3D Graphics APIs Google Chromium Browser 3D Graphics APIs must be disabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"Disable3DAPIs\"\:[\s]+true, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_autocomplete.xml000066400000000000000000000021661327242345500303430ustar00rootroot00000000000000 Disable Autocomplete For Forms Google Chromium Browser AutoFill must be disabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"AutoFillEnabled\"\:[\s]+false, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_automatic_installation.xml000066400000000000000000000024021327242345500324020ustar00rootroot00000000000000 Disable Automatic Plugin Search And Installation Google Chromium Browser Automated installation of missing plugins must be disabled. 
/etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"DisablePluginFinder\"\:[\s]+true, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_background_processing.xml000066400000000000000000000022631327242345500322130ustar00rootroot00000000000000 Disable Background Processing Google Chromium Browser Background processing must be disabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"BackgroundModeEnabled\"\:[\s]+false, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_cleartext_passwords.xml000066400000000000000000000023051327242345500317350ustar00rootroot00000000000000 Disable Cleartext Passwords Google Chromium Browser Cleartext passwords in the Password Manager must be disabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"PasswordManagerAllowShowPasswords\"\:[\s]+false, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_cloud_print_sharing.xml000066400000000000000000000022421327242345500316720ustar00rootroot00000000000000 Disable Cloud Print Sharing Google Chromium Browser Cloud print sharing must be disabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"CloudPrintProxyEnabled\"\:[\s]+false, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_firewall_traversal.xml000066400000000000000000000022351327242345500315270ustar00rootroot00000000000000 Disable Firewall Traversal Google Chromium Browser Firewall traversal from remote host must be disabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"RemoteAccessHostFirewallTraversal\"\:[\s]+false, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_google_sync.xml000066400000000000000000000021711327242345500301460ustar00rootroot00000000000000 Disable Google Data Synchronization Google Chromium Browser Google Data Synchronization must be disabled. 
/etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"SyncDisabled\"\:[\s]+true, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_incognito_mode.xml000066400000000000000000000021641327242345500306350ustar00rootroot00000000000000 Disable Incognito Mode Google Chromium Browser Incognito mode must be disabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"IncognitoModeAvailability\"\:[\s]+1, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_metrics_reporting.xml000066400000000000000000000022331327242345500313740ustar00rootroot00000000000000 Disable Metrics Reporting Google Chromium Browser Metrics reporting to Google must be disabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"MetricsReportingEnabled\"\:[\s]+false, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_network_prediction.xml000066400000000000000000000022301327242345500315430ustar00rootroot00000000000000 Disable Network Prediction Google Chromium Browser Network prediction must be disabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"DnsPrefetchingEnabled\"\:[\s]+false, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_outdated_plugins.xml000066400000000000000000000022241327242345500312070ustar00rootroot00000000000000 Disable Outdated Plugins Google Chromium Browser The running of outdated plugins must be disabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"AllowOutdatedPlugins\"\:[\s]+false, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_password_manager.xml000066400000000000000000000022131327242345500311670ustar00rootroot00000000000000 Disable Password Manager Google Chromium Browser The Password Manager must be disabled. 
/etc/chromium/policies/managed/.*\.json
^\{([^\n]*\n+)+[\s]+\"PasswordManagerEnabled\"\:[\s]+false,
1

scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_plugin_blacklist.xml
Blacklist Plugins
Google Chromium Browser
Plugins must be disabled by default.
/etc/chromium/policies/managed/.*\.json
^\{([^\n]*\n+)+[\s]+\"DisabledPlugins\"\:[\s]+\[\"\*\"\],
1

scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_popups.xml
Disable Pop-ups
Google Chromium Browser
Sites' ability to show pop-ups must be disabled.
/etc/chromium/policies/managed/.*\.json
^\{([^\n]*\n+)+[\s]+\"DefaultPopupsSetting\"\:[\s]+2,
1

scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_protocol_schemas.xml
Disable Javascript URL Protocol Schemas
Google Chromium Browser
The URL protocol schema javascript must be disabled.
/etc/chromium/policies/managed/.*\.json
^[\s]+\"URLBlacklist\"\:[\s]+\[\"(\S+)"\],
1

scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_saved_passwords.xml
Disable Importing Saved Passwords
Google Chromium Browser
Importing of saved passwords must be disabled.
/etc/chromium/policies/managed/.*\.json
^\{([^\n]*\n+)+[\s]+\"ImportSavedPasswords\"\:[\s]+false,
1

scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_search_suggestions.xml
Disable Search Suggestions
Google Chromium Browser
Search suggestions must be disabled.
/etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"SearchSuggestEnabled\"\:[\s]+false, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_session_cookies.xml000066400000000000000000000022231327242345500310330ustar00rootroot00000000000000 Disable Per Session Cookies Google Chromium Browser Session only based cookies must be disabled. /etc/chromium/policies/managed/.*\.json ^[\s]+\"CookiesSessionOnlyForUrls\"\:[\s]+\[\"(none|)"\], 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disable_thirdparty_cookies.xml000066400000000000000000000022271327242345500315460ustar00rootroot00000000000000 Disable Third Party Cookies Google Chromium Browser Third party cookies must be blocked. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"BlockThirdPartyCookies\"\:[\s]+true, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_disallow_location_tracking.xml000066400000000000000000000021761327242345500315500ustar00rootroot00000000000000 Disallow Location Tracking Google Chromium Browser Site tracking users location must be disabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"DefaultGeolocationSetting\"\:[\s]+2, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_enable_approved_plugins.xml000066400000000000000000000022101327242345500310340ustar00rootroot00000000000000 Enable Approved Plugins Google Chromium Browser Plugins approved for use must be enabled. /etc/chromium/policies/managed/.*\.json ^[\s]+\"EnabledPlugins\"\:[\s]+\[\"((none|[a-zA-Z]*)|!*)\"\], 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_enable_browser_history.xml000066400000000000000000000021711327242345500307250ustar00rootroot00000000000000 Enable Browser History Google Chromium Browser Browser history must be saved. 
/etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"SavingBrowserHistoryDisabled\"\:[\s]+false, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_enable_encrypted_searching.xml000066400000000000000000000030571327242345500315050ustar00rootroot00000000000000 Enable Encrypted Searching Google Chromium Browser The default search provider URL must be set to perform encrypted searches. /etc/chromium/policies/managed/.*\.json ^[\s]+\"DefaultSearchProviderSearchURL\"\:[\s]+\"(\S+)", 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_enable_safe_browsing.xml000066400000000000000000000021411327242345500303060ustar00rootroot00000000000000 Enable Safe Browsing Google Chromium Browser Safe Browsing must be enabled. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"SafeBrowsingEnabled\"\:[\s]+true, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_extension_whitelist.xml000066400000000000000000000030041327242345500302570ustar00rootroot00000000000000 Extension Whitelist Google Chromium Browser Extensions that are approved for use must be whitelisted. /etc/chromium/policies/managed/.*\.json ^[\s]+\"ExtensionInstallWhitelist\"\:[\s]+\[\"(\S+)\"], 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_http_authentication.xml000066400000000000000000000027541327242345500302400ustar00rootroot00000000000000 HTTP Authentication Google Chromium Browser The HTTP Authentication must be set to negotiate. /etc/chromium/policies/managed/.*\.json ^[\s]+\"AuthSchemes\"\:[\s]+\"(\S+)\", 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_plugins_require_authorization.xml000066400000000000000000000023111327242345500323440ustar00rootroot00000000000000 Plugins Require Authentication Google Chromium Browser Plugins requiring authorization must ask for user permission. 
/etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\"AlwaysAuthorizePlugins\"\:[\s]+false, 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_policy_file.xml000066400000000000000000000021041327242345500264450ustar00rootroot00000000000000 Chromium Policy File Exists Google Chromium Browser The Chromium policy file must exist and be configured correctly. /etc/chromium/policies/managed/.*\.json ^\{([^\n]*\n+)+[\s]+\".*\"\:[\s]+.*,([^\n]*\n+)+\} 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_trusted_home_page.xml000066400000000000000000000027351327242345500276570ustar00rootroot00000000000000 Set Trusted Homepage URL Google Chromium Browser The homepage must be set to a trusted site. /etc/chromium/policies/managed/.*\.json ^[\s]+\"HomepageLocation\"\:[\s]+\"(\S+)\", 1 scap-security-guide-0.1.39/chromium/checks/oval/chromium_whitelist_plugin_urls.xml000066400000000000000000000022021327242345500306050ustar00rootroot00000000000000 Configure Whitelisted Plugins For Use Google Chromium Browser URLs must be whitelisted for plugin use. 
/etc/chromium/policies/managed/.*\.json ^[\s]+\"PluginsAllowedForUrls\"\:[\s]+\[\"(none|!*)\"\], 1 scap-security-guide-0.1.39/chromium/checks/oval/installed_OS_is_part_of_Unix_family.xml000066400000000000000000000020271327242345500314010ustar00rootroot00000000000000 Installed operating system is part of the Unix family Google Chromium Browser The operating system installed on the system is part of the Unix OS family unix scap-security-guide-0.1.39/chromium/checks/oval/installed_app_is_chromium.xml000066400000000000000000000031761327242345500274730ustar00rootroot00000000000000 Google Chromium Browser Google Chromium Browser The application installed on the system is the Google Chromium Browser chromium-browser chromium scap-security-guide-0.1.39/chromium/cpe/000077500000000000000000000000001327242345500200735ustar00rootroot00000000000000scap-security-guide-0.1.39/chromium/cpe/chromium-cpe-dictionary.xml000066400000000000000000000012311327242345500253450ustar00rootroot00000000000000 Google Chromium Browser installed_app_is_chromium scap-security-guide-0.1.39/chromium/fixes/000077500000000000000000000000001327242345500204425ustar00rootroot00000000000000scap-security-guide-0.1.39/chromium/fixes/bash/000077500000000000000000000000001327242345500213575ustar00rootroot00000000000000scap-security-guide-0.1.39/chromium/fixes/bash/chromium_blacklist_extension_installation.sh000066400000000000000000000010021327242345500324340ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="ExtensionInstallBlacklist" POL_SETTING_VAL="\[\"*\"\]" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? 
-eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_block_desktop_notifications.sh000066400000000000000000000007741327242345500314020ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="DefaultNotificationsSetting" POL_SETTING_VAL="2" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_check_cert_revocation.sh000066400000000000000000000010001327242345500301300ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="EnableOnlineRevocationChecks" POL_SETTING_VAL="true" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_default_block_plugins.sh000066400000000000000000000007661327242345500301660ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="DefaultPluginsSetting" POL_SETTING_VAL="3" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? 
-eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_default_search_provider.sh000066400000000000000000000010001327242345500304700ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="DefaultSearchProviderEnabled" POL_SETTING_VAL="true" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_default_search_provider_name.sh000066400000000000000000000011731327242345500315030ustar00rootroot00000000000000# platform = Google Chromium Browser populate var_default_search_provider_name CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="DefaultSearchProviderName" POL_SETTING_VAL=$(echo ${var_default_search_provider_name} | sed 's/\//\\\/\\/') grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? 
-eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": "'${var_default_search_provider_name}'",' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'\".*/\"'${POL_SETTING}'\": \"'${POL_SETTING_VAL}'\",/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_3d_graphics_api.sh000066400000000000000000000007611327242345500303240ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="Disable3DAPIs" POL_SETTING_VAL="true" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_autocomplete.sh000066400000000000000000000007641327242345500300110ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="AutoFillEnabled" POL_SETTING_VAL="false" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_automatic_installation.sh000066400000000000000000000007671327242345500320620ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="DisablePluginFinder" POL_SETTING_VAL="true" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? 
-eq 0 ] ; then
    sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
    sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_background_processing.sh

# platform = Google Chromium Browser

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="BackgroundModeEnabled"
POL_SETTING_VAL="false"

# insert the key right after the opening brace if it is absent, otherwise rewrite its line
grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}
if ! [ $? -eq 0 ] ; then
    sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
    sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_cleartext_passwords.sh

# platform = Google Chromium Browser

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="PasswordManagerAllowShowPasswords"
POL_SETTING_VAL="false"

# insert the key right after the opening brace if it is absent, otherwise rewrite its line
grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}
if ! [ $? -eq 0 ] ; then
    sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
    sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_cloud_print_sharing.sh

# platform = Google Chromium Browser

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
# policy key name must match the one tested by the OVAL check
# chromium/checks/oval/chromium_disable_cloud_print_sharing.xml (CloudPrintProxyEnabled);
# a misspelled key is accepted by Chromium's policy loader silently and the check keeps failing
POL_SETTING="CloudPrintProxyEnabled"
POL_SETTING_VAL="false"

# insert the key right after the opening brace if it is absent, otherwise rewrite its line
grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}
if !
[ $? -eq 0 ] ; then
    sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
    sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_firewall_traversal.sh

# platform = Google Chromium Browser

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="RemoteAccessHostFirewallTraversal"
POL_SETTING_VAL="false"

# insert the key right after the opening brace if it is absent, otherwise rewrite its line
grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}
if ! [ $? -eq 0 ] ; then
    sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
    sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_google_sync.sh

# platform = Google Chromium Browser

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="SyncDisabled"
POL_SETTING_VAL="true"

# insert the key right after the opening brace if it is absent, otherwise rewrite its line
grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}
if ! [ $? -eq 0 ] ; then
    sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
else
    sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE}
fi

scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_incognito_mode.sh

# platform = Google Chromium Browser

CHROME_POL_FILE="chrome_stig_policy.json"
CHROME_POL_DIR="/etc/chromium/policies/managed/"
POL_SETTING="IncognitoModeAvailability"
# IncognitoModeAvailability is an integer enumeration (0 = available, 1 = disabled, 2 = forced),
# not a boolean; the OVAL check chromium_disable_incognito_mode.xml expects the value 1
POL_SETTING_VAL="1"

# insert the key right after the opening brace if it is absent, otherwise rewrite its line
grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}
if ! [ $?
-eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_metrics_reporting.sh000066400000000000000000000007741327242345500310500ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="MetricsReportingEnabled" POL_SETTING_VAL="false" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_network_prediction.sh000066400000000000000000000007721327242345500312200ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="DnsPrefetchingEnabled" POL_SETTING_VAL="false" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_outdated_plugins.sh000066400000000000000000000007711327242345500306600ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="AllowOutdatedPlugins" POL_SETTING_VAL="false" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? 
-eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_password_manager.sh000066400000000000000000000007731327242345500306440ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="PasswordManagerEnabled" POL_SETTING_VAL="false" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_plugin_blacklist.sh000066400000000000000000000007701327242345500306330ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="DisabledPlugins" POL_SETTING_VAL="\[\"*\"\]" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_popups.sh000066400000000000000000000007651327242345500266370ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="DefaultPopupsSetting" POL_SETTING_VAL="2" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? 
-eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_protocol_schemas.sh000066400000000000000000000011061327242345500306430ustar00rootroot00000000000000# platform = Google Chromium Browser populate var_url_blacklist CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="URLBlacklist" POL_SETTING_VAL=$(echo ${var_url_blacklist}| sed 's/\//\\\/\\/') grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": \["'${var_url_blacklist}'"\],' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": \[\"'${POL_SETTING_VAL}'\"\],/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_saved_passwords.sh000066400000000000000000000007711327242345500305150ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="ImportSavedPasswords" POL_SETTING_VAL="false" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? 
-eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_search_suggestions.sh000066400000000000000000000007711327242345500312050ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="SearchSuggestEnabled" POL_SETTING_VAL="false" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_session_cookies.sh000066400000000000000000000010131327242345500304730ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="CookiesSessionOnlyForUrls" POL_SETTING_VAL="none" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": \["'${POL_SETTING_VAL}'"\],' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": \[\"'${POL_SETTING_VAL}'\"\],/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disable_thirdparty_cookies.sh000066400000000000000000000007721327242345500312150ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="BlockThirdPartyCookies" POL_SETTING_VAL="true" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? 
-eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_disallow_location_tracking.sh000066400000000000000000000007721327242345500312140ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="DefaultGeolocationSetting" POL_SETTING_VAL="2" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_enable_approved_plugins.sh000066400000000000000000000011431327242345500305040ustar00rootroot00000000000000# platform = Google Chromium Browser populate var_enable_approved_plugins CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="EnabledPlugins" POL_SETTING_VAL=$(echo ${var_enable_approved_plugins} | sed 's/\//\\\/\\/') grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? 
-eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": \['${var_enable_approved_plugins}'\],' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'\".*/\"'${POL_SETTING}'\": \['${POL_SETTING_VAL}'\],/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_enable_browser_history.sh000066400000000000000000000010011327242345500303600ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="SavingBrowserHistoryDisabled" POL_SETTING_VAL="false" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_enable_encrypted_searching.sh000066400000000000000000000011721327242345500311450ustar00rootroot00000000000000# platform = Google Chromium Browser populate var_enable_encrypted_searching CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="DefaultSearchProviderSearchURL" POL_SETTING_VAL=$(echo ${var_enable_encrypted_searching} | sed 's/\//\\\/\\/') grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? 
-eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": "'${var_enable_encrypted_searching}'",' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's;\"'${POL_SETTING}'\".*;\"'${POL_SETTING}'\": \"'${POL_SETTING_VAL}'\",;g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_enable_safe_browsing.sh000066400000000000000000000007671327242345500277660ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="SafeBrowsingEnabled" POL_SETTING_VAL="true" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_extension_whitelist.sh000066400000000000000000000011401327242345500277220ustar00rootroot00000000000000# platform = Google Chromium Browser populate var_extension_whitelist CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="ExtensionInstallWhitelist" POL_SETTING_VAL=$(echo ${var_extension_whitelist} | sed 's/\//\\\/\\/') grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? 
-eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": "'${var_extension_whitelist}'",' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'\".*/\"'${POL_SETTING}'\": \"'${POL_SETTING_VAL}'\",/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_http_authentication.sh000066400000000000000000000007731327242345500277030ustar00rootroot00000000000000# platform = Google Chromium Browser populate var_auth_schemes CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="AuthSchemes" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": "'${var_auth_schemes}'",' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": \"'${var_auth_schemes}'\",/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_plugins_require_authorization.sh000066400000000000000000000007731327242345500320220ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="AlwaysAuthorizePlugins" POL_SETTING_VAL="false" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": '${POL_SETTING_VAL}',' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\": '${POL_SETTING_VAL}',/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_policy_file.sh000066400000000000000000000014231327242345500261140ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" if [ ! -d ${CHROME_POL_DIR} ] ; then mkdir -p -m 755 ${CHROME_POL_DIR} fi if [ ! 
-f ${CHROME_POL_DIR}/${CHROME_POL_FILE} ] ; then touch ${CHROME_POL_DIR}/${CHROME_POL_FILE} chmod 644 ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi grep -q -E '^\{' ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then if [ -s ${CHROME_POL_DIR}/${CHROME_POL_FILE} ] ; then sed -i '1s/^/\{\n/' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else echo -e "{" >> ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi fi tail -1 ${CHROME_POL_DIR}/${CHROME_POL_FILE} | grep -q -E '^\}' if ! [ $? -eq 0 ] ; then echo -e "}" >> ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_trusted_home_page.sh000066400000000000000000000011211327242345500273070ustar00rootroot00000000000000# platform = Google Chromium Browser populate var_trusted_home_page CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="HomepageLocation" POL_SETTING_VAL=$(echo ${var_trusted_home_page} | sed 's/\//\\\/\\/') grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? -eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": "'${var_trusted_home_page}'",' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'\".*/\"'${POL_SETTING}'\": \"'${POL_SETTING_VAL}'\",/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/fixes/bash/chromium_whitelist_plugin_urls.sh000066400000000000000000000010011327242345500302450ustar00rootroot00000000000000# platform = Google Chromium Browser CHROME_POL_FILE="chrome_stig_policy.json" CHROME_POL_DIR="/etc/chromium/policies/managed/" POL_SETTING="PluginsAllowedForUrls" POL_SETTING_VAL="none" grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE} if ! [ $? 
-eq 0 ] ; then sed -i -e '/{/a \ "'${POL_SETTING}'": "'${POL_SETTING_VAL}'",' ${CHROME_POL_DIR}/${CHROME_POL_FILE} else sed -i -e 's/\"'${POL_SETTING}'\".*/\"'${POL_SETTING}'\": \"'${POL_SETTING_VAL}'\",/g' ${CHROME_POL_DIR}/${CHROME_POL_FILE} fi scap-security-guide-0.1.39/chromium/guide.xslt000066400000000000000000000034101327242345500213330ustar00rootroot00000000000000 A conditional clause for check statements. A conditional clause for check statements. This is a placeholder. scap-security-guide-0.1.39/chromium/guide/000077500000000000000000000000001327242345500204215ustar00rootroot00000000000000scap-security-guide-0.1.39/chromium/guide/chromium/000077500000000000000000000000001327242345500222445ustar00rootroot00000000000000scap-security-guide-0.1.39/chromium/guide/chromium/chromium.group000066400000000000000000000012151327242345500251440ustar00rootroot00000000000000documentation_complete: true title: Chromium description: "Chromium is an open-source web browser, powered by WebKit (Blink),\nand developed by Google. Web browsers such as Chromium are used for a number of\nreasons. This section provides settings for configuring Chromium policies to \nmeet compliance settings for Chromium running on Red Hat Enterprise Linux \nsystems.\n\nRefer to
  • https://www.chromium.org/administrators/policy-list-3
for\na list of currently supported Chromium policies.\nRefer to
  • https://www.chromium.org/administrators/policy_templates
for \npre-created Chromium JSON policy files." scap-security-guide-0.1.39/chromium/guide/chromium/chromium_blacklist_extension_installation.rule000066400000000000000000000020041327242345500336610ustar00rootroot00000000000000documentation_complete: true title: 'Disable All Extensions by Default' description: "Extensions are developed by third party sources and are designed to extend \nGoogle Chromium's functionality. As an extension can be made by anyone, all extensions\nshould be blacklisted from installation by default. To blacklist all extensions, set the \nExtensionInstallBlacklist to * in the Chromium policy file." rationale: |- Extensions can access almost anything on a system. This means they pose a high risk to any system that would allow all extensions to be installed by default. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0006 ocil_clause: 'extensions are not blacklisted' ocil: |- To verify that all extensions are blacklisted from installing, run the following command:
$ grep ExtensionInstallBlacklist /etc/chromium/policies/managed/*.json
The output should contain:
"ExtensionInstallBlacklist": ["*"],
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_block_desktop_notifications.rule000066400000000000000000000016261327242345500326210ustar00rootroot00000000000000documentation_complete: true title: 'Prevent Desktop Notifications' description: |- Chromium by default allows websites to display notifications on the desktop. To disable this setting, set DefaultNotificationsSetting to 2 in the Chromium policy file. rationale: "Disabling Chromium's ability to display notifications on the desktop helps prevent \nmalicious websites from controlling desktop notifications or fooling users into\nclicking on a potentially compromised notification." severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0003 ocil_clause: 'it is not disabled' ocil: |- To verify that desktop notification is disabled, run the following command:
$ grep DefaultNotificationsSetting /etc/chromium/policies/managed/*.json
The output should contain:
"DefaultNotificationsSetting": 2,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_check_cert_revocation.rule000066400000000000000000000016521327242345500313670ustar00rootroot00000000000000documentation_complete: true title: 'Enable Online OCSP/CRL Certificate Checks' description: |- Certificates can become compromised, and Chromium should check that the certificates in its store are valid by setting EnableOnlineRevocationChecks to true in the Chromium policy file. rationale: |- Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0037 ocil_clause: 'it is not enabled' ocil: |- To verify that online OCSP/CRL checks are enabled, run the following command:
$ grep EnableOnlineRevocationChecks /etc/chromium/policies/managed/*.json
The output should contain:
"EnableOnlineRevocationChecks": true,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_default_block_plugins.rule000066400000000000000000000014671327242345500314070ustar00rootroot00000000000000documentation_complete: true title: 'Block Plugins by Default' description: |- By default, websites are allowed to automatically run plugins. Users should be prompted to allow plugins to execute plugins by setting DefaultPluginsSetting to 3 in the Chromium policy file. rationale: |- Websites should not be allowed to automatically run plugins as the plugins may be outdated or compromised. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0040 ocil_clause: 'it is not set correctly' ocil: |- To verify that plugins cannot run automatically, run the following command:
$ grep DefaultPluginsSetting /etc/chromium/policies/managed/*.json
The output should contain:
"DefaultPluginsSetting": 3,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_default_search_provider.rule000066400000000000000000000015451327242345500317300ustar00rootroot00000000000000documentation_complete: true title: 'Enable the Default Search Provider' description: |- By default users, can change search provider settings. To disable this, set DefaultSearchProviderEnabled to true in the Chromium policy file. rationale: |- A default search is performed when the user types text in the omnibox that is not a URL. This should be organizationally defined and not allowed to be changed by a user. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0009 ocil_clause: 'it is not enabled' ocil: |- To verify that users cannot change the default search provider, run the following command:
$ grep DefaultSearchProviderEnabled /etc/chromium/policies/managed/*.json
The output should contain:
"DefaultSearchProviderEnabled": true,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_default_search_provider_name.rule000066400000000000000000000017071327242345500327300ustar00rootroot00000000000000documentation_complete: true title: 'Set the Default Search Provider''s URL' description: "Specifies the URL of the default search provider that is to be used. To set the \nURL of the default search provider, set DefaultSearchProviderName to \n in the Chromium policy file." rationale: |- When doing internet searches, it is important to set an organizationally approved search provider as well as use an encrypted connection via https. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0007 ocil_clause: 'a default search provider is not set' ocil: |- To verify that a default search provider is set, run the following command:
$ grep DefaultSearchProviderName /etc/chromium/policies/managed/*.json
The output should contain:
"DefaultSearchProviderName": "",
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_3d_graphics_api.rule000066400000000000000000000016051327242345500315440ustar00rootroot00000000000000documentation_complete: true title: 'Disable the 3D Graphics APIs' description: |- Chromium uses WebGL to render graphics using the GPU which allows website access to the GPU. This should be disabled by setting Disable3DAPIs to true in the Chromium policy file. rationale: |- This setting prevents web pages from accessing the graphics processing unit (GPU). Specifically, web pages cannot access the WebGL API and plugins cannot use the Pepper 3D API in order to reduce the attack surface. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0019 ocil_clause: 'it is not disabled' ocil: |- To verify that 3D graphics are disabled, run the following command:
$ grep Disable3DAPIs /etc/chromium/policies/managed/*.json
The output should contain:
"Disable3DAPIs": true,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_autocomplete.rule000066400000000000000000000015661327242345500312340ustar00rootroot00000000000000documentation_complete: true title: 'Disable the AutoFill Feature' description: |- The AutoFill feature suggests possible matches when users are filling in forms. To disable the AutoFill feature, set AutoFillEnabled to false in the Chromium policy file. rationale: |- It is possible with the AutoFill feature that it will cache sensitive data and store it in the user's profile, where it might not be protected as rigorously as required by organizational policy. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0022 ocil_clause: 'it is not disabled' ocil: |- To verify that the AutoFill feature is disabled, run the following command:
$ grep AutoFillEnabled /etc/chromium/policies/managed/*.json
The output should contain:
"AutoFillEnabled": false,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_automatic_installation.rule000066400000000000000000000017001327242345500332700ustar00rootroot00000000000000documentation_complete: true title: 'Disable Automatic Search And Installation of Plugins' description: |- Chromium will automatically detect, search, and install plugins as required. This should be disabled by setting DisablePluginFinder to true in the Chromium policy file. rationale: |- The automatic search and installation of missing or not installed plugins should be disabled as this can cause significant risk if a unapproved or vulnerable plugin were to be installed without proper permissions or authorization. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0036 ocil_clause: 'it is not disabled' ocil: |- To verify that plugins cannot be automatically installed, run the following command:
$ grep DisablePluginFinder /etc/chromium/policies/managed/*.json
The output should contain:
"DisablePluginFinder": true,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_background_processing.rule000066400000000000000000000016741327242345500331060ustar00rootroot00000000000000documentation_complete: true title: 'Disable Background Processing' description: |- Chromium can be set to run at all times and process in the background. This should be disabled by setting BackgroundModeEnabled to false in the Chromium policy file. rationale: |- There is two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running and poorly written extensions could cause instability on the system. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0017 ocil_clause: 'it is not disabled' ocil: |- To verify that background processing is disabled, run the following command:
$ grep BackgroundModeEnabled /etc/chromium/policies/managed/*.json
The output should contain:
"BackgroundModeEnabled": false,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_cleartext_passwords.rule000066400000000000000000000015041327242345500326230ustar00rootroot00000000000000documentation_complete: true title: 'Disable Use of Cleartext Passwords' description: "Chromium allows users to import and store passwords in cleartext. This should be \ndisabled by setting PasswordManagerAllowShowPasswords to false\nin the Chromium policy file." rationale: 'Cleartext passwords would allow another individual to see password via shoulder surfing.' severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0010 ocil_clause: 'use of cleartext passwords are not disabled' ocil: |- To verify that the use of cleartext passwords is disabled, run the following command:
$ grep PasswordManagerAllowShowPasswords /etc/chromium/policies/managed/*.json
The output should contain:
"PasswordManagerAllowShowPasswords": false,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_cloud_print_sharing.rule000066400000000000000000000017121327242345500325610ustar00rootroot00000000000000documentation_complete: true title: 'Disable Cloud Print Sharing' description: |- Chromium has cloud sharing capabilities including sharing printers connected to the system. This is done via a proxy. To disable printer sharing, set CloudPrintProxyEnabled to false in the Chromium policy file. rationale: |- Google Chromium has the capability to act as a proxy between Google Cloud Print and legacy printers connected to the machine. Users can then enable the cloud print proxy by authentication with their Google account. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0023 ocil_clause: 'it is not disabled' ocil: |- To verify that the Cloud Print Sharing feature is disabled, run the following command:
$ grep CloudPrintProxyEnabled /etc/chromium/policies/managed/*.json
The output should contain:
"CloudPrintProxyEnabled": false,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_firewall_traversal.rule000066400000000000000000000016211327242345500324130ustar00rootroot00000000000000documentation_complete: true title: 'Disable Chromium''s Ability to Traverse Firewalls' description: "Chromium has the ability to bypass and ignore the system firewall. This\nability should be disabled. To disable this setting, set \nRemoteAccessHostFirewallTraversal to false in the \nChromium policy file." rationale: |- Remote connections should never be allowed to bypass the system firewall as there is no way to verify if they can be trusted. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0001 ocil_clause: 'it is not disabled' ocil: "To verify that Chromium's abililty to traverse the system firewall is \ndisabled, run the following command:\n
$ grep RemoteAccessHostFirewallTraversal /etc/chromium/policies/managed/*.json
\nThe output should contain:\n
\"RemoteAccessHostFirewallTraversal\": false,
" scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_google_sync.rule000066400000000000000000000016021327242345500310320ustar00rootroot00000000000000documentation_complete: true title: 'Disable Data Synchronization to Google' description: 'SyncDisabled to true in the Chromium policy file.' rationale: |- Google Sync is used to sync information between different user devices, this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0020 ocil_clause: 'it is not disabled' ocil: |- To verify that data synchronization is disabled, run the following command:
$ grep SyncDisabled /etc/chromium/policies/managed/*.json
The output should contain:
"SyncDisabled": true,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_incognito_mode.rule000066400000000000000000000017001327242345500315160ustar00rootroot00000000000000documentation_complete: true title: 'Disable Incognito Mode' description: |- Incognito Mode allows users to browse in private which prevents monitoring and validating user browsing habits. This capability should be disabled by setting IncognitoModeAvailability to 1 in the Chromium policy file. rationale: |- Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0030 ocil_clause: 'it is not disabled' ocil: |- To verify that incognito mode is disabled, run the following command:
$ grep IncognitoModeAvailability /etc/chromium/policies/managed/*.json
The output should contain:
"IncognitoModeAvailability": 1,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_metrics_reporting.rule000066400000000000000000000015131327242345500322620ustar00rootroot00000000000000documentation_complete: true title: 'Disable Metrics Reporting' description: "Whenever Chromium crashes, it sends its usage and crash-related data to Google.\nThis should be disabled by setting MetricsReportingEnabled to \nfalse in the Chromium policy file." rationale: |- Anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0026 ocil_clause: 'it is not disabled' ocil: |- To verify that metrics reporting is disabled, run the following command:
$ grep MetricsReportingEnabled /etc/chromium/policies/managed/*.json
The output should contain:
"MetricsReportingEnabled": false,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_network_prediction.rule000066400000000000000000000013341327242345500324350ustar00rootroot00000000000000documentation_complete: true title: 'Disable Network Prediction' description: |- To disable the network prediction feature, set DnsPrefetchingEnabled to false in the Chromium policy file. rationale: |- This controls not only DNS prefetching but also TCP and SSL preconnection and prerendering of web pages. severity: unknown identifiers: cce: "" references: disa: "" nist: "" stigid: DTBC0025 ocil_clause: 'it is not disabled' ocil: |- To verify that network prediction is disabled, run the following command:
$ grep DnsPrefetchingEnabled /etc/chromium/policies/managed/*.json
The output should contain:
"DnsPrefetchingEnabled": false,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_outdated_plugins.rule
documentation_complete: true

title: 'Disable Outdated Plugins'

description: |-
    Outdated plugins should be disabled by setting AllowOutdatedPlugins
    to false in the Chromium policy file.

rationale: |-
    Running outdated plugins could lead to system compromise through the use
    of known exploits. Having plugins updated to the most current version
    ensures the smallest attack surface possible.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0013

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that outdated plugins are disabled, run the following command:
    $ grep AllowOutdatedPlugins /etc/chromium/policies/managed/*.json
    The output should contain:
    "AllowOutdatedPlugins": false,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_password_manager.rule
documentation_complete: true

title: 'Disable Chromium Password Manager'

description: |-
    Chromium Password Manager allows the saving and using of passwords in Chromium. This
    should be disabled by setting PasswordManagerEnabled to false in
    the Chromium policy file.

rationale: |-
    Enables saving passwords and using saved passwords in Google Chromium.
    Malicious sites may take advantage of this feature by using hidden fields
    to gain access to the stored information.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0011

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that the use of Password Manager is disabled, run the following command:
    $ grep PasswordManagerEnabled /etc/chromium/policies/managed/*.json
    The output should contain:
    "PasswordManagerEnabled": false,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_plugin_blacklist.rule
documentation_complete: true

title: 'Disable All Plugins by Default'

description: |-
    Plugins are developed internally or by third party sources and are designed to extend
    Google Chromium's functionality. All plugins should be blacklisted from
    installation by default. To blacklist all plugins set DisabledPlugins
    to * in the Chromium policy file.

rationale: |-
    Plugins can access almost anything on a system and users can enable or install
    them at will. This means they pose a high risk to any system that would allow
    all plugins to be installed by default.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0034

ocil_clause: 'they are not disabled'

ocil: |-
    To verify that all plugins are blacklisted, run the following command:
    $ grep DisabledPlugins /etc/chromium/policies/managed/*.json
    The output should contain:
    "DisabledPlugins": ["*"],
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_popups.rule
documentation_complete: true

title: 'Disable Popups'

description: |-
    Chromium allows you to manage whether or not unwanted pop-up windows appear.
    To disable pop-ups, set DefaultPopupsSetting to 2
    in the Chromium policy file.

rationale: |-
    Pop-up windows should be disabled to prevent malicious websites from controlling
    pop-up windows or fooling users into clicking on the wrong window.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0004

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that pop-ups are disabled, run the following command:
    $ grep DefaultPopupsSetting /etc/chromium/policies/managed/*.json
    The output should contain:
    "DefaultPopupsSetting": 2,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_protocol_schemas.rule
documentation_complete: true

title: 'Disable Insecure And Obsolete Protocol Schemas'

description: |-
    Each access to a URL is handled by the browser according to the URL's "scheme".
    The "scheme" of a URL is the section before the ":". The term "protocol" is
    often mistakenly used for a "scheme". The difference is that the scheme is how
    the browser handles a URL and the protocol is how the browser communicates with
    a service. To disable insecure and obsolete protocol schemas, set URLBlacklist
    to  in the Chromium policy file.

rationale: |-
    If a scheme or its associated protocol used by a browser is insecure or obsolete,
    vulnerabilities can be exploited resulting in exposed data or unrestricted access
    to the browser's system.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0021

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that insecure and obsolete protocol schemas are blacklisted, run the following command:
    $ grep URLBlacklist /etc/chromium/policies/managed/*.json
    The output should contain:
    "URLBlacklist": [""],
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_saved_passwords.rule
documentation_complete: true

title: 'Disable Saved Passwords'

description: |-
    Disable the import of saved passwords by setting ImportSavedPasswords
    to false in the Chromium policy file.

rationale: |-
    Importing of saved passwords should be disabled as it could allow unencrypted
    account passwords stored on the system by another browser to be viewed.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0029

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that importing passwords is disabled, run the following command:
    $ grep ImportSavedPasswords /etc/chromium/policies/managed/*.json
    The output should contain:
    "ImportSavedPasswords": false,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_search_suggestions.rule
documentation_complete: true

title: 'Disable Search Suggestion'

description: |-
    Chromium tries to guess what users are searching for when users enter
    search data in the search Omnibox. This should be disabled by
    setting SearchSuggestEnabled to false in the Chromium
    policy file.

rationale: |-
    Search suggestion should be disabled as it could lead to searches being
    conducted that were never intended to be made.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0027

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that search suggestion is disabled, run the following command:
    $ grep SearchSuggestEnabled /etc/chromium/policies/managed/*.json
    The output should contain:
    "SearchSuggestEnabled": false,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_session_cookies.rule
documentation_complete: true

title: 'Disable Session Cookies'

description: |-
    To disable session-only cookies for sites, set CookiesSessionOnlyForUrls
    to none in the Chromium policy file.

rationale: |-
    Cookies should only be allowed per session and only for approved URLs as
    permanently stored cookies can be used for malicious intent.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0045

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that session cookies for approved sites only are enabled, run the following command:
    $ grep CookiesSessionOnlyForUrls /etc/chromium/policies/managed/*.json
    The output should contain:
    "CookiesSessionOnlyForUrls": ["none"],
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disable_thirdparty_cookies.rule
documentation_complete: true

title: 'Disable 3rd Party Cookies'

description: |-
    Third party cookies should be disabled. To disable third party cookies,
    set BlockThirdPartyCookies to true in the Chromium policy file.

rationale: |-
    Third party cookies are cookies which can be set by web page elements that are
    not from the domain that is in the browser's address bar. Blocking them prevents
    cookies from being set by web page elements that are not from the domain that
    is in the browser's address bar.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0015

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that third party cookies are disabled, run the following command:
    $ grep BlockThirdPartyCookies /etc/chromium/policies/managed/*.json
    The output should contain:
    "BlockThirdPartyCookies": true,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_disallow_location_tracking.rule
documentation_complete: true

title: 'Disable Location Tracking'

description: |-
    Location tracking is enabled by default and can track user's browsing habits.
    Location tracking should be disabled by setting DefaultGeolocationSetting
    to 2 in the Chromium policy file.

rationale: |-
    Website tracking is the practice of gathering information as to which websites
    were accessed by a browser. The common method of doing this is to have a website
    create a tracking cookie on the browser. If the information of what sites are
    being accessed is made available to unauthorized persons, this violates
    confidentiality requirements, and over time poses a significant OPSEC issue.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0002

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that location tracking is disabled, run the following command:
    $ grep DefaultGeolocationSetting /etc/chromium/policies/managed/*.json
    The output should contain:
    "DefaultGeolocationSetting": 2,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_enable_approved_plugins.rule
documentation_complete: true

title: 'Enable Only Approved Plugins'

description: |-
    An organization might need to use internal or third party developed plugins.
    Any organizationally approved plugin should be enabled. To enable approved
    plugins, set EnabledPlugins to the list of organizationally approved plugins
    in the Chromium policy file.

rationale: |-
    The whitelist should only contain organizationally approved plugins. This is
    to prevent a user from accidentally whitelisting a malicious plugin.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0035

ocil_clause: 'no plugins exist or it is not set to none'

ocil: |-
    To verify that approved plugins are set, run the following command:
    $ grep EnabledPlugins /etc/chromium/policies/managed/*.json
    The output should contain:
    "EnabledPlugins": ["approved_plugin1", "approved_plugin2"],
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_enable_browser_history.rule
documentation_complete: true

title: 'Enable Saving the Browser History'

description: |-
    Users can enable or disable the saving of browser history in Chromium.
    Browser history should be retained by setting SavingBrowserHistoryDisabled
    to false in the Chromium policy file.

rationale: 'Best practice requires that browser history is retained.'

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0039

ocil_clause: 'it is not enabled'

ocil: |-
    To verify that saving the browser history is enabled, run the following command:
    $ grep SavingBrowserHistoryDisabled /etc/chromium/policies/managed/*.json
    The output should contain:
    "SavingBrowserHistoryDisabled": false,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_enable_encrypted_searching.rule
documentation_complete: true

title: 'Enable Encrypted Searching'

description: |-
    Specifies the URL of the search engine used when doing a default search.
    The URL should contain the string {searchTerms}. To set the URL of the
    search engine, set DefaultSearchProviderSearchURL to  in the
    Chromium policy file.

rationale: 'When doing internet searches, it is important to use an encrypted connection via https.'

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0008

ocil_clause: 'it is not set'

ocil: |-
    To verify that the URL of the search engine is set, run the following command:
    $ grep DefaultSearchProviderSearchURL /etc/chromium/policies/managed/*.json
    The output should contain:
    "DefaultSearchProviderSearchURL": "",
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_enable_safe_browsing.rule
documentation_complete: true

title: 'Enable the Safe Browsing Feature'

description: |-
    Chromium has the capability to check URLs for known malware and phishing
    associated with websites through the Safe Browsing Feature. This can be
    enabled by setting SafeBrowsingEnabled to true in the Chromium
    policy file.

rationale: |-
    Safe browsing uses a signature database to test sites when they are loaded
    to ensure that sites do not contain any known malware.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0038

ocil_clause: 'it is not enabled'

ocil: |-
    To verify that the safe browsing feature is enabled, run the following command:
    $ grep SafeBrowsingEnabled /etc/chromium/policies/managed/*.json
    The output should contain:
    "SafeBrowsingEnabled": true,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_extension_whitelist.rule
documentation_complete: true

title: 'Enable Only Approved Extensions'

description: |-
    An organization might need to use an internal or third party developed
    extension. Any organizationally approved extension should be enabled.
    To enable approved extensions, set ExtensionInstallWhitelist to  in the
    Chromium policy file. If there are no approved extensions,
    ExtensionInstallWhitelist should be set to .

rationale: |-
    The whitelist should only contain organizationally approved extensions. This is
    to prevent a user from accidentally whitelisting a malicious extension.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0003

ocil_clause: 'approved extensions are not set'

ocil: |-
    To verify that approved extensions are whitelisted, run the following command:
    $ grep ExtensionInstallWhitelist /etc/chromium/policies/managed/*.json
    The output should contain:
    "ExtensionInstallWhitelist": [""],
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_http_authentication.rule
documentation_complete: true

title: 'Set Chromium''s HTTP Authentication Scheme'

description: |-
    To set the default Chromium's HTTP Authentication Scheme, set
    AuthSchemes to  in the
    Chromium policy file.

rationale: 'Specifies which HTTP Authentication schemes are supported by Google Chromium.'

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0012

ocil_clause: 'it is not set'

ocil: |-
    To verify that the HTTP Authentication Scheme is set, run the following command:
    $ grep AuthSchemes /etc/chromium/policies/managed/*.json
    The output should contain:
    "AuthSchemes": "",
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_plugins_require_authorization.rule
documentation_complete: true

title: 'Require Outdated Plugins to be Authorized'

description: |-
    Chromium should prompt users for authorization to run outdated plugins.
    This can be enabled by setting AlwaysAuthorizePlugins to false
    in the Chromium policy file.

rationale: |-
    Outdated plugins can compromise security and should request authorization
    from the user before running.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0014

ocil_clause: 'it is not set'

ocil: |-
    To verify that plugins require authorization to run, run the following command:
    $ grep AlwaysAuthorizePlugins /etc/chromium/policies/managed/*.json
    The output should contain:
    "AlwaysAuthorizePlugins": false,
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_policy_file.rule
documentation_complete: true

title: 'Ensure the Chromium Policy Configuration File Exists'

description: |-
    Chromium can be configured with numerous policies and settings. These
    settings can be set so that a user is unable to edit or change them.
    To prevent users from setting or changing Chromium settings, a
    JavaScript Object Notation (JSON) file (contains the .json
    extension) must exist in /etc/chromium/policies/managed.

    • Refer to https://www.chromium.org/administrators/policy-list-3 for
      a list of currently supported Chromium policies.
    • Refer to https://www.chromium.org/administrators/policy_templates for
      pre-created Chromium JSON policy files.

rationale: |-
    The Chromium policy file must exist as this file contains configuration
    settings set by the System's Administrator to meet organization and/or
    security requirements.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: ""

ocil_clause: 'it does not exist or is not configured correctly'

ocil: |-
    To verify that the Chromium policy file exists, run the following command:
    $ ls /etc/chromium/policies/managed
    The output should show file(s) ending in .json extension. For example:
    chrome-stig-policy.json
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_trusted_home_page.rule
documentation_complete: true

title: 'Set the Default Home Page'

description: |-
    When a browser is started the first web page displayed is the "home page".
    While the home page can be selected by the user, the default home page
    needs to be defined to display an approved page. To set the default home
    page, set HomepageLocation to  in the Chromium policy file.

rationale: |-
    If no home page is defined then there is a possibility that a URL to a
    malicious site may be used as a home page which could effectively cause
    a denial of service to the browser.

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0048

ocil_clause: 'it is not set correctly'

ocil: |-
    To verify that the default home page is set, run the following command:
    $ grep HomepageLocation /etc/chromium/policies/managed/*.json
    The output should contain:
    "HomepageLocation": "",
scap-security-guide-0.1.39/chromium/guide/chromium/chromium_whitelist_plugin_urls.rule
documentation_complete: true

title: 'Enable Plugins for Only Approved URLs'

description: |-
    In some cases, plugins utilized by organizationally approved websites may be
    allowed to be used by those websites. Configure the approved URLs allowed to
    run plugins by setting PluginsAllowedForUrls to organizationally approved
    URLs in the Chromium policy file. If there are no approved URLs, this should
    be set to none.

rationale: 'Only approved plugins for approved sites should be allowed to be utilized.'

severity: unknown

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    stigid: DTBC0051

ocil_clause: 'no urls exist or it is not set to none'

ocil: |-
    To verify that plugins are allowed for only approved URLs,
    run the following command:
    $ grep PluginsAllowedForUrls /etc/chromium/policies/managed/*.json
    The output should contain:
    "PluginsAllowedForUrls": ["[*.]mil", "[*.]example.com", "www.example.com"],

scap-security-guide-0.1.39/chromium/guide/chromium/var_auth_schema.var
documentation_complete: true

title: 'Chromium HTTP Authentication Setting'

description: 'Chromium HTTP Authentication Types'

type: string

operator:

interactive: false

options:
    all: basic,digest,ntlm,negotiate
    basic: basic
    default: negotiate
    digest: digest
    negotiate: negotiate
    ntlm: ntlm

scap-security-guide-0.1.39/chromium/guide/chromium/var_default_search_provider_name.var
documentation_complete: true

title: 'The Default Search provider in Chromium'

description: 'The URL for the Default Search provider in Chromium'

type: string

operator:

interactive: false

options:
    bing: https://www.bing.com
    default: https://www.google.com
    google: https://www.google.com
    yahoo: https://www.yahoo.com

scap-security-guide-0.1.39/chromium/guide/chromium/var_enable_encrypted_searching.var
documentation_complete: true

title: 'Encrypted Chromium Search URLs'

description: 'Encrypted search URL for the Default Search Provider'

type: string

operator:

interactive: false

options:
    bing: https://www.bing.com/search?q={searchTerms}
    default: https://www.google.com/#q={searchTerms}
    google: https://www.google.com/#q={searchTerms}
    yahoo: https://www.yahoo.com/search?q={searchTerms}

scap-security-guide-0.1.39/chromium/guide/chromium/var_extension_whitelist.var
documentation_complete: true

title: 'Whitelisted Chromium Extensions'

description: 'Chromium extensions approved for use'

type: string

operator:

interactive: false

options:
    default: oiigbmnaadbkfbmpbfijlflahbdbdgdf
    none: oiigbmnaadbkfbmpbfijlflahbdbdgdf
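The rule files above each grep one key out of /etc/chromium/policies/managed/*.json. The following is an added example, not code from scap-security-guide, that merges those JSON files the way Chromium reads them and evaluates every rule whose expected value the page states; it takes the unspecified values (search URL, auth scheme, home page, extension id, blacklisted scheme) from the profile's variable defaults, and the function names and sample policy are this example's own.

```python
"""Added example (not code from scap-security-guide): evaluate a Chromium
managed-policy directory against the values the rule files above expect.
Policy keys and expected values are taken from the rules and from the
profile's variable defaults; the helper names here are this example's own."""
import glob
import json
import os
from typing import Any, Callable, Dict, List, Tuple


def _https_search_url(v: Any) -> bool:
    # chromium_enable_encrypted_searching: https URL that carries {searchTerms}
    return isinstance(v, str) and v.startswith("https://") and "{searchTerms}" in v


def _nonempty_str_list(v: Any) -> bool:
    # chromium_extension_whitelist: at least one approved extension id
    return isinstance(v, list) and len(v) > 0 and all(isinstance(x, str) and x for x in v)


# rule id -> (policy key, predicate over the key's value); a missing key fails.
EXPECTATIONS: Dict[str, Tuple[str, Callable[[Any], bool]]] = {
    "chromium_disable_metrics_reporting": ("MetricsReportingEnabled", lambda v: v is False),
    "chromium_disable_network_prediction": ("DnsPrefetchingEnabled", lambda v: v is False),
    "chromium_disable_outdated_plugins": ("AllowOutdatedPlugins", lambda v: v is False),
    "chromium_disable_password_manager": ("PasswordManagerEnabled", lambda v: v is False),
    "chromium_disable_plugin_blacklist": ("DisabledPlugins", lambda v: v == ["*"]),
    "chromium_disable_popups": ("DefaultPopupsSetting", lambda v: v == 2),
    # var_url_blacklist default: the javascript scheme must be among the blocked URLs
    "chromium_disable_protocol_schemas": ("URLBlacklist", lambda v: isinstance(v, list) and "javascript://*" in v),
    "chromium_disable_saved_passwords": ("ImportSavedPasswords", lambda v: v is False),
    "chromium_disable_search_suggestions": ("SearchSuggestEnabled", lambda v: v is False),
    "chromium_disable_session_cookies": ("CookiesSessionOnlyForUrls", lambda v: v == ["none"]),
    "chromium_disable_thirdparty_cookies": ("BlockThirdPartyCookies", lambda v: v is True),
    "chromium_disallow_location_tracking": ("DefaultGeolocationSetting", lambda v: v == 2),
    "chromium_enable_browser_history": ("SavingBrowserHistoryDisabled", lambda v: v is False),
    "chromium_enable_encrypted_searching": ("DefaultSearchProviderSearchURL", _https_search_url),
    "chromium_enable_safe_browsing": ("SafeBrowsingEnabled", lambda v: v is True),
    "chromium_extension_whitelist": ("ExtensionInstallWhitelist", _nonempty_str_list),
    # var_auth_schema default, as selected by the upstream STIG profile
    "chromium_http_authentication": ("AuthSchemes", lambda v: v == "negotiate"),
    "chromium_plugins_require_authorization": ("AlwaysAuthorizePlugins", lambda v: v is False),
    "chromium_trusted_home_page": ("HomepageLocation", lambda v: isinstance(v, str) and v != ""),
}


def load_managed_policies(policy_dir: str = "/etc/chromium/policies/managed") -> Dict[str, Any]:
    """Merge every *.json file in the managed policy directory into one mapping
    (the same files the rules' OCIL checks grep). Later files win on conflicts."""
    merged: Dict[str, Any] = {}
    for path in sorted(glob.glob(os.path.join(policy_dir, "*.json"))):
        with open(path, encoding="utf-8") as fh:
            merged.update(json.load(fh))
    return merged


def evaluate(policy: Dict[str, Any]) -> Dict[str, bool]:
    """Return {rule_id: passed} for every rule in EXPECTATIONS."""
    results: Dict[str, bool] = {}
    for rule_id, (key, predicate) in EXPECTATIONS.items():
        try:
            results[rule_id] = key in policy and bool(predicate(policy[key]))
        except (TypeError, AttributeError):  # value of an unexpected shape
            results[rule_id] = False
    return results


def failing_rules(policy: Dict[str, Any]) -> List[str]:
    """Sorted ids of the rules the policy does not satisfy."""
    return sorted(rule for rule, ok in evaluate(policy).items() if not ok)


# Constructed sample policy file using the profile's defaults (google,
# negotiate, about:blank, the whitelisted extension id, javascript://*).
SAMPLE_POLICY_JSON = """{
  "MetricsReportingEnabled": false, "DnsPrefetchingEnabled": false,
  "AllowOutdatedPlugins": false, "PasswordManagerEnabled": false,
  "DisabledPlugins": ["*"], "DefaultPopupsSetting": 2,
  "URLBlacklist": ["javascript://*"], "ImportSavedPasswords": false,
  "SearchSuggestEnabled": false, "CookiesSessionOnlyForUrls": ["none"],
  "BlockThirdPartyCookies": true, "DefaultGeolocationSetting": 2,
  "SavingBrowserHistoryDisabled": false,
  "DefaultSearchProviderSearchURL": "https://www.google.com/#q={searchTerms}",
  "SafeBrowsingEnabled": true,
  "ExtensionInstallWhitelist": ["oiigbmnaadbkfbmpbfijlflahbdbdgdf"],
  "AuthSchemes": "negotiate", "AlwaysAuthorizePlugins": false,
  "HomepageLocation": "about:blank"
}"""


def sample_policy() -> Dict[str, Any]:
    """Parse the constructed sample exactly as a managed policy file would be."""
    return json.loads(SAMPLE_POLICY_JSON)


if __name__ == "__main__":
    import sys
    policy = load_managed_policies(sys.argv[1]) if len(sys.argv) > 1 else sample_policy()
    for rule_id, ok in sorted(evaluate(policy).items()):
        print(("pass" if ok else "FAIL"), rule_id)
```

Run it with the managed policy directory as the first argument to evaluate a real host; without an argument it evaluates the constructed sample.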
scap-security-guide-0.1.39/chromium/guide/chromium/var_trusted_home_page.var
documentation_complete: true

title: 'Default Chromium Homepage'

description: 'Default homepage for Chromium users'

type: string

operator:

interactive: false

options:
    blank: about:blank
    default: about:blank

scap-security-guide-0.1.39/chromium/guide/chromium/var_url_blacklist.var
documentation_complete: true

title: 'Blacklisted Chromium Protocols'

description: 'Blacklisted Protocol Schemas in Chromium'

type: string

operator:

interactive: false

options:
    default: javascript://*
    javascript: javascript://*

scap-security-guide-0.1.39/chromium/guide/guide.benchmark
---
documentation_complete: true

title: Guide to the Secure Configuration of 

status: draft

description: |
    This guide presents a catalog of security-relevant configuration settings for .
    It is a rendering of content structured in the eXtensible Configuration Checklist
    Description Format (XCCDF) in order to support security automation. The SCAP content
    is available in the scap-security-guide package which is developed at .

    Providing system administrators with such guidance informs them how to securely
    configure systems under their control in a variety of network roles. Policy makers
    and baseline creators can use this catalog of settings, with its associated references
    to higher-level security control catalogs, in order to assist them in security baseline
    creation. This guide is a catalog, not a checklist, and satisfaction of every item is
    not likely to be possible or sensible in many operational scenarios. However, the XCCDF
    format enables granular selection and adjustment of settings, and their association
    with OVAL and OCIL content provides an automated checking capability. Transformations
    of this document, and its associated automated checking content, are capable of
    providing baselines that meet a diverse set of policy objectives. Some example XCCDF
    Profiles, which are selections of items that form checklists and can be used as
    baselines, are available with this guide. They can be processed, in an automated
    fashion, with tools that support the Security Content Automation Protocol (SCAP).
    The DISA STIG for , which provides required settings for US Department of Defense
    systems, is one example of a baseline created from this guidance.

notice:
    id: terms_of_use
    description: |
        Do not attempt to implement any of the settings in this guide without first
        testing them in a non-operational environment. The creators of this guidance
        assume no responsibility whatsoever for its use by other parties, and make no
        guarantees, expressed or implied, about its quality, reliability, or any other
        characteristic.

front-matter: |
    The SCAP Security Guide Project
rear-matter: |
    Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks
    of Red Hat, Inc. in the United States and other countries. All other names are
    registered trademarks or trademarks of their respective companies.

cpes:
    - version: 0.9

scap-security-guide-0.1.39/chromium/overlays/
scap-security-guide-0.1.39/chromium/overlays/stig_overlay.xml
(XML markup was lost in extraction; only the overlay entry titles survive, in order)
Firewall traversal from remote host must be disabled.
Sites ability for showing desktop notifications must be disabled.
Sites ability to show pop-ups must be disabled.
Site tracking users location must be disabled.
Extensions installation must be blacklisted by default.
Extensions that are approved for use must be whitelisted.
The default search providers name must be set.
The default search provider URL must be set to perform encrypted searches.
Default search provider must be enabled.
Use of cleartext passwords in Password Manager must be disabled.
The Password Manager must be disabled.
The HTTP Authentication must be set to negotiate.
The running of outdated plugins must be disabled.
Plugins requiring authorization must ask for user permission.
Third party cookies must be blocked.
Background processing must be disabled.
3D Graphics APIs must be disabled.
Google Data Synchronization must be disabled.
The URL protocol schema javascript must be disabled.
Autofill must be disabled.
Cloud print must be disabled.
Network prediction must be disabled.
Metrics reporting to Google must be disabled.
Search suggestions must be disabled.
Importing of saved passwords must be disabled.
Metrics reporting to Google must be disabled.
Plugins must be disabled by default.
Plugins approved for use must be enabled.
Automated installation of missing plugins must be disabled.
Online revocation checks must be done.
Safe Browsing must be enabled.
Browser history must be saved.
Default behavior must block webpages from automatically running plugins.
Session only based cookies must be disabled.
The home page must be set to a trusted site.
URLs must be whitelisted for plugin use.

scap-security-guide-0.1.39/chromium/product.yml
product: chromium
benchmark_root: "./guide"
profiles_root: "./profiles"

scap-security-guide-0.1.39/chromium/profiles/
scap-security-guide-0.1.39/chromium/profiles/stig-chromium-upstream.profile
documentation_complete: true

title: 'Upstream STIG for Google Chromium'

description: |-
    This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process,
    serving as the upstream development environment for the Google Chromium STIG.

    As a result of the upstream/downstream relationship between the SCAP Security Guide project
    and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO
    content. For official DISA FSO STIG content, refer to
    http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx.

    While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please
    note that commercial support of this SCAP content is NOT available. This profile is provided
    as example SCAP content with no endorsement for suitability or production readiness. Support
    for this profile is provided by the upstream SCAP Security Guide community on a best-effort
    basis. The upstream project homepage is
    https://www.open-scap.org/security-policies/scap-security-guide/.

selections:
    - var_default_search_provider_name=google
    - var_url_blacklist=javascript
    - var_enable_encrypted_searching=google
    - var_extension_whitelist=none
    - var_auth_schema=negotiate
    - var_trusted_home_page=blank
    - chromium_policy_file
    - chromium_disable_firewall_traversal
    - chromium_block_desktop_notifications
    - chromium_disable_popups
    - chromium_disallow_location_tracking
    - chromium_blacklist_extension_installation
    - chromium_extension_whitelist
    - chromium_default_search_provider_name
    - chromium_enable_encrypted_searching
    - chromium_default_search_provider
    - chromium_disable_cleartext_passwords
    - chromium_disable_password_manager
    - chromium_http_authentication
    - chromium_disable_outdated_plugins
    - chromium_plugins_require_authorization
    - chromium_disable_thirdparty_cookies
    - chromium_disable_background_processing
    - chromium_disable_3d_graphics_api
    - chromium_disable_google_sync
    - chromium_disable_protocol_schemas
    - chromium_disable_autocomplete
    - chromium_disable_cloud_print_sharing
    - chromium_disable_network_prediction
    - chromium_disable_metrics_reporting
    - chromium_disable_search_suggestions
    - chromium_disable_saved_passwords
    - chromium_disable_incognito_mode
    - chromium_disable_plugin_blacklist
    - chromium_enable_approved_plugins
    - chromium_disable_automatic_installation
    - chromium_check_cert_revocation
    - chromium_enable_safe_browsing
    - chromium_enable_browser_history
    - chromium_default_block_plugins
    - chromium_disable_session_cookies
    - chromium_trusted_home_page
    - chromium_whitelist_plugin_urls

scap-security-guide-0.1.39/chromium/transforms/
scap-security-guide-0.1.39/chromium/transforms/cci2html.xsl
(XSLT markup was lost in extraction; no text content survives)

scap-security-guide-0.1.39/chromium/transforms/constants.xslt
(XSLT markup was lost in extraction; only the text content of the constants survives)
Google Chromium Chromium CHROMIUM_STIG chromium empty CHROMIUM cpe:/a:google:chromium-browser DISA FSO

scap-security-guide-0.1.39/chromium/transforms/shorthand2xccdf.xslt
(XSLT markup was lost in extraction; only the text content survives)
unknown unlinked-chromium-oval.xml

scap-security-guide-0.1.39/chromium/transforms/table-add-srgitems.xslt
scap-security-guide-0.1.39/chromium/transforms/table-sortbyref.xslt
scap-security-guide-0.1.39/chromium/transforms/table-srgmap.xslt
scap-security-guide-0.1.39/chromium/transforms/table-style.xslt
scap-security-guide-0.1.39/chromium/transforms/xccdf-apply-overlay-stig.xslt
(XSLT markup of the five files above was lost in extraction; no text content survives)

scap-security-guide-0.1.39/chromium/transforms/xccdf2csv-stig.py
#!/usr/bin/env python2
import sys

# always use shared/modules version
SHARED_MODULE_PATH = "../../shared/modules"
sys.path.insert(0, SHARED_MODULE_PATH)

import xccdf2csv_stig_module

if __name__ == "__main__":
    xccdf2csv_stig_module.main()

scap-security-guide-0.1.39/chromium/transforms/xccdf2stigformat.xslt
scap-security-guide-0.1.39/chromium/transforms/xccdf2table-byref.xslt
scap-security-guide-0.1.39/chromium/transforms/xccdf2table-cce.xslt
scap-security-guide-0.1.39/chromium/transforms/xccdf2table-profileccirefs.xslt
(XSLT markup of the four files above was lost in extraction; no text content survives)
File: scap-security-guide-0.1.39/chromium/transforms/xccdf2table-profilecisrefs.xslt

File: scap-security-guide-0.1.39/chromium/transforms/xccdf2table-profilenistrefs.xslt

File: scap-security-guide-0.1.39/chromium/transforms/xccdf2table-stig.xslt

Directory: scap-security-guide-0.1.39/cmake/

File: scap-security-guide-0.1.39/cmake/Copyright.txt

CMake - Cross Platform Makefile Generator
Copyright 2000-2016 Kitware, Inc.
Copyright 2000-2011 Insight Software Consortium
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the names of Kitware, Inc., the Insight Software Consortium, nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

------------------------------------------------------------------------------

The above copyright and license notice applies to distributions of CMake in source and binary form. Some source files contain additional notices of original copyright by their contributors; see each source for details.

Third-party software packages supplied with CMake under compatible licenses provide their own copyright notices documented in corresponding subdirectories.

------------------------------------------------------------------------------

CMake was initially developed by Kitware with the following sponsorship:

* National Library of Medicine at the National Institutes of Health as part of the Insight Segmentation and Registration Toolkit (ITK).

* US National Labs (Los Alamos, Livermore, Sandia) ASC Parallel Visualization Initiative.

* National Alliance for Medical Image Computing (NAMIC) is funded by the National Institutes of Health through the NIH Roadmap for Medical Research, Grant U54 EB005149.

* Kitware, Inc.
File: scap-security-guide-0.1.39/cmake/FindOpenSCAP.cmake

```cmake
set(OPENSCAP_POSSIBLE_ROOT_DIRS
    "${OPENSCAP_ROOT_DIR}"
    "$ENV{OPENSCAP_ROOT_DIR}"
    "$ENV{ProgramFiles}"
    "/usr"
    "/usr/bin"
    "/usr/sbin"
    "/usr/local"
    "/usr/share/"
    "/usr/local/share"
    "/opt"
    "/opt/local"
)

foreach(NAME ${OPENSCAP_POSSIBLE_ROOT_DIRS})
    FIND_FILE(OPENSCAP_XCCDF_XSL_1_2
        NAMES xccdf_1.1_to_1.2.xsl
        PATHS "${NAME}"
        PATH_SUFFIXES "share/openscap/xsl/"
    )
endforeach()

foreach(NAME ${OPENSCAP_POSSIBLE_ROOT_DIRS})
    FIND_PROGRAM(OPENSCAP_OSCAP_EXECUTABLE
        NAMES oscap
        PATHS "${NAME}"
        PATH_SUFFIXES "bin/"
    )
endforeach()

if (NOT EXISTS "${OPENSCAP_XCCDF_XSL_1_2}")
    MESSAGE(SEND_ERROR "ERROR: The OPENSCAP XSL XCCDF file was not found. Please specify the OPENSCAP ROOT DIR with the OPENSCAP_ROOT_DIR environment variable.")
endif()

if (NOT EXISTS "${OPENSCAP_OSCAP_EXECUTABLE}")
    MESSAGE(SEND_ERROR "ERROR: The OPENSCAP executable was not found. Please specify the OPENSCAP ROOT DIR with the OPENSCAP_ROOT_DIR environment variable.")
endif()

execute_process(
    COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" --v
    OUTPUT_VARIABLE OSCAP_V_OUTPUT
)

if("${OSCAP_V_OUTPUT}" MATCHES "^OpenSCAP command line tool \\(oscap\\) ([0-9\\.]+)")
    set(OSCAP_VERSION "${CMAKE_MATCH_1}")
else()
    set(OSCAP_VERSION "unknown")
endif()
```

File: scap-security-guide-0.1.39/cmake/FindPythonModule.cmake

```cmake
# Find if a Python module is installed
# Found at http://www.cmake.org/pipermail/cmake/2011-January/041666.html
# To use do: find_python_module(PyQt4 REQUIRED)
function(find_python_module module)
    string(TOUPPER ${module} module_upper)
    if(NOT PY_${module_upper})
        if(ARGC GREATER 1 AND ARGV1 STREQUAL "REQUIRED")
            set(PY_${module}_FIND_REQUIRED TRUE)
        endif()
        # A module's location is usually a directory, but for binary modules
        # it's a .so file.
        execute_process(COMMAND "${PYTHON_EXECUTABLE}" "-c"
            "import re, ${module}; print(re.compile('/__init__.py.*').sub('',${module}.__file__))"
            RESULT_VARIABLE _${module}_status
            OUTPUT_VARIABLE _${module}_location
            ERROR_QUIET OUTPUT_STRIP_TRAILING_WHITESPACE)
        if(NOT _${module}_status)
            set(PY_${module_upper} ${_${module}_location} CACHE STRING
                "Location of Python module ${module}")
        endif(NOT _${module}_status)
    endif(NOT PY_${module_upper})
    find_package_handle_standard_args(PY_${module} DEFAULT_MSG PY_${module_upper})
endfunction(find_python_module)
```

File: scap-security-guide-0.1.39/cmake/GNUInstallDirs.cmake

```cmake
# - Define GNU standard installation directories
# Provides install directory variables as defined for GNU software:
#  http://www.gnu.org/prep/standards/html_node/Directory-Variables.html
# Inclusion of this module defines the following variables:
#  CMAKE_INSTALL_<dir>      - destination for files of a given type
#  CMAKE_INSTALL_FULL_<dir> - corresponding absolute path
# where <dir> is one of:
#  BINDIR           - user executables (bin)
#  SBINDIR          - system admin executables (sbin)
#  LIBEXECDIR       - program executables (libexec)
#  SYSCONFDIR       - read-only single-machine data (etc)
#  SHAREDSTATEDIR   - modifiable architecture-independent data (com)
#  LOCALSTATEDIR    - modifiable single-machine data (var)
#  LIBDIR           - object code libraries (lib or lib64 or lib/<multiarch-tuple> on Debian)
#  INCLUDEDIR       - C header files (include)
#  OLDINCLUDEDIR    - C header files for non-gcc (/usr/include)
#  DATAROOTDIR      - read-only architecture-independent data root (share)
#  DATADIR          - read-only architecture-independent data (DATAROOTDIR)
#  INFODIR          - info documentation (DATAROOTDIR/info)
#  LOCALEDIR        - locale-dependent data (DATAROOTDIR/locale)
#  MANDIR           - man documentation (DATAROOTDIR/man)
#  DOCDIR           - documentation root (DATAROOTDIR/doc/PROJECT_NAME)
# Each CMAKE_INSTALL_<dir> value may be passed to the DESTINATION options of
# install() commands for the corresponding file type.  If the includer does
# not define a value the above-shown default will be used and the value will
# appear in the cache for editing by the user.
# Each CMAKE_INSTALL_FULL_<dir> value contains an absolute path constructed
# from the corresponding destination by prepending (if necessary) the value
# of CMAKE_INSTALL_PREFIX.

#=============================================================================
# Copyright 2011 Nikita Krupen'ko
# Copyright 2011 Kitware, Inc.
#
# Distributed under the OSI-approved BSD License (the "License");
# see accompanying file Copyright.txt for details.
#
# This software is distributed WITHOUT ANY WARRANTY; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the License for more information.
#=============================================================================
# (To distribute this file outside of CMake, substitute the full
#  License text for the above reference.)

# Installation directories
#
if(NOT DEFINED CMAKE_INSTALL_BINDIR)
  set(CMAKE_INSTALL_BINDIR "bin" CACHE PATH "user executables (bin)")
endif()

if(NOT DEFINED CMAKE_INSTALL_SBINDIR)
  set(CMAKE_INSTALL_SBINDIR "sbin" CACHE PATH "system admin executables (sbin)")
endif()

if(NOT DEFINED CMAKE_INSTALL_LIBEXECDIR)
  set(CMAKE_INSTALL_LIBEXECDIR "libexec" CACHE PATH "program executables (libexec)")
endif()

if(NOT DEFINED CMAKE_INSTALL_SYSCONFDIR)
  set(CMAKE_INSTALL_SYSCONFDIR "etc" CACHE PATH "read-only single-machine data (etc)")
endif()

if(NOT DEFINED CMAKE_INSTALL_SHAREDSTATEDIR)
  set(CMAKE_INSTALL_SHAREDSTATEDIR "com" CACHE PATH "modifiable architecture-independent data (com)")
endif()

if(NOT DEFINED CMAKE_INSTALL_LOCALSTATEDIR)
  set(CMAKE_INSTALL_LOCALSTATEDIR "var" CACHE PATH "modifiable single-machine data (var)")
endif()

if(NOT DEFINED CMAKE_INSTALL_LIBDIR)
  set(_LIBDIR_DEFAULT "lib")
  # Override this default 'lib' with 'lib64' iff:
  #  - we are on Linux system but NOT cross-compiling
  #  - we are NOT on debian
  #  - we are on a 64 bits system
  # reason is: amd64 ABI: http://www.x86-64.org/documentation/abi.pdf
  # For Debian with multiarch, use 'lib/${CMAKE_LIBRARY_ARCHITECTURE}' if
  # CMAKE_LIBRARY_ARCHITECTURE is set (which contains e.g. "i386-linux-gnu"
  # See http://wiki.debian.org/Multiarch
  if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT CMAKE_CROSSCOMPILING)
    if (EXISTS "/etc/debian_version") # is this a debian system ?
      if(CMAKE_LIBRARY_ARCHITECTURE)
        set(_LIBDIR_DEFAULT "lib/${CMAKE_LIBRARY_ARCHITECTURE}")
      endif()
    else() # not debian, rely on CMAKE_SIZEOF_VOID_P:
      if(NOT DEFINED CMAKE_SIZEOF_VOID_P)
        message(AUTHOR_WARNING
          "Unable to determine default CMAKE_INSTALL_LIBDIR directory because no target architecture is known. "
          "Please enable at least one language before including GNUInstallDirs.")
      else()
        if("${CMAKE_SIZEOF_VOID_P}" EQUAL "8")
          set(_LIBDIR_DEFAULT "lib64")
        endif()
      endif()
    endif()
  endif()
  set(CMAKE_INSTALL_LIBDIR "${_LIBDIR_DEFAULT}" CACHE PATH "object code libraries (${_LIBDIR_DEFAULT})")
endif()

if(NOT DEFINED CMAKE_INSTALL_INCLUDEDIR)
  set(CMAKE_INSTALL_INCLUDEDIR "include" CACHE PATH "C header files (include)")
endif()

if(NOT DEFINED CMAKE_INSTALL_OLDINCLUDEDIR)
  set(CMAKE_INSTALL_OLDINCLUDEDIR "/usr/include" CACHE PATH "C header files for non-gcc (/usr/include)")
endif()

if(NOT DEFINED CMAKE_INSTALL_DATAROOTDIR)
  set(CMAKE_INSTALL_DATAROOTDIR "share" CACHE PATH "read-only architecture-independent data root (share)")
endif()

#-----------------------------------------------------------------------------
# Values whose defaults are relative to DATAROOTDIR.  Store empty values in
# the cache and store the defaults in local variables if the cache values are
# not set explicitly.  This auto-updates the defaults as DATAROOTDIR changes.

if(NOT CMAKE_INSTALL_DATADIR)
  set(CMAKE_INSTALL_DATADIR "" CACHE PATH "read-only architecture-independent data (DATAROOTDIR)")
  set(CMAKE_INSTALL_DATADIR "${CMAKE_INSTALL_DATAROOTDIR}")
endif()

if(NOT CMAKE_INSTALL_INFODIR)
  set(CMAKE_INSTALL_INFODIR "" CACHE PATH "info documentation (DATAROOTDIR/info)")
  set(CMAKE_INSTALL_INFODIR "${CMAKE_INSTALL_DATAROOTDIR}/info")
endif()

if(NOT CMAKE_INSTALL_LOCALEDIR)
  set(CMAKE_INSTALL_LOCALEDIR "" CACHE PATH "locale-dependent data (DATAROOTDIR/locale)")
  set(CMAKE_INSTALL_LOCALEDIR "${CMAKE_INSTALL_DATAROOTDIR}/locale")
endif()

if(NOT CMAKE_INSTALL_MANDIR)
  set(CMAKE_INSTALL_MANDIR "" CACHE PATH "man documentation (DATAROOTDIR/man)")
  set(CMAKE_INSTALL_MANDIR "${CMAKE_INSTALL_DATAROOTDIR}/man")
endif()

if(NOT CMAKE_INSTALL_DOCDIR)
  set(CMAKE_INSTALL_DOCDIR "" CACHE PATH "documentation root (DATAROOTDIR/doc/PROJECT_NAME)")
  set(CMAKE_INSTALL_DOCDIR "${CMAKE_INSTALL_DATAROOTDIR}/doc/${PROJECT_NAME}")
endif()

#-----------------------------------------------------------------------------

mark_as_advanced(
  CMAKE_INSTALL_BINDIR
  CMAKE_INSTALL_SBINDIR
  CMAKE_INSTALL_LIBEXECDIR
  CMAKE_INSTALL_SYSCONFDIR
  CMAKE_INSTALL_SHAREDSTATEDIR
  CMAKE_INSTALL_LOCALSTATEDIR
  CMAKE_INSTALL_LIBDIR
  CMAKE_INSTALL_INCLUDEDIR
  CMAKE_INSTALL_OLDINCLUDEDIR
  CMAKE_INSTALL_DATAROOTDIR
  CMAKE_INSTALL_DATADIR
  CMAKE_INSTALL_INFODIR
  CMAKE_INSTALL_LOCALEDIR
  CMAKE_INSTALL_MANDIR
  CMAKE_INSTALL_DOCDIR
  )

# Result directories
#
foreach(dir
    BINDIR
    SBINDIR
    LIBEXECDIR
    SYSCONFDIR
    SHAREDSTATEDIR
    LOCALSTATEDIR
    LIBDIR
    INCLUDEDIR
    OLDINCLUDEDIR
    DATAROOTDIR
    DATADIR
    INFODIR
    LOCALEDIR
    MANDIR
    DOCDIR
    )
  if(NOT IS_ABSOLUTE ${CMAKE_INSTALL_${dir}})
    set(CMAKE_INSTALL_FULL_${dir} "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_${dir}}")
  else()
    set(CMAKE_INSTALL_FULL_${dir} "${CMAKE_INSTALL_${dir}}")
  endif()
endforeach()
```

File: scap-security-guide-0.1.39/cmake/SSGCommon.cmake

```cmake
# Important developer notes:

# Minimal build targets
# ============================================================================
#
# For the build system to be efficient it makes sense to separate build
# targets as much as possible. Please do not be lazy and group multiple
# files into one add_custom_command. This prevents parallelization and slows
# down the builds!
#
#
# Avoid input output overlap
# ============================================================================
#
# If there is any overlap in inputs and/or outputs of build targets the build
# system will needlessly rebuild the target every time you run the build.
# Please avoid this because it slows down incremental builds. Incremental
# builds are done all the time by SSG developers so it makes sense to have
# them as fast as possible.
#
#
# Wrapper targets
# ============================================================================
#
# Notice that most (if not all) add_custom_command calls are immediately
# followed with a wrapper add_custom_target. We do that to generate proper
# dependency directed graphs so that dependencies can be shared. Without
# this wrapper you wouldn't have been able to do parallel builds of multiple
# targets at once. E.g.:
#
# $ make -j 4 rhel7-guides rhel7-stats
#
# Without the wrapper targets the command above would start generating the
# XCCDF, OVAL and OCIL files 2 times in parallel which would result in
# broken files.
#
# Please keep this in mind when modifying the build system.
#
# Read:
# https://samthursfield.wordpress.com/2015/11/21/cmake-dependencies-between-targets-and-files-and-custom-commands/
# for more info.
#
#
# Folders should not be build inputs or outputs
# ============================================================================
#
# It may be tempting to mark an entire folder as build output but doing that
# has unexpected consequences. Please avoid that and always list the files.
#
#
# Good luck hacking the SCAP Security Guide build system!
```
```cmake
# OSCAP_OVAL_VERSION is passed into generate-from-templates.py and it specifies
# the highest OVAL version we can use.
if(SSG_OVAL_511_ENABLED)
    set(OSCAP_OVAL_VERSION "5.11")
else()
    set(OSCAP_OVAL_VERSION "5.10")
endif()

if(SSG_OVAL_SCHEMATRON_VALIDATION_ENABLED)
    set(OSCAP_OVAL_SCHEMATRON_OPTION "--schematron")
else()
    set(OSCAP_OVAL_SCHEMATRON_OPTION "")
endif()

set(SSG_HTML_GUIDE_FILE_LIST "")
set(SSG_HTML_TABLE_FILE_LIST "")

macro(ssg_build_bash_remediation_functions)
    file(GLOB BASH_REMEDIATION_FUNCTIONS "${CMAKE_SOURCE_DIR}/shared/bash_remediation_functions/*.sh")

    add_custom_command(
        OUTPUT "${CMAKE_BINARY_DIR}/bash-remediation-functions.xml"
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-bash-remediation-functions.py" --input "${SSG_SHARED}/bash_remediation_functions" --output "${CMAKE_BINARY_DIR}/bash-remediation-functions.xml"
        DEPENDS ${BASH_REMEDIATION_FUNCTIONS}
        DEPENDS "${SSG_SHARED_UTILS}/generate-bash-remediation-functions.py"
        COMMENT "[bash-remediation-functions] generating bash-remediation-functions.xml"
    )
    add_custom_target(
        generate-internal-bash-remediation-functions.xml
        DEPENDS "${CMAKE_BINARY_DIR}/bash-remediation-functions.xml"
    )
endmacro()

macro(ssg_build_shorthand_xml PRODUCT)
    execute_process(
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/yaml-to-shorthand.py" --product-yaml "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" --bash_remediation_fns "${CMAKE_BINARY_DIR}/bash-remediation-functions.xml" --output "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml" list-inputs
        OUTPUT_VARIABLE SHORTHAND_INPUTS_STR
    )
    string(REPLACE "\n" ";" SHORTHAND_INPUTS "${SHORTHAND_INPUTS_STR}")

    add_custom_command(
        OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml"
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/yaml-to-shorthand.py" --product-yaml "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" --bash_remediation_fns "${CMAKE_BINARY_DIR}/bash-remediation-functions.xml" --output "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml" build
        COMMAND "${XMLLINT_EXECUTABLE}" --format --output "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml" "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml"
        DEPENDS ${SHORTHAND_INPUTS}
        DEPENDS generate-internal-bash-remediation-functions.xml
        DEPENDS "${CMAKE_BINARY_DIR}/bash-remediation-functions.xml"
        DEPENDS "${SSG_SHARED_UTILS}/yaml-to-shorthand.py"
        COMMENT "[${PRODUCT}-content] generating shorthand.xml"
    )
    add_custom_target(
        generate-internal-${PRODUCT}-shorthand.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml"
    )
endmacro()

macro(ssg_build_xccdf_unlinked PRODUCT)
    file(GLOB STIG_REFERENCE_FILE_LIST "${SSG_SHARED_REFS}/disa-stig-${PRODUCT}-*-xccdf-manual.xml")
    list(APPEND STIG_REFERENCE_FILE_LIST "not-found")
    list(GET STIG_REFERENCE_FILE_LIST 0 STIG_REFERENCE_FILE)

    add_custom_command(
        OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
        COMMAND "${XSLTPROC_EXECUTABLE}" --stringparam ssg_version "${SSG_VERSION}" --output "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/shorthand2xccdf.xslt" "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml"
        COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" xccdf resolve -o "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/add_stig_references.py" --disa-stig "${STIG_REFERENCE_FILE}" --unlinked-xccdf "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
        DEPENDS generate-internal-${PRODUCT}-shorthand.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml"
        DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/shorthand2xccdf.xslt"
        DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/constants.xslt"
        DEPENDS "${SSG_SHARED_TRANSFORMS}/shared_constants.xslt"
        COMMENT "[${PRODUCT}-content] generating xccdf-unlinked-resolved.xml"
    )
    add_custom_target(
        generate-internal-${PRODUCT}-xccdf-unlinked-resolved.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
    )
endmacro()

macro(ssg_build_ocil_unlinked PRODUCT)
    add_custom_command(
        OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/ocil-unlinked.xml"
        COMMAND "${XSLTPROC_EXECUTABLE}" --stringparam ssg_version "${SSG_VERSION}" --output "${CMAKE_CURRENT_BINARY_DIR}/ocil-unlinked.xml" "${SSG_SHARED_TRANSFORMS}/xccdf-create-ocil.xslt" "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
        COMMAND "${XMLLINT_EXECUTABLE}" --format --output "${CMAKE_CURRENT_BINARY_DIR}/ocil-unlinked.xml" "${CMAKE_CURRENT_BINARY_DIR}/ocil-unlinked.xml"
        DEPENDS generate-internal-${PRODUCT}-xccdf-unlinked-resolved.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
        DEPENDS "${SSG_SHARED_TRANSFORMS}/xccdf-create-ocil.xslt"
        COMMENT "[${PRODUCT}-content] generating ocil-unlinked.xml"
    )
    add_custom_target(
        generate-internal-${PRODUCT}-ocil-unlinked.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/ocil-unlinked.xml"
    )

    add_custom_command(
        OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-ocilrefs.xml"
        COMMAND "${XSLTPROC_EXECUTABLE}" --stringparam product ${PRODUCT} --output "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-ocilrefs.xml" "${SSG_SHARED_TRANSFORMS}/xccdf-ocilcheck2ref.xslt" "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
        DEPENDS generate-internal-${PRODUCT}-xccdf-unlinked-resolved.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
        DEPENDS generate-internal-${PRODUCT}-ocil-unlinked.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/ocil-unlinked.xml"
        DEPENDS "${SSG_SHARED_TRANSFORMS}/xccdf-ocilcheck2ref.xslt"
        COMMENT "[${PRODUCT}-content] generating xccdf-unlinked-ocilrefs.xml"
    )
    add_custom_target(
        generate-internal-${PRODUCT}-xccdf-unlinked-ocilrefs.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-ocilrefs.xml"
    )
endmacro()

macro(_ssg_build_remediations_for_language PRODUCT LANGUAGE)
    set(BUILD_REMEDIATIONS_DIR "${CMAKE_CURRENT_BINARY_DIR}/fixes")

    execute_process(
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-from-templates.py" --shared "${SSG_SHARED}" --oval_version "${OSCAP_OVAL_VERSION}" --input "${CMAKE_CURRENT_SOURCE_DIR}/templates" --output "${BUILD_REMEDIATIONS_DIR}" --language ${LANGUAGE} list-inputs
        OUTPUT_VARIABLE LANGUAGE_REMEDIATIONS_DEPENDS_STR
    )
    string(REPLACE "\n" ";" LANGUAGE_REMEDIATIONS_DEPENDS "${LANGUAGE_REMEDIATIONS_DEPENDS_STR}")
    execute_process(
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-from-templates.py" --shared "${SSG_SHARED}" --oval_version "${OSCAP_OVAL_VERSION}" --input "${CMAKE_CURRENT_SOURCE_DIR}/templates" --output "${BUILD_REMEDIATIONS_DIR}" --language ${LANGUAGE} list-outputs
        OUTPUT_VARIABLE LANGUAGE_REMEDIATIONS_OUTPUTS_STR
    )
    string(REPLACE "\n" ";" LANGUAGE_REMEDIATIONS_OUTPUTS "${LANGUAGE_REMEDIATIONS_OUTPUTS_STR}")

    execute_process(
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-from-templates.py" --shared "${SSG_SHARED}" --oval_version "${OSCAP_OVAL_VERSION}" --input "${SSG_SHARED}/templates" --output "${BUILD_REMEDIATIONS_DIR}/shared" --language ${LANGUAGE} list-inputs
        OUTPUT_VARIABLE SHARED_LANGUAGE_REMEDIATIONS_DEPENDS_STR
    )
    string(REPLACE "\n" ";" SHARED_LANGUAGE_REMEDIATIONS_DEPENDS "${SHARED_LANGUAGE_REMEDIATIONS_DEPENDS_STR}")
    execute_process(
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-from-templates.py" --shared "${SSG_SHARED}" --oval_version "${OSCAP_OVAL_VERSION}" --input "${SSG_SHARED}/templates" --output "${BUILD_REMEDIATIONS_DIR}/shared" --language ${LANGUAGE} list-outputs
        OUTPUT_VARIABLE SHARED_LANGUAGE_REMEDIATIONS_OUTPUTS_STR
    )
    string(REPLACE "\n" ";" SHARED_LANGUAGE_REMEDIATIONS_OUTPUTS "${SHARED_LANGUAGE_REMEDIATIONS_OUTPUTS_STR}")

    file(GLOB EXTRA_LANGUAGE_DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/fixes/${LANGUAGE}/*")
    file(GLOB EXTRA_SHARED_LANGUAGE_DEPENDS "${SSG_SHARED}/fixes/${LANGUAGE}/*")

    add_custom_command(
        OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/${LANGUAGE}-fixes.xml"
        OUTPUT ${LANGUAGE_REMEDIATIONS_OUTPUTS}
        OUTPUT ${SHARED_LANGUAGE_REMEDIATIONS_OUTPUTS}
        # We have to remove the entire dir to avoid keeping remediations when user removes something from the CSV
        COMMAND "${CMAKE_COMMAND}" -E remove_directory "${BUILD_REMEDIATIONS_DIR}/${LANGUAGE}"
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-from-templates.py" --shared "${SSG_SHARED}" --oval_version "${OSCAP_OVAL_VERSION}" --input "${CMAKE_CURRENT_SOURCE_DIR}/templates" --output "${BUILD_REMEDIATIONS_DIR}" --language ${LANGUAGE} build
        # We have to remove the entire dir to avoid keeping remediations when user removes something from the CSV
        COMMAND "${CMAKE_COMMAND}" -E remove_directory "${BUILD_REMEDIATIONS_DIR}/shared/${LANGUAGE}"
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-from-templates.py" --shared "${SSG_SHARED}" --oval_version "${OSCAP_OVAL_VERSION}" --input "${SSG_SHARED}/templates" --output "${BUILD_REMEDIATIONS_DIR}/shared" --language ${LANGUAGE} build
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/combine-remediations.py" --product-yaml "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" --remediation_type "${LANGUAGE}" --build_dir "${CMAKE_BINARY_DIR}" --output "${CMAKE_CURRENT_BINARY_DIR}/${LANGUAGE}-fixes.xml" "${BUILD_REMEDIATIONS_DIR}/shared/${LANGUAGE}" "${SSG_SHARED}/fixes/${LANGUAGE}" "${BUILD_REMEDIATIONS_DIR}/${LANGUAGE}" "${CMAKE_CURRENT_SOURCE_DIR}/fixes/${LANGUAGE}"
        DEPENDS generate-internal-bash-remediation-functions.xml
        DEPENDS "${CMAKE_BINARY_DIR}/bash-remediation-functions.xml"
        DEPENDS ${LANGUAGE_REMEDIATIONS_DEPENDS}
        DEPENDS ${SHARED_LANGUAGE_REMEDIATIONS_DEPENDS}
        DEPENDS ${EXTRA_LANGUAGE_DEPENDS}
        DEPENDS ${EXTRA_SHARED_LANGUAGE_DEPENDS}
        DEPENDS "${SSG_SHARED_UTILS}/generate-from-templates.py"
        DEPENDS "${SSG_SHARED_UTILS}/combine-remediations.py"
        COMMENT "[${PRODUCT}-content] generating ${LANGUAGE}-fixes.xml"
    )
    add_custom_target(
        generate-internal-${PRODUCT}-${LANGUAGE}-fixes.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/${LANGUAGE}-fixes.xml"
    )

    if (SSG_SHELLCHECK_BASH_FIXES_VALIDATION_ENABLED AND SHELLCHECK_EXECUTABLE AND "${LANGUAGE}" STREQUAL "bash")
        file(GLOB BASH_REMEDIATION_FUNCTIONS "${CMAKE_SOURCE_DIR}/shared/bash_remediation_functions/*.sh")
        add_test(
            NAME "shellcheck-${PRODUCT}-bash-fixes"
            # format gcc so that people using IDEs can click on errors to get to the problematic lines
            # SC1071: ShellCheck only supports sh/bash/ksh scripts
            # SC1091: Not following: /usr/share/scap-security-guide/remediation_functions
            # TODO: Stop ignoring the exit code as we fix the bash issues
            COMMAND "${SHELLCHECK_EXECUTABLE}" --format gcc --shell bash --exclude SC1071,SC1091 ${BASH_REMEDIATION_FUNCTIONS} ${LANGUAGE_REMEDIATIONS_DEPENDS} ${SHARED_LANGUAGE_REMEDIATIONS_DEPENDS} ${EXTRA_LANGUAGE_DEPENDS} ${EXTRA_SHARED_LANGUAGE_DEPENDS}
        )
    endif()
endmacro()

macro(ssg_build_remediations PRODUCT)
    message(STATUS "Scanning for dependencies of ${PRODUCT} fixes (bash, ansible, puppet and anaconda)...")
    _ssg_build_remediations_for_language(${PRODUCT} "bash")
    _ssg_build_remediations_for_language(${PRODUCT} "ansible")
    _ssg_build_remediations_for_language(${PRODUCT} "puppet")
    _ssg_build_remediations_for_language(${PRODUCT} "anaconda")
endmacro()

macro(ssg_build_xccdf_with_remediations PRODUCT)
    # we have to encode spaces in paths before passing them as stringparams to xsltproc
    string(REPLACE " " "%20" CMAKE_CURRENT_BINARY_DIR_NO_SPACES "${CMAKE_CURRENT_BINARY_DIR}")

    add_custom_command(
        OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked.xml"
        COMMAND "${XSLTPROC_EXECUTABLE}" --stringparam bash_remediations "${CMAKE_CURRENT_BINARY_DIR_NO_SPACES}/bash-fixes.xml" --stringparam ansible_remediations "${CMAKE_CURRENT_BINARY_DIR_NO_SPACES}/ansible-fixes.xml" --stringparam puppet_remediations "${CMAKE_CURRENT_BINARY_DIR_NO_SPACES}/puppet-fixes.xml" --stringparam anaconda_remediations "${CMAKE_CURRENT_BINARY_DIR_NO_SPACES}/anaconda-fixes.xml" --output "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked.xml" "${SSG_SHARED_TRANSFORMS}/xccdf-addremediations.xslt" "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-ocilrefs.xml"
        COMMAND "${XMLLINT_EXECUTABLE}" --format --output "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked.xml" "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked.xml"
        DEPENDS generate-internal-${PRODUCT}-xccdf-unlinked-ocilrefs.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-ocilrefs.xml"
        DEPENDS generate-internal-${PRODUCT}-bash-fixes.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/bash-fixes.xml"
        DEPENDS generate-internal-${PRODUCT}-ansible-fixes.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/ansible-fixes.xml"
        DEPENDS generate-internal-${PRODUCT}-puppet-fixes.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/puppet-fixes.xml"
        DEPENDS generate-internal-${PRODUCT}-anaconda-fixes.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/anaconda-fixes.xml"
        DEPENDS "${SSG_SHARED_TRANSFORMS}/xccdf-addremediations.xslt"
        COMMENT "[${PRODUCT}-content] generating xccdf-unlinked.xml"
    )
    add_custom_target(
        generate-internal-${PRODUCT}-xccdf-unlinked.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked.xml"
    )
endmacro()

macro(ssg_build_oval_unlinked PRODUCT)
    file(GLOB EXTRA_OVAL_DEPS "${CMAKE_CURRENT_SOURCE_DIR}/checks/oval/*.xml")
    file(GLOB EXTRA_SHARED_OVAL_DEPS "${SSG_SHARED}/checks/oval/*.xml")

    set(BUILD_CHECKS_DIR "${CMAKE_CURRENT_BINARY_DIR}/checks")

    message(STATUS "Scanning for dependencies of ${PRODUCT} checks (OVAL)...")
    execute_process(
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-from-templates.py" --shared "${SSG_SHARED}" --oval_version "${OSCAP_OVAL_VERSION}" --input "${CMAKE_CURRENT_SOURCE_DIR}/templates" --output "${BUILD_CHECKS_DIR}" --language oval list-inputs
        OUTPUT_VARIABLE OVAL_CHECKS_DEPENDS_STR
    )
    string(REPLACE "\n" ";" OVAL_CHECKS_DEPENDS "${OVAL_CHECKS_DEPENDS_STR}")
    execute_process(
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-from-templates.py" --shared "${SSG_SHARED}" --oval_version "${OSCAP_OVAL_VERSION}" --input "${CMAKE_CURRENT_SOURCE_DIR}/templates" --output "${BUILD_CHECKS_DIR}" --language oval list-outputs
        OUTPUT_VARIABLE OVAL_CHECKS_OUTPUTS_STR
    )
    string(REPLACE "\n" ";" OVAL_CHECKS_OUTPUTS "${OVAL_CHECKS_OUTPUTS_STR}")

    execute_process(
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-from-templates.py" --shared "${SSG_SHARED}" --oval_version "${OSCAP_OVAL_VERSION}" --input "${SSG_SHARED}/templates" --output "${BUILD_CHECKS_DIR}/shared" --language oval list-inputs
        OUTPUT_VARIABLE SHARED_OVAL_CHECKS_DEPENDS_STR
    )
    string(REPLACE "\n" ";" SHARED_OVAL_CHECKS_DEPENDS "${SHARED_OVAL_CHECKS_DEPENDS_STR}")
    execute_process(
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-from-templates.py" --shared "${SSG_SHARED}" --oval_version "${OSCAP_OVAL_VERSION}" --input "${SSG_SHARED}/templates" --output "${BUILD_CHECKS_DIR}/shared" --language oval list-outputs
        OUTPUT_VARIABLE SHARED_OVAL_CHECKS_OUTPUTS_STR
    )
    string(REPLACE "\n" ";" SHARED_OVAL_CHECKS_OUTPUTS "${SHARED_OVAL_CHECKS_OUTPUTS_STR}")

    if("${PRODUCT}" MATCHES "rhel-osp7")
        # Don't traverse $(SHARED_OVAL) for the case of RHEL-OSP7 product for now
        set(OVAL_COMBINE_PATHS "${BUILD_CHECKS_DIR}/shared/oval" "${BUILD_CHECKS_DIR}/oval" "${CMAKE_CURRENT_SOURCE_DIR}/checks/oval")
    else()
        set(OVAL_COMBINE_PATHS "${BUILD_CHECKS_DIR}/shared/oval" "${SSG_SHARED}/checks/oval" "${BUILD_CHECKS_DIR}/oval" "${CMAKE_CURRENT_SOURCE_DIR}/checks/oval")
    endif()

    add_custom_command(
        OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml"
        OUTPUT ${OVAL_CHECKS_OUTPUTS}
        OUTPUT ${SHARED_OVAL_CHECKS_OUTPUTS}
        # We have to remove all old checks in case the user removed something from the CSV files
        COMMAND "${CMAKE_COMMAND}" -E remove_directory "${BUILD_CHECKS_DIR}/oval"
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-from-templates.py" --shared "${SSG_SHARED}" --oval_version "${OSCAP_OVAL_VERSION}" --input "${CMAKE_CURRENT_SOURCE_DIR}/templates" --output "${BUILD_CHECKS_DIR}" --language oval build
        # We have to remove all old shared checks in case the user removed something from the CSV files
        COMMAND "${CMAKE_COMMAND}" -E remove_directory "${BUILD_CHECKS_DIR}/shared/oval"
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/generate-from-templates.py" --shared "${SSG_SHARED}" --oval_version "${OSCAP_OVAL_VERSION}" --input "${SSG_SHARED}/templates" --output "${BUILD_CHECKS_DIR}/shared" --language oval build
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/combine-ovals.py" --ssg_version "${SSG_VERSION}" --product-yaml "${CMAKE_CURRENT_SOURCE_DIR}/product.yml" --oval_config "${CMAKE_BINARY_DIR}/oval.config" --oval_version "${OSCAP_OVAL_VERSION}" --output "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml" ${OVAL_COMBINE_PATHS}
        COMMAND "${XMLLINT_EXECUTABLE}" --format --output "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml" "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml"
        DEPENDS ${OVAL_CHECKS_DEPENDS}
        DEPENDS ${SHARED_OVAL_CHECKS_DEPENDS}
        DEPENDS ${EXTRA_OVAL_DEPS}
        DEPENDS ${EXTRA_SHARED_OVAL_DEPS}
        DEPENDS "${SSG_SHARED_UTILS}/generate-from-templates.py"
        DEPENDS "${SSG_SHARED_UTILS}/combine-ovals.py"
        COMMENT "[${PRODUCT}-content] generating oval-unlinked.xml"
    )
    add_custom_target(
        generate-internal-${PRODUCT}-oval-unlinked.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml"
    )
endmacro()

macro(ssg_build_cpe_dictionary PRODUCT)
    set(SSG_CPE_DICTIONARY "${CMAKE_CURRENT_SOURCE_DIR}/cpe/${PRODUCT}-cpe-dictionary.xml")

    add_custom_command(
        OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml"
        OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/cpe-generate.py" ${PRODUCT} ssg "${CMAKE_BINARY_DIR}" "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml" "${SSG_CPE_DICTIONARY}"
        COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml"
        COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
        DEPENDS generate-internal-${PRODUCT}-oval-unlinked.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml"
        DEPENDS "${SSG_CPE_DICTIONARY}"
        DEPENDS "${SSG_SHARED_UTILS}/cpe-generate.py"
        COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-cpe-dictionary.xml, ssg-${PRODUCT}-cpe-oval.xml"
    )
    add_custom_target(
        generate-ssg-${PRODUCT}-cpe-dictionary.xml
        DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml"
        DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
    )

    add_test(
        NAME "validate-ssg-${PRODUCT}-cpe-dictionary.xml"
        COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" cpe validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml"
    )
    add_test(
        NAME "validate-ssg-${PRODUCT}-cpe-oval.xml"
        COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" oval validate ${OSCAP_OVAL_SCHEMATRON_OPTION} "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml"
    )
endmacro()

macro(ssg_build_link_xccdf_oval_ocil PRODUCT)
    add_custom_command(
        OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/xccdf-linked.xml"
        OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/oval-linked.xml"
        OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/ocil-linked.xml"
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/relabel-ids.py" "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked.xml" ssg
        DEPENDS generate-internal-${PRODUCT}-xccdf-unlinked.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked.xml"
        DEPENDS generate-internal-${PRODUCT}-oval-unlinked.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/oval-unlinked.xml"
        DEPENDS generate-internal-${PRODUCT}-ocil-unlinked.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/ocil-unlinked.xml"
        DEPENDS "${SSG_SHARED_UTILS}/relabel-ids.py"
        COMMENT "[${PRODUCT}-content] linking IDs, generating xccdf-linked.xml, oval-linked.xml, ocil-linked.xml"
    )
    add_custom_target(
        generate-internal-${PRODUCT}-linked-xccdf-oval-ocil.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/xccdf-linked.xml"
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/oval-linked.xml"
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/ocil-linked.xml"
    )
endmacro()

macro(ssg_build_xccdf_final PRODUCT)
    add_custom_command(
        OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
        # Remove overlays Groups which are only for use in tables, and not guide output.
        COMMAND "${XSLTPROC_EXECUTABLE}" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" "${CMAKE_SOURCE_DIR}/shared/transforms/shared_xccdf-removeaux.xslt" "${CMAKE_CURRENT_BINARY_DIR}/xccdf-linked.xml"
        COMMAND "${SED_EXECUTABLE}" -i "s/oval-linked.xml/ssg-${PRODUCT}-oval.xml/g" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
        COMMAND "${SED_EXECUTABLE}" -i "s/ocil-linked.xml/ssg-${PRODUCT}-ocil.xml/g" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/unselect-empty-xccdf-groups.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
        COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" xccdf resolve -o "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
        COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
        DEPENDS generate-internal-${PRODUCT}-linked-xccdf-oval-ocil.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/xccdf-linked.xml"
        DEPENDS "${CMAKE_SOURCE_DIR}/shared/transforms/shared_xccdf-removeaux.xslt"
        DEPENDS "${SSG_SHARED_UTILS}/unselect-empty-xccdf-groups.py"
        COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-xccdf.xml"
    )
    add_custom_target(
        generate-ssg-${PRODUCT}-xccdf.xml
        DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
    )

    add_test(
        NAME "validate-ssg-${PRODUCT}-xccdf.xml"
        COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" xccdf validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
    )
    add_test(
        NAME "verify-references-ssg-${PRODUCT}-xccdf.xml"
        COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/verify-references.py" --rules-with-invalid-checks --ovaldefs-unused "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
    )
    add_test(
        NAME "verify-ssg-${PRODUCT}-xccdf.xml-override-true-all-profile-titles"
        COMMAND "${XMLLINT_EXECUTABLE}" --xpath "//*[local-name()=\"Profile\"]/*[local-name()=\"title\"][not(@override=\"true\")]" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
    )
    add_test(
        NAME "verify-ssg-${PRODUCT}-xccdf.xml-override-true-all-profile-descriptions"
        COMMAND "${XMLLINT_EXECUTABLE}" --xpath "//*[local-name()=\"Profile\"]/*[local-name()=\"description\"][not(@override=\"true\")]" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
    )
    # Sets WILL_FAIL property for all '*-override-true-all-profile-*' tests to
    # true as it is expected that XPath of a passing test will be empty (and
    # non-zero exit code is returned in such case).
    set_tests_properties(
        "verify-ssg-${PRODUCT}-xccdf.xml-override-true-all-profile-titles"
        "verify-ssg-${PRODUCT}-xccdf.xml-override-true-all-profile-descriptions"
        PROPERTIES WILL_FAIL true
    )

    add_custom_command(
        OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
        COMMAND "${XSLTPROC_EXECUTABLE}" --stringparam reverse_DNS "org.${SSG_VENDOR}.content" --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" "${OPENSCAP_XCCDF_XSL_1_2}" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
        DEPENDS generate-ssg-${PRODUCT}-xccdf.xml
        DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml"
        COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-xccdf-1.2.xml"
    )
    add_custom_target(
        generate-ssg-${PRODUCT}-xccdf-1.2.xml
        DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml"
    )
endmacro()

macro(ssg_build_oval_final PRODUCT)
    add_custom_command(
        OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-oval.xml"
        COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-oval.xml" "${CMAKE_CURRENT_BINARY_DIR}/oval-linked.xml"
        DEPENDS generate-internal-${PRODUCT}-linked-xccdf-oval-oc il.xml
        DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/oval-linked.xml"
        COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-oval.xml"
    )
    add_custom_target(
        generate-ssg-${PRODUCT}-oval.xml
        DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-oval.xml"
    )

    add_test(
        NAME "validate-ssg-${PRODUCT}-oval.xml"
        COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" oval validate ${OSCAP_OVAL_SCHEMATRON_OPTION}
```
"${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-oval.xml" ) endmacro() macro(ssg_build_ocil_final PRODUCT) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml" COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml" "${CMAKE_CURRENT_BINARY_DIR}/ocil-linked.xml" DEPENDS generate-internal-${PRODUCT}-linked-xccdf-oval-ocil.xml DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/ocil-linked.xml" COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ocil.xml" ) add_custom_target( generate-ssg-${PRODUCT}-ocil.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml" ) endmacro() macro(ssg_build_pci_dss_xccdf PRODUCT) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_TRANSFORMS}/pcidss/transform_benchmark_to_pcidss.py" "${SSG_SHARED_TRANSFORMS}/pcidss/PCI_DSS.json" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" DEPENDS "${SSG_SHARED_TRANSFORMS}/pcidss/transform_benchmark_to_pcidss.py" DEPENDS "${SSG_SHARED_TRANSFORMS}/pcidss/PCI_DSS.json" DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" COMMENT "[${PRODUCT}-content] building ssg-${PRODUCT}-pcidss-xccdf-1.2.xml from ssg-${PRODUCT}-xccdf-1.2.xml (PCI-DSS centered benchmark)" ) add_custom_target( generate-ssg-${PRODUCT}-pcidss-xccdf-1.2.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" ) endmacro() macro(ssg_build_sds PRODUCT) if("${PRODUCT}" MATCHES "rhel(6|7)") add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" # use --skip-valid here to avoid repeatedly validating everything COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" COMMAND "${SED_EXECUTABLE}" -i 
's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/sds-move-ocil-to-checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" DEPENDS generate-ssg-${PRODUCT}-oval.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-oval.xml" DEPENDS generate-ssg-${PRODUCT}-ocil.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml" DEPENDS generate-ssg-${PRODUCT}-cpe-dictionary.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" DEPENDS generate-ssg-${PRODUCT}-pcidss-xccdf-1.2.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-pcidss-xccdf-1.2.xml" COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml" ) else() add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" WORKING_DIRECTORY "${CMAKE_BINARY_DIR}" # use --skip-valid here to avoid repeatedly validating everything COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-compose --skip-valid "ssg-${PRODUCT}-xccdf-1.2.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" COMMAND "${SED_EXECUTABLE}" -i 's/schematron-version="[0-9].[0-9]"/schematron-version="1.2"/' "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-add --skip-valid "ssg-${PRODUCT}-cpe-dictionary.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" COMMAND 
"${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/sds-move-ocil-to-checks.py" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" COMMAND "${XMLLINT_EXECUTABLE}" --nsclean --format --output "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" DEPENDS generate-ssg-${PRODUCT}-xccdf-1.2.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf-1.2.xml" DEPENDS generate-ssg-${PRODUCT}-oval.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-oval.xml" DEPENDS generate-ssg-${PRODUCT}-ocil.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml" DEPENDS generate-ssg-${PRODUCT}-cpe-dictionary.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" COMMENT "[${PRODUCT}-content] generating ssg-${PRODUCT}-ds.xml" ) endif() add_custom_target( generate-ssg-${PRODUCT}-ds.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" ) add_test( NAME "validate-ssg-${PRODUCT}-ds.xml" COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" ) endmacro() macro(ssg_build_html_guides PRODUCT) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/guides/ssg-${PRODUCT}-guide-index.html" COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/guides" COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/build-all-guides.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" --output "${CMAKE_BINARY_DIR}/guides" build DEPENDS generate-ssg-${PRODUCT}-ds.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" COMMENT "[${PRODUCT}-guides] generating HTML guides for all profiles in ssg-${PRODUCT}-ds.xml" ) add_custom_target( generate-ssg-${PRODUCT}-guide-index.html DEPENDS "${CMAKE_BINARY_DIR}/guides/ssg-${PRODUCT}-guide-index.html" ) # despite checking just the index this actually tests all the guides because the index links to them # needs PARENT_SCOPE because this is done across different cmake files via add_directory(..) 
set(SSG_HTML_GUIDE_FILE_LIST "${SSG_HTML_GUIDE_FILE_LIST};${CMAKE_BINARY_DIR}/guides/ssg-${PRODUCT}-guide-index.html" PARENT_SCOPE) endmacro() macro(ssg_build_remediation_roles PRODUCT TEMPLATE EXTENSION) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/roles/all-roles-${PRODUCT}-${EXTENSION}" COMMAND ${CMAKE_COMMAND} -E make_directory "${CMAKE_BINARY_DIR}/roles" COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/build-all-remediation-roles.py" --input "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" --output "${CMAKE_BINARY_DIR}/roles" --template "${TEMPLATE}" --extension "${EXTENSION}" build COMMAND ${CMAKE_COMMAND} -E touch "${CMAKE_BINARY_DIR}/roles/all-roles-${PRODUCT}-${EXTENSION}" DEPENDS generate-ssg-${PRODUCT}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" COMMENT "[${PRODUCT}-roles] generating ${TEMPLATE} remediation roles for all profiles in ssg-${PRODUCT}-xccdf.xml" ) add_custom_target( generate-all-roles-${PRODUCT}-${EXTENSION} DEPENDS "${CMAKE_BINARY_DIR}/roles/all-roles-${PRODUCT}-${EXTENSION}" ) endmacro() macro(ssg_make_stats_for_product PRODUCT) add_custom_target(${PRODUCT}-stats COMMAND ${CMAKE_COMMAND} -E echo "Benchmark statistics for '${PRODUCT}':" COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/profile-stats.py" --benchmark "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" --profile all DEPENDS generate-ssg-${PRODUCT}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" COMMENT "[${PRODUCT}-stats] generating benchmark statistics" ) add_custom_target(${PRODUCT}-profile-stats COMMAND ${CMAKE_COMMAND} -E echo "Per profile statistics for '${PRODUCT}':" COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/profile-stats.py" --benchmark "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS generate-ssg-${PRODUCT}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" COMMENT "[${PRODUCT}-profile-stats] generating per profile statistics" ) endmacro() macro(ssg_build_product PRODUCT) # Enforce folder naming 
rules, we require SSG contributors to use # scap-security-guide/${PRODUCT}/ for all products. This makes it easier # to find relevant source-code and build just the relevant product. get_filename_component(EXPECTED_CMAKELISTS "${CMAKE_SOURCE_DIR}/${PRODUCT}/CMakeLists.txt" ABSOLUTE) get_filename_component(ACTUAL_CMAKELISTS "${CMAKE_CURRENT_SOURCE_DIR}/CMakeLists.txt" ABSOLUTE) if (NOT "${ACTUAL_CMAKELISTS}" STREQUAL "${EXPECTED_CMAKELISTS}") message(FATAL_ERROR "Expected ${PRODUCT}'s CMakeLists.txt to be at ${EXPECTED_CMAKELISTS}. Instead it's at ${ACTUAL_CMAKELISTS}. Please move it to the correct location.") endif() add_custom_target(${PRODUCT}-content) ssg_build_shorthand_xml(${PRODUCT}) ssg_build_xccdf_unlinked(${PRODUCT}) ssg_build_ocil_unlinked(${PRODUCT}) ssg_build_remediations(${PRODUCT}) ssg_build_xccdf_with_remediations(${PRODUCT}) ssg_build_oval_unlinked(${PRODUCT}) ssg_build_cpe_dictionary(${PRODUCT}) ssg_build_link_xccdf_oval_ocil(${PRODUCT}) ssg_build_xccdf_final(${PRODUCT}) ssg_build_oval_final(${PRODUCT}) ssg_build_ocil_final(${PRODUCT}) if("${PRODUCT}" MATCHES "rhel(6|7)") ssg_build_pci_dss_xccdf(${PRODUCT}) endif() ssg_build_sds(${PRODUCT}) add_custom_target(${PRODUCT} ALL) add_dependencies(${PRODUCT} ${PRODUCT}-content) add_dependencies( ${PRODUCT}-content generate-ssg-${PRODUCT}-xccdf.xml generate-ssg-${PRODUCT}-xccdf-1.2.xml generate-ssg-${PRODUCT}-oval.xml generate-ssg-${PRODUCT}-ocil.xml generate-ssg-${PRODUCT}-cpe-dictionary.xml generate-ssg-${PRODUCT}-ds.xml ) add_dependencies(zipfile "generate-ssg-${PRODUCT}-ds.xml") ssg_build_html_guides(${PRODUCT}) ssg_build_remediation_roles(${PRODUCT} "urn:xccdf:fix:script:ansible" "yml") ssg_build_remediation_roles(${PRODUCT} "urn:xccdf:fix:script:sh" "sh") add_custom_target( ${PRODUCT}-guides DEPENDS generate-ssg-${PRODUCT}-guide-index.html ) add_dependencies(${PRODUCT} ${PRODUCT}-guides) add_custom_target( ${PRODUCT}-tables # dependencies are added later using add_dependency ) 
add_dependencies(${PRODUCT} ${PRODUCT}-tables) add_custom_target( ${PRODUCT}-roles DEPENDS generate-all-roles-${PRODUCT}-yml DEPENDS generate-all-roles-${PRODUCT}-sh ) add_dependencies(${PRODUCT} ${PRODUCT}-roles) add_dependencies(zipfile "${PRODUCT}-roles") ssg_make_stats_for_product(${PRODUCT}) add_dependencies(stats ${PRODUCT}-stats) add_dependencies(profile-stats ${PRODUCT}-profile-stats) install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DESTINATION "${SSG_CONTENT_INSTALL_DIR}") install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-oval.xml" DESTINATION "${SSG_CONTENT_INSTALL_DIR}") install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ocil.xml" DESTINATION "${SSG_CONTENT_INSTALL_DIR}") install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-ds.xml" DESTINATION "${SSG_CONTENT_INSTALL_DIR}") install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-dictionary.xml" DESTINATION "${SSG_CONTENT_INSTALL_DIR}") install(FILES "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-cpe-oval.xml" DESTINATION "${SSG_CONTENT_INSTALL_DIR}") # This is a common cmake trick, we need the globbing to happen at build time # and not configure time. 
install( # The globbing expression below is made loose so that it can also match # guides for PCIDSS centric benchmarks CODE " file(GLOB GUIDE_FILES \"${CMAKE_BINARY_DIR}/guides/ssg-${PRODUCT}-*.html\") \n if(NOT IS_ABSOLUTE ${SSG_GUIDE_INSTALL_DIR}) file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_GUIDE_INSTALL_DIR}\" TYPE FILE FILES \${GUIDE_FILES}) else() file(INSTALL DESTINATION \"${SSG_GUIDE_INSTALL_DIR}\" TYPE FILE FILES \${GUIDE_FILES}) endif() " ) install( CODE " file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${PRODUCT}-role-*.yml\") \n if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}) file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}\" TYPE FILE FILES \${ROLE_FILES}) else() file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}\" TYPE FILE FILES \${ROLE_FILES}) endif() " ) install( CODE " file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${PRODUCT}-role-*.sh\") \n if(NOT IS_ABSOLUTE ${SSG_BASH_ROLE_INSTALL_DIR}) file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_BASH_ROLE_INSTALL_DIR}\" TYPE FILE FILES \${ROLE_FILES}) else() file(INSTALL DESTINATION \"${SSG_BASH_ROLE_INSTALL_DIR}\" TYPE FILE FILES \${ROLE_FILES}) endif() " ) # grab all the kickstarts (if any) and install them file(GLOB KICKSTART_FILES "${CMAKE_CURRENT_SOURCE_DIR}/kickstart/ssg-${PRODUCT}-*-ks.cfg") install(FILES ${KICKSTART_FILES} DESTINATION "${SSG_KICKSTART_INSTALL_DIR}") endmacro() macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE) add_custom_target(${DERIVATIVE}-content) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-xccdf.xml" COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/enable-derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-xccdf.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-xccdf.xml" DEPENDS generate-ssg-${ORIGINAL}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-xccdf.xml" DEPENDS "${SSG_SHARED_UTILS}/enable-derivatives.py" COMMENT 
"[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-xccdf.xml" ) add_custom_target( generate-ssg-${DERIVATIVE}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-xccdf.xml" ) add_test( NAME "validate-ssg-${DERIVATIVE}-xccdf.xml" COMMAND "${CMAKE_COMMAND}" -E touch "${CMAKE_CURRENT_BINARY_DIR}/validation-ssg-${DERIVATIVE}-xccdf.xml" ) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" COMMAND "${PYTHON_EXECUTABLE}" "${SSG_SHARED_UTILS}/enable-derivatives.py" --enable-${SHORTNAME} -i "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" -o "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" DEPENDS generate-ssg-${ORIGINAL}-ds.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${ORIGINAL}-ds.xml" DEPENDS "${SSG_SHARED_UTILS}/enable-derivatives.py" COMMENT "[${DERIVATIVE}-content] generating ssg-${DERIVATIVE}-ds.xml" ) add_custom_target( generate-ssg-${DERIVATIVE}-ds.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" ) add_test( NAME "validate-ssg-${DERIVATIVE}-ds.xml" COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" ds sds-validate "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" ) add_custom_target(${DERIVATIVE} ALL) add_dependencies(${DERIVATIVE} ${DERIVATIVE}-content) add_dependencies( ${DERIVATIVE}-content generate-ssg-${DERIVATIVE}-xccdf.xml generate-ssg-${DERIVATIVE}-ds.xml ) add_dependencies(zipfile "generate-ssg-${DERIVATIVE}-ds.xml") ssg_build_html_guides(${DERIVATIVE}) ssg_build_remediation_roles(${DERIVATIVE} "urn:xccdf:fix:script:ansible" "yml") ssg_build_remediation_roles(${DERIVATIVE} "urn:xccdf:fix:script:sh" "sh") add_custom_target( ${DERIVATIVE}-guides DEPENDS generate-ssg-${DERIVATIVE}-guide-index.html ) add_dependencies(${DERIVATIVE} ${DERIVATIVE}-guides) add_custom_target( ${DERIVATIVE}-roles DEPENDS generate-all-roles-${DERIVATIVE}-yml DEPENDS generate-all-roles-${DERIVATIVE}-sh ) add_dependencies(${DERIVATIVE} ${DERIVATIVE}-roles) install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-xccdf.xml" DESTINATION "${SSG_CONTENT_INSTALL_DIR}") 
install(FILES "${CMAKE_BINARY_DIR}/ssg-${DERIVATIVE}-ds.xml" DESTINATION "${SSG_CONTENT_INSTALL_DIR}") # This is a common cmake trick, we need the globbing to happen at build time # and not configure time. install( CODE " file(GLOB GUIDE_FILES \"${CMAKE_BINARY_DIR}/guides/ssg-${DERIVATIVE}-guide-*.html\") \n if(NOT IS_ABSOLUTE ${SSG_GUIDE_INSTALL_DIR}) file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_GUIDE_INSTALL_DIR}\" TYPE FILE FILES \${GUIDE_FILES}) else() file(INSTALL DESTINATION \"${SSG_GUIDE_INSTALL_DIR}\" TYPE FILE FILES \${GUIDE_FILES}) endif() " ) install( CODE " file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${DERIVATIVE}-role-*.yml\") \n if(NOT IS_ABSOLUTE ${SSG_ANSIBLE_ROLE_INSTALL_DIR}) file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ANSIBLE_ROLE_INSTALL_DIR}\" TYPE FILE FILES \${ROLE_FILES}) else() file(INSTALL DESTINATION \"${SSG_ANSIBLE_ROLE_INSTALL_DIR}\" TYPE FILE FILES \${ROLE_FILES}) endif() " ) install( CODE " file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${DERIVATIVE}-role-*.sh\") \n if(NOT IS_ABSOLUTE ${SSG_BASH_ROLE_INSTALL_DIR}) file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_BASH_ROLE_INSTALL_DIR}\" TYPE FILE FILES \${ROLE_FILES}) else() file(INSTALL DESTINATION \"${SSG_BASH_ROLE_INSTALL_DIR}\" TYPE FILE FILES \${ROLE_FILES}) endif() " ) endmacro() macro(ssg_build_html_table_by_ref PRODUCT REF) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-${REF}refs.html" COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" COMMAND "${XSLTPROC_EXECUTABLE}" -stringparam ref "${REF}" --output "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-${REF}refs.html" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-byref.xslt" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS generate-ssg-${PRODUCT}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-byref.xslt" COMMENT "[${PRODUCT}-tables] generating 
HTML table for ${REF} references" ) add_custom_target( generate-${PRODUCT}-table-by-ref-${REF} DEPENDS "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-${REF}refs.html" ) add_dependencies(${PRODUCT}-tables generate-${PRODUCT}-table-by-ref-${REF}) # needs PARENT_SCOPE because this is done across different cmake files via add_directory(..) set(SSG_HTML_TABLE_FILE_LIST "${SSG_HTML_TABLE_FILE_LIST};${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-${REF}refs.html" PARENT_SCOPE) install(FILES "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-${REF}refs.html" DESTINATION "${SSG_TABLE_INSTALL_DIR}") endmacro() macro(ssg_build_html_nistrefs_table PRODUCT PROFILE) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-nistrefs-${PROFILE}.html" COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" COMMAND "${XSLTPROC_EXECUTABLE}" -stringparam profile "${PROFILE}" --output "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-nistrefs-${PROFILE}.html" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-profilenistrefs.xslt" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS generate-ssg-${PRODUCT}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-profilenistrefs.xslt" COMMENT "[${PRODUCT}-tables] generating HTML NIST refs table for ${PROFILE} profile" ) add_custom_target( generate-${PRODUCT}-table-nistrefs-${PROFILE} DEPENDS "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-nistrefs-${PROFILE}.html" ) add_dependencies(${PRODUCT}-tables generate-${PRODUCT}-table-nistrefs-${PROFILE}) # needs PARENT_SCOPE because this is done across different cmake files via add_directory(..) 
set(SSG_HTML_TABLE_FILE_LIST "${SSG_HTML_TABLE_FILE_LIST};${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-nistrefs-${PROFILE}.html" PARENT_SCOPE) install(FILES "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-nistrefs-${PROFILE}.html" DESTINATION "${SSG_TABLE_INSTALL_DIR}") endmacro() macro(ssg_build_html_anssirefs_table PRODUCT PROFILE) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-anssirefs-${PROFILE}.html" COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" COMMAND "${XSLTPROC_EXECUTABLE}" -stringparam profile "anssi_${PROFILE}" --output "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-anssirefs-${PROFILE}.html" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-profileanssirefs.xslt" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS generate-ssg-${PRODUCT}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-profileanssirefs.xslt" COMMENT "[${PRODUCT}-tables] generating HTML ANSSI refs table for anssi_${PROFILE} profile" ) add_custom_target( generate-${PRODUCT}-table-anssirefs-${PROFILE} DEPENDS "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-anssirefs-${PROFILE}.html" ) add_dependencies(${PRODUCT}-tables generate-${PRODUCT}-table-anssirefs-${PROFILE}) install(FILES "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-anssirefs-${PROFILE}.html" DESTINATION "${SSG_TABLE_INSTALL_DIR}") endmacro() macro(ssg_build_html_cce_table PRODUCT) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-cces.html" COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" COMMAND "${XSLTPROC_EXECUTABLE}" --output "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-cces.html" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-cce.xslt" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS generate-ssg-${PRODUCT}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-cce.xslt" 
COMMENT "[${PRODUCT}-tables] generating HTML CCE identifiers table" ) add_custom_target( generate-${PRODUCT}-table-cces DEPENDS "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-cces.html" ) add_dependencies(${PRODUCT}-tables generate-${PRODUCT}-table-cces) # needs PARENT_SCOPE because this is done across different cmake files via add_directory(..) set(SSG_HTML_TABLE_FILE_LIST "${SSG_HTML_TABLE_FILE_LIST};${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-cces.html" PARENT_SCOPE) install(FILES "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-cces.html" DESTINATION "${SSG_TABLE_INSTALL_DIR}") endmacro() macro(ssg_build_html_srgmap_tables PRODUCT DISA_SRG_TYPE) file(GLOB DISA_SRG_REF "${SSG_SHARED_REFS}/disa-${DISA_SRG_TYPE}-srg-v[0-9]*r[0-9]*.xml") # we have to encode spaces in paths before passing them as stringparams to xsltproc string(REPLACE " " "%20" CMAKE_CURRENT_BINARY_DIR_NO_SPACES "${CMAKE_CURRENT_BINARY_DIR}") add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" # We need to use xccdf-linked.xml because ssg-${PRODUCT}-xccdf.xml has the srg_support Group removed COMMAND "${XSLTPROC_EXECUTABLE}" --stringparam map-to-items "${CMAKE_CURRENT_BINARY_DIR_NO_SPACES}/xccdf-linked.xml" --output "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/table-srgmap.xslt" "${DISA_SRG_REF}" DEPENDS generate-ssg-${PRODUCT}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS "${DISA_SRG_REF}" DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/table-srgmap.xslt" COMMENT "[${PRODUCT}-tables] generating HTML SRG map table (flat=no)" ) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html" COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" # We need to use xccdf-linked.xml because ssg-${PRODUCT}-xccdf.xml has the srg_support Group removed COMMAND "${XSLTPROC_EXECUTABLE}" 
--stringparam flat "y" --stringparam map-to-items "${CMAKE_CURRENT_BINARY_DIR_NO_SPACES}/xccdf-linked.xml" --output "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/table-srgmap.xslt" "${DISA_SRG_REF}" DEPENDS generate-ssg-${PRODUCT}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS "${DISA_SRG_REF}" DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/table-srgmap.xslt" COMMENT "[${PRODUCT}-tables] generating HTML SRG map table (flat=yes)" ) add_custom_target( generate-${PRODUCT}-table-srg DEPENDS "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" DEPENDS "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html" ) add_dependencies(${PRODUCT}-tables generate-${PRODUCT}-table-srg) # needs PARENT_SCOPE because this is done across different cmake files via add_directory(..) set(SSG_HTML_TABLE_FILE_LIST "${SSG_HTML_TABLE_FILE_LIST};${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html;${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html" PARENT_SCOPE) install(FILES "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" DESTINATION "${SSG_TABLE_INSTALL_DIR}") install(FILES "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html" DESTINATION "${SSG_TABLE_INSTALL_DIR}") endmacro() macro(ssg_build_html_stig_tables PRODUCT STIG_PROFILE) file(GLOB DISA_STIG_REF "${SSG_SHARED_REFS}/disa-stig-${PRODUCT}-v[0-9]*r[0-9]*-xccdf-manual.xml") add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig-manual.html" COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" COMMAND "${XSLTPROC_EXECUTABLE}" --output "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig-manual.html" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-stig.xslt" "${DISA_STIG_REF}" DEPENDS "${DISA_STIG_REF}" DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-stig.xslt" COMMENT "[${PRODUCT}-tables] generating HTML MANUAL STIG table" ) add_custom_command( OUTPUT 
"${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig-testinfo.html" COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" COMMAND "${XSLTPROC_EXECUTABLE}" -stringparam profile "${STIG_PROFILE}" -stringparam testinfo "y" --output "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig-testinfo.html" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-profileccirefs.xslt" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS generate-ssg-${PRODUCT}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-profileccirefs.xslt" COMMENT "[${PRODUCT}-tables] generating HTML STIG test info document" ) add_custom_command( OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml" COMMAND "${XSLTPROC_EXECUTABLE}" -stringparam overlay "${CMAKE_CURRENT_SOURCE_DIR}/overlays/stig_overlay.xml" --output "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf-apply-overlay-stig.xslt" "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS generate-ssg-${PRODUCT}-xccdf.xml DEPENDS "${CMAKE_BINARY_DIR}/ssg-${PRODUCT}-xccdf.xml" DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf-apply-overlay-stig.xslt" COMMENT "[${PRODUCT}-tables] generating unlinked STIG XCCDF XML file" ) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig.html" COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables" COMMAND "${XSLTPROC_EXECUTABLE}" --output "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig.html" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-stig.xslt" "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml" DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/unlinked-stig-xccdf.xml" DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/xccdf2table-stig.xslt" COMMENT "[${PRODUCT}-tables] generating HTML STIG table" ) add_custom_target( generate-${PRODUCT}-table-stig DEPENDS "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig.html" DEPENDS 
"${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig-manual.html" DEPENDS "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig-testinfo.html" ) add_dependencies(${PRODUCT}-tables generate-${PRODUCT}-table-stig) set(SSG_HTML_TABLE_FILE_LIST "${SSG_HTML_TABLE_FILE_LIST};${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig.html;${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig-manual.html" PARENT_SCOPE) install(FILES "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig.html" DESTINATION "${SSG_TABLE_INSTALL_DIR}") install(FILES "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-stig-testinfo.html" DESTINATION "${SSG_TABLE_INSTALL_DIR}") endmacro() macro(ssg_define_guide_and_table_tests) if (SSG_LINKCHECKER_VALIDATION_ENABLED AND LINKCHECKER_EXECUTABLE) add_test( NAME "linkchecker-ssg-guides" COMMAND "${LINKCHECKER_EXECUTABLE}" --check-extern ${SSG_HTML_GUIDE_FILE_LIST} ) add_test( NAME "linkchecker-ssg-tables" COMMAND "${LINKCHECKER_EXECUTABLE}" --check-extern ${SSG_HTML_TABLE_FILE_LIST} ) endif() if (GREP_EXECUTABLE) foreach(TABLE_FILE ${SSG_HTML_TABLE_FILE_LIST}) string(REPLACE "${CMAKE_BINARY_DIR}/tables/" "" TEST_NAME "${TABLE_FILE}") # -z treats newlines as regular chars so we can match multi-line # -v inverts the match, we are trying to make sure the tables don't # match this pattern add_test( NAME "sanity-ssg-tables-${TEST_NAME}" COMMAND "${GREP_EXECUTABLE}" "-zv" "[[:space:]]*" "${TABLE_FILE}" ) endforeach() endif() endmacro() macro(ssg_build_zipfile ZIPNAME) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/zipfile/${ZIPNAME}.zip" COMMAND ${CMAKE_COMMAND} -E remove_directory "zipfile/" COMMAND ${CMAKE_COMMAND} -E make_directory "zipfile/${ZIPNAME}" COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/README.md" "zipfile/${ZIPNAME}" COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/Contributors.md" "zipfile/${ZIPNAME}" COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/LICENSE" "zipfile/${ZIPNAME}" COMMAND ${CMAKE_COMMAND} -E make_directory "zipfile/${ZIPNAME}/kickstart" 
COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/rhel{6,7}/kickstart/*-ks.cfg" "zipfile/${ZIPNAME}/kickstart" COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_BINARY_DIR}/ssg-*-ds.xml" "zipfile/${ZIPNAME}" COMMAND ${CMAKE_COMMAND} -E make_directory "zipfile/${ZIPNAME}/roles" COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_BINARY_DIR}/roles/*.sh" "zipfile/${ZIPNAME}/roles" COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_BINARY_DIR}/roles/*.yml" "zipfile/${ZIPNAME}/roles" COMMAND ${CMAKE_COMMAND} -E chdir "zipfile" ${CMAKE_COMMAND} -E tar "cvf" "${ZIPNAME}.zip" --format=zip "${ZIPNAME}" COMMENT "Building zipfile at ${CMAKE_BINARY_DIR}/zipfile/${ZIPNAME}.zip" ) add_custom_target( zipfile DEPENDS "${CMAKE_BINARY_DIR}/zipfile/${ZIPNAME}.zip" ) endmacro() macro(ssg_build_nist_zipfile ZIPNAME) add_custom_command( OUTPUT "${CMAKE_BINARY_DIR}/nist-zipfile/${ZIPNAME}-nist.zip" COMMAND ${CMAKE_COMMAND} -E remove_directory "nist-zipfile/" COMMAND ${CMAKE_COMMAND} -E make_directory "nist-zipfile/${ZIPNAME}" COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_SOURCE_DIR}/LICENSE" "nist-zipfile/${ZIPNAME}" COMMAND ${CMAKE_COMMAND} -E copy "${CMAKE_BINARY_DIR}/ssg-rhel{6,7}-ds.xml" "nist-zipfile/${ZIPNAME}" COMMAND ${CMAKE_COMMAND} -E chdir "nist-zipfile" ${CMAKE_COMMAND} -E tar "cvf" "${ZIPNAME}-nist.zip" --format=zip "${ZIPNAME}" COMMENT "Building NIST zipfile at ${CMAKE_BINARY_DIR}/nist-zipfile/${ZIPNAME}-nist.zip" ) add_custom_target( nist-zipfile DEPENDS "${CMAKE_BINARY_DIR}/nist-zipfile/${ZIPNAME}-nist.zip" ) endmacro() scap-security-guide-0.1.39/debian8/000077500000000000000000000000001327242345500170135ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/CMakeLists.txt000066400000000000000000000004621327242345500215550ustar00rootroot00000000000000# Sometimes our users will try to do: "cd debian8; cmake ." That needs to error in a nice way. 
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!") endif() ssg_build_product("debian8") scap-security-guide-0.1.39/debian8/README000066400000000000000000000031201327242345500176670ustar00rootroot00000000000000Directory Structure of scap-security-guide ------------------------------------------ The input directory contains source files that generate SCAP content, such as XCCDF and OVAL. Since a single large XML file is an impractical format for multiple authors to collaborate on editing SCAP content, efforts are made to keep logically related guidance and checking content in individual files. The transforms directory contains resources that enable the files inside the input directory (or output directory) to be combined and reformatted into valid SCAP formats or human-readable formats. The output directory is used as a storage area for items generated by the files in the inputs directory. It should be empty in the repository, and built on users' individual systems (and rely on its .gitignore file to keep such files out). The output directory contains transitional output (which may only exist in order to be further transformed) as well as final output. The references directory should contain documents which are specified as references from within the SCAP content, or documents that are "seeds," viz. documents whose prose will be translated into SCAP formats, as well as other examples of SCAP content. The utils directory contains helper scripts and other items that are useful to developers but are not essential to producing the project's output. The dist directory contains final outputs, which could be shipped in an RPM for consumption by end-users. Updating the Makefile to copy an item from the outputs directory to the dist directory indicates that an item is considered a final output. 
scap-security-guide-0.1.39/debian8/checks/000077500000000000000000000000001327242345500202535ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/checks/oval/000077500000000000000000000000001327242345500212145ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/checks/oval/file_permissions_systemmap.xml000066400000000000000000000037311327242345500274160ustar00rootroot00000000000000 Verify that System.map files are readable only by root multi_platform_debian Checks that /boot/System.map-* are only readable by root. /boot ^System\.map.*$ 0 false false false false false false false false false false scap-security-guide-0.1.39/debian8/checks/oval/grub2_enable_iommu_force.xml000066400000000000000000000061631327242345500266570ustar00rootroot00000000000000 Force IOMMU usage in GRUB2 multi_platform_debian Look for argument iommu=force in the kernel line in /etc/default/grub. /etc/default/grub ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1 ^.*iommu=force.*$ /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT=.*$ 1 scap-security-guide-0.1.39/debian8/checks/oval/installed_OS_is_debian8.xml000066400000000000000000000032331327242345500264040ustar00rootroot00000000000000 Debian 8 multi_platform_debian The operating system installed on the system is Debian 8 /etc/debian_version /etc/debian_version ^8.[0-9]+$ 1 scap-security-guide-0.1.39/debian8/checks/oval/rsyslog_files_groupownership.xml000066400000000000000000000120521327242345500277750ustar00rootroot00000000000000 Confirm Existence and Permissions of System Log Files Debian 8 All syslog log files should be owned by the appropriate group. 
/etc/rsyslog.conf ^\$IncludeConfig[\s]+([^\s;]+) 1 %^/etc/rsyslog.conf$ ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ 1 regular 4 scap-security-guide-0.1.39/debian8/checks/oval/rsyslog_files_permissions.xml000066400000000000000000000125161327242345500272620ustar00rootroot00000000000000 Confirm Existence and Permissions of System Log Files Debian 8 File permissions for all syslog log files should be set correctly. /etc/rsyslog.conf ^\$IncludeConfig[\s]+([^\s;]+) 1 %^/etc/rsyslog.conf$ ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ 1 regular false true false false false false false scap-security-guide-0.1.39/debian8/checks/oval/syslogng_files_permissions.xml000066400000000000000000000066021327242345500274240ustar00rootroot00000000000000 Confirm Existence and Permissions of System Log Files Debian 8 File permissions for all syslog log files should be set correctly. /etc/syslog-ng syslog-ng.conf 0 false false false false false false false false /etc/syslog-ng ^conf.d/*$ 0 false false false false false false false false scap-security-guide-0.1.39/debian8/cpe/000077500000000000000000000000001327242345500175625ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/cpe/debian8-cpe-dictionary.xml000066400000000000000000000012111327242345500245210ustar00rootroot00000000000000 Debian release 8 (Jessie) installed_OS_is_debian8 scap-security-guide-0.1.39/debian8/fixes/000077500000000000000000000000001327242345500201315ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/fixes/.gitkeep000066400000000000000000000000001327242345500215500ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide.xslt000066400000000000000000000075211327242345500210310ustar00rootroot00000000000000 A conditional clause for check statements. A conditional clause for check statements. This is a placeholder. 
scap-security-guide-0.1.39/debian8/guide/000077500000000000000000000000001327242345500201105ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/guide.benchmark000066400000000000000000000054321327242345500230650ustar00rootroot00000000000000--- documentation_complete: true title: Guide to the Secure Configuration of status: draft description: | This guide presents a catalog of security-relevant configuration settings for . It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the config_item="scap-security-guide" package which is developed at .

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for , which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance. notice: id: terms_of_use description: | Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. front-matter: | The SCAP Security Guide Project
rear-matter: | Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. cpes: - version: 0.9 scap-security-guide-0.1.39/debian8/guide/services/000077500000000000000000000000001327242345500217335ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/services/apt/000077500000000000000000000000001327242345500225175ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/services/apt/apt.group000066400000000000000000000004731327242345500243650ustar00rootroot00000000000000documentation_complete: true title: 'APT service configuration' description: 'The apt service manages package installation and updates for the whole system. Its configuration needs to be properly defined to ensure timely security updates, package and repository authentication and proper lifecycle management.' scap-security-guide-0.1.39/debian8/guide/services/apt/apt_conf_disallow_unauthenticated.rule000066400000000000000000000007231327242345500323460ustar00rootroot00000000000000documentation_complete: true title: 'Disable unauthenticated repositories in APT configuration' description: 'Unauthenticated repositories should not be used for updates.' rationale: |- Repositories host all packages that will be installed on the system during an update. If a repository is not authenticated, the associated packages cannot be trusted and should not be installed locally. severity: unknown references: anssi: NT28(R15) scap-security-guide-0.1.39/debian8/guide/services/apt/apt_sources_list_official.rule000066400000000000000000000011171327242345500306260ustar00rootroot00000000000000documentation_complete: true title: 'Ensure that official distribution repositories are used' description: 'Check that the official Debian repositories, including the security repository, are configured in apt.'
rationale: |- The Debian distribution delivers DSAs (Debian Security Advisories) through the official Debian security repository to correct vulnerabilities affecting Debian packages. Using the official repositories is the best way to ensure that Debian updates are applied promptly. severity: unknown references: anssi: NT28(R15) scap-security-guide-0.1.39/debian8/guide/services/basics/000077500000000000000000000000001327242345500231775ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/services/basics/basics.group000066400000000000000000000004301327242345500255170ustar00rootroot00000000000000documentation_complete: true title: 'Generic required services' description: |- Some services need to be deployed in order to ensure basic verifications and reporting on GNU/Linux operating systems. Each of these services takes part in the administrability of the system. scap-security-guide-0.1.39/debian8/guide/services/basics/package_auditd_installed.rule000066400000000000000000000006251327242345500310570ustar00rootroot00000000000000documentation_complete: true title: 'Install the auditd service' description: 'The auditd service should be installed.' rationale: 'The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, as a complement to any local access control policy such as an SELinux policy.' severity: medium identifiers: cce: "" references: anssi: NT28(R50) scap-security-guide-0.1.39/debian8/guide/services/basics/package_cron_installed.rule000066400000000000000000000006741327242345500305500ustar00rootroot00000000000000documentation_complete: true title: 'Install the cron service' description: 'The Cron service should be installed.' rationale: 'The cron service allows periodic job execution, needed for almost all administrative tasks and services (software updates, log rotation, etc.). Access to the cron service should be restricted to administrative accounts only.'
severity: medium identifiers: cce: "" references: anssi: NT28(R50) nist: CM-7 scap-security-guide-0.1.39/debian8/guide/services/basics/package_ntp_installed.rule000066400000000000000000000007761327242345500304130ustar00rootroot00000000000000documentation_complete: true title: 'Install the ntp service' description: 'The ntpd service should be installed.' rationale: 'Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptography-based services such as authentication, etc.). ntpd is regularly maintained and updated, and supports security features such as RFC 5906 (NTP Autokey).' severity: high identifiers: cce: "" references: anssi: NT012(R03) disa: 160 nist: AU-8(1) pcidss: Req-10.4 scap-security-guide-0.1.39/debian8/guide/services/basics/service_auditd_enabled.rule000066400000000000000000000011701327242345500305330ustar00rootroot00000000000000documentation_complete: true title: 'Enable the auditd service' description: 'The auditd service should be enabled.' rationale: 'The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, as a complement to any local access control policy such as an SELinux policy.' severity: medium identifiers: cce: "" references: anssi: NT28(R50) disa: 347,157,172,880,1353,1462,1487,1115,1454,067,158,831,1190,1312,1263,130,120,1589 nist: AC-17(1),AU-1(b),AU-10,AU-12(a),AU-12(c),IR-5 pcidss: Req-10 ocil: '' scap-security-guide-0.1.39/debian8/guide/services/basics/service_cron_enabled.rule000066400000000000000000000006441327242345500302270ustar00rootroot00000000000000documentation_complete: true title: 'Enable the cron service' description: 'The Cron service should be enabled.' rationale: 'The cron service allows periodic job execution, needed for almost all administrative tasks and services (software updates, log rotation, etc.). Access to the cron service should be restricted to administrative accounts only.'
severity: medium identifiers: cce: "" references: nist: CM-7 scap-security-guide-0.1.39/debian8/guide/services/basics/service_ntp_enabled.rule000066400000000000000000000010711327242345500300620ustar00rootroot00000000000000documentation_complete: true title: 'Enable the ntpd service' description: 'The ntpd service should be enabled.' rationale: 'Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptography-based services such as authentication, etc.). ntpd is regularly maintained and updated, and supports security features such as RFC 5906 (NTP Autokey).' severity: high identifiers: cce: "" references: anssi: NT012(R03) disa: 160 nist: AU-8(1) pcidss: Req-10.4 ocil: '' scap-security-guide-0.1.39/debian8/guide/services/deprecated/000077500000000000000000000000001327242345500240335ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/services/deprecated/deprecated.group000066400000000000000000000005041327242345500272100ustar00rootroot00000000000000documentation_complete: true title: 'Deprecated services' description: |- Some deprecated software services impact the overall system security due to their behavior (loss of confidentiality in network exchanges, usage as an uncontrolled communication channel, risk associated with the service due to its age, etc.). scap-security-guide-0.1.39/debian8/guide/services/deprecated/package_inetutils-telnetd_removed.rule000066400000000000000000000007121327242345500335750ustar00rootroot00000000000000documentation_complete: true title: 'Uninstall the inet-based telnet server' description: 'The inet-based telnet daemon should be uninstalled.' rationale: 'telnet uses clear-text communication and does not protect any data transmitted between client and server. Any confidential data can be eavesdropped on, and no integrity checking is performed.'
severity: high identifiers: cce: "" references: anssi: NT007(R03) disa: "" nist: AC-17(8),CM-7 scap-security-guide-0.1.39/debian8/guide/services/deprecated/package_nis_removed.rule000066400000000000000000000006271327242345500307160ustar00rootroot00000000000000documentation_complete: true title: 'Uninstall the nis package' description: 'The support for Yellowpages should not be installed unless it is required.' rationale: |- NIS is the historical Sun service for central account management, increasingly replaced by LDAP. NIS does not efficiently support security constraints such as ACLs and should not be used. severity: low identifiers: cce: "" scap-security-guide-0.1.39/debian8/guide/services/deprecated/package_ntpdate_removed.rule000066400000000000000000000006131327242345500315570ustar00rootroot00000000000000documentation_complete: true title: 'Uninstall the ntpdate package' description: 'ntpdate is a historical NTP synchronization client for Unix systems. It should be uninstalled.' rationale: 'ntpdate is an old NTP client that does not support the NTP security mechanisms. It should be replaced by a modern NTP client such as ntpd, which can use the cryptographic mechanisms integrated in NTP.' severity: low identifiers: cce: "" scap-security-guide-0.1.39/debian8/guide/services/deprecated/package_telnetd-ssl_removed.rule000066400000000000000000000006171327242345500323620ustar00rootroot00000000000000documentation_complete: true title: 'Uninstall the ssl compliant telnet server' description: 'The telnet daemon, even with ssl support, should be uninstalled.' rationale: 'telnet, even with SSL support, should not be installed. When a remote shell is required, an up-to-date SSH daemon can be used instead.'
severity: high identifiers: cce: "" references: anssi: NT007(R02) nist: AC-17(8),CM-7 scap-security-guide-0.1.39/debian8/guide/services/deprecated/package_telnetd_removed.rule000066400000000000000000000006641327242345500315650ustar00rootroot00000000000000documentation_complete: true title: 'Uninstall the telnet server' description: 'The telnet daemon should be uninstalled.' rationale: 'telnet uses clear-text communication and does not protect any data transmitted between client and server. Any confidential data can be eavesdropped on, and no integrity checking is performed.' severity: high identifiers: cce: "" references: anssi: NT007(R03) disa: "" nist: AC-17(8),CM-7 scap-security-guide-0.1.39/debian8/guide/services/services.group000066400000000000000000000013741327242345500246410ustar00rootroot00000000000000documentation_complete: true title: Services description: |- The best protection against vulnerable software is running less software. This section describes how to review the software which is installed on a system and disable software which is not needed. It then enumerates the software packages installed on a default system and provides guidance about which ones can be safely disabled.

 provides a convenient minimal install option that essentially installs the bare necessities for a functional system. When building systems, it is highly recommended to select the minimal packages and then build up the system from there. scap-security-guide-0.1.39/debian8/guide/services/ssh/000077500000000000000000000000001327242345500225305ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/services/ssh/service_sshd_disabled.rule000066400000000000000000000005741327242345500277370ustar00rootroot00000000000000documentation_complete: true title: 'Disable SSH Server if possible (unusual cases)' description: |- Most of the time, the SSH server is needed. However, if it can be disabled, do so. This is unusual, as SSH is a common method for encrypted and authenticated remote access. rationale: "" severity: unknown scap-security-guide-0.1.39/debian8/guide/services/ssh/ssh.group000066400000000000000000000014271327242345500244070ustar00rootroot00000000000000documentation_complete: true title: 'SSH Server' description: |- The SSH protocol is recommended for remote access (remote login and secure remote file transfer). SSH provides both confidentiality and integrity for exchanged data but needs to be configured properly in terms of:
Cryptography usage, according to the current CVEs associated with the various cryptographic modes
Authentication and authorization, depending on your needs but requiring some specific initial security
considerations when writing the OpenSSH configuration. More detailed information is available from the OpenSSH project's website . The Debian package for the server side implementation is called openssh-server. scap-security-guide-0.1.39/debian8/guide/services/ssh/ssh_server/000077500000000000000000000000001327242345500247135ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/services/ssh/ssh_server/ssh_server.group000066400000000000000000000006151327242345500301560ustar00rootroot00000000000000documentation_complete: true title: 'Configure OpenSSH Server if deployed' description: |- If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file /etc/ssh/sshd_config. The following recommendations can be applied to this file. See the sshd_config(5) man page for more detailed information. scap-security-guide-0.1.39/debian8/guide/services/ssh/ssh_server/sshd_allow_only_protocol2.rule000066400000000000000000000014441327242345500330120ustar00rootroot00000000000000documentation_complete: true title: 'Allow Only SSH Protocol 2' description: |- Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:
Protocol 2
rationale: |- SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used. severity: high identifiers: cce: "" references: anssi: NT007(R1) nist: AC-17(7),IA-5(1)(c) ocil_clause: 'it is not' ocil: |- To check which SSH protocol version is allowed, run the following command:
$ sudo grep Protocol /etc/ssh/sshd_config
If configured properly, output should be
Protocol 2
scap-security-guide-0.1.39/debian8/guide/services/ssh/ssh_server/sshd_disable_empty_passwords.rule000066400000000000000000000015031327242345500335520ustar00rootroot00000000000000documentation_complete: true title: 'Disable SSH Access via Empty Passwords' description: |- To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. rationale: |- Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. severity: high identifiers: cce: "" references: anssi: NT007(R17) nist: AC-3 ocil: '' scap-security-guide-0.1.39/debian8/guide/services/ssh/ssh_server/sshd_disable_root_login.rule000066400000000000000000000012661327242345500324700ustar00rootroot00000000000000documentation_complete: true title: 'Disable SSH Root Login' description: |- The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
PermitRootLogin no
rationale: |- Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password. severity: medium identifiers: cce: "" references: anssi: NT007(R21) nist: AC-3,AC-6(2),IA-2(1) ocil: '' scap-security-guide-0.1.39/debian8/guide/services/ssh/ssh_server/sshd_set_idle_timeout.rule000066400000000000000000000024151327242345500321650ustar00rootroot00000000000000documentation_complete: true title: 'Set SSH Idle Timeout Interval' description: |- SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval interval
The timeout interval is given in seconds. To have a timeout of 15 minutes, set interval to 900.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. rationale: |- Causing idle users to be automatically logged out guards against compromises on one system leading trivially to compromises on another. severity: unknown identifiers: cce: "" references: nist: AC-2(5),SA-8 pcidss: Req-8.1.8 ocil_clause: 'it is not' ocil: |- Run the following command to see what the timeout interval is:
$ sudo grep ClientAliveInterval /etc/ssh/sshd_config
If properly configured, the output should be:
ClientAliveInterval 900
scap-security-guide-0.1.39/debian8/guide/services/ssh/ssh_server/sshd_set_keepalive.rule000066400000000000000000000014201327242345500314420ustar00rootroot00000000000000documentation_complete: true title: 'Set SSH Client Alive Count' description: |- To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval expires, edit /etc/ssh/sshd_config as follows:
ClientAliveCountMax 0
rationale: |- This ensures a user login will be terminated as soon as the ClientAliveInterval has passed without a response from the client. severity: unknown identifiers: cce: "" references: nist: AC-2(5),SA-8 ocil_clause: 'it is not' ocil: |- To ensure the SSH idle timeout will occur when the ClientAliveInterval expires, run the following command:
$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
If properly configured, output should be:
ClientAliveCountMax 0
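The five sshd_config settings in the SSH server rules above (Protocol, PermitEmptyPasswords, PermitRootLogin, ClientAliveInterval, ClientAliveCountMax) can be audited together. The script below is an added example and not part of scap-security-guide: it assumes the expected values stated in the rules and takes the configuration path as a parameter so that it can run against constructed files. Unlike the plain grep shown in the OCIL text, it applies sshd's own first-match semantics, skips comments and stops at the first Match block, so a commented-out or shadowed directive is not mistaken for the effective one. Two version caveats: the unset-Protocol default of 2 and the ClientAliveCountMax 0 expectation are correct for the OpenSSH 6.7 shipped with Debian 8, but server support for protocol 1 was removed entirely in OpenSSH 7.4, and since OpenSSH 8.2 a ClientAliveCountMax of 0 disables keepalive-based disconnection instead of enforcing it, so both expectations must be revisited when the same rules are applied to a later release.

```shell
#!/bin/sh
# Added example, not code from scap-security-guide: audit an sshd_config
# against the five settings the Debian 8 SSH rules call for. Assumed: the
# expected values are the ones given in the rules, and the config path is a
# parameter so the functions can be run on a constructed file.

# sshd_effective CONFIG KEYWORD: print the value sshd would use for KEYWORD.
# Per sshd_config(5) the first obtained value for a keyword wins, keywords
# are case-insensitive, and directives after a "Match" line are conditional,
# so only the global section before the first Match is consulted.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }             # comment line
        tolower($1) == "match" { exit }             # end of the global section
        tolower($1) == key     { print $2; exit }   # first occurrence wins
    ' "$1"
}

# sshd_audit CONFIG: print a FAIL line per non-compliant keyword, return 1 if any.
sshd_audit() {
    rc=0
    for pair in Protocol=2 PermitEmptyPasswords=no PermitRootLogin=no \
                ClientAliveInterval=900 ClientAliveCountMax=0; do
        kw=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$1" "$kw")
        # OpenSSH 6.7 (Debian 8) uses protocol 2 when Protocol is unset,
        # which is why the rule text says the default is already correct.
        if [ "$kw" = Protocol ] && [ -z "$got" ]; then
            got=2
        fi
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: want %s, got %s\n' "$kw" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# sshd_demo: run the audit over two constructed files (not real system config).
sshd_demo() {
    weak=$(mktemp)
    hard=$(mktemp)
    cat >"$weak" <<'EOF'
# Constructed weak configuration: the second PermitRootLogin is ignored by sshd.
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords yes
ClientAliveInterval 0
EOF
    cat >"$hard" <<'EOF'
# Constructed hardened configuration; the Match block must not affect the result.
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
ClientAliveInterval 900
ClientAliveCountMax 0
Match User backup
    PermitRootLogin yes
EOF
    echo "== weak =="
    sshd_audit "$weak" || echo "weak config rejected"
    echo "== hardened =="
    sshd_audit "$hard" && echo "hardened config accepted"
    rm -f "$weak" "$hard"
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config   (no argument runs the demo)
if [ $# -gt 0 ]; then sshd_audit "$1"; else sshd_demo; fi
```

The expected values are deliberately hard-coded to the rule text rather than taken from the sshd_idle_timeout_value variable; when a profile selects a different idle time, change the ClientAliveInterval=900 pair to match the selected option.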
scap-security-guide-0.1.39/debian8/guide/services/ssh/sshd_idle_timeout_value.var000066400000000000000000000004511327242345500301420ustar00rootroot00000000000000documentation_complete: true title: 'SSH session Idle time' description: 'Specify duration of allowed idle time.' type: number operator: equals interactive: false options: 10_minutes: 600 120_minutes: 7200 15_minutes: 900 5_minutes: 300 60_minutes: 3600 default: 300 scap-security-guide-0.1.39/debian8/guide/services/ssh/sshd_required.var000066400000000000000000000013111327242345500260770ustar00rootroot00000000000000documentation_complete: true title: 'SSH is required to be installed' description: |- Specify if the Policy requires SSH to be installed. Used by SSH Rules to determine if SSH should be uninstalled or configured.
A value of 0 means that the policy doesn't care if the OpenSSH server is installed or not. If it is installed, the scanner will check its configuration; if it is not installed, the check will pass.
A value of 1 indicates that OpenSSH server package is not required by the policy;
A value of 2 indicates that OpenSSH server package is required by the policy.
type: number operator: equals interactive: false options: default: "0" no: 1 yes: 2 scap-security-guide-0.1.39/debian8/guide/system/000077500000000000000000000000001327242345500214345ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/system/accounts/000077500000000000000000000000001327242345500232535ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/system/accounts/accounts-restrictions/000077500000000000000000000000001327242345500276205ustar00rootroot00000000000000accounts-restrictions.group000066400000000000000000000012511327242345500351630ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/system/accounts/accounts-restrictionsdocumentation_complete: true title: 'Protect Accounts by Restricting Password-Based Login' description: |- Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the /etc/passwd and /etc/shadow files. Password-based login is vulnerable to guessing of weak passwords, and to sniffing and man-in-the-middle attacks against passwords entered over a network or at an insecure console. Therefore, mechanisms for accessing accounts by entering usernames and passwords should be restricted to those which are operationally necessary. scap-security-guide-0.1.39/debian8/guide/system/accounts/accounts.group000066400000000000000000000010611327242345500261460ustar00rootroot00000000000000documentation_complete: true title: 'Account and Access Control' description: |- In traditional Unix security, if an attacker gains shell access to a certain login account, they can perform any action or access any file to which that account has access. Therefore, making it more difficult for unauthorized people to gain shell access to accounts, particularly to privileged accounts, is a necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under . 
scap-security-guide-0.1.39/debian8/guide/system/fs-part/000077500000000000000000000000001327242345500230105ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/system/fs-part/fs-part.group000066400000000000000000000007411327242345500254440ustar00rootroot00000000000000documentation_complete: true title: 'Hardening the filesystem' description: |- Hardening the filesystem and its usage is an effective way to ensure separation of services, data and configuration while allowing more precise management of filesystem-level access rights, including the deactivation of specific rights at the filesystem level. Moreover, the Linux virtual filesystem supports various hardening mechanisms that can be set using sysctl. scap-security-guide-0.1.39/debian8/guide/system/fs-part/fs-restrict/000077500000000000000000000000001327242345500252555ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/system/fs-part/fs-restrict/fs-restrict.group000066400000000000000000000006551327242345500306060ustar00rootroot00000000000000documentation_complete: true title: 'filesystem rights management' description: |- Adding filesystem-specific hardening seriously limits exploitation vectors based on invalid filesystem usage, such as invalid file types in invalid places (device nodes or setuid root files on external media, executable files on insecure filesystems, etc.). Some of these hardening measures require an appropriate system partitioning. sysctl_fs_protected_hardlinks.rule000066400000000000000000000010621327242345500342070ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/system/fs-part/fs-restrictdocumentation_complete: true title: 'Disallow creating hardlinks to a file you do not own' description: 'Set the kernel parameter fs.protected_hardlinks to 1 (for example with sysctl), so that a user can only create hard links to files they own or have read and write access to.' rationale: |- Disallowing such hardlinks mitigates vulnerabilities based on insecure filesystems accessed by privileged programs, removing an exploitation vector that abuses unsafe use of open() or creat().
severity: unknown

references:
    anssi: NT28(R23)
    cis: 1.6.1
    nist: SI-11

ocil: ''

# --- file: debian8/guide/system/fs-part/fs-restrict/sysctl_fs_protected_symlinks.rule ---
documentation_complete: true

title: 'Disallow creating symlinks to a file you do not own'

description: ''

rationale: |-
    Disallowing such symlinks mitigates vulnerabilities based on insecure
    filesystems accessed by privileged programs, removing an exploitation
    vector that relies on unsafe use of open() or creat().

severity: unknown

references:
    anssi: NT28(R23)
    cis: 1.6.1
    nist: SI-11

ocil: ''

# --- file: debian8/guide/system/fs-part/installation-storage-partitioning/installation-storage-partitioning.group ---
documentation_complete: true

title: Partitioning

description: |-
    Placing the various locations of the filesystem hierarchy on separate
    partitions allows a more restrictive segregation of one location from
    another. Moreover, partitioning provides some restrictions natively, such as
    the impossibility of hard links across filesystems, and limits the impact
    of corruption to the affected filesystem instead of the entire system. A
    further gain is to allow a differentiated use of storage media, depending
    on operational needs (speed, resilience, etc.).
# --- file: debian8/guide/system/fs-part/installation-storage-partitioning/partition_for_home.rule ---
documentation_complete: true

title: 'Ensure /home Located On Separate Partition'

description: |-
    If user home directories will be stored locally, create a separate partition
    for /home at installation time (or migrate it later using LVM). If /home
    will be mounted from another system such as an NFS server, then creating a
    separate partition is not necessary at installation time, and the
    mountpoint can instead be configured later.

rationale: |-
    Ensuring that /home is mounted on its own partition enables the setting of
    more restrictive mount options, and also helps ensure that users cannot
    trivially fill partitions used for log or audit data storage.

severity: unknown

references:
    anssi: NT28(R12)
    disa: 1208
    nist: SC-32

ocil: ''

# --- file: debian8/guide/system/fs-part/installation-storage-partitioning/partition_for_srv.rule ---
documentation_complete: true

title: 'Ensure /srv Located On Separate Partition'

description: |-
    If a file server (FTP, TFTP...) is hosted locally, create a separate
    partition for /srv at installation time (or migrate it later using LVM).
    If /srv will be mounted from another system such as an NFS server, then
    creating a separate partition is not necessary at installation time, and
    the mountpoint can instead be configured later.

rationale: |-
    /srv holds the files served by a local network file server such as FTP.
    Ensuring that /srv is mounted on its own partition enables the setting of
    more restrictive mount options, and also helps ensure that users cannot
    trivially fill partitions used for log or audit data storage.
severity: unknown

references:
    anssi: NT28(R12)

ocil: ''

# --- file: debian8/guide/system/fs-part/installation-storage-partitioning/partition_for_tmp.rule ---
documentation_complete: true

title: 'Ensure /tmp Located On Separate Partition'

description: |-
    The /tmp directory is a world-writable directory used for temporary file
    storage. Ensure it has its own partition or logical volume at installation
    time, or migrate it using LVM (when non-ephemeral storage is needed), or
    use tmpfs if possible.

rationale: |-
    The /tmp partition is used as temporary storage by many programs. Placing
    /tmp in its own partition enables the setting of more restrictive mount
    options, which can help protect programs which use it.

severity: unknown

references:
    anssi: NT28(R12)
    nist: SC-32

ocil: ''

# --- file: debian8/guide/system/fs-part/installation-storage-partitioning/partition_for_var.rule ---
documentation_complete: true

title: 'Ensure /var Located On Separate Partition'

description: |-
    The /var directory is used by daemons and other system services to store
    frequently-changing data. Ensure that /var has its own partition or logical
    volume at installation time, or migrate it using LVM.

rationale: |-
    Ensuring that /var is mounted on its own partition enables the setting of
    more restrictive mount options. This helps protect system services such as
    daemons or other programs which use it. It is not uncommon for the /var
    directory to contain world-writable directories installed by other software
    packages.
severity: unknown

references:
    anssi: NT28(R12)
    nist: SC-32

ocil: ''

# --- file: debian8/guide/system/fs-part/installation-storage-partitioning/partition_for_var_log.rule ---
documentation_complete: true

title: 'Ensure /var/log Located On Separate Partition'

description: |-
    System logs are stored in the /var/log directory. Ensure that it has its
    own partition or logical volume at installation time, or migrate it using
    LVM.

rationale: |-
    Placing /var/log in its own partition enables better separation between
    log files and other files in /var/.

severity: unknown

references:
    anssi: NT28(R12),NT28(R47)
    disa: ""
    nist: AU-9,SC-32

ocil: ''

# --- file: debian8/guide/system/fs-part/installation-storage-partitioning/partition_for_var_log_audit.rule ---
documentation_complete: true

title: 'Ensure /var/log/audit Located On Separate Partition'

description: |-
    Audit logs are stored in the /var/log/audit directory. Ensure that it has
    its own partition or logical volume at installation time, or migrate it
    later using LVM. Make absolutely certain that it is large enough to store
    all audit logs that will be created by the auditing daemon.

rationale: |-
    Placing /var/log/audit in its own partition enables better separation
    between audit files and other files, and helps ensure that auditing cannot
    be halted due to the partition running out of space.
severity: unknown

references:
    disa: ""
    nist: AU-4,AU-9,SC-32

ocil: ''

# --- file: debian8/guide/system/hw-install/grub2_enable_iommu_force.rule ---
documentation_complete: true

title: 'IOMMU configuration directive'

description: |-
    On x86 architectures supporting VT-d, the IOMMU manages the access control
    policy between hardware devices and critical system units such as memory.

rationale: |-
    On x86 architectures, activating the IOMMU protects the system from
    arbitrary memory accesses potentially made by hardware devices.

severity: unknown

references:
    anssi: NT28(R11)

# --- file: debian8/guide/system/hw-install/hw-install.group ---
documentation_complete: true

title: 'Hardening the hardware usage'

description: 'Hardware dependent, but effective against various risks.'
# --- file: debian8/guide/system/logging/ensure_rsyslog_log_file_configuration/ensure_rsyslog_log_file_configuration.group ---
documentation_complete: true

title: 'Ensure Proper Configuration of Log Files'

description: |-
    The file /etc/rsyslog.conf controls where log messages are written. These
    are controlled by lines called rules, which consist of a selector and an
    action. These rules are often customized depending on the role of the
    system, the requirements of the environment, and whatever may enable the
    administrator to most effectively make use of log data. The default rules
    in Debian 8 are:

        auth,authpriv.*                 /var/log/auth.log
        *.*;auth,authpriv.none          -/var/log/syslog
        daemon.*                        -/var/log/daemon.log
        kern.*                          -/var/log/kern.log
        lpr.*                           -/var/log/lpr.log
        mail.*                          -/var/log/mail.log
        user.*                          -/var/log/user.log
        mail.info                       -/var/log/mail.info
        mail.warn                       -/var/log/mail.warn
        mail.err                        /var/log/mail.err
        news.crit                       /var/log/news/news.crit
        news.err                        /var/log/news/news.err
        news.notice                     -/var/log/news/news.notice

    See the man page rsyslog.conf(5) for more information. Note that the
    rsyslog daemon is configured to use traditional timestamping so that its
    output is understood by any log processing program. For high-precision
    timestamping, comment out the following line in /etc/rsyslog.conf:

        $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# --- file: debian8/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var ---
documentation_complete: true

title: 'Group who owns log files'

description: |-
    Specify the group owner of all log files specified in /etc/rsyslog.conf.

type: string
operator: equals
interactive: false
options:
    adm: adm

# --- file: debian8/guide/system/logging/ensure_rsyslog_log_file_configuration/file_owner_logfiles_value.var ---
documentation_complete: true

title: 'User who owns log files'

description: |-
    Specify the user owner of all log files specified in /etc/rsyslog.conf.

type: string
operator: equals
interactive: false
options:
    root: root

# --- file: debian8/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership.rule ---
documentation_complete: true

title: 'Ensure Log Files Are Owned By Appropriate Group'

description: |-
    The group-owner of all log files written by rsyslog should be adm. These
    log files are determined by the second part of each Rule line in
    /etc/rsyslog.conf and typically all appear in /var/log. For each log file
    LOGFILE referenced in /etc/rsyslog.conf, run the following command to
    inspect the file's group owner:

        $ ls -l LOGFILE

    If the group-owner is not adm, run the following command to correct this:

        $ sudo chgrp adm LOGFILE

rationale: |-
    The log files generated by rsyslog contain valuable information regarding
    system configuration, user authentication, and other such information.
    Log files should be protected from unauthorized access.

severity: medium

references:
    anssi: NT28(R46),NT28(R5)
    disa: 1314
    nist: AC-6,SI-11
    pcidss: Req-10.5.1,Req-10.5.2

ocil_clause: 'the group-owner is not adm'

ocil: |-
    The group-owner of all log files written by rsyslog should be adm. These
    log files are determined by the second part of each Rule line in
    /etc/rsyslog.conf and typically all appear in /var/log. To see the
    group-owner of a given log file, run the following command:

        $ ls -l LOGFILE

# --- file: debian8/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership.rule ---
documentation_complete: true

title: 'Ensure Log Files Are Owned By Appropriate User'

description: |-
    The owner of all log files written by rsyslog should be root. These log
    files are determined by the second part of each Rule line in
    /etc/rsyslog.conf and typically all appear in /var/log. For each log file
    LOGFILE referenced in /etc/rsyslog.conf, run the following command to
    inspect the file's owner:

        $ ls -l LOGFILE

    If the owner is not root, run the following command to correct this:

        $ sudo chown root LOGFILE

rationale: |-
    The log files generated by rsyslog contain valuable information regarding
    system configuration, user authentication, and other such information.
    Log files should be protected from unauthorized access.

severity: medium

references:
    anssi: NT28(R46),NT28(R5)
    disa: 1314
    nist: AC-6,SI-11
    pcidss: Req-10.5.1,Req-10.5.2

ocil_clause: 'the owner is not root'

ocil: |-
    The owner of all log files written by rsyslog should be root. These log
    files are determined by the second part of each Rule line in
    /etc/rsyslog.conf and typically all appear in /var/log. To see the owner
    of a given log file, run the following command:

        $ ls -l LOGFILE
# --- file: debian8/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions.rule ---
documentation_complete: true

title: 'Ensure System Log Files Have Correct Permissions'

description: |-
    The file permissions for all log files written by rsyslog should be set to
    640, or more restrictive. These log files are determined by the second
    part of each Rule line in /etc/rsyslog.conf and typically all appear in
    /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run
    the following command to inspect the file's permissions:

        $ ls -l LOGFILE

    If the permissions are not 640 or more restrictive, run the following
    command to correct this:

        $ sudo chmod 0640 LOGFILE

rationale: |-
    Log files can contain valuable information regarding system configuration.
    If the system log files are not protected, unauthorized users could change
    the logged data, eliminating their forensic value.

severity: medium

references:
    anssi: NT28(R36)
    cis: 5.1.4
    disa: 1314
    nist: SI-11
    pcidss: Req-10.5.1,Req-10.5.2

ocil_clause: 'the permissions are not correct'

ocil: |-
    The file permissions for all log files written by rsyslog should be set to
    640, or more restrictive. These log files are determined by the second
    part of each Rule line in /etc/rsyslog.conf and typically all appear in
    /var/log. To see the permissions of a given log file, run the following
    command:

        $ ls -l LOGFILE

    The permissions should be 640, or more restrictive.

# --- file: debian8/guide/system/logging/log_rotation/ensure_logrotate_activated.rule ---
documentation_complete: true

title: 'Ensure Logrotate Runs Periodically'

description: |-
    The logrotate utility allows for the automatic rotation of log files. The
    frequency of rotation is specified in /etc/logrotate.conf, which triggers
    a cron task. To configure logrotate to run daily, add or correct the
    following line in /etc/logrotate.conf:

        # rotate log files frequency
        daily

rationale: |-
    Log files that are not properly rotated run the risk of growing so large
    that they fill up the /var/log partition. Valuable logging information
    could be lost if the /var/log partition becomes full.

severity: unknown

references:
    disa: 366
    nist: AU-9
    pcidss: Req-10.7

ocil_clause: 'logrotate is not configured to run daily'

ocil: |-
    To determine the status and frequency of logrotate, run the following
    command:

        $ sudo grep logrotate /var/log/cron*

    If logrotate is configured properly, the output should include references
    to /etc/cron.daily.

# --- file: debian8/guide/system/logging/log_rotation/log_rotation.group ---
documentation_complete: true

title: 'Ensure All Logs are Rotated by logrotate'

description: |-
    Edit the file /etc/logrotate.d/rsyslog. Find the first line, which should
    look like this (wrapped for clarity):
        /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
              /var/log/boot.log /var/log/cron {

    Edit this line so that it contains a one-space-separated listing of each
    log file referenced in /etc/rsyslog.conf.

    All logs in use on a system must be rotated regularly, or the log files
    will consume disk space over time, eventually interfering with system
    operation. The file /etc/logrotate.d/rsyslog is the configuration file
    used by the logrotate program to maintain all log files written by syslog.
    By default, it rotates logs weekly and stores four archival copies of each
    log. These settings can be modified by editing /etc/logrotate.conf, but
    the defaults are sufficient for the purposes of this guide.

    Note that logrotate is run nightly by the cron job
    /etc/cron.daily/logrotate. If particularly active logs need to be rotated
    more often than once a day, some other mechanism must be used.

# --- file: debian8/guide/system/logging/logging.group ---
documentation_complete: true

title: 'Configure Syslog'

description: |-
    The syslog service has been the default Unix logging mechanism for many
    years. It has a number of downsides, including inconsistent log format,
    lack of authentication for received messages, and lack of authentication,
    encryption, or reliable transport for messages sent over a network.
    However, due to its long history, syslog is a de facto standard which is
    supported by almost all Unix applications.

    In Debian Jessie, rsyslog has replaced syslog as the syslog daemon of
    choice, and it includes some additional security features such as
    reliable, connection-oriented (i.e. TCP) transmission of logs, the option
    to log to database formats, and the encryption of log data en route to a
    central logging server. This section discusses how to configure rsyslog
    for best effect, and how to use tools provided with the system to maintain
    and monitor logs. It is also possible to install syslog-ng to manage local
    and server-side logging services. Both are covered here, to let the
    administrator choose.

# --- file: debian8/guide/system/logging/package_rsyslog_installed.rule ---
documentation_complete: true

title: 'Ensure rsyslog is Installed'

description: |-
    Rsyslog is installed by default.

rationale: |-
    The rsyslog package provides the rsyslog daemon, which provides system
    logging services.

severity: medium

references:
    anssi: NT28(R46),NT28(R5)
    cis: 5.1.1
    disa: 1311,1312
    nist: AU-9(2)

ocil_clause: 'the package is not installed'

ocil: ''

# --- file: debian8/guide/system/logging/rsyslog_accepting_remote_messages/package_syslogng_installed.rule ---
documentation_complete: true

title: 'Ensure syslog-ng is Installed'

description: |-
    syslog-ng can be installed as a replacement for rsyslog.

rationale: |-
    The syslog-ng-core package provides the syslog-ng daemon, which provides
    system logging services.
severity: medium

references:
    anssi: NT28(R46),NT28(R5)
    cis: 5.1.1
    disa: 1311,1312
    nist: AU-9(2)

ocil_clause: 'the package is not installed'

ocil: ''

# --- file: debian8/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp.rule ---
documentation_complete: true

title: 'Enable rsyslog to Accept Messages via TCP, if Acting As Log Server'

description: |-
    The rsyslog daemon should not accept remote messages unless the system
    acts as a log server. If the system needs to act as a central log server,
    add the following lines to /etc/rsyslog.conf to enable reception of
    messages over TCP:

        $ModLoad imtcp
        $InputTCPServerRun 514

rationale: |-
    If the system needs to act as a log server, this ensures that it can
    receive messages over a reliable TCP connection.

severity: unknown

references:
    cis: 5.1.6
    nist: AU-9

# --- file: debian8/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp.rule ---
documentation_complete: true

title: 'Enable rsyslog to Accept Messages via UDP, if Acting As Log Server'

description: |-
    The rsyslog daemon should not accept remote messages unless the system
    acts as a log server. If the system needs to act as a central log server,
    add the following lines to /etc/rsyslog.conf to enable reception of
    messages over UDP:

        $ModLoad imudp
        $UDPServerRun 514

rationale: |-
    Many devices, such as switches, routers, and other Unix-like systems, may
    only support the traditional syslog transmission over UDP. If the system
    must act as a log server, this enables it to receive their messages as
    well.

severity: unknown

references:
    cis: 5.1.6
    nist: AU-9

# --- file: debian8/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accepting_remote_messages.group ---
documentation_complete: true

title: 'Configure rsyslogd to Accept Remote Messages If Acting as a Log Server'

description: |-
    By default, rsyslog does not listen over the network for log messages. If
    needed, modules can be enabled to allow the rsyslog daemon to receive
    messages from other systems and for the system thus to act as a log
    server. If the machine is not a log server, then lines concerning these
    modules should remain commented out.
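An added example, not part of the scap-security-guide project's own checks, that turns the rsyslog log-file rules above (owner root, group adm, permissions 640 or tighter) and the TCP/UDP reception rules into a small Python audit: it parses the rule lines of an rsyslog.conf to find the log files, reports which listener modules are active, and checks each file's owner, group and mode. The sample configuration and file metadata are constructed for the demonstration; the adm gid of 4 and the `audit_host` helper assume a Debian host.

```python
import os
import stat

# Legacy-syntax directives that enable network reception (TCP and UDP rules).
TCP_DIRECTIVES = ("$ModLoad imtcp", "$InputTCPServerRun")
UDP_DIRECTIVES = ("$ModLoad imudp", "$UDPServerRun")

# Constructed sample rsyslog.conf: a subset of the Debian 8 default rules quoted
# above, with the TCP listener enabled and the UDP listener left commented out.
SAMPLE_CONF = """\
#$ModLoad imudp
#$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
auth,authpriv.*\t\t\t/var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
mail.err                        /var/log/mail.err
*.emerg                         :omusrmsg:*
*.* @@loghost.example.com
"""

# Constructed metadata for the sample log files: path -> (mode bits, uid, gid).
# /var/log/mail.err is deliberately absent to exercise the missing-file case.
SAMPLE_FILES = {
    "/var/log/auth.log": (0o640, 0, 4),       # compliant
    "/var/log/syslog": (0o644, 0, 4),         # world-readable
    "/var/log/daemon.log": (0o640, 1000, 4),  # not owned by root
    "/var/log/kern.log": (0o640, 0, 0),       # group root instead of adm
}


def active_lines(conf_text):
    """Lines rsyslog would act on: stripped, non-empty, not comments."""
    stripped = (raw.strip() for raw in conf_text.splitlines())
    return [line for line in stripped if line and not line.startswith("#")]


def rsyslog_logfiles(conf_text):
    """Log files named by the action part of each '<selector> <action>' rule.

    Only absolute paths count; a leading '-' (asynchronous write) is dropped.
    Directives ('$...'), remote hosts ('@...', ':omrelp:...') and user
    messages (':omusrmsg:...') are skipped.
    """
    files = []
    for line in active_lines(conf_text):
        parts = line.split(None, 1)
        if line.startswith("$") or len(parts) != 2:
            continue
        action = parts[1].strip().lstrip("-")
        if action.startswith("/") and action not in files:
            files.append(action)
    return files


def remote_reception(conf_text):
    """Whether the TCP and UDP listeners are each both loaded and started."""
    lines = active_lines(conf_text)

    def enabled(directives):
        return all(any(l.startswith(d) for l in lines) for d in directives)

    return {"tcp": enabled(TCP_DIRECTIVES), "udp": enabled(UDP_DIRECTIVES)}


def audit_logfile(path, mode, uid, gid, owner_uid=0, group_gid=4, max_mode=0o640):
    """Findings for one log file (empty list = compliant).

    Defaults follow the rules above: owner root (uid 0), group adm (gid 4 on
    Debian), and no permission bit set outside 0640, which also rejects the
    setuid, setgid and sticky bits.
    """
    findings = []
    if uid != owner_uid:
        findings.append("%s: owner uid %d, expected %d" % (path, uid, owner_uid))
    if gid != group_gid:
        findings.append("%s: group gid %d, expected %d" % (path, gid, group_gid))
    if mode & ~max_mode:
        findings.append("%s: mode %04o is wider than %04o" % (path, mode, max_mode))
    return findings


def audit_conf(conf_text, files):
    """Audit every log file referenced by conf_text against the metadata map
    files {path: (mode, uid, gid)}; referenced files not in the map are reported."""
    findings = []
    for path in rsyslog_logfiles(conf_text):
        if path not in files:
            findings.append("%s: referenced in rsyslog.conf but not found" % path)
            continue
        findings.extend(audit_logfile(path, *files[path]))
    return findings


def audit_host(conf_path="/etc/rsyslog.conf"):
    """Audit the live host: read its rsyslog.conf and stat each referenced file."""
    with open(conf_path) as fh:
        conf_text = fh.read()
    files = {}
    for path in rsyslog_logfiles(conf_text):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # left out of the map so audit_conf reports it
        files[path] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return audit_conf(conf_text, files)
```

Running `audit_conf(SAMPLE_CONF, SAMPLE_FILES)` yields four findings (the world-readable syslog, the wrong owner and group on daemon.log and kern.log, and the missing mail.err); `audit_host()` performs the same audit against the local machine.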

# --- file: debian8/guide/system/logging/rsyslog_accepting_remote_messages/service_syslogng_enabled.rule ---
documentation_complete: true

title: 'Enable syslog-ng Service'

description: |-
    The syslog-ng service (installed as a replacement for rsyslog) provides
    syslog-style logging on Debian 8.

rationale: |-
    The syslog-ng service must be running in order to provide logging
    services, which are essential to system administration.

severity: medium

references:
    anssi: NT28(R46),NT28(R5)
    cis: 5.1.2
    disa: 1311,1312,1557,1851
    nist: AU-4(1),AU-12

ocil: ''

# --- file: debian8/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost.rule ---
documentation_complete: true

title: 'Ensure Logs Sent To Remote Host'

description: |-
    To configure rsyslog to send logs to a remote log server, open
    /etc/rsyslog.conf and read and understand the last section of the file,
    which describes the multiple directives necessary to activate remote
    logging. Along with these other directives, the system can be configured
    to forward its logs to a particular log server by adding or correcting
    one of the following lines, substituting loghost.example.com
    appropriately. The choice of protocol depends on the environment of the
    system; although TCP and RELP provide more reliable message delivery,
    they may not be supported in all environments.

    To use UDP for log message delivery:

        *.* @loghost.example.com

    To use TCP for log message delivery:

        *.* @@loghost.example.com

    To use RELP for log message delivery:

        *.* :omrelp:loghost.example.com

rationale: |-
    A log server (loghost) receives syslog messages from one or more systems.
    This data can be used as an additional log source in the event a system is
    compromised and its local logs are suspect. Forwarding log messages to a
    remote loghost also provides system administrators with a centralized
    place to view the status of multiple hosts within the enterprise.

severity: unknown

references:
    anssi: NT28(R5)
    cis: 5.1.5
    disa: 1348,136,1851
    nist: AU-3(2),AU-4(1),AU-9

ocil_clause: 'none of these are present'

ocil: |-
    To ensure logs are sent to a remote host, examine the file
    /etc/rsyslog.conf. If using UDP, a line similar to the following should
    be present:
        *.* @loghost.example.com

    If using TCP, a line similar to the following should be present:

        *.* @@loghost.example.com

    If using RELP, a line similar to the following should be present:

        *.* :omrelp:loghost.example.com

# --- file: debian8/guide/system/logging/rsyslog_sending_messages/rsyslog_sending_messages.group ---
documentation_complete: true

title: 'Rsyslog Logs Sent To Remote Host'

description: |-
    If system logs are to be useful in detecting malicious activities, it is
    necessary to send logs to a remote server. An intruder who has compromised
    the root account on a machine may delete the log entries which indicate
    that the system was attacked before they are seen by an administrator.

    However, it is recommended that logs be stored on the local host in
    addition to being sent to the loghost, especially if rsyslog has been
    configured to use the UDP protocol to send messages over a network. UDP
    does not guarantee reliable delivery, and moderately busy sites will lose
    log messages occasionally, especially in periods of high traffic which may
    be the result of an attack. In addition, remote rsyslog messages are not
    authenticated in any way by default, so it is easy for an attacker to
    introduce spurious messages to the central log server. Also, some problems
    cause loss of network connectivity, which will prevent the sending of
    messages to the central server. For all of these reasons, it is better to
    store log messages both centrally and on each host, so that they can be
    correlated if necessary.

# --- file: debian8/guide/system/logging/service_rsyslog_enabled.rule ---
documentation_complete: true

title: 'Enable rsyslog Service'

description: |-
    The rsyslog service provides syslog-style logging by default on Debian 8.

rationale: |-
    The rsyslog service must be running in order to provide logging services,
    which are essential to system administration.
severity: medium

references:
    anssi: NT28(R46),NT28(R5)
    cis: 5.1.2
    disa: 1311,1312,1557,1851
    nist: AU-4(1),AU-12

ocil: ''

# --- file: debian8/guide/system/permissions/files/files.group ---
documentation_complete: true

title: |-
    Verify Permissions on Important Files and Directories

description: |-
    Permissions for many files on a system must be set restrictively to ensure
    sensitive information is properly protected. This section discusses
    important permission restrictions which can be verified to ensure that no
    harmful discrepancies have arisen.

# --- file: debian8/guide/system/permissions/files/permission_important_state_files/file_permissions_systemmap.rule ---
documentation_complete: true

title: 'Verify that local System.map file (if exists) is readable only by root'

description: |-
    Files containing sensitive information should be protected by restrictive
    permissions. Most of the time, there is no need for these files to be
    readable by any non-root user.

rationale: |-
    The System.map file contains information about kernel symbols and can
    provide hints useful for local exploitation.

severity: unknown

references:
    anssi: NT28(R13)

ocil: |-

# --- file: debian8/guide/system/permissions/files/permission_important_state_files/permission_important_state_files.group ---
documentation_complete: true

title: 'Verify permissions on files containing sensitive information about the system'

description: |-
    Various files contain sensitive information that can lead to specific
    weaknesses or give structural information for local exploits.

# --- file: debian8/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_group.rule ---
documentation_complete: true

title: 'Verify Permissions and ownership on group File'

description: |-

rationale: |-
    The /etc/group file contains information about the groups that are
    configured on the system. Protection of this file is critical for system
    security.

severity: medium

references:
    disa: ""
    nist: AC-6

ocil: |-

# --- file: debian8/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow.rule ---
documentation_complete: true

title: 'Verify Permissions and ownership on gshadow File'

description: |-

rationale: |-
    The /etc/gshadow file contains group password hashes. Protection of this
    file is critical for system security.

severity: medium

references:
    anssi: NT28(R36)
    disa: ""
    nist: AC-6

ocil: |-

# --- file: debian8/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_passwd.rule ---
documentation_complete: true

title: 'Verify Permissions and ownership on passwd File'

description: |-

rationale: |-
    The /etc/passwd file contains information about the users that are
    configured on the system. Protection of this file is critical for system
    security.

severity: medium

references:
    disa: ""
    nist: AC-6

ocil: |-

# --- file: debian8/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow.rule ---
documentation_complete: true

title: 'Verify Permissions and ownership on shadow File'

description: |-

rationale: |-
    The /etc/shadow file contains the list of local system accounts and stores
    password hashes. Protection of this file is critical for system security.
    Failure to give ownership of this file to root provides the designated
    owner with access to sensitive information which could weaken the system
    security posture.

severity: medium

references:
    anssi: NT28(R36)
    disa: ""
    nist: AC-6
    pcidss: Req-8.7.c

ocil: |-

# --- file: debian8/guide/system/permissions/files/permissions_important_account_files/permissions_important_account_files.group ---
documentation_complete: true

title: 'Verify Permissions on Files with Local Account Information and Credentials'

description: |-
    The default restrictive permissions for files which act as important
    security databases such as passwd, shadow, group, and gshadow files must
    be maintained.
Many utilities need read access to the passwd file in order to function properly, but read access to the shadow file allows malicious attacks against system passwords, and should never be enabled. scap-security-guide-0.1.39/debian8/guide/system/permissions/permissions.group000066400000000000000000000020161327242345500274370ustar00rootroot00000000000000documentation_complete: true title: 'File Permissions and Masks' description: |- Traditional Unix security relies heavily on file and directory permissions to prevent unauthorized users from reading or modifying files to which they should not have access.

Several of the commands in this section search filesystems for files or directories with certain characteristics, and are intended to be run on every local partition on a given system. When the variable PART appears in one of the commands below, it means that the command is intended to be run repeatedly, with the name of each local partition substituted for PART in turn.

The following command prints a list of all xfs partitions on the local system, which is the default filesystem for Red Hat Enterprise Linux 7 installations:
$ mount -t xfs | awk '{print $3}'
For any systems that use a different local filesystem type, modify this command as appropriate. scap-security-guide-0.1.39/debian8/guide/system/permissions/restriction/000077500000000000000000000000001327242345500263545ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/system/permissions/restriction/coredumps/000077500000000000000000000000001327242345500303555ustar00rootroot00000000000000scap-security-guide-0.1.39/debian8/guide/system/permissions/restriction/coredumps/coredumps.group000066400000000000000000000017561327242345500334450ustar00rootroot00000000000000documentation_complete: true title: 'Disable Core Dumps' description: |- A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to access these files. The core dump files may also contain sensitive information, or unnecessarily occupy large amounts of disk space.

    Once a hard limit is set in /etc/security/limits.conf, a user cannot increase that limit within his or her own session. If access to core dumps is required, consider restricting them to only certain users or groups. See the limits.conf man page for more information.

    The core dumps of setuid programs are further protected. The sysctl variable fs.suid_dumpable controls whether the kernel allows core dumps from these programs at all. The default value of 0 is recommended.

scap-security-guide-0.1.39/debian8/guide/system/permissions/restriction/coredumps/sysctl_fs_suid_dumpable.rule

documentation_complete: true
title: 'Disable Core Dumps for SUID programs'
description: ''
rationale: |-
    The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
severity: unknown
references:
    anssi: NT28(R23)
    cis: 1.6.1
    nist: SI-11
ocil: ''

scap-security-guide-0.1.39/debian8/guide/system/permissions/restriction/enable_execshield_settings/enable_execshield_settings.group

documentation_complete: true
title: 'Enable ExecShield'
description: |-
    ExecShield describes kernel features that provide protection against exploitation of memory corruption errors such as buffer overflows. These features include random placement of the stack and other memory regions, prevention of execution in memory that should only hold data, and special handling of text buffers. These protections are enabled by default on 32-bit systems and controlled through the sysctl variables kernel.exec-shield and kernel.randomize_va_space. On the latest 64-bit systems, kernel.exec-shield cannot be enabled or disabled with sysctl.

scap-security-guide-0.1.39/debian8/guide/system/permissions/restriction/enable_execshield_settings/sysctl_kernel_kptr_restrict.rule

documentation_complete: true
title: 'Restrict exposed kernel pointers addresses access'
description: ''
rationale: |-
    Exposing kernel pointers (through procfs or seq_printf()) exposes kernel writeable structures that can contain function pointers. If a write vulnerability occurs in the kernel allowing write access to any of these structures, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability from obtaining kernel pointer addresses, replacing them with 0.
severity: low
references:
    anssi: NT28(R23)
ocil: ''

scap-security-guide-0.1.39/debian8/guide/system/permissions/restriction/enable_execshield_settings/sysctl_kernel_randomize_va_space.rule

documentation_complete: true
title: 'Enable Randomized Layout of Virtual Address Space'
description: ''
rationale: |-
    Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
severity: medium
references:
    anssi: NT28(R23)
    cis: 1.6.1
    nist: SC-30(2)
ocil: ''

scap-security-guide-0.1.39/debian8/guide/system/permissions/restriction/restriction.group

documentation_complete: true
title: 'Restrict Programs from Dangerous Execution Patterns'
description: |-
    The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the system initialization or kernel level, and defend against certain types of badly-configured or compromised programs.

scap-security-guide-0.1.39/debian8/guide/system/software/software.group

documentation_complete: true
title: 'Installing and Maintaining Software'
description: |-
    The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.

scap-security-guide-0.1.39/debian8/guide/system/sudo/sudo.group

documentation_complete: true
title: 'Access Control using sudo'
description: |-
    Sudo, which stands for "su 'do'", provides the ability to delegate authority to certain users, groups of users, or system administrators. When configured for system users and/or groups, Sudo can allow a user or group to execute privileged commands that normally only root is allowed to execute.

    For more information on Sudo and additional Sudo configuration options, see

scap-security-guide-0.1.39/debian8/guide/system/sudo/sudo_remove_no_authenticate.rule

documentation_complete: true
title: 'Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate'
description: |-
    The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in the /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
rationale: |-
    Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

    When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
severity: medium
references:
    anssi: NT28(R5)
    disa: 2038
    nist: IA-11
    srg: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158
ocil_clause: "!authenticate is enabled in sudo"
ocil: |-
    To determine whether !authenticate has been configured for sudo, run the following command:
    $ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/
    The command should return no output.

scap-security-guide-0.1.39/debian8/guide/system/sudo/sudo_remove_nopasswd.rule

documentation_complete: true
title: 'Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD'
description: |-
    The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in the /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
rationale: |-
    Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

    When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
severity: medium
references:
    anssi: NT28(R5)
    disa: 2038
    nist: IA-11
    srg: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158
ocil_clause: 'nopasswd is enabled in sudo'
ocil: |-
    To determine whether NOPASSWD has been configured for sudo, run the following command:
    $ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
    The command should return no output.

scap-security-guide-0.1.39/debian8/guide/system/system.group

documentation_complete: true
title: 'System Settings'
description: 'Contains rules that check correct system settings.'

scap-security-guide-0.1.39/debian8/overlays/.gitkeep

scap-security-guide-0.1.39/debian8/product.yml

product: debian8
benchmark_root: "./guide"
profiles_root: "./profiles"
pkg_system: "dpkg"

scap-security-guide-0.1.39/debian8/profiles/anssi_np_nt28_average.profile

documentation_complete: true
title: 'Profile for ANSSI DAT-NT28 Average (Intermediate) Level'
description: 'This profile contains items for GNU/Linux installations already protected by multiple higher level security stacks.'
extends: anssi_np_nt28_minimal
selections:
    - partition_for_tmp
    - partition_for_var
    - partition_for_var_log
    - partition_for_var_log_audit
    - partition_for_home
    - package_ntp_installed
    - package_ntpdate_removed
    - sshd_idle_timeout_value=5_minutes
    - sshd_set_idle_timeout
    - sshd_disable_root_login
    - sshd_disable_empty_passwords
    - sshd_allow_only_protocol2
    - sshd_set_keepalive
    - rsyslog_files_ownership
    - rsyslog_files_groupownership
    - rsyslog_files_permissions
    - "!rsyslog_remote_loghost"
    - ensure_logrotate_activated
    - file_permissions_systemmap
    - sysctl_fs_protected_symlinks
    - sysctl_fs_protected_hardlinks
    - sysctl_fs_suid_dumpable
    - sysctl_kernel_randomize_va_space

scap-security-guide-0.1.39/debian8/profiles/anssi_np_nt28_high.profile

documentation_complete: true
title: 'Profile for ANSSI DAT-NT28 High (Enforced) Level'
description: 'This profile contains items for GNU/Linux installations storing sensitive information that can be accessible from unauthenticated or uncontrolled networks.'
extends: anssi_np_nt28_restrictive
selections:
    - grub2_enable_iommu_force

scap-security-guide-0.1.39/debian8/profiles/anssi_np_nt28_minimal.profile

documentation_complete: true
title: 'Profile for ANSSI DAT-NT28 Minimal Level'
description: 'This profile contains items to be applied systematically.'
selections:
    - sudo_remove_nopasswd
    - sudo_remove_no_authenticate
    - package_telnetd_removed
    - package_inetutils-telnetd_removed
    - package_telnetd-ssl_removed
    - package_nis_removed
    - package_rsyslog_installed
    - service_rsyslog_enabled
    - package_syslogng_installed
    - service_syslogng_enabled
    - apt_conf_disallow_unauthenticated
    - apt_sources_list_official
    - file_permissions_etc_shadow
    - file_permissions_etc_gshadow
    - file_permissions_etc_passwd
    - file_permissions_etc_group

scap-security-guide-0.1.39/debian8/profiles/anssi_np_nt28_restrictive.profile

documentation_complete: true
title: 'Profile for ANSSI DAT-NT28 Restrictive Level'
description: 'This profile contains items for GNU/Linux installations exposed to unauthenticated flows or multiple sources.'
extends: anssi_np_nt28_average
selections:
    - partition_for_tmp
    - partition_for_var
    - partition_for_var_log
    - partition_for_var_log_audit
    - partition_for_home
    - package_auditd_installed
    - package_cron_installed
    - service_auditd_enabled
    - service_ntp_enabled

scap-security-guide-0.1.39/debian8/profiles/standard.profile

documentation_complete: true
title: 'Standard System Security Profile for Debian 8'
description: |-
    This profile contains rules to ensure a standard security baseline of a Debian 8 system. Regardless of your system's workload, all of these checks should pass.
selections:
    - partition_for_tmp
    - partition_for_var
    - partition_for_var_log
    - partition_for_var_log_audit
    - partition_for_home
    - package_auditd_installed
    - package_cron_installed
    - package_ntp_installed
    - package_rsyslog_installed
    - package_telnetd_removed
    - package_inetutils-telnetd_removed
    - package_telnetd-ssl_removed
    - package_nis_removed
    - package_ntpdate_removed
    - service_auditd_enabled
    - service_cron_enabled
    - service_ntp_enabled
    - service_rsyslog_enabled
    - sshd_idle_timeout_value=5_minutes
    - sshd_set_idle_timeout
    - sshd_disable_root_login
    - sshd_disable_empty_passwords
    - sshd_allow_only_protocol2
    - sshd_set_keepalive
    - rsyslog_files_ownership
    - rsyslog_files_groupownership
    - rsyslog_files_permissions
    - "!rsyslog_remote_loghost"
    - ensure_logrotate_activated
    - file_permissions_systemmap
    - file_permissions_etc_shadow
    - file_permissions_etc_gshadow
    - file_permissions_etc_passwd
    - file_permissions_etc_group
    - sysctl_fs_protected_symlinks
    - sysctl_fs_protected_hardlinks
    - sysctl_fs_suid_dumpable
    - sysctl_kernel_randomize_va_space

scap-security-guide-0.1.39/debian8/templates/csv/file_dir_permissions.csv

/etc,shadow,0,42,0640
/etc,gshadow,0,42,0640
/etc,passwd,0,0,0644
/etc,group,0,0,0644

scap-security-guide-0.1.39/debian8/templates/csv/mount_options.csv

# format:
# <mount_point>,<option>[,create_fstab_entry_if_needed]
# <mount_point> - mount point mounted with specified option. for more than
# one option, use multiple lines with the same <mount_point>, use the
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
# If the remediation can create (i.e. not just modify) an /etc/fstab line,
# add the 'create_fstab_entry_if_needed' literal string as the third argument.
/home,nosuid
/home,nodev
/var/log,nosuid
/var/log,nodev
/var/log,noexec
/var/lib,nodev
/var/lib,nosuid
/var,nosuid
/var,nodev
/var,noexec
/tmp,nodev
/tmp,nosuid
/usr,nodev

scap-security-guide-0.1.39/debian8/templates/csv/mounts.csv

# format:
# <mount_point> - this means <mount_point> on separate partition
/home
/srv
/tmp
/var
/var/log
/var/log/audit

scap-security-guide-0.1.39/debian8/templates/csv/oval_5.11/packages_installed.csv

auditd,
ntp,
cron,
rsyslog,

scap-security-guide-0.1.39/debian8/templates/csv/oval_5.11/services_disabled.csv

# service_name, package_name, daemon_name (as recognized by chkconfig / systemd. To be used when daemon_name differs from service_name)
sshd,openssh-server,ssh

scap-security-guide-0.1.39/debian8/templates/csv/oval_5.11/services_enabled.csv

auditd,auditd,
cron,cron,
ntp,ntp,
rsyslog,rsyslog,

scap-security-guide-0.1.39/debian8/templates/csv/packages_installed.csv

# This file contains list of packages in the format of "daemon,pkgname" to
# create "package_pkgname_installed" OVAL 5.10 checks for.
#
# If the corresponding "package_pkgname_installed" OVAL is not standalone
# OVAL-5.10, but only a prerequisite in order to the corresponding
# "service_daemon_enabled" OVAL-5.11 to work properly, such a package
# SHOULD NOT be listed here, but rather in the 'packages_installed.csv'
# file under oval_5.11/templates directory!!!
#
auditd
cron
ntp
rsyslog
syslog-ng-core
openssh-server

scap-security-guide-0.1.39/debian8/templates/csv/packages_removed.csv

telnetd,
inetutils-telnetd,
telnetd-ssl,
ntpdate,
nis,
openssh-server,

scap-security-guide-0.1.39/debian8/templates/csv/services_disabled.csv

# service_name, package_name, daemon_name (as recognized by chkconfig / systemd. To be used when daemon_name differs from service_name)
sshd,openssh-server,ssh

scap-security-guide-0.1.39/debian8/templates/csv/sysctl_values.csv

# Add <sysctl_var>,<value> to generate hard-coded OVAL and remediation content.
# Add <sysctl_var>, to generate OVAL and remediation content that use the XCCDF value.
# xccdf value based (depend on the profile)
net.ipv4.ip_forward,
kernel.sysrq,0
fs.suid_dumpable,0
fs.protected_symlinks,1
fs.protected_hardlinks,1
kernel.randomize_va_space,2
vm.mmap_min_addr,65536
kernel.pid_max,65536
kernel.kptr_restrict,1
kernel.dmesg_restrict,1
kernel.perf_event_paranoid,2
kernel.perf_event_max_sample_rate,1
kernel.perf_cpu_time_max_percent,1

scap-security-guide-0.1.39/debian8/templates/oval_5.11_templates/template_OVAL_service_disabled

Service %SERVICENAME% Disabled
Debian 8
The %SERVICENAME% service should be disabled if possible.
multi-user.target %DAEMONNAME%.service
multi-user.target %DAEMONNAME%.socket
%DAEMONNAME%\.(service|socket)
ActiveState
inactive

scap-security-guide-0.1.39/debian8/templates/oval_5.11_templates/template_OVAL_service_enabled

Service %SERVICENAME% Enabled
Debian 8
The %SERVICENAME% service should be enabled if possible.
multi-user.target %DAEMONNAME%.service
multi-user.target %DAEMONNAME%.socket
%DAEMONNAME%\.(socket|service)
ActiveState
active

scap-security-guide-0.1.39/debian8/templates/template_BASH_package_removed

# platform = Debian 8
# reboot = false
# strategy = disable
# complexity = low
# disruption = low

# CAUTION: This remediation script will remove %PKGNAME%
#          from the system, and may remove any packages
#          that depend on %PKGNAME%. Execute this
#          remediation AFTER testing on a non-production
#          system!

apt-get remove --purge %PKGNAME%

scap-security-guide-0.1.39/debian8/templates/template_OVAL_service_disabled

Service %SERVICENAME% Disabled
Debian 8
The %SERVICENAME% service should be disabled if possible.
^/etc/rc[0-6S]\.d$
^S\d{2}%DAEMONNAME%$

scap-security-guide-0.1.39/debian8/templates/template_OVAL_sysctl

Kernel "%SYSCTLVAR%" Parameter Configuration and Runtime Check
Debian 8
The "%SYSCTLVAR%" kernel parameter should be set to the appropriate value in both system configuration and system runtime.

scap-security-guide-0.1.39/debian8/templates/template_OVAL_sysctl_ipv6

Kernel "%SYSCTLVAR%" Parameter Configuration and Runtime Check
Debian 8
The "%SYSCTLVAR%" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
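The two sudo rules above (sudo_remove_nopasswd and sudo_remove_no_authenticate) verify their ocil with a recursive grep, which also reports commented-out lines. As an added example that is not scap-security-guide code, the following Python scanner parses sudoers-style text, skips comments, and reports NOPASSWD tags and Defaults !authenticate with file and line; the two sudoers snippets inside it are constructed samples.

```python
"""Added example (not scap-security-guide code): find sudo settings that skip
re-authentication, i.e. the NOPASSWD tag and 'Defaults !authenticate', while
ignoring comment lines that a plain `grep -ri nopasswd` would also report.
The two sudoers snippets below are constructed samples."""
import os
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str, str]  # (path, line number, kind, line text)

SAMPLE_SUDOERS: Dict[str, str] = {
    "/etc/sudoers": (
        "# /etc/sudoers (constructed sample)\n"
        "Defaults        env_reset\n"
        "Defaults        !authenticate   # never asks for a password\n"
        "root    ALL=(ALL:ALL) ALL\n"
        "%sudo   ALL=(ALL:ALL) ALL\n"
    ),
    "/etc/sudoers.d/backup": (
        "# backup ALL=(root) NOPASSWD: /usr/bin/rsync   <- commented out, not a finding\n"
        "backup   ALL=(root) NOPASSWD: /usr/bin/rsync\n"
        "ops      ALL=(root) PASSWD: /bin/systemctl restart nginx\n"
    ),
}

NOPASSWD_RE = re.compile(r"\bNOPASSWD\s*:", re.IGNORECASE)
# Any Defaults line ('Defaults', 'Defaults:user', 'Defaults@host', ...) that
# carries the negated 'authenticate' flag.
NOAUTH_RE = re.compile(r"^\s*Defaults\b.*!\s*authenticate\b", re.IGNORECASE)


def strip_comment(line: str) -> str:
    """Drop sudoers comments: whole-line '#' comments (except #include directives)
    and trailing ' #...' comments; '#123' uid/gid specs are kept."""
    head = line.lstrip()
    if head.startswith("#") and not head.startswith("#include"):
        return ""
    return re.sub(r"\s#(?!\d).*$", "", line)


def scan_text(path: str, text: str) -> List[Finding]:
    """Report every non-comment line carrying NOPASSWD or !authenticate."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = strip_comment(raw)
        if not code.strip():
            continue
        if NOPASSWD_RE.search(code):
            findings.append((path, lineno, "NOPASSWD", raw.strip()))
        if NOAUTH_RE.search(code):
            findings.append((path, lineno, "!authenticate", raw.strip()))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: content} mapping in path order."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


def scan_system(sudoers: str = "/etc/sudoers", snippets: str = "/etc/sudoers.d") -> List[Finding]:
    """Read the real files of a host (needs root: sudoers is mode 0440 root:root)."""
    files: Dict[str, str] = {}
    paths = [sudoers]
    if os.path.isdir(snippets):
        paths += [os.path.join(snippets, n) for n in sorted(os.listdir(snippets))]
    for p in paths:
        if os.path.isfile(p):
            with open(p, encoding="utf-8", errors="replace") as fh:
                files[p] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    for path, lineno, kind, text in scan_files(SAMPLE_SUDOERS):
        print(f"{path}:{lineno}: {kind}: {text}")
```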
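For the file_dir_permissions.csv rows above (directory,file,uid,gid,mode, e.g. /etc,shadow,0,42,0640), here is an added Python audit that is not the project's own code: uid and gid must match exactly, the mode is a ceiling so a stricter mode passes and any extra permission bit is reported. demo() runs it against a constructed temporary tree so it works without root; on a real host call audit() with the CSV text and root="/".

```python
"""Added example (not scap-security-guide code): audit files against the
directory,file,uid,gid,mode rows of file_dir_permissions.csv. uid and gid must
match exactly; the mode is a ceiling, so a stricter mode passes and any extra
permission bit is reported. demo() uses a constructed temporary tree."""
import os
import stat
import tempfile
from typing import Dict, List, NamedTuple


class Expect(NamedTuple):
    path: str
    uid: int
    gid: int
    mode: int  # maximum permission bits, e.g. 0o640


def parse_csv(text: str) -> List[Expect]:
    """Parse rows like '/etc,shadow,0,42,0640'; blank and '#' lines are skipped."""
    rows: List[Expect] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directory, name, uid, gid, mode = (f.strip() for f in line.split(","))
        rows.append(Expect(os.path.join(directory, name), int(uid), int(gid), int(mode, 8)))
    return rows


def check_entry(exp: Expect, root: str = "/") -> List[str]:
    """Return findings for one entry; an empty list means the file is compliant."""
    path = os.path.join(root, exp.path.lstrip("/"))
    try:
        st = os.lstat(path)  # lstat: a symlink planted at the path is not followed
    except FileNotFoundError:
        return [f"{exp.path}: missing"]
    findings: List[str] = []
    if st.st_uid != exp.uid:
        findings.append(f"{exp.path}: owner uid {st.st_uid}, expected {exp.uid}")
    if st.st_gid != exp.gid:
        findings.append(f"{exp.path}: group gid {st.st_gid}, expected {exp.gid}")
    actual = stat.S_IMODE(st.st_mode)
    extra = actual & ~exp.mode
    if extra:
        findings.append(f"{exp.path}: mode {actual:04o} exceeds {exp.mode:04o} (extra bits {extra:04o})")
    return findings


def audit(csv_text: str, root: str = "/") -> Dict[str, List[str]]:
    """Map each expected path to its findings; use root='/' on a real host."""
    return {e.path: check_entry(e, root) for e in parse_csv(csv_text)}


def demo() -> Dict[str, List[str]]:
    """Exercise the audit on a constructed /etc inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        os.mkdir(etc)
        for name, mode in (("shadow", 0o600), ("passwd", 0o666), ("group", 0o644)):
            with open(os.path.join(etc, name), "w") as fh:
                fh.write("# constructed sample\n")
            os.chmod(os.path.join(etc, name), mode)
        st = os.lstat(os.path.join(etc, "shadow"))
        # The real CSV expects 0:42 (root:shadow); an unprivileged run cannot chown,
        # so the expectations use the fixture's own uid/gid.
        uid, gid = st.st_uid, st.st_gid
        csv_text = (
            f"/etc,shadow,{uid},{gid},0640\n"
            f"/etc,gshadow,{uid},{gid},0640\n"
            f"/etc,passwd,{uid},{gid + 1},0644\n"  # wrong gid on purpose, and 0666 on disk
            f"/etc,group,{uid},{gid},0644\n"
        )
        return audit(csv_text, root=tmp)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "OK" if not findings else "; ".join(findings))
```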
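For the sysctl_values.csv expectations above (and the fs.suid_dumpable, kernel.kptr_restrict and kernel.randomize_va_space rules earlier on this page), this added Python example, which is not scap-security-guide code, computes the persistent value of each key across /etc/sysctl.conf and the sysctl.d directories and reports keys whose effective value differs. The read order is an assumption modelled on procps' `sysctl --system` as stated in the code, and the configuration files it scans are constructed samples.

```python
"""Added example (not scap-security-guide code): resolve the persistent value of
each sysctl key from /etc/sysctl.conf and the sysctl.d directories and compare it
with sysctl_values.csv rows. Read order is an assumption modelled on procps'
`sysctl --system`: directories in SEARCH_DIRS order, a basename already loaded
hides the same basename in later directories, /etc/sysctl.conf last, and within
a file the last assignment wins. The configuration files below are constructed."""
import os
import posixpath
import re
from typing import Dict, List, Optional, Tuple

SEARCH_DIRS = ("/run/sysctl.d", "/etc/sysctl.d", "/usr/local/lib/sysctl.d",
               "/usr/lib/sysctl.d", "/lib/sysctl.d")
FINAL_FILE = "/etc/sysctl.conf"
# 'key = value' on a non-comment line; a leading '-' (ignore errors) is allowed.
ASSIGN_RE = re.compile(r"^\s*-?\s*([^#;=\s][^=]*?)\s*=\s*(.*?)\s*$")

SAMPLE_FILES: Dict[str, str] = {
    "/usr/lib/sysctl.d/50-default.conf":
        "kernel.kptr_restrict = 1\nfs.protected_symlinks = 1\nfs.protected_hardlinks = 1\n",
    "/etc/sysctl.d/50-default.conf":  # same basename: hides the /usr/lib file entirely
        "# local override\nkernel.kptr_restrict = 0\nfs.protected_symlinks = 1\n",
    "/etc/sysctl.conf":
        "#kernel.randomize_va_space = 2   <- commented out, no effect\n"
        "fs.suid_dumpable = 0\n"
        "kernel.randomize_va_space = 1\n"
        "kernel.randomize_va_space = 2\n",
}
# Rows in the sysctl_values.csv format: 'key,value', or 'key,' when the value
# comes from an XCCDF variable (such rows are skipped by compare()).
SAMPLE_CSV = ("fs.suid_dumpable,0\nfs.protected_symlinks,1\nfs.protected_hardlinks,1\n"
              "kernel.randomize_va_space,2\nkernel.kptr_restrict,1\nnet.ipv4.ip_forward,\n")


def parse_sysctl_file(text: str) -> Dict[str, str]:
    """key -> value for one file; '/' separators are normalised to '.'."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            values[m.group(1).replace("/", ".")] = m.group(2)
    return values


def ordered_files(files: Dict[str, str]) -> List[str]:
    """Order the given paths the way `sysctl --system` would read them."""
    chosen: List[str] = []
    seen = set()
    for d in SEARCH_DIRS:
        for name in sorted(posixpath.basename(p) for p in files
                           if posixpath.dirname(p) == d and p.endswith(".conf")):
            if name not in seen:
                seen.add(name)
                chosen.append(posixpath.join(d, name))
    if FINAL_FILE in files:
        chosen.append(FINAL_FILE)
    return chosen


def resolve(files: Dict[str, str]) -> Dict[str, str]:
    """Effective persistent value of every key after all files are applied."""
    effective: Dict[str, str] = {}
    for path in ordered_files(files):
        effective.update(parse_sysctl_file(files[path]))
    return effective


def parse_expectations(csv_text: str) -> Dict[str, Optional[str]]:
    exp: Dict[str, Optional[str]] = {}
    for raw in csv_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(",")
            exp[key.strip()] = val.strip() or None
    return exp


def compare(files: Dict[str, str], csv_text: str) -> List[Tuple[str, str, Optional[str]]]:
    """(key, expected, effective) for every fixed-value row that is not satisfied."""
    eff = resolve(files)
    return [(k, v, eff.get(k)) for k, v in parse_expectations(csv_text).items()
            if v is not None and eff.get(k) != v]


def load_system_files() -> Dict[str, str]:
    """Read the real files of a host, for compare(load_system_files(), csv_text)."""
    files: Dict[str, str] = {}
    candidates = [os.path.join(d, n) for d in SEARCH_DIRS if os.path.isdir(d)
                  for n in os.listdir(d) if n.endswith(".conf")] + [FINAL_FILE]
    for p in candidates:
        if os.path.isfile(p):
            with open(p, errors="replace") as fh:
                files[p] = fh.read()
    return files


if __name__ == "__main__":
    for key, expected, effective in compare(SAMPLE_FILES, SAMPLE_CSV):
        print(f"{key}: expected {expected}, effective {effective}")
```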
scap-security-guide-0.1.39/debian8/templates/template_OVAL_sysctl_runtime

Kernel "%SYSCTLVAR%" Parameter Runtime Check
Debian 8
The kernel "%SYSCTLVAR%" parameter should be set to "%SYSCTLVAL%" in system runtime.
%SYSCTLVAR%
%SYSCTLVAL%

scap-security-guide-0.1.39/debian8/templates/template_OVAL_sysctl_runtime_var

Kernel "%SYSCTLVAR%" Parameter Runtime Check
Debian 8
The kernel "%SYSCTLVAR%" parameter should be set to the appropriate value in system runtime.
%SYSCTLVAR%

scap-security-guide-0.1.39/debian8/templates/template_OVAL_sysctl_static

Kernel "%SYSCTLVAR%" Parameter Configuration Check
Debian 8
The kernel "%SYSCTLVAR%" parameter should be set to "%SYSCTLVAL%" in the system configuration.
/etc/sysctl.conf
^[\s]*%SYSCTLVAR%[\s]*=[\s]*%SYSCTLVAL%[\s]*$
1
/etc/sysctl.d
^.*\.conf$
^[\s]*%SYSCTLVAR%[\s]*=[\s]*%SYSCTLVAL%[\s]*$
1
/run/sysctl.d
^.*\.conf$
^[\s]*%SYSCTLVAR%[\s]*=[\s]*%SYSCTLVAL%[\s]*$
1
/usr/lib/sysctl.d
^.*\.conf$
^[\s]*%SYSCTLVAR%[\s]*=[\s]*%SYSCTLVAL%[\s]*$
1

scap-security-guide-0.1.39/debian8/templates/template_OVAL_sysctl_static_var

Kernel "%SYSCTLVAR%" Parameter Configuration Check
Debian 8
The kernel "%SYSCTLVAR%" parameter should be set to the appropriate value in the system configuration.
/etc/sysctl.conf
(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n
1
/etc/sysctl.d
^.*\.conf$
(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n
1
/run/sysctl.d
^.*\.conf$
(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n
1
/usr/lib/sysctl.d
^.*\.conf$
(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n
1

scap-security-guide-0.1.39/debian8/transforms/constants.xslt

Debian 8
Debian 8
DEBIAN_8_STIG
DEBIAN-8
cpe:/o:debianproject:debian:8
debian
https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf

scap-security-guide-0.1.39/debian8/transforms/shorthand2xccdf.xslt

unknown
unlinked-debian8-oval.xml

scap-security-guide-0.1.39/debian8/transforms/table-srgmap.xslt
scap-security-guide-0.1.39/debian8/transforms/table-style.xslt
scap-security-guide-0.1.39/debian8/transforms/xccdf-apply-overlay-stig.xslt
scap-security-guide-0.1.39/debian8/transforms/xccdf2table-byref.xslt
scap-security-guide-0.1.39/debian8/transforms/xccdf2table-cce.xslt

scap-security-guide-0.1.39/debian8/transforms/xccdf2table-profileanssirefs.xslt

<xsl:value-of select="/cdf:Benchmark/cdf:Profile[@id=$profile]/cdf:title" />
Rule Title | Description | Rationale | Variable Setting | ANSSI Best practice Mapping

scap-security-guide-0.1.39/debian8/transforms/xccdf2table-profileccirefs.xslt
scap-security-guide-0.1.39/debian8/transforms/xccdf2table-profilecisrefs.xslt
scap-security-guide-0.1.39/debian8/transforms/xccdf2table-profilenistrefs.xslt
scap-security-guide-0.1.39/debian8/transforms/xccdf2table-stig.xslt

scap-security-guide-0.1.39/docs/manual/developer_guide.adoc

= SCAP Security Guide Developer Guide
:imagesdir: ./images
:toc:
:toc-placement: preamble
:numbered:

toc::[]

== Introduction

== Establishing Accounts

=== Mailing List

Join the mailing list at https://fedorahosted.org/mailman/listinfo/scap-security-guide.

=== GitHub

In May 2014 the SCAP Security Guide project moved the underlying source repository from FedoraHosted to GitHub. To register for a free GitHub account, visit https://github.com/join. Registering for a GitHub account should not be troublesome.

=== OpenSCAP "Content Developers"

If you envision committing code, and needing direct push access to the repository (vs GitHub's pull request system), send a quick hello to the mailing list introducing yourself. The community may already know you, but this is an opportunity to reintroduce yourself and update the community on areas you'd like to contribute to. This need not be formal; though don't forget to include your GitHub account name!
Pending approval from an existing maintainer, you will be added to the OpenSCAP Content Developers group on GitHub: https://github.com/orgs/OpenSCAP/teams/content-authors. == Patch Creation .... intro on GitHub pull request system ..... === Fork SSG Visit SSG's GitHub webpage at https://github.com/OpenSCAP/scap-security-guide. In the top-right corner, you will see a button that says "Fork." Click it. image::Patching-fork.png[align="left"] If you're a member of multiple GitHub groups/accounts, you will be asked for the fork destination. For most users it is sufficient to fork into their local account. To do so, click on your username/icon. For example: image::Patching-forklocation.png[align="left"] Congratulations, you've created a localized repository! Any changes you make will be localized, consider it your own sandbox. At this point you can 'git clone' the source over SSH, HTTPS, or Subversion. image::Patching-githubURL.png[align="left"] GitHub dynamically generates the appropriate git URLs, and dynamically generates zip-compressed archives should you desire them. In the right-most column, near the bottom, you will see the various git clone options: === Committing to your Local Repository When you begin to work on your patch, make sure that you are on the right and up-to-date branch. Typically it is the `master` branch, so you can ``` git checkout master git pull upstream master ``` Then, create a new branch for your fix - e.g. `git checkout -b my_new_feature`. Proceed with your work. If your work can be logically divided into multiple parts, try to structure it in a way that you avoid creating huge commits that affect logically unrelated parts of the project. When you are ready to submit a pull request, push your branch to your forked repository using `git push -u origin my_new_feature`. ==== Edits via GUI The GitHub website supports in-line editing of files. This is extremely convenient when making small changes, such as fixing typos. 
When you've found a file in need of edits, note the "Edit" button within the file's toolbar: image::Patching-inline_edits.png[align="left"] This will bring you to an in-line editor. Make your changes and scroll to the bottom of the webpage. You will notice a "Commit Changes" form. The first field is a one-line description of the change, while within the second (main body) you are expected to provide a detailed description of any changes. Your entries in this field should be as concise as possible while providing enough description for a community member to properly evaluate your changes, and the logic for making them. For example: image::Patching-GUI_naming_scheme_sample.png[align="left"] Click on "Commit changes," which will push the change to your local repository. ==== Edits via CLI As mentioned earlier, GitHub creates a localized git repository, your own personal sandbox. Clone the repository locally, then 'git commit' and 'git push' changes as you normally would. === Issuing Pull Requests When you're ready for your patches to be merged upstream, you must issue a "Pull Request." 1) Return to your local repositories webpage on GitHub. NOTE: If you've created local branches, ensure you've selected the appropriate branch that you'd like to submit patches against. For most people, this step can be ignored. 2) Click on "Pull Request," located in the top-right of the frame which lists your directory contents: image::Patching-Pull_Requests.png[align="left"] 3) You will be brought to a listing of your commits. Click the green button labelled "Create Pull Request": image::Patching-Create_Pull.png[align="left"] 4) You will be requested to input a patch title and description. Be concise, but thorough enough for a community member to understand logic behind your changes. Paste into the description field testing evidence (e.g. running testoval.py on any submitted OVAL, or before/after for remediation scripts). 
If you work on a feature or a bugfix that has an associated issue: - Assign yourself to the issue (if you have rights and no-one is assigned), or contact the assignee that you are working on the fix (so the issue can be reassigned). - Mention the issue number in the pull request. This will improve the odds that multiple people won't work on a single issue without being aware of each other's work. After completing the form, select "Send pull request": image::Patching-Send_Pull_Request.png[align="left"] 5) Don't use git commands that alter the commit history during your work on the pull request. If you e.g. squash commits, the pull request page will be broken - if you made some mistakes, got feedback and corrected those mistakes based on the feedback, nobody will be able to learn from your pull request, because commits introducing mistakes will disappear and comments of reviewers therefore won't make sense. Squash unnecessary commits when merging the pull request, or close a complicated pull request and create a new one (in another branch) with streamlined commits. Reference the old PR in the new streamlined pull request so it is possible to backtrack what went on. 6) A community member will review your patch. They will either merge the patch upstream, indicate additional changes/documentation needed, or decline the patch. You'll automatically be notified via e-mail of any status updates. == Building Official RPMs The following steps are required to build an official release of the SCAP Security Guide RPM. Please note that exceptionally few people have such access. === Required Accounts * Red Hat BugZilla * Bodhi * Koji === Required Software * fedpkg === Build Upstream 1) Update main scap-security-guide.spec file (scap-security-guide/scap-security-guide.spec) with new version (value of "redhatssgversion" variable). Ensure that "Release:" field contains 1%{?dist} (1 as release version). Add particular changelog entry (possibly verify for & fix whitespace noise). 
2) Build and test the content (i.e. run 'make', 'make srpm', 'make rpm') to verify it builds successfully. Also try to scan some systems with selected profiles to see if the content works.

3) If it works, run 'make clean' in the git repository to start with a clean slate. Make the source tarball via "make tarball". Upload the tarball to repos.ssgproject.org.

=== Build EPEL Release

1) File a new EPEL-6 bugzilla (Summary = "Upgrade scap-security-guide package to scap-security-guide-X.Y.Z").

NOTE: That bugzilla is required later when creating the Bodhi update request. See below.

NOTE: It would be created automa(g,t)ically once the "latest upstream source tarball checking Red Hat Bugzilla functionality" realizes there is a new source tarball available. But since we want an immediate upgrade, we create that bug manually.

2) Take that BugZilla (state change NEW=>ASSIGNED).

3) Clone the scap-security-guide git repository via the fedpkg tool (as documented in https://fedoraproject.org/wiki/Join_the_package_collection_maintainers#Import.2C_Commit.2Cand_Build_Your_Package, section "Check out the module" and later ones). In our case it means:

----
$ fedpkg clone scap-security-guide
$ cd scap-security-guide/
----

4) Ensure to change the git branch from master/ to origin/el6 via fedpkg's 'switch-branch' option (this ensures the changes will actually be committed into the EPEL-6 branch, and not into master, IOW the F-21 branch, which we don't want).
To see the list of available branches, issue the following:

----
$ fedpkg switch-branch -l
Locals:
* master
Remotes:
  orgin/el6
  origin/epel7
  origin/f18
  origin/f19
  origin/f20
  origin/master
----

To switch to the el6 branch, issue:

----
$ fedpkg switch-branch el6
Branch el6 set up to track remote branch el6 from origin
----

Now it's possible to see the actual content of the EPEL-6 branch:

----
$ ls
scap-security-guide.spec  sources
----

scap-security-guide.spec is the SPEC file used for the build of EPEL-6's RPM; the sources text file contains the md5sum of the scap-security-guide tarball, which will be used during the SRPM / RPM build.

5) To refresh both of them (*.spec & content of sources) at once, it's possible to create a source RPM package & import it into fedpkg. Two important notes to mention here:

- The spec file needs to be the updated one => it's necessary to update the actual epel-6 one with changes from upstream, or replace the epel-6 one with the upstream one (the latter is still possible because as of right now there aren't epel-6 downstream specific patches that wouldn't be present in upstream already. But should there be changes in the future, the epel-6 spec should be updated to include changes from the upstream spec but simultaneously keep the epel-6 custom patches. IOW just replacing epel-6's spec with upstream's one wouldn't work, but manual changes would be necessary).
- The new source tarball needs to be the last one uploaded to repos.ssgproject.org (so the md5sum would match during the package build). This means:

* start with a clean /rpmbuild directory structure
* download the latest tarball from repos.ssgproject.org into /rpmbuild/SOURCES
* place the modified epel-6 spec file into /rpmbuild/SPECS
* build the source RPM (the result will be in /rpmbuild/SRPMS)

Next, return to fedpkg & import the SRPM created in the previous step:

----
$ fedpkg import path_to_rpm
----

This will change the content of the 'sources' file (include the new md5sum) & update scap-security-guide.spec.
----
$ git status   [to see what will get committed]
$ git commit   [to confirm changes. The commit message should contain the string "Resolves: rh bz# id_of_epel_bug_we_created_before"]
----

Make a scratch build to see that the uploaded content (spec + tarball) would actually build in the Koji build system via:

----
$ fedpkg scratch-build --srpm path_to_srpm_created_locally_before
----

NOTE: For scratch-build to work with the committed git repository content, it requires the new content to already be "git push-ed" to the repository. But since we want to verify that the content builds before pushing changes into the EPEL-6 repository, we need to provide the --srpm option pointing fedpkg to the local source RPM package we created one step before.

Once the scratch build passes (visible in the Koji web interface, or also on the command line), we can push the changes to the git repository via:

----
$ git push origin el6
----

After a successful push, our latest push should be visible (in the el6 branch) at http://pkgs.fedoraproject.org/cgit/scap-security-guide.git/

Now it's safe (scratch build succeeded & we pushed the changes to Fedora's git) to build the real new package via:

----
$ fedpkg build
----

This again generates a clickable link, at which point it's possible to see the progress / result of the build. Once the new package build in Koji finishes successfully, we flip the previously created EPEL-6 bug to MODIFIED (ASSIGNED => MODIFIED) and mention the new package name-version-release in the "Fixed in Version:" field of that bug.

6) Having the new build available, it's necessary to schedule a new Bodhi update (something like an advisory to be tied with the new package). I am using the UI: https://admin.fedoraproject.org/updates/new/ but there's a command-line interface too (see [1] for further details). The Add New Update screen is shown (containing the following fields / items):

Add New Update

Package: name-version-release of the Koji build goes here (e.g.
scap-security-guide-0.1-16.el6)

Type: select one of the options:

- bugfix (intended for updates fixing bugs)
- enhancement (intended for adding new features)
- security (intended for fixing security flaws)
- newpackage (intended for updates introducing new RPM packages)

Request: select the "testing" option of:

- testing (intended for updates that should reach the -testing repo first, before -stable)
- stable (updates directly into -stable (maybe for critical ones))
- none (don't use this)

Bugs: Provide the previously created EPEL-6 RH BZ#, and ensure the "Close bugs when update is stable" option is checked!

Note: Describe the changes in this text field (i.e. which bugs got fixed, which new functionality, etc). The content of this field appears in the advisory (sent on the fedora-package-announce mailing list) when the build is pushed to -stable.

Suggest Reboot: [ ] (generally leave unchecked)

Enable karma automatism: [v] (whether to use the karma threshold that the updates push system uses to decide if the build should be pushed to the -stable channel or not)

Threshold for pushing to -stable: [3] (minimum level of karma the build needs to obtain from package testers to be able to push it into the -stable channel)

Threshold for unpushing: [-3] (lower bound for negative karma, which is a sign for the push system to remove the package from the -testing repository. IOW the build has received so much negative karma/experiences that it's not usable even for the -testing repository and should be rebuilt)

Once all the information is filled in, click "Save Update." This will generate an automated e-mail about the build being pushed to -testing. After some time on the same day (depending on TZ) the build is pushed to the -testing repository. The maintainer should check the Bodhi page for that update for positive/negative karma/comments. If the build has reached positive karma >= 3 it can be pushed to -stable (if it hasn't reached positive karma >= 3 in 7 days, it will be pushed to -stable anyway; 7 days is considered a sufficient period).
If there are signs of negative karma, the build should be either unpushed / deleted & a new one made. After 7 days the build can be pushed to -stable (under the assumption it didn't reach positive karma >= 3 sooner), meaning in the next day or two it's reachable via yum on systems subscribed to the epel-6 repository directly.

== Creating Content

=== Directory Structure/Layout

==== Top Level Structure/Layout

Under the top level directory, there are directories and/or files for different products, shared content, documentation, READMEs, Licenses, build files/configuration, etc. For example:

[source,bash]
----
$ ls scap-security-guide/
build            BUILD.md          chromium     cmake           CMakeLists.txt
Contributors.md  Contributors.xml  debian8      DISCLAIMER      Dockerfile
docs             fedora            firefox      jboss_eap6      jboss_fuse6
jre              LICENSE           opensuse     oval.config.in  README.md
rhel6            rhel7             rhosp7       shared          sle11
sle12            tests             ubuntu14     ubuntu16        wrlinux
----

===== Important Top Level Directory Descriptions

|===
|Directory |Description

|```build``` | Can be used to build the content using CMake.
|```cmake``` | Contains the CMake build configuration files.
|```docs``` | Contains the Markdown Manuals, MAN pages, etc.
|```shared``` | Contains content, tools and utilities, scripts, etc. that can be used for multiple products.
|```tests``` | Contains the test suite for content validation and testing.
|===

The remaining directories such as `fedora`, `rhel7`, etc. are product directories.
===== Important Top Level File Descriptions

|===
|File |Description

|```BUILD.md``` | Contains the content build instructions
|```CMakeLists.txt``` | Top-level CMake build configuration file
|```Contributors.md``` | *DO NOT MANUALLY EDIT* script-generated file
|```Contributors.xml``` | *DO NOT MANUALLY EDIT* script-generated file
|```DISCLAIMER``` | Disclaimer for usage of content
|```Dockerfile``` | CentOS7 Docker build file
|```LICENSE``` | Content license
|```oval.config.in``` | _Deprecated in future releases:_ Build configuration for mapping product version to the corresponding `multi_platform` product tags
|```README.md``` | Project README file
|===

==== Product Structure/Layout

When creating a new product, use the guidelines below for the directory layout:

* *Do not* use capital letters
* If product versions are required, use major versions only. For example, `rhel7`, `ubuntu16`, etc.
* If the content to be produced does not depend on versions, *do not* add version numbers. For example: `fedora`, `firefox`, etc.
* In addition, use a maximum depth of 3 directories.

Following these guidelines helps with the usability and browsability of the content. For example:

[source,bash]
----
$ tree -d rhel7
rhel7
├── checks
│   └── oval
├── cpe
├── fixes
│   ├── ansible
│   └── bash
├── kickstart
├── overlays
├── profiles
├── templates
│   ├── csv
├── transforms
└── utils

13 directories
----

===== Product Level Directory Descriptions

|===
|Directory |Description

|```checks``` |```[red]#Required#``` Contains content such as OVAL to check whether or not a system is configured correctly to meet government or commercial compliance standards. Can contain the following directories: ```oval```
|```cpe``` |```[red]#Required#``` Contains the Common Platform Enumeration (CPE) product identifier that is provided from link:https://nvd.nist.gov/products/cpe[NIST].
|```fixes``` |```[red]#Required#``` Contains scripts in various languages that fix configuration to meet government or commercial compliance standards. Can contain the following directories: ```bash``` ```ansible``` ```puppet``` ```anaconda```
|```kickstart``` |```[red]#Optional#``` Contains product kickstart or build files to be used in testing, development, or production (not recommended) of compliance content.
|```overlays``` |```[red]#Required#``` Contains overlay files for specific standards organizations such as NIST, DISA STIG, PCI-DSS, etc.
|```profiles``` |```[red]#Required#``` Contains profiles that are created and tailored to meet government or commercial compliance standards.
|```templates``` |```[red]#Required#``` Can contain the following directories: ```csv```
|```tests``` |```[red]#Optional#``` Can contain tests local to the product. The top-level ```tests``` directory is preferred over using this directory.
|```transforms``` |```[red]#Required#``` Contains XSLT files and scripts that are used to transform the content into the expected compliance document such as XCCDF, OVAL, Datastream, etc.
|```xccdf``` |```[red]#Optional#``` If the correct content does not exist in ```shared/xccdf```, use this directory to create the human-readable compliance guide.
|===

[IMPORTANT]
====
For any of the ```[red]#Required#``` directories that do not yet contain content, add a `.gitkeep` file so that the empty directory is tracked.
====

== Updating Reference and Overlay Content

=== Reference Content

==== STIG Reference Content

=== STIG Overlay Content

`stig_overlay.xml` maps an official product/version STIG release to an SSG product/version STIG release.

**`stig_overlay.xml` should never be manually created or updated. It should always be generated using `create-stig-overlay.py`.**

==== Creating stig_overlay.xml

To create `stig_overlay.xml`, two things are required: an official non-draft STIG release from DISA containing an XCCDF file (e.g.
`U_Red_Hat_Enterprise_Linux_7_STIG_V1R1_Manual-xccdf.xml`) and an SSG generated XCCDF file (e.g. `ssg-rhel7-xccdf.xml`).

Example using `create-stig-overlay.py`:

----
$ shared/utils/create-stig-overlay.py --disa-xccdf=disa-stig-rhel7-v1r12-xccdf-manual.xml --ssg-xccdf=ssg-rhel7-xccdf.xml -o rhel7/overlays/stig_overlay.xml
----

==== Updating stig_overlay.xml

To update `stig_overlay.xml`, use the `create-stig-overlay.py` script as mentioned above. Then, submit a pull request to replace the `stig_overlay.xml` file that needs to be updated. Please note that as part of this update, rules that have been removed from the official STIG will be removed here as well.

== Tools and Utilities

=== Testing OVAL Content

Located in the `shared/utils` directory, the `testoval.py` script allows easy testing of OVAL definitions. It wraps the definition and makes up an OVAL file ready for scanning, which is very useful for testing new OVAL content or modifying existing content. Example usage:

----
$ ./shared/utils/testoval.py install_hid.xml
----

Create or add an alias to the script so that you don't have to type out the full path every time that you would like to use the `testoval.py` script.

----
$ alias testoval='/home/_username_/scap-security-guide/shared/utils/testoval.py'
----

An alternative is adding the directory where `testoval.py` resides to your PATH.

----
$ export PATH=$PATH:/home/_username_/scap-security-guide/shared/utils/
----

== Contributing with XCCDFs, OVALs and remediations

There are three main types of content in SSG: rules, defined using the XCCDF standard; checks, usually written in the link:https://oval.mitre.org/language/about/[OVAL] format; and remediations, which can be executed by Ansible, bash, the Anaconda installer and Puppet. SSG also has its own templating mechanism, allowing content writers to create models and use them to generate a number of checks and remediations.
The SSG content is primarily divided by platform and it can be seen in its directory structure:

====
[%hardbreaks]
*scap-security-guide/*
├── _build_
├── chromium
├── debian8
├── _docs_
├── fedora
├── firefox
├── jboss_eap6
├── jboss_fuse6
├── jre
├── opensuse
├── rhel6
├── rhel7
├── rhosp7
├── shared
├── sle11
├── sle12
├── ubuntu14
├── ubuntu16
├── wrlinux
====

Except for _build_ and _docs_, each directory contains checks and remediations that are useful and make sense to be used on that platform. The shared directory contains checks and remediations that can be used by more than one platform. It also contains some utilities, which will be covered later.

=== Contributing

Contributions can be made for rules, checks, remediations or even utilities. There are different sets of guidelines for each type, for this reason there is a different topic for each of them.

==== Rules

Rules are input in a simplified XCCDF format, which is basically an XML container. Rules are defined as members of a `Group` in an XML file. In the likely case that the rule can be reused on multiple platforms, the file containing the definition is placed under the `shared/xccdf` directory. If the rule is platform-specific, place it under the `/xccdf` directory. The exact location depends on the rule category. For an example of a rule group, see `shared/xccdf/system/software/disk_partitioning.xml`.

Rules describe the desired state of the system and may contain references if they are part of higher-level standards. For example, the `partition_for_tmp` rule from the mentioned file is part of STIG, so the definition of the rule contains the `ref` reference to it.

A rule itself has these attributes:

* `id`: The primary key for the rule. It is referenced by profiles.
* `severity`: Can be `low`, `medium`, or `high`.

A rule contains those elements that are text-centric:

* `title`: Human-readable title of the rule.
* `rationale`: Human-readable HTML description of the reason why the rule exists and why it is important from the technical point of view. For example, the rationale of the `partition_for_tmp` rule states that:
+
The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
* `description`: Human-readable HTML description, which provides broader context for non-experts than the rationale. For example, the description of the `partition_for_tmp` rule states that:
+
The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
* `ocil`: Defines assert statements. The `clause` attribute contains the statement, and the element text describes how to determine whether the statement is true or false. Check out rule `encrypt_partitions` in `shared/xccdf/system/software/disk_partitioning.xml`, which contains the `partitions do not have a type of crypto_LUKS` clause.

A rule may contain those reference-type elements:

* `oval`: Link to the check that is able to determine whether the scanned system complies with the rule. Checks are written in the OVAL language (see the section Checks for further info).
* `ident`: This is related to products/CCEs that the rule applies to.
+
When the rule is related to RHEL, it should have a CCE. Available CCEs that can be assigned to new rules are listed in the `shared/references/cce-rhel-avail.txt` file.
* `ref`: If the rule is part of a standard, it is referenced using the `ref` element. One rule can have multiple `ref` elements.

Some of the existing rule definitions contain elements that use macros. You can find definitions of those macros in one of the files in the `shared/transforms` directory.
For example, the `ocil` element of `partition_for_tmp` uses the `partition-check-macro`, which is defined in `shared/transforms/shared_shorthand2xccdf.xslt`.

Rules are unselected by default: even if the scanner reads rule definitions, they are effectively ignored during the scan or remediation. A rule may be selected by any number of profiles, so when the scanner is scanning using a profile the rule is included in, the rule is taken into account. For example, the rule identified by `partition_for_tmp` defined in `shared/xccdf/system/software/disk_partitioning.xml` is included in the `RHEL7 C2S` profile in `rhel7/profiles/C2S.xml`.

Checks are connected to rules by the `oval` rule element. Remediations (i.e. fixes) are assigned to rules based on their basename. Therefore, the rule `sshd_print_last_log` has a `bash` fix associated as there is a `bash` script `shared/fixes/bash/sshd_print_last_log.sh`. As there is an Ansible playbook `shared/fixes/ansible/sshd_print_last_log.yml`, the rule also has an Ansible fix associated.

==== Checks

Checks are used to evaluate a Rule. They are written using a custom OVAL syntax and are stored as xml files inside the _checks/oval_ directory for the desired platform. During the building process, SSG will transform the checks into OVAL compliant checks.

In order to create a new check, you must create a file in the appropriate directory, and name it the same as the Rule _id_. This _id_ will also be used as the OVAL _id_ attribute. The content of the file should follow the OVAL specification with these exceptions:

* The root tag must be ``
* If the OVAL check has to be a certain OVAL version, you can add `oval_version="oval_version_number"` as an attribute to the root tag. Otherwise, if `oval_version` does not exist in ``, it is assumed that the OVAL file applies to _any_ OVAL version.
* Don't use the tags `` `` `` ``; instead, put the tags `` `<*_test>` `<*_object>` `<*_state>` directly inside the `` tag.
* *TODO* Namespaces

This is an example of a check, written using the custom OVAL syntax, that checks if the group that owns the file _/etc/cron.allow_ is root:

[source,xml]
----
Verify group who owns 'cron.allow' file
Red Hat Enterprise Linux 7
The /etc/cron.allow file should be owned by the appropriate group.
0
/etc/cron.allow
----

=== Remediations

Remediations, also called fixes, are used to change the state of the machine, so that previously non-passing rules can pass. There can be multiple versions of the same remediation meant to be executed by different applications, more specifically Ansible, Bash, Anaconda and Puppet. They also have to be idempotent, meaning that they must be able to be executed multiple times without causing the fixes to accumulate. Ansible's language works in such a way that this behavior is built-in; however, for the other versions, the remediations must implement it explicitly.

Remediations also carry metadata that should be present at the beginning of the files. This metadata will be converted into link:https://scap.nist.gov/specifications/xccdf/xccdf_element_dictionary.html#fixType[XCCDF tags] during the building process. This is what it looks like and what it means:

[source,yml]
----
# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
----

[cols="3*", options="header"]
|===
| Field | Description | Accepted values

| platform | CPE name, CPE applicability language expression or even SSG wildcards declaring which platforms the fix can be applied to | link:https://github.com/OpenSCAP/openscap/blob/maint-1.2/cpe/openscap-cpe-dict.xml[Default CPE dictionary is packaged along with openscap]. Custom CPE dictionaries can be used. SSG wildcards are multi_platform_[all, oval, fedora, debian, ubuntu, linux, rhel, openstack, opensuse, rhev, sle].
| reboot | Whether or not a reboot is necessary after the fix | true, false
| strategy | The method or approach for making the described fix. Only informative for now | unknown, configure, disable, enable, patch, policy, restrict, update
| complexity | The estimated complexity or difficulty of applying the fix to the target. Only informative for now | unknown, low, medium, high
| disruption | An estimate of the potential for disruption or operational degradation that the application of this fix will impose on the target. Only informative for now | unknown, low, medium, high
|===

==== Ansible

IMPORTANT: The minimum version of Ansible must be at least version 2.3

Ansible remediations are stored as yml files in the directory _/template/static/ansible_ under the targeted platform. They are meant to be executed by Ansible itself when requested by openscap, so they are written using link:http://docs.ansible.com/ansible/latest/intro.html[Ansible's own language] with the following exceptions:

- The remediation content must be only the _tasks_ section of what would be a playbook
- The _tags_ section must be present in each task as shown in the example; it'll be replaced during the building process
- Notifications and handlers are not supported

Here is an example of an Ansible remediation that ensures SELinux is enabled in grub:

[source,yml]
----
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: Ensure SELinux Not Disabled in /etc/default/grub
  replace:
    dest: /etc/default/grub
    regexp: selinux=0
  tags: @ANSIBLE_TAGS@
----

==== Bash

Bash remediations are stored as shell script files in the directory _/template/static/bash_ under the targeted platform. You can make use of any available command, but beware of too specific or complex solutions, as they may lead to a narrow range of supported platforms.
There are a number of already written bash remediation functions available in the _shared/bash_remediation_functions/_ directory; it is possible one of them is exactly what you are looking for.

Following, you can see an example of a bash remediation that sets the maximum number of days a password may be used:

[source,sh]
----
# platform = Red Hat Enterprise Linux 7

. /usr/share/scap-security-guide/remediation_functions
populate var_accounts_maximum_age_login_defs

grep -q ^PASS_MAX_DAYS /etc/login.defs && \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if [ $? -ne 0 ]; then
    echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi
----

When writing new bash remediation content, please follow these guidelines:

* Use tabs for indentation rather than spaces.
* Prefer to use `sed` rather than `awk`.
* Try to keep expressions simple, avoid double negations. Use link:http://tldp.org/LDP/abs/html/list-cons.html[compound lists] with moderation and only link:https://mywiki.wooledge.org/BashPitfalls#cmd1_.26.26_cmd2_.7C.7C_cmd3[if you understand them].
* Test your script in the "strict mode" with `set -e -o pipefail` specified at the top of it. Make sure that the script doesn't end prematurely in the strict mode.
* Beware of constructs such as `[ $x = 1 ] && echo "$x is one"` as they violate the previous point. `[ $x != 1 ] || echo "$x is one"` is OK.
* Use the `die` function defined in `remediation_functions` to handle exceptions, such as `[ -f "$config_file" ] || die "Couldn't find the configuration file '$config_file'"`.
* Run `shellcheck` over your remediation script. Make sure that you fix all warnings that are applicable. If you are not sure, mention those warnings in the pull request description.
* Use POSIX syntax in regular expressions, so prefer `grep '^[[:space:]]*something'` over `grep '^\s*something'`.
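The metadata header that every remediation carries (see the Remediations section above) can be checked mechanically before a fix is submitted. The following Python script is an added example, not part of SSG's build tooling: it parses the `# key = value` comment block at the top of a remediation and validates each field against the accepted values from the field table, including the `multi_platform_` wildcards of the `platform` field. The two remediation texts it inspects are constructed for this example, and `parse_header` and `check_platforms` are names chosen here, not SSG functions.

```python
"""Validate the metadata header of an SSG remediation (added example).

Not SSG build code: it reads the leading '# key = value' comment block that
every remediation carries and checks each field against the accepted values
listed in the field table of the manual.
"""
import re

# Header line: '# key = value' (surrounding whitespace is ignored).
HEADER_RE = re.compile(r"^#\s*(\w+)\s*=\s*(.*?)\s*$")

REQUIRED = ("platform", "reboot", "strategy", "complexity", "disruption")

# Accepted values per field, copied from the table in the manual.
ACCEPTED = {
    "reboot": {"true", "false"},
    "strategy": {"unknown", "configure", "disable", "enable", "patch",
                 "policy", "restrict", "update"},
    "complexity": {"unknown", "low", "medium", "high"},
    "disruption": {"unknown", "low", "medium", "high"},
}

# Suffixes allowed after 'multi_platform_' (the SSG wildcards from the table).
SSG_WILDCARDS = {"all", "oval", "fedora", "debian", "ubuntu", "linux", "rhel",
                 "openstack", "opensuse", "rhev", "sle"}


def check_platforms(value):
    """Validate a comma-separated platform list.

    Entries are either an SSG wildcard (multi_platform_<name>), which must use
    one of the known suffixes, or a CPE name / applicability expression such as
    'Red Hat Enterprise Linux 7', which is only required to be non-empty.
    """
    problems = []
    for entry in (part.strip() for part in value.split(",")):
        if not entry:
            problems.append("empty platform entry")
        elif entry.startswith("multi_platform_"):
            suffix = entry[len("multi_platform_"):]
            if suffix not in SSG_WILDCARDS:
                problems.append("unknown SSG wildcard '%s'" % entry)
    return problems


def parse_header(text):
    """Return (metadata, problems) for the text of a remediation file.

    Only the comment block at the very top is read: parsing stops at the first
    line that is not '# key = value', so the header must come first; a shebang
    or blank line above it hides it (reported as missing fields).
    """
    meta = {}
    problems = []
    for line in text.splitlines():
        match = HEADER_RE.match(line)
        if not match:
            break
        key, value = match.group(1), match.group(2)
        if key in meta:
            problems.append("duplicate field '%s'" % key)
        meta[key] = value
    for key in REQUIRED:
        if key not in meta:
            problems.append("missing field '%s'" % key)
    for key, allowed in ACCEPTED.items():
        if key in meta and meta[key] not in allowed:
            problems.append("field '%s' has unexpected value '%s'"
                            % (key, meta[key]))
    if "platform" in meta:
        problems.extend(check_platforms(meta["platform"]))
    return meta, problems


# Constructed remediation texts: a well-formed Ansible header and a broken
# bash one (unknown wildcard, bad 'reboot' value, 'disruption' missing).
GOOD = """# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: Ensure SELinux Not Disabled in /etc/default/grub
"""

BAD = """# platform = multi_platform_rhel8, Red Hat Enterprise Linux 7
# reboot = no
# strategy = restrict
# complexity = low
echo "PASS_MAX_DAYS 90" >> /etc/login.defs
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        meta, problems = parse_header(text)
        print(name, meta, problems or "OK")
```

Because the parser stops at the first non-header line, it also catches the common mistake of putting a shebang or a blank line above the metadata block: every required field is then reported as missing, which is exactly what the build would see.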
==== Templating

Often, a set of very related checks and/or remediations needs to be created. Instead of creating them individually, you can use the templating mechanism provided by the SSG. It supports OVAL checks and Ansible, Bash, Anaconda and Puppet remediations.

In order to use this mechanism, you have to:

1) Create the template files, one for each type of file. Each one should be named `template__`, where `` should be OVAL, ANSIBLE, BASH, ANACONDA or PUPPET and `` is what we will hereafter call the template name. Use variables where appropriate. Variables must be surrounded by the symbol % and be uppercase, like `%NAME%` or `%PATH_TO_FILE%`.

This is an example of an OVAL template file called _template_OVAL_package_installed_:

[source,xml]
----
Package %PKGNAME% Installed
Red Hat Enterprise Linux 7
The RPM package %PKGNAME% should be installed.
%PKGNAME%
----

And here is the Ansible template file called _template_ANSIBLE_package_installed_:

[source,yml]
----
# platform = multi_platform_all
# reboot = false
# strategy = enable
# complexity = low
# disruption = low

- name: Ensure %PKGNAME% is installed
  package: name="{{item}}" state=present
  with_items:
    - %PKGNAME%
  tags: @ANSIBLE_TAGS@
----

2) Create a csv (comma-separated-values) file in the _/template/csv_ directory with the same name as the template followed by the extension _.csv_. It should contain all the instances you want to generate from the template, one per line. Use the line to supply values to the variables. This is the file packages_installed.csv:

[source,csv]
----
aide
audit
chrony
cronie
dconf
firewalld
esc
irqbalance
#kernel-PAE
----

3) Create a python file containing the generator class. The name of the file should start with _create__ and then be followed by the template name and the extension _.py_. The generator class name should also be the template name, in CamelCase, followed by _Generator_.
You have to define the function _generate(self, target, argv)_, where the second argument represents the type of template being used at that moment and the third argument is an array containing all the values in a single line of the csv file. Therefore, this function will be called once for each type of template and each line of the csv file.

Inside the _generate_ function, you must call the other function _file_from_template_, passing as parameters one of the template files you've created, the variables you've defined and their values, and the name of the output file, which should be named in the same manner as if it was created manually.

This is the file with the generator class for the installed package template; it's called create_package_installed.py:

[source,python]
----
#
# create_package_installed.py
#   automatically generate checks for installed packages
#

from template_common import FilesGenerator, UnknownTargetError


class PackageInstalledGenerator(FilesGenerator):
    def generate(self, target, package_info):
        # package_info holds the columns of one csv line; the first
        # column is the package name and it is mandatory
        pkgname = package_info[0]
        if not pkgname:
            raise RuntimeError(
                "ERROR: input violation: the package name must be defined")

        if target == "oval":
            self.file_from_template(
                "./template_OVAL_package_installed",
                {"%PKGNAME%": pkgname},
                "./oval/package_{0}_installed.xml", pkgname
            )
        elif target == "bash":
            self.file_from_template(
                "./template_BASH_package_installed",
                {"%PKGNAME%": pkgname},
                "./bash/package_{0}_installed.sh", pkgname
            )
        elif target == "ansible":
            self.file_from_template(
                "./template_ANSIBLE_package_installed",
                {"%PKGNAME%": pkgname},
                "./ansible/package_{0}_installed.yml", pkgname
            )
        elif target == "anaconda":
            self.file_from_template(
                "./template_ANACONDA_package_installed",
                {"%PKGNAME%": pkgname},
                "./anaconda/package_{0}_installed.anaconda", pkgname
            )
        elif target == "puppet":
            self.file_from_template(
                "./template_PUPPET_package_installed",
                {"%PKGNAME%": pkgname},
                "./puppet/package_{0}_installed.pp", pkgname
            )
        else:
            # any other target type is not served by this template
            raise UnknownTargetError(target)
----

4) Finally, you have to ensure the SSG
knows your template. To do that, you have to edit the file _shared/utils/generate-from-template.py_ and include the generator class you've just created and declare which csv file to use along with it. This is an example of a patch to add a new template into the templating system:

[source,patch]
----
@@ -21,6 +21,7 @@
 from create_sysctl import SysctlGenerator
 from create_services_disabled import ServiceDisabledGenerator
 from create_services_enabled import ServiceEnabledGenerator
+from create_package_installed import PackageInstalledGenerator
@@ -43,6 +44,7 @@ def __init__(self):
             "sysctl_values.csv": SysctlGenerator(),
             "services_disabled.csv": ServiceDisabledGenerator(),
             "services_disabled.csv": ServiceDisabledGenerator(),
             "services_enabled.csv": ServiceEnabledGenerator(),
+            "packages_installed.csv": PackageInstalledGenerator(),
         }
         self.supported_ovals = ["oval_5.10"]
----

=== Utilities

=== Tests (ctest)

SCAP Security Guide uses ctest to orchestrate testing upstream. To run the test suite go to the build folder and execute `ctest`:

```
cd build/
ctest -j 4
```

Check out the various `ctest` options to perform specific testing; you can rerun just one test or skip all tests that match a regex. (See -R, -E and other options in the ctest man page.)

Tests are added using the add_test cmake call. Each test should finish with a 0 exit-code in case everything went well and a non-zero one if something failed. Output (both stdout and stderr) is collected by ctest and stored in logs or displayed.

Make sure you never hard-code a path to any tool when doing testing (or anything really) in the cmake code. Always use configuration to find all the paths and then use the respective variable. See some of the existing testing code in `cmake/SSGCommon.cmake`.

=== Contribution to infrastructure code

The SSG build and templating system is mostly written in Python.

==== Python

* The common pattern is to dynamically add `shared/modules` to the import path. The `ssgcommon` module has many useful utility functions and predefined constants. See the scripts in `shared/utils` as an example of this practice.
* Follow the link:https://www.python.org/dev/peps/pep-0008/[PEP8 standard].
* Try to keep the length of most of your lines under 80 characters. Although the 99 character limit is within link:https://www.python.org/dev/peps/pep-0008/#maximum-line-length[PEP8 requirements], there is no reason for most lines to be that long.
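Review bot: in the `@@ -43,6 +44,7 @@ def __init__(self):` hunk of the generate-from-template.py patch above, the unchanged context repeats `"services_disabled.csv": ServiceDisabledGenerator(),` on two consecutive lines; a duplicated key in a dict literal is silently collapsed to one entry, so the mapping the patch extends already carries a misleading duplicate, and adding `"packages_installed.csv": PackageInstalledGenerator(),` is a good moment to drop the repeated line (or fix it in a preceding commit) so the csv-to-generator mapping reads one entry per template. The first hunk, which only adds the import, needs no change.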
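To see the four templating steps above run end to end without the SSG build tree, here is an added Python example (not the project's `template_common` module or `generate-from-template.py`): a minimal stand-in that renders `%VARIABLE%` placeholders from CSV rows the way `file_from_template` is called in `create_package_installed.py`, and names the outputs after the same `<type>/package_<name>_installed.<ext>` scheme. The templates and the CSV text are constructed inline, and `render`, `csv_rows`, `generate` and `write_outputs` are names chosen for this example. It goes slightly beyond the text by also showing how commented-out and blank CSV lines, empty package names and undefined placeholders are handled.

```python
"""Minimal stand-in for SSG's template expansion (added example).

It is not the project's template_common / generate-from-template.py code;
it shows the same flow: one template per output type, %VARIABLE%
placeholders, one CSV row per generated instance, and output names that
follow <type>/package_<name>_installed.<ext>.  Templates and CSV text are
constructed inline so the example runs offline.
"""
import csv
import io
import os
import re

# Placeholders are uppercase names between '%' signs, e.g. %PKGNAME%.
PLACEHOLDER_RE = re.compile(r"%[A-Z][A-Z0-9_]*%")

COMMON_HEADER = (
    "# platform = multi_platform_all\n"
    "# reboot = false\n"
    "# strategy = enable\n"
    "# complexity = low\n"
    "# disruption = low\n\n"
)

# Constructed templates keyed by target type: (output name format, body).
TEMPLATES = {
    "bash": (
        "bash/package_{0}_installed.sh",
        COMMON_HEADER
        + "# Idempotent: install only when the package is absent.\n"
        + "rpm -q %PKGNAME% >/dev/null 2>&1 || yum install -y %PKGNAME%\n",
    ),
    "ansible": (
        "ansible/package_{0}_installed.yml",
        COMMON_HEADER
        + "- name: Ensure %PKGNAME% is installed\n"
        + "  package:\n"
        + "    name: %PKGNAME%\n"
        + "    state: present\n"
        + "  tags: @ANSIBLE_TAGS@\n",
    ),
}


def render(template, variables):
    """Substitute every placeholder; an undefined one raises KeyError."""
    def substitute(match):
        key = match.group(0)
        if key not in variables:
            raise KeyError("template uses undefined variable " + key)
        return variables[key]
    return PLACEHOLDER_RE.sub(substitute, template)


def file_from_template(template, variables, filename_format, *format_args):
    """Same call shape as the generator class uses; returns (path, content)."""
    return filename_format.format(*format_args), render(template, variables)


def csv_rows(csv_text):
    """Yield data rows, skipping blank lines and '#'-commented ones."""
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        yield row


def generate(csv_text, targets=("bash", "ansible")):
    """Return {relative output path: content} for every row and target."""
    outputs = {}
    for row in csv_rows(csv_text):
        pkgname = row[0].strip()
        if not pkgname:
            raise RuntimeError("input violation: the package name must be defined")
        for target in targets:
            if target not in TEMPLATES:
                raise ValueError("unknown target: " + target)
            filename_format, template = TEMPLATES[target]
            path, content = file_from_template(
                template, {"%PKGNAME%": pkgname}, filename_format, pkgname)
            outputs[path] = content
    return outputs


def write_outputs(outputs, out_dir):
    """Materialise the generated files below out_dir (creates subdirs)."""
    for rel_path, content in outputs.items():
        full = os.path.join(out_dir, rel_path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as handle:
            handle.write(content)
    return len(outputs)


# Constructed CSV modelled on packages_installed.csv: one package per line,
# with a commented-out entry and a blank line to show both are ignored.
PACKAGES_CSV = "aide\naudit\n#kernel-PAE\n\nchrony\n"

if __name__ == "__main__":
    for path, content in sorted(generate(PACKAGES_CSV).items()):
        print("==>", path)
        print(content)
```

Running the module prints the six generated files (bash and Ansible for each of the three packages); `write_outputs` can be pointed at a scratch directory to inspect them on disk. Failing loudly on an undefined placeholder matters in practice: a template variable that is silently left as `%NAME%` would otherwise ship inside a remediation script.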
_c2J>!B!}GW#B!f[g=B!g$Ր[|B!B:#)+"nB륩>"B!D/3O>O!BH'$WOBRinnF !B WKJJVv\&/'꽢U|?>O!BH)--J-VמB^ ~{GY.cIENDB`scap-security-guide-0.1.39/docs/manual/images/Patching-Pull_Requests.png000066400000000000000000001045051327242345500262300ustar00rootroot00000000000000PNG  IHDR'.qIDATxxV5;\&=L2))R H#@zB :p l i0qo6tssdcZYv.wKEu :Xt={(//rssAAA i%슎SNQII F4ZC%::ƒi Z : :`0RRR8%*==bcc)!!sΡ@Hiii?\I(++h6Vp):vpl@t\ ѣV70`b+Ipk~ggg <â$bC϶0 9'YIGA\`Zmm-'oySc~>uR/[rM(@r?`"R); 4M1# B]~ lҸܕn.JHʟM.x#uOFsvZUW;9?v](n7_Ǵ:)i7ӉvӉVa<8v褈 h0mtü(5y9NATݏ?,o'Xk?, ÖWQeUuCt\ b2# "'_A߿E Ov[WrCi=C+=`Jm$?GG.P KK)nx Io]*Xcعs@[t8wA2 ޥTeˎ'2lp7)jvX$_s:.C)5EJu8^ȈSRa9\Xdnoyj_cNoNS-N+DGNG78yxcz}Brb`ˇ޼a1 GlweG_Sk9os`l,H M&#~{)ʈ  RiC" (Qtd| )3g+4^9ˮW-KJc˫xCUD>Ckq͋& Ftq|]Te^.I?K>4ay 096xrǚU1i ۜpRk)OЬS[pYb}MR^]H+Qb.*%TЍU&::::(''o˳~jVЯ7ěEMYS)qfPqgT>rsXKh9z]$Z s|HOz+:a)B fŒ/ a꯽GxdD+|=/Mw^wmu zdUSc!jN +|(MmNھB쿧DC><[Ű&ק&'ߙѤXwh),A[z9qPe[H^EGl&5uRwc9ed^׼`R=^%!)x| kLn_#ƹGs`7-x>a'e״\m ׎3R/ q- XdZaǒn2PS ۷Xow\5qQF7@ʭMj:" |Ƹ8+69@_&:M1miC57|cJJު{.i+oh)<iDʾ$8V}ĝqm~qݵ&W'X?˥6:\æR}[;Eya˴F[M1~,%ABy懜JqqMV`>|PX.:*.-8Z?ZlR8;q$q{Dݳ+w뭽pMkF+$:Ŵ\~ [v*^|ڛe6m !f SNj/خ鸔22JOlٰ|QQ|gxCsUavU.䆔k:a)HP_´VyMv~E_m:}Y*iWWgc];iz}u?(R Kѡz.X>~m*_{+:P@D&uvTSDrYk;+߂Xqņr;I4}Ծp '=t :p]"ߝFm'h8c%I[ GP~?QkBK#L'F?h):d嵛ud%Vzs:^e6JcW.V ?u5y"oH>>w>n6D?dHaͤUCh́ هs@Kt8(3E5k߲R/4)E\ūsF\jpu 2k`(oʾt!>{ ߺodzl^wZZ_5|{%}z}Ou9&d?m>z>*RͥS\g-EI4o^!]zے]W$:ܝpYny餽۝JalK$vQOO$'l$59%EIo %˓%Lww77*ޒ` BS^tl4BA&:L.| IT?nMѫ co'::;;A%Lt,9-~r֦7Pn0Q}H $}2"-6Җ谻쿴`FM7Җ`D6lرK# #Fp+**hԩF7r5ke;eE0(qEm4ǽ{驩Q+n?TCՕ\eЎHON٭,e|WUUь3G]]]y<-&&sIZn=z͛'bZh_vvlTm/33h&o/M~s"OF< d)ŦGۗo7?uԓm~gGy}"G녰Gy=>*[hW}TTFqt<xsҤqo܍3ﱏ(P;^ @ YE3\Ѭթmڜ<{EA[t4HK}do谅vzuA$[> \\1;| 1R@Zꉎ61lQܦ9t~g> Ǐg??b<"9Z鰏IaL؜:u=aX1$Q(򗐐@\XLZ|<{3TJU +_~EF/ho4-:BKӨvo&?uL4s|*:伞͡·hALXWBF͌ ם?(o8:۷ yV?+);49;LStm-HU.5Y{GLF*ROt0C(%CUl?4\k?6B90we˖QYYlmg3rL,,.[\0`4&31"Ĉ4)͍"##jL:^ws>^:*Ϟt8x!|x< tl˗B[D95{6^\@i%q_]1slqVщcd# jovZ/SѾqɳKeC@n<_Ş26bωC閣ɫ(]n}2$QRC#Po+'sEjnTonFcx6-%ovGq3@_g/KkQ! 
q_c4c(CK Oky1D>njŋ%''s*6 D$l;{TXXɗpuuRPV#}}] C8'GU3UIN^jcqξ2)IUWz(0޶Uz?yF_pޛ3T3dWJ+Wa mOJJnQLH[Q lX|9-l{cc#wb#)WfOY:@  mQLS}/PMm(:Hujx[6)ɣ(:CUYQ>/}܏Ѩ82щ3+5Tk/L'yfPkQ:}:K-)Nͣ ): uWҌf{J:A;BST[H7|&QO>;&Z1믿Ng1:;`+~g n߾tcx,>lĂ`lԄ &^Xc|tE+(:~+7Qx*z~q.)gɽ >I'j9S)vwH i?*Yh.tiTtousz0(W(Lhh^Ӝ֢lrp=HMwQfU0{-D35*QLk1a%:b=yE(F\*)5^m6֕҈_(9s&iь}*:`_XW54n=dncgF!ѡw =O?l}вzksl&$I}J-m#ds0$[oqcٳ< [ц~l0F!( `bIPaobe\F&tVll#*,ozl?6XtfɕiXgVl*gy}W_m>Jrwr /nF =B/V=dnR/k\z,]eHYj#$GN-:^tLR|RDZ4u!m$ﻋN(jVՂɸQђK!fOh#. t*F!\bUBR-,:TǪ?Vmv] :A%:y0J:{)KW.~l]rR濵Ν;GPzzMgPlfu)hWE> ;#O+rS̓>tBNpM`(7.:)M*1F}J)d~id$jͅOY*`"Ǝempɵ>*`Јo1;_r3ٴ(sg>-t{1cжm8_z%Y./F1FWy'lhjܠ" 6ViiTt2}/,m%)Ha3_ddg.Uf7̕FZSJ}H%єO[}Z~y TydT쥏qbxG>TsLo`DCp~nę!vٲllVMGV.|5 /ƹ3hּ0cm-d]٘@ *}Y @4*w[×Jf szè>DŽ# `,/Ҩ.J"ߔZWh{+o&Oa6SI)y"J\Hn$.LxяuFlƶ,CozT`XZI%ݽ},: N_ 2 }lZ˓%{)"˫gٗ9't@8ǝPX'hղpx͉R0"wuDBpˍ8SD8~ym$7<^%͛6'{Fӷm\)ɥH%t*̢.7]U&/, z{qۏ&O[G?i}p{-9(up(5GK&-7Z *1eS4~- xZfP'U%~'ucWVuⱹ䌶Ѩ*i6b彣˧|ݼ-#?nI) k\FlWt+s8\m(s%}[ GShD]}-Y^X,&gggSUU E?X?aeP/O-/R'#4wjM[wHGvgsVF͌^qG Hag}a wkdy 8{;\g@P zp- : : : :(!!AAA i2 tjkknAAACdi )lAA-<؈MEPY   LS@t      D   D    uqqLŚd߫AA*NǏYp=zQ?3335 )) AA'ڱcT]]͍۷S\\eddPmm-"011QLl6D U}1 ;vp!144PW̽{ҩS4YXXHᆄGc:}45wuAt쪧Mn`E$:ߑRc 5Pfk.i%*Å1=&3pwG:£`K겷Zsk(uZ^ڃ~9y&TvAz:ٜIx:tj>HEuUδ=8D$:v]AN.42;v^$y}3\4Һ$qZABbݭ?P0:\]zSC.AҞi\6}K1 6!mcƒZakv}g6Q~^ڞ]ezgV寷KͩaF4X]3q! .Xiߞbq!O`^%jB`n޴ܤ؂ZIjuYJ]DE]u m-00r[Ak7eT1]=hU~(E{eT,}-OR;;\Ic@ˡ6X}|evd,sy߸'Xzer61TJͶY=VgxIbLtu6Hu/ }P݌^փ^_Ъ<+蒉"A;Ht>fhYȯqI{h+Ed{7:of5z~)]ד\=q5W/Oz_`oR1*ôDGIF~l'][Un:{h leϺGRtZvCtwPw2 4U;6v:en鼃"(jz` NQ'pI"$(l^` @e~BvF3 Jb7ÈA}WS6ʠ簿 O3KH1X[Apzy*2uL}@@K;mWGOg<7na*o_mM̡p @Frm zwUp`MrY R#yFӾVynFFA/hՁۖVue: x%0*(ܔp)\SSBTv͙k;$:N>RLmrpA~b,k=uv+I7vvPrٮ[ʺu0ց aTtXwgRb߽JͥNO^P>RmЕ41k嫊D17g X=lv\2ѱ4Ti+;JWS0{X5/d&6'ƤVVb~TډK8@^6-(ި?Cט|lG+tFG6m`2,:GRA)6Tک!Si_b펷̶̠Y'sB헳mu锓}C)@'=≺o7% 1 ZF//ҾVyna ^OaCn_ЫZu]-+ɓ' c. 
;|9iod*vvr5 :%(PJ*ٗ~!Zkui` ph+8zlR0l#ի7]ѡ|g48`ns=Z[,frCr'ڸK:?lš5tt2.HyKV/'h'f@Y寧@;e Gڵx[7+87TEWS1{(M-itR W7k2Ci_+ij.^ҞCv(m# zu`YW %3p%aQ!\ϔaaFg.5Oʮe󤝞@iIkRnԷui[[d}H  x:??_3=eg5IJovs |%/Kd_0㥠䎶%һCt  WȧxUB?6RF:ʪc4Wcda}ׅcǓ^2MN#WK)V'OFy>Pь>/8&~9^Qer['_Du羅ASnn9 ^9alO_w>*& sr#[J&IaH-WZKߍI޶4Ps~qywchgF&!zjz"mF,^>ǑDKGvm1)rCP): 't1-6D>&4r҇!\rhA=0 FO9AYVvmGpXYWFR(ޏ4"0n?J]I.̮IZf"pG 5Q>)IȓT]$_gYpg^m";c}" e\|v'&[䑀8ShTM4F~_Q~Dt5srh|h!ow?wL ע&Bbh<|qxcyaTPWOy՜=F)ΗB)LHog ϨR)Kr f#Mwd?K;S)X}=sRvb#VwR )z, 룾ugR2踑"3bu789U*a LO&^+ʻ^X=:D߿ן~cF_E }U^ N|sDxZcuΟV .At2Grb}|@%MKEtdPJFuA0(:64+\^8S;Ԩkd+?8bB'T?OLÍ`'chgy)u-6(_/=߶X-:L#$cD⬊.aLps_RFz0/-s=+&qN:F)ڠV}谵W$=OSkw=! |ߴ^̃~ӓDWG씹d8L :&7PBre7fylr83?YJɻ׾ݒH%uմCt)((&dE d_h\fQK޶a]7V+S/\Ҟ܉( eʞLo-jVG)oWިX΍IlDCr|:|i/_H]bѻzQo l[If9^UA~VQBDr+_GպT+:2`]K., PJγb ^eU?D4a衠5"m}[X}o@t  D6rbk~=%n'%(D#c*/:ڷЧ$~+|$]h2[:9a-:WԾ`5 acRƩd.@j:= 0+3Q 9t ɝ'~BeH)zjzUxQ_A5fUʷmJH\=K'#vZ_^*T]KYE1/ u-p߈}|f-?}9Ǚظ!F9 :@AElPWTPJne ɸcdOgSߤĶ3tkYQ'Uأ̃v-닍,zL-sZڠWT5~!oR r.X|}?2U>!:@AC%c|`inAA4 v/}v   Bt AAAAAAAA!:@AA!:@AAAAAAAAAA.:ʪ@AAEC u4oC;nnVH7r;ϯo[o~wnBt{]?y=?|(-wr@ Du9Ӿ?u;+aOgno~s(@nF[{C7 ?~V5>t錄w=?ӸQOы=KOW5]ton!Cn﹋nFz{iW 0PPK9GsTtͤ ?ѾsiYisiG azŧchޢF@z^{ j3hM`b#X5{ˎ^ZQEYa )eZ4>}w$4陧1/1/ 1?EN[{=4W}D Z^HOWw0_^T1rģпnv鷷N7t]ۛ!7ѯL!toАOz${O>@OA"B?L:']ޖHW}t:zIIebi)_l4RZb5RCv0-u KW-rCVӁ>GCf;0'уzԐŁj80)EwQntwҭnwt <[iȭoHߎy6,Z4:SI{ys(Mz3S]Er :^^<TK_ttg F嵛EG%&:)UXttFm\ Og6q-M6s_r_TYZJ{׽i^ V4uZj26./}8k19טA3?p!e5m=4G'*Pgd}j`>3`G/)CKT;yQdE|;7n8<|iojyԢ V.. 2m5Nޞ:#hʇH}<''/SCh->H>y 3BLu` Zl伯Շo)oדPݽ6i: [1fym8.V\~.B e-`ӓ# 6ah1\1 zb**)C{O }a4) K@ %/˸0e#D.| ˅<ǝ.:>y.ظ$:n_h#(=Atx 5Ub֧'hҳ܏_|Q@#a㿣93&z}*z(g|i2\s|xGߠZΠfұ#K~1sBo3|b(yd㫙>_#= ۏ]c#vz͍zg4Ffx]4PY d^$!adT㢋OFK. 
{ Il0*|+rokz;)|ه4q34):dz<;r e^{I,ן6.)::Oӊ%dE.AP/ΤCCi%-5O@c}|f`xmC8͖Ӝ6k9嵉,/ nZG?32ك?k[m})}أupz+mHa#/~xuqDǔWQOn6( :o;뮣 &?[G(|4͞ 9Ly^7sg+ʾiߞw9J#D'UIɔObdܧGً~.O{q,LJ)`^Ŏk/2i돫%ɆUs8mY&OLXnVs]S!3O pf6&'Gr 1?F{Hz"^ItT(p:}Vt˓*eӬUKaaΟz+&rh5^eUulVv0Fmp4)FA, ›z{)c/-^8 8r ~ wEͧa̐_( '{4mԓ- .iuU F'㟐moךmȞ-M\CVVВg=M9S&ud MY+Z6tmL/bcm''f>4vRGUAltH(jи`1{hwӐoq&:ne#ѯL{ 4/ eͤyX 2jjjx UA tѓRKOq_rh!m6HnmpӞUN!^aYtQ`twSKk7CzmsS#bsyX.TtدG.Ѝet[)3qpt0n[PjV"m .Qz؝ҨxSZ.:䇊E7.49}^ܖLlA0072;{n"i yz55/ GpaἻs7јӽ=c:K( [P#֏20ÞN_&Xn]Y168Gtc_^jWtPg1Mm,~yއ%xbSe#l)ۏeG w-{qs`DŶJzvھ P/1iz';ͷIt3QԂWcaTJd_1sUTxȝ& hp}U:Y^q/K iƄv}a8|,t`T!Vvؼdק-1?U-QklH?u']t}foF_]OoiQ4i b/)#pqzvUQCm)y,WZ{s$ɽ;-q.*񯈆L0&fbCYҜ YdXݚX:i7*~3ǩ4?qmՃ L w_O}0bX('o0] 'ˏ3ϪW+_In* fuPM۽89ze.Bn:VHUyߌ&Ccܮ[xӛ7%oKALD0灿1˗ʻmp@q!bD7%&BԢcmJ(5'vmkr*9_D2+˖4mOKRE[7~"Mpa+3b>rQq u-T 鰬O-'`0O L*M/b6i4H_! Mzoa;s_Z*QfZ! mJ|S%W4#QMۏy'&Iob IzⲸWC7I;J}a>1 99Di{<(s=K~>}IHlz><}Ӹ@QGAg-%B|*Y܋*:owYTG 3õXʦ8uRTى?\.JGRo6k&[qDR$"(⥃%D'@}@V@ TU/3=fw>%B3=ۿ[4~3sy?%>O/ҧYT}7ٿ_%Ł8p/$:{ZWߦRsh+o.':>Gs?K_?w@OR_/п__?GGG?J_Fv| 8p8p@tXO=ՕfҿɉaӬ~ _d7W//?kt&?8p.%8p8p@t8p8p8p8px c'%ۿ[:88),@tDoItw'qTܞEzvB QJe?mlpxyѡ0M' й3QQuoMnmVC-;f%+'7 DlVۨHSO,lż/+TmͧZ|5$ 5ѿಃΞ!O(>/Q[k5i"\efSv dJFV^)/eo/~J94y/.*ȯ^wO59F~LӭV;A{iwt?oJ{PAo4 x'wu|ßROUm[toq;}|r:Iᣓ':);|[ wg~2Dl6Ȏ,vp=}?j@u8L49zQ2TM'RGokQ)Nv 9WJU͙jX):TjZEfGzчTϽK愩BCqioMt ӯaئvy𮉎L:]A,dDDn,B}XEǵ_uy<:Gg2QJZ)puݘ TkIX:*EMf[x}x> pz&߭? 
;nwjeI}yPٯldD &x_'Z{s9Ge}Ia"Ar65CE:{UEw*︧ibwu]o?)r%:Mozb?}ȥB=êI RKLz^)呝~NԢ!6O㄂q> o\dxn=IWbÑz&*%_~o=k4zFzy1f*2֖V\7 jš'L?c}d'.ڧuqIi5mj=#AtJSv12m)2eӨ':%huM ˤK=wwߒio2w/秒)*CuHsFߛʓȣn7Hhk]-L>8{;,0H81QɽN>Lv?ˋˢ[ϮD6I:S7ᐗE7F6ٮDvfe꼚%:i%ݧK=L(0M $wamNtl i_97]˺J#.y ׏ˆhdj.%'lsm%Mtdi; G~u^bS5H_sϠq}Cخ,7mkG\<0:k.A;YEK12B7rXc2W7 9zP\ϒVDwzz*ĮOuSNiz6q0R-Lis+w(W7f߅}K3p~&nu%sa7dwcfgg㘙L@Iƺ{?<>핦f6N@ZbE:ׯ|K]o[Oiy7K%b쓾](7)b$zYyP¨Ϗadgiyb]a_:㛚k::qf)q YR;8O+^sTGV?`+}9x6qN4׹h65U:ŪR®wat^td( 9gs̸_r7Q9rn%Eg=4bg>j,cSfwANO{UMNtWSxO -1G_ӊC?HQ96 Iq}dMQ': 0zu,k^E{)˩zM??JEvRMdB!yedCgʀ3ґfI|xCGSԬ\!|`O5]\,Ly#1Xwabo=vk&M;&E%h͉sࢎ}yݬ#4_U89St2gP| m#ZY!5j}i?kAagxp*̊ŞEF#zdGEkjD:+ a@}]qG{lTk{\+ZK!N6\ר^ n]; Pk: ymatަ1; ȅ$,(ȏ>";ib)u}=@1K^ȮEW9̚<œRy4CrB&ۨ%:g4G#?rR%2r5}wra^H*)*F#I(Sۢ6 R8ޛ5;zѺ};6mQ| Cb_w.Upj#aF-&sQuI@"? P!`Zu+P0@0|('\W5q(/O%+nNFHˍ9Z]D- GմEDn{~ X ӵө1}QNdW|,[ʨϏQFvi5*Avz"O\,re!Zrާ{?;,N1* EA쳩塸#*:X4`^YSwW&:41aZRt55U%IӴb]TcR%6 亦ڽHtޢ%VLʇ4y*[DkUۗ ",)T2Le<>Xܢ4uas֋?Hn/+:)>|ofuw2#7Z,;˽u5j)Kל[}KjM,fnvOvq7'~;i6gͧ 1 u8нר*++UʨwaFooV\u畵7 +My\G?ʑa4!ocݩ~kK"yjrҨ+,أ~ƕ1e lPMʼnutyzRQ{qGܲ-سfmvZOp-:z'&aqh6yD7i}>gzf4q3aG=?5RTC&݇ꕴ7{cTvI͋n`ܧ8~gPVq&Qv&HUǞ*o?6?m6<ǚ[hy~z ヿc/Y/:nZqw:^$I_F@ >GM)DˆC5vDzu{QӦX}uq93ºprx5ב+%jav&7^N5QDy֖u족]qZ(K?L3|ė 8År!H-"ؗ_Tjm]~m:&@Q=m:sj6ݷCf.*.R/ ?bvg.R-Ǡ{!LuIF/^:Yܖ4}tȈ0S}dv5]1J͔I%uCO| D@tDD(:@U@t :HRtw'qTܞEzvB QJe?mlpxyѡ0-q6TP :G]5O {#\?-'NDg~Gcq9wA?*R_#8|^2M/Dpnq!DlVۨHSO<<Ս%=+\tv"1G`*Bk |jO7 3<l-dSf3j{S)#u~I :|tD}T<%<}vҏ;[]vƟ5̽-WNT^J7 Q|ķC:_pvDh%#KtDŽo2RR(l6y<#/NulX-id~H5QZqa2svp Β}UrTJ[Sj-?2wQ:-F:#/rmE%O:s_({ߛ0ohaLWEVΨ9W'tk*hh>9f9h î jT:> ׳LӴ;S .E:C1OZ+ajtԱA+R{&haNLp`sr gk4{XRrЍv!׉6 C5463JՅ&ݐwT.槊oaEԼ 쥒lsپ!Dlhzaω!ڪ߅h2lQx?O ^g*l8\9PUI QۤVTؗɤ&{T4 +eAYdԻ6 mylm~*zF8C`|("E&W:B_M74x#KR$5!a;KCÂ1Ѥ,7eB.\r{0m}?ua%\roNd2:c$:#1pR(b|Ӹjg4bduJ:Ӡ+:Ưk]fBK]`jߑu ѓa#Ü^ceLz2G#v6#^^?:z4amen7-..rCqNkxc((*r秹KGP.+D&塺l:ZCuRVf i (TN0HR] ,EkN\ݘPAt(O͙+SOڟ9E'lY舞6EINVګ2Ty lyd0f"B]WWv I;':wOQvYomo%Gnw2=tt ͗gid~㞸Oe:Ogc;|xgV337&^0i}R%(nT/4e!:Ȯ\^5u7n4޶ȯXS]ޚߵ8hhK|6"y[Æi1R]ܡ;|4D%ֆ=p^8 :|oytQcعF1$ϝ\I&td(ϊFSՊto Q eq f\|΁Ū4^#EvQHTMnudM^R3J 
}ZnKӞǡZ^XJb-/UWG-3;1"Cs>RO=UޮqB (-FFXgl##v ZF]b,ckG^[8yuq1nMmhkm=sC5dv:p:<][G>Nݨ|N/굶!+*&?jeXfvvy-}Wr?->GMBrX;5)oOv{e]Ut*ewަB,4}53ޡ5AlfGdN@tDD(:@U@t :HRtw'qTܞEzvB QJe?mlpxyѡ0-q6TP :G]5O {(o}e{稹ynL=<njz*+;[ < Ӷ w#oۋRnN)ͽ݋EcjCϸ1iPwX ^u-QJb Xmd-* mo:uhAd8DmMjy0Wژcg ?$>:y>*Doq;}.sw;^͊w*_0S^}DpLx~A&JII!f~H5QZaUî7f:'<+/ѽ,1rTJ*ҹ.\S'-dj_/ df3eFY&g>'zcl۰谤v7JH<}9Epdw<@ۑdw!^?|ABZEF# fEgiQ sӪ7h gBBݟr={I}mid9RXA#.rxFh5i1_y!cŸY5=Ѡ5(ZAt]vm?SJieS@[Ƽ; ѡ):BTr9NYt7?F[yB9K`4It9qFJ/Dd`Jű 츧ir]w9>uy.ߣ3U]A'LEc\]ݮnI J ߒ°, 럽EB-cN&T-Ѻ~Y UX>Y5}&]Wt)TRiT|i䨦Ag众eF#8Խ0QgS Dg¾#cLrol&3f=H+ѹlYY<"c))F=!E_3Y&;h61)z5CydǜOjkLy}UvM>k#;.r^U9m7;+uQg$i'[I7sM-ܷy!"sӵ9*=v=1"$_4ܯd8{`-0K0/`B_t,^bx}lCRP\tkTk}xS$m<6e__~) WA}T-tB6JSaw N޵ux5̅5?h'j9ʼc3T]h,gP2ijsp 9NOUy ^10KU93j=O KO=Bl6;Nة]jkTw=a#2<. OF煀$W g&4̜0U0ó[J!BC>t)'~ IDAT*ȳpCMFmQ?8٢ AWes8cdgBlq5Vsc )wDPD |t9KHt1 wM8XΒos4D~5 ѱFוz"|>aJjH']hs>W /;bg0m+8(H1=&|`&ayrG'L!ʪ:Y!ʲFԧuBbUޒBj_ؕtaO.ė1;%| gYʐ;|"U;8!ÔUE{]UtsI:g'}GᏎ)T8 Yދa Phc\ } T$f?M)d鹫Z6u?xGOtaS.]mK6ՈH*p^>#;kdDonٴpOK#79# )wDdž=%^U}!IEv⢐"}9yT~J4]wKKCKtyatݾ^tB4Sv9J(k4Mp)[Ԝ|u vݴ4MёITitze70x|/: ʓ&Eh]iڟ4P瀆겹<7h=I0ssfOu}>zAzضA.W/ܚ-ё! 
~+iTM*ZEqJyR7c!ٔ]OeYzm*Y HG eFkƮUmGY#>9D9qvaЭBR6(^d9?%G)Φkg5?\pmN#Byd'SٹNٱ:&oazN|J^Xt;/6uݡGrdd'zAt}'ߡd5쬰=L039QrZEؓG*A:RG*7\C?zp˛p2ٖ6r.fD]i$%%.H:Ƌ738)t^M]-D}n0azUftSyr=^K(`[%[-AI][HOGS,4jS-Uy 8cB uE5)ҡm;cm5 ywra!joiIٸ&:f>ݤy]QrL1K7li9l&h> x9lRߒ ˎQZHRXGI4wyDu)Wi/%簸C} -k'>?bc-_-ô{,e s u Fibex:UwrǬ.#y-'smKռǁ1F+'Wՙ94-g4:a'{[8@ۻ Fx6y]&F[eCX*4ݣ09E1[r[E2>F`8/@KkW*fd;cmQ^#-,4ޢݍ%Wۗ }lQ^>2Z ݈ڊߵ8hhK|6"y 2 ~Zdw/lt oetӫ+L s~`Hd,)B#Oɾ7BSa]>-ąAsIaX؎JH򹩖ja:KTzf9HU*oGV򖙘-mmaeHy}x][n&kz‹aa[GE9EQ2pXnmYWSTC]6?pyAէeXiNzUvv삒=P酥/.}$lܛWi~~ŕC?&-Dkiڑå%f{~Y'^-vꮗ=\BLem>jjTL]Aï˴HkW^uk^tF X!Tf,OцOU GmC>n7mx)" .{|o̮%ccم؁-^'xnݗ\ܭbLt na>iN6A!'s@t :@tD𾊎WyX;IENDB`scap-security-guide-0.1.39/docs/manual/images/Patching-Send_Pull_Request.png000066400000000000000000000562051327242345500270210ustar00rootroot00000000000000PNG  IHDRb]\LIDATx݇{Oy8˓n'vرč 6`0 1`zGHQL5 EB5P!@"PC]ul_?!vgv53 RHڤT … EQEQEQi ʔ j"o:=O}ʐnݒy2h UiVQR;TTٲˁT%ٻw)-֑])[e)@ 7@ ; R@*RXX(DQEQEQ[䒒)HUMOO2(((ʭ~_VRH{8&''իWVܹCQEQEQ[dzJ p U!7YssQEQEQVj?Y/f)H7?ll(((e)R(("!6m|s5RmTmUm((}#DKPJ (((i&ud V@JQEQEQ>/ )EQEQEHF#H[*P@[PQEQEQR)@ˁNo*?= ]%Ơg¤hTFSm<*r}+]OZzw̽٧?j+*Z>()("H ?@zfgvtپ]ƽ;;)y'卥= L?{jֶsp+rO/$~7孷޲xnܚ`,߷|VgV>,)("H u mE/?+䛒r3_ @zYжglo9/>=|#HW~|1tg==C ((@ /-'Tkj`W'om*Qߏ? n#voVke6=YX7J=d4Ui {GO 7qat8}v#vҳKK䡜m~;<\7_! 6˲`{&lkuSϿߘ)PLUn,{ ͬm<۱gG l>lr{]=ibs]]@zy:×>=Cj矽V_SO:y:n7|$0 `)h.1u*B|=(()s+ K3*u_0J Czb׷µ$-НҽWxoZaBAV( 21ޭkǜɾeCu!!b Z YϪaxg3=jv"9 ˡ|W#L/\O^l? kEvSA;`R1ʺdٲ.yu(z}/nc+=(8{CÄ=t270WLK(};tt}=HjWUܾ\>qT͎vԫrL %'#xBs|g}\~iU@}굣27} Y(O\3u^;rJjzaV(SAնPcMYk^Ξ}>=V2@ϳ eڪ.ԕ@ʼ@d<#o]ɘ&5((@ U.Wet+j0^\Ler:UQsy9Z0qӇZHz3xRgH#|۲<ZQFACʓa֡/ȩi̍|-sF~/&o5(=EQEH@UTSW԰`a[}mY2@8R*l[c-o8}hޒ;sPzH݃KtF@z=yU@jٖ(7Nեs$##W*Zmz`ٺ[9sj޶PoqحWiw!Uv|kPaϫ,{_趮l=]Y 8&M)?((cH+JR5+TihiJ }\ _IQUv렦~3-@E+:i*ܩٵR4.X="gjPp z_uwž>m e>>uB^w@j=ֺeV[ݿPv/LڡKDzא}6((cHڇ.Lz_uȮ!͛O }ٵ {$9l}X+X|kĝLv?o踟@O9ɲ9%G_,-gDŽOlč5| *Y!ɽm2_Mvҭg}92xH#M }.jze1Z^avxv9;}zଞ^ԽThk":%Cc~<ݛg_+ZWV7 l>f^|3c^0 `_t`DHwZe3vInq? 
zqi^R4l2yEQEQ>HUMg:Pe~>HZWu,!7s/t-^o9FRӾ\v+Ǘ_6sVmn2uGZy:_ A,C0ڧT{C~g謝ͫeoBM|XREQE _ 4Jxiv=]-WTjeC'E?ɹEQEQRioR+H 0禾;}} G> 3R0EQEQ@ˁ7O % o+|ècgvnԱ>u[e$\W((@J %H@JQEQEQR)@JQEQEQR)@J ((()@J ((()R)EQEQEH R)EQEQEH R-99YPEQEQTu떤H ҞEEE)ll(((ʫ~_VR)RXXQ!PEQEQ*ܕ0J 8ȫ>Q<^G })߉'o^ʦ>Qa=~Ƒ/}j@ H ~dq2dqG5'o x5@J Re iݧa=40) HVm󭀁R uH @үЏS.Lz_uȭ3|F %Ri+6LGʕvՅy/"H 'H+.۫Uߕ+zC!F R@ R@ H R))rpݻw\R˥MR) jQaHǑZ.|R<`J %HC q T-'@ %H@ TV$gt>Fgy'@F{UkRG@)GU4^RfvH(}>JUo:/J%Q'x-H(}O@F`R) =)H{͒tDR9/=ƽ})]'Jw:f$S3'bd_A9xЭSwQE<(D;u@ @"J$þҮ\`[Pm/?+?{m):Җ|wH]pY}(4ȬluDvx۫Nӟw|8'VmfTkd\*~륽[ .KRxCTүxS7:r] cӫN_c/\q:i̓}S+FT\CփZooe )q엸0"I9_s=mvHp W簨/?t/\痢W8B"Uz:_6wyyښ:swyk҆=^MYmOPaseh+'jK8o`miS7Sː Fwm.ۻzztuk_6˘+efj_p_Nr7Ț _0;Yr3Sc?z8BW@p'?^U=k HA 7Kܴ?sկ\oи$=H_VݐUUGa.6k/d nyɧ~A@=v+7CߔlO)?kNߎ4ƷV\7@I밃k7|K R 5%KZJ?OƿO!y3;h#Zy{by^:L#jnj"cgw *|i<~t99qRw h^gZse)2upPM7j2}f j>w,IOw3}@hi5WV˰˸_}qmwT]sQj_)3d &"1yu׃zT0_߷-9RKҖuܵhL8f@y '}G&"{f=k7HA 7KEL ϨCڴźԺ_| hH͕zXZzث_LSE5U=&͚0eD_XRk?ؒFqe̙2s}8UE=bdtΦs<<+$.T .ꏌ:&RH{QpsO\WrodҪi3>2iHiԔ)SdEzRfZb '!vF#'Jòb'yp#WTt:WFG+;Βr(Z輀U̞U -;Kɍ9G@s@57P{Lʜu*z $ HvH᷍l[5mIwsgz~?)͒q_Zq[wSKZiuH3O&W~]~Kay@z S.m^v??#~%z%GTb?rר;B:LֺXA@/76όٯ<{^%k7HA }o4*'\_ܮc1םPoƳ5y}7Sͫ^Nڨ ~gO n:/@/ؐCMz.O:EsNo6?`u:Bʻ6/RWu~`ϼt+mR^5gk{NgrY{riutcށ;Xe]~U >//cB{.oҵIUUUurJ: tOG.Z)))[55FA}P^|?zj:oz?u%.fװx8 ;n'SE5H姺`߳+TK<{tmȫv sܑ1ʭ88N$wu6dӎEУ)HQ+`vJoζա!@)fP1&Ǚؽ@~i~UR){Pil‹=\jvŧo˄丱T$Jz72+5Od[v.^?dJdinmJ kS* '˷v[/ʶcͶ&qjBhgI/3ɮe?ëSL8,J" ŗ6uy lb߳a&|OGڇ) Vt 'N1|Cx3&frٙ~16f\iJFl3=նԡ~O e}OsDF+V";?g>TzVes3R2|{5X$<$w Yssͯ\]T̏1;ָ=tM7Zmxܨc>i;igG_ORrOw8B*ɩ ;O e}OsDF=UW2v`;[1βr'#Hk_}v훒^{޺ =+='W]1nmz M^:d;{ߔ̅֞$Ś\zYpgHR6 @ R5+?lh:2K9gH6ʊdС~ke2x6{CÞn)@ Bdg_p#.\6˖KkdUM>_k}yHȕF ݐu# %+!CK…j{ e0=lWsܖ˾{Zn8aƼ&9K2qZپa1Η[!qksF+:\X"Q9sh8Ֆ-S2B]R@pi"ӫ@ %:쳱MZjKH\]W/W*[R&)aa2jij vj5!udiːr]7@E~fw؞ge.YT2%<ՍeHP;#Haz}(鮬[:l%RJZcFuJĤa:{g2χz!F`!ڠ58l>TzCG+XUSmQ,r4\ŒxǗ]yvwB]gw))҇H[sC<afRεt`s`8C@=|Ӳ?:^[>_rٖQцQMiU͙;@媭>W}U!ZI\(x]u46{ F[*kz};g!uz' @ T $IID|4T>,eƽԵhiŹ%@ 4fz';PiQ^&dҖߝҊ '.0(+RRH{5u:>hropqߞ,%%%oua3@+?l">@ԓ<)R)HD/?{m: 
~w&I^9޽d8|*6kAyO@ٗu8ݦd_͞'~-#nzoi]cdΝ8tǺ(rP t.ۧ6H5m5U_L_?`@j[:@0L)|Q\7ÖKR. ,bVc_B`lZV={::{^?/cu7nuȳ[ -w_Kot\_;kSaܮ/َZY/EWoMC?_Í6j}ۻazK\+vqJsMZ%F^4{T0 Ch-_<օYGM>tT(@iW, NZ]@mtv[sIG|EGۊdT}ke鳁30 tȦsTN4vqŮ@1kwß=-д;ﲷҗ,aHu38=F)#2e,H_XY[: ,>=v|Uyį|y }?Z#@ }DDzdСF5gλsBCe">+{҄D͛)+dƨ0=losW_4_8zYV =2:-Wfn/F-V&廱ce{d#n7,Lƫvnzq3$(%hԼ9ծo\e@lڝM;Ի"iokVW 5t[ F{N7,ut8yl[ Z#46_i?޶V|9lA_k@!H@i06KR $-v8?(>uUvn7_12l I/.z1 4V)3CWՇNȁe6rNLnfiyCv63dweH;*q"Z,_ʞ,9eoeMiBgp$=0+Xxt1lIL}M O#T >d.wjŁ R\+WҶU4`uq9/Huyl_d^¬Siw6RNWKQp3̫Ժ{̋^ k8>>iy琚㚽XE: bwBN{e3շG5;ﲛ!ܻGoo֞Zqv=p.'ma5@IX{E(oή9̾lQKS&s;J[oM1Eti~ |4;5/6YoqtiRujEu=,LĖyM5e1*s޺ƪkZ4tnfG<}^zKJJ"Uxj\5<4>@sHUi)%N\>ԕ7ȁD Yj6w6 5\WǶvs^k~K @P^vCJ0̸cA=-m*kzHUw;ik^ԜPaZٲl$] LxB}F@ʲ4՛R(mmmr%̾3{˨w-iN({,ARa_˱-_o,:P~D @0Xgqj7Y~~~~jyy%}s?^k T|>d@p!j?:Wz 3H7[@T?B ]O_>=*wZ:-zHPV݉H0j @>T]!@ȁT?b3sS/ ځ2(A%R;;w@ H@:'mz`E v }-u^;32-l~}4HHg} wzk2thٓMb3ˮ12|ӫ61k {^>Y۽{Ԙ/ z{>E -:uPFyU>ڛ^Q_tB6o%-N6\ aGɝKdk=&9;J@7Y ٵcy@2~~ʗOȥl[GSkR#aNHq/<Ǎ6^w'ʆp ZvZ~2m=i¿dG^ |h":aMQ:ǧ(!Q p}co:aˉJvGKs0o/BVu8nxH>J*szݎq}},Gocz7n;w5'zmDZLmh̓Wnӌi6C=:{+;Gl7Y-WSu]ڶڞ@u?^R=*n#dmzi᫟O<'WY~M?㈺/2rK2://h|X|9bX)msҫǜ+2v9/ӳ85^ؚdq;y 3ߠ%/Z^屖ȿȤƸcvfgWdqk 7ۥo<L׃iKkFw 9 oww'!7F$\r;q{nș˸^ƞ$?FKďnǥ7ֿsQ :R;z/?Μ`vQ*FVW[{^ڝJimnoy`PYs#u{Gk{w0^UvٹȖ K,M$Q%Iޔ)_3)L/+YFj,s_wj0oL1ec+͹l*z' ݘ^TUdɕszmr6mLt^_)keiRPkS)ov0{EszoJ~1?IKG]rX:piZ훲e?>hLUcr^?ƒ!UNm>UKx^}>&ԽSNGP'ĹP #!ϞcbYx<˺WiVYV۰r?\vÛw:?=da];!WPI;-GӉI-m-Q?l_:kon ߸Cr٩ M6Nm޶IGv<:sdKF{zh]k4^@?[XT%~r'ue={iq~^:ɰZtϤ'f(GFO=~H SPh ?jۊ嫉2Ӈ_8#ቺS2cpMsa˒eւxY-312e1Z9llٵ' Zrth;5=kC؝OW0l}61 vwz ]g@:k25^mnr⼤go[M/^r}s}|揲 &mZO!ϟlgSfp 7斸w|v s{~Wӹx0vj>";79wq[j;٭e6,Mt턪-4aڝp.K+!33nZ P}z^6KycEoѷw;Azps+#uʬl6uISz);<vն2#Ab/؇.:=nrkLsCl6׊ mzm,^4%#xGh$mph9l;loϚ@4{=;|n<8 H'x*ה*.y^FDI>Y6.wn_L2 K#X,k_ ѓ\d=[2,2d\{{'3е]9^ u:mKeV,"_{ FPKx8?["玏</_HE#rbɥd~t4bꐫc;w@)i^Zl)vm~mT};m~sU4w$QIι*.9$F{e9w>Xmq׉s%(?ڤ o=j"lH[[ie6gKk\g/ev>a=ݾ/g jt0+9/kZcxD uq#ǥqnX.8.Ij참$*` >[zAV 2C~{H{.t"OV: ^/1ߋ#x ]\'mϲy/OP?k?{߶Hu9\3G e^-󱼺̾y#ʺPs+n?01V~uMqcyQYm%Nqre*->4NU>Z.l K&=H,nݟxRCf2ZiF~}_ ?ߜ4G+ s}ѵE]?2I>Ta[\dW8ݺ3uX/n 
Ƈc5_2+m2R$3zaPKIC0L-2 %cF߶AOg~3^w5~[ cUx]~8g0ʛu2~gYXCyԲf2x=1s^8N=1疥I{|/019<ɦԘ̖!/Eצg勮OZ9n_5wvv!j2i_.'mJm[EQDT~oIWux=KA}zrb_Lg-If@ d³ؙpH5%y~i,J<>h8h֚TG_F1O7 H 8e9?kC*acF/]LȕQ;WلzdW-ˀ5z?ySՑ̝J.r]ߨGⴿi??q7sw| ːnjX#ue^O?/8UqnCX2ZsY:ڏ%ߏW-yQi9qQ\X2zTj8B峿Rri';eW-,Bԗҧ+42CDC"We,wCz92.3ճyU iY2+6Xz1}PͫfAB?!>'y[mP8wU4ɓokD/R:4`H3 / $,I! :("Đ`Hӆ}˫ KbH0iC/#$,I! ˵K$Đ`HӆŚ奚{ KC:c4K! )WC?5х6/|~B%ӊ0s]2=@/qs`*j iH_ujB!B8YѠ1nVg5.!UVtǧ2mc 8І`R4C2 Z«@!BRc5NVe5nbF1!A<0R )0R )@Y^ঈFח!1JC pS(OeކT9Y5K !ʌ*O'orjU5B!B(T^R7y )`HC !ǟ<(t>IENDB`scap-security-guide-0.1.39/docs/manual/images/Patching-fork.png000066400000000000000000000215241327242345500243610ustar00rootroot00000000000000PNG  IHDRj&#IDATx} \UU׾_}J A4A2MPYp̀Ҳ2-R#GSa)e={c=gshhjA4iҤI֢ABBBBBB"Jj!&M4ic$!!!!!)HBBBBBBGjI&M4i5P!&M4i%zIױ~t@nhݲ[DFMU3X4AƦ5ڴAS++h:G7xm+ +DI4Iz9l~}z¹[wo<6Zں7IҦE38tl1[:x~s+i51$$$u'3^@©-p|u)4lЋBç㩧 $iFʪ9lúy3vwST*IIIX|9BCC[y3f Ο?_4;udu1Ա]6n_["tf/G^.޵ 0y0 vc eA6H>FeJbp4h'0|p~N=kbɓ'+<"QR4iu3.m"|:W`˽ַ'y03b ڢmp퀮]0̭7F`m|֏ʕI:??}6ŹAPT;ҽB WSnQvecX?'6qȪckk?UI<V<`IBϒ\mۣU[4om-mФy+4jjFV5mlۦV׿X9&dζp  A^UN?Nc-3<_.垥cb. 
WXly{ʔ)|_wѵ2Z^q֬Y-ǘu:bwq;}] =6#[@y!.C!%T4 1^,YJ%(I?2y۵F6Ѳm[l6mL g[UVhl o qzhhoQ} m |{aUN_cuDz1"1&徥뫺:.uĈ4in޼-[[n21999?~q999ܹss++vN\\ܣ1{0H4w1$8"ZY2I~{bԬKJb;\ 5X<cı5{)1)I/xgϞ5v74)B>}4Ɓ@t*sfѲ}[u[4Hi+NV-[)حs; | G":hFnn XhC`Sn:qbظuqM,ĭ,v_bc-_p"\$nm<bN3wШn#v )ʈ__+ `f`~akr_bӋ!ƍfe0u_6 X~@_qgoqŀKi $~#?,?$SD/>~ 2^&ƔK!rzǍCb^߈+,s5+ -lblѦ58)J mbAZ9Q ƍBoXUuSx,i4aC;W_l ]: q; @w;)(c$b4&jzNJj2~y7B (b|an wOraFd҆(l.klUpb]7!jY.<ˆ L\w*tNx[{4fKuȆP4n[us4k \ت)>X0 7.|M|4eM{h {g>\χw"lG$~JL) C  $];׼;"+ww1VGw6% L9fxbuG]9ċXwG$b M61FKQmByQ9">>Ʈ]0dlذ /Hb4v4cRbdqw8fΙ6q8|^pPhqYo(S:l*4VmFV[Q?>NF Æ.Ą _!_SYB'1 C<&Zz1 fp| l4B ƪ ~{ئ |[X4 +f 4F~F z;{ zPsW$ G4ؼs|}> 胮AhG8mˌJ+ œ2[N!\ԯL[R7Nnb\ڮ%r4)ٿWb>ʟj\sK3WF"&B4ײ:b!rΙC˱(> H:o>~LvKB\QUj1JoE^(S{r1*)׌&ބ aPNb.>cv 7[c+4Ƌa j˽{87CH+MF2[}8c4.؏"uXSRf-|y} ={s ;X;OlCL䜒c2eItbM*7-jŸ]QIu@u4ǪE8g򐕸K>5y>Rr~0Uc\F?NoUoߒ[뷄-o1i,u.},dzGۇogW?ISwS[4m՚cc|Mh/,W{|cC(NlzĆ 獄Sg{84a|?Ec)榭څ7 &\#)WWd!W |c\(?srԫLJGаc1TPF| -1j(;c=Ă[dLAK\{0]/ D@p]#mAnGm.Yh{1Z?s>9r9=Lz*ڄ _Z:%" 8M3~= E/h:|m" 4T6:e'Lk=Ŵ~X;fsґu:ŅXe#_LJ&ڡ~{BldeX)הc%ذ$RP<@6=(㺲4 Mu6,^oH&S/]Q=Sd32a(ggttǎ3s"u jq5ZOiT%-tI6%XRiQ'~1w)I¾lӽ{wDy0r>2. 9gF%QG`~A!c]T(Z|)I-ك".'a;(!nΜj mO>zcF_'oaag31ޙJeJROM6 >lTts߿?f̘!%AZ,1E4QGyXt"7,/a+1>}?xhb' vZ5=,00L큗z8 #TՌ ȑu5rj@BtjVfEʟ0lY>l; o>rbۡ-FuEK+knOC4S]ɲ^TILS4i lGQQ v-"ic$M4iҤcd?HHHHHHHrKz$$$$$$$zk3iҤI&M:z$$$$$$c$M4iҤ1R!&M4i%# INIDG@ d1@H #@ D@ 1@H #@ D@ 1@H #@ D@ 1@H #@ D@ 1@H #@ D#==W\A\\I=Dȍ7L~Cv$;ԡ-y&j5 Iꉰ@6p޽*3 ّ`>;1ZRPPP@RĜ,3kߐD9Hm@f`@7dGã#IKPIȎd"ǒZ-wsiB7!͝?Y[Bja>uVy{޽|ٱ~رSN\D1j4C >}:VX/_T5ySNɓ|{ǎO-[>$;Z Et\"FcCu۷oc7o/6eO<2ȑ#8|0K*-d"ǂr萐N??3yߌ3k>XtCGGoį|WuQ'q22+9?-~/ϛӸPdzkS9abK""*?**ʠ/]T'Tx}PvdP<vnVє7|Å+kOiՎǺ#sS\pp0w=z`ɒ% ~ ٍ";BՊ');ylF~ځB-1E9 'CiUl(ϟ˓l!EZZfVp~ .w정X쏞={ӰuwŜٻJ78a;UP]_2TH8QB { E"UyҔHq oysµ|,"kmr9TW_<[0>*5VB5%lxƞ={HoaS`éRJZB~~mΏ=.bEPpVx#{ѦHV*y:S_Zq[W블07Um)v,=\_}vo_qq  wgA_by$ eaۧbY_ 1KG 5kvv b@b*$&&Lr,&999[SsA$]F+ _K$;$k~*,Ʒ97"sC/ ;~w1`>{F-)b@Ļ'ѣru4Hw;(*,-[;ĂT[Tl_Y+TSjժrY^z g+ٗX*/l ڋv ?]b8!CSM(!>l|vdO"P=tvcaD$o߷;vb9{6mf/ƈƇumӐQ ;1Z 123EƏᅲE6w1X8ѥKd 3;9 Fe\ŧc . 
"upߔ(<U{=9wݳ")8Z_DFf]K#Ņ7|),D {.lN~pup/c`/,7{;J9Μ9d;015\XqwY+TS*(H ΎS}k7G Y:@V^+wJa~s//yjY6ֈ*~'Iߵk^xdO8#vE2}5+%hYg5TKĥ4kOe"zL~~~)ت4iG'F4===d"ԯ⶗X/WRMc`s(>>w0g ,-)`2ei(J*X!@ ݓP -YM~ԢBef*Y~Y4,ɱhR g#d N+T6TNNN";Αk4k7h2\@zbCE*O3R_*˗3[dgX#-|w!bKR Zڧ/$JCDL$ՋyDo͚5e!I }} HvHqKe&d2 *8*k}J*܀mwvI<"Cw 9[.WUˏ ySg4][19 c1 %#Hg1Q 7v bPb4U=|'ODh"^7+l [B!3<l= *wȯGdkJ*T~| PeEp9ˋh9W" { fběyyBp4?-bxu͖K߳ ߫~U}  2YGJE+>9 [Ri#I8n8JB4,V}s((*B|!LU 4R+,_}B35y9"hU}UZ4r]$>ςZ7T+T/,*YIE^A! U?l gFؐ~^ g#YYC ?ӎl\^yZ,]I`?--'m qv#"eٳd"Ǟ322H#m)*cGh=kȐkbdAR*Tّ@#[@R*Tّ@Xxϖ]Sp-b勒ߐDmlU MR?Ĝ̂VߐDbb-G$GLLX˶:AL~Cv$;D@ 1@H #@ D@ 1@H #@ D@ 1@H #@ D@ 1@H #@ D@ 1@H #@ "F@  @ q5IENDB`scap-security-guide-0.1.39/docs/manual/images/Patching-forklocation.png000066400000000000000000001464731327242345500261250ustar00rootroot00000000000000PNG  IHDRJ=pIDATxTia{}fgfw{}ދ EEP""vF`5o%Q4bHD;gvf .`ԅ>-{iwČ30}Dd$CSFQL<&MBuvQE P҉ζj#{O*mt/sq-H)8nͩj;N,>[R*!Bį)6X, BAA{Zjj*籐Jhii+++!HVz|0 Mӭ<-kJ)*3@Ij[;ь8O,kBmA,nL*@yA{?"Q#kPY$gi6(~ut"ylwu6F,4fcbݍɓDCMDӧOǴ&U&N,N$A$ N#B(s{NsO I@{{#",qEu(HYh 硴 -0I#p-^Ĩ/H9vY:[?1N"DJd2t:# [QQ\0$S/CW( T!\'Qjs@ .NM3L RKL RoN,DMU6_Z^?4. 
=9Hf2mnf״q9bԩ2@Z!B˚8DMMCiGff&222x wD!H~\hB~멬1ytcDy1l$ a"2ɰYmMrSThqDBrcEAo {d["~AJJʐՉ&%%qW(sl:)s:\6s4SF __>@N纉|†$N >-,6љNl=?9h?!;\'}FC\J2 =P( WH46fe"=]bLE nA%4SLI(M*iDmm-T~-AHHHHHl'|'|\ͭ:aN$:!C k8Dw-rQHHHHaUUܭ;:Fn.;W[FExꩧD '@QQo̪>Y[R:r5.b3rrr#Vꚙ+e nL+ e8Y]9&$$$$$4@iiis"3))sYYY"5k uaY!!!!!!Az]W]b]FXR!!!!!A!RRV?ʊu] e- Wll,o[ZZf:p54rՏ2Z% 㣫HqSTHHHHHtAjhf2_R!!!!!A8ŮRTHHHHHHTHHHHHHTHHHHHHTHHHHHHTTWz~B?۽jc"3~ =;a0ߏ{ߜL>/|?`'O_ n7}:G(0c?Em3< $|ݱ<_75G!$Gyuѕ׃1J|{ɏߝy89um3qx_ç>:8!yٿg J+׷c?Vw˳eGwQ:oBqlw|?+5d'b'N?zdڗwr甖 Òu?؏ǟ繧mGM²o+㘀陠Ç^{5<3w9uo^~vc92~E>f͚W~<ys-r;{<뫷)m8.?{bޘ̷ِ)Ǐ^/^dyҵarܸm;~2}6y<{'8ɸ9[?ʋ\O}l(޾w]6,.~_a řCZ7UM̵;x9uN]o#`@q郀oՑHڦ(̍tH|xcoϭtjzE7WI|;?AŮC==śs2凊O>-W{ҭ9kp׽Y{{9gn>tm%Sq>hl߆|aŽ?Cis]Nt֭'\s9-Y[~8].к9oj]>7uxz]usF)6r/9 '=6m+c;+v?PjiصǎȼiNozQ>}_/|c?UOT2k^Wz0sȟO#_)\'?ǝ l?^f}9 zSv/]cPfju:WorNK&+e  cOeb-_}UK;rla6 :=tK Ps~p7bu'>ƾE!q,y"O u"H{ob;ihc#$k*N|ry]JN{s\Q űC s\ <'C^~|qߟ XIPdASҳk[dҬ]YJԺA Z28P^p^z%w(Φ;-æuHYQ_OwUއɩx{@˦ݿi&=NGfV׸5yxd6'|`ǸRJQ@ \Vg'L@Siֆ{Yt֧/S+;|=MwsiXb{o) =kZ, 9OirgnoVFտlx$tfm\ľD-H]O\7XU6Mm7!`wo ӐD> %gy#!E ?OvYz"0@c u# /=.BLJ`7ݓɟijO !]/'ғ[wy|O~Nԉx}7D/y>Z^+b8Cv]u9SWQ,EܭRlMs[s7G[o%'f݇}@h_;usܨTn~Qz?':σlnDuz:\)9ݏtHtrC^NӺv/\9wITt ꀻO鍯g/oB(:8!K;7ןeٽmسCXDb ֗G;`Vo]Հ9]fѐvW'Jxœ`Bcc_$9@pj@ωγk@rGWEᡜ]/?Tpn6,~C <~`>;s>i[~m ;z w_Ÿ<>STguD6ަx?7KߏފQ>Io?=⼜Z:v`?H^~4I [n(y|*q|>h)|0M0MHd2Ra19 v[(d #@}+w2a 釱%xK5Rx_@* V Z \#aarA&WBC.C#6DJF1>PKP_YF$o/UrB#2 UIܜt(Wb@eaba2iCǩT鑜A CAn6{?pك;w"⌼^5H'oEd#cERa&-LZ 4*%L:- D;0e04K1v%P(E?"1QZ,ހ AҏDSo_4i+R#l4T 15Dp+y) OO~X8 qcuppzY]냐ECY#U#+6 v$tAE̠aV";0 Rř1DdrtR4c(oH$*>~/@!Hy|`ZބlU'AR9/0Ë@GQ~AAThi$0Ҿ@DJF`5FK 7-RxرJ ku`@Bfrtf9]?5i`A\cEHS;qHCZb$fOi47f8 T0rm5ſ }+ v."L^-H3g!Тg^ (F!PxT42rRHE)f 0->jBNgO -1“ԋ9P"bP^Urxy{k pzoxzch 7ae/r&j6 hJz{qRRj-NFԛC9h_orJUPCf֠;aV/- L;XB@p nANZ<BY/HKBBZe0T ̛>sv@艎_.nH׋3z ͏Gev,B PKI=#k$DJF!w'#ȡCLzi) HJIAcxdfbD||ПKY7B *ԕ!D+A],=;9Ur~=.ɵq P-` V#=l8lF^G壊jjB kkI\ r)N5##z+}Mtgsk;'{qT#d~`2բS@ȭdIeP&8;z?Scx=`jr22ғ8$` 9(/$j@ 3:: of(AtxF|}h_?(،ZQwaaeejm^'V[UZxhYq%P{b옑 l0m!ª'Wi0BC=E 'D})MrJhbc跆7h wDC/}bX* @nfm 
3$H)@:C,=C9@DZhUp: "CC>jHGY61!H62? IQgF 5()CvF:֖vp5AՄ1"On"[ .!8'"/*AI3rXP\Z1- %FK0K_,uEn\\<"2wwQft|V@ =@ 6^Gk BB'<Uٸp9JOZ&*gxxFӛir9_;wO!:܋vgn|k_(]W;CHHBIO,,MF K)hVwѰXU `HG}~$C+HyReZ97Ue(/.@]U%b㐕ɵfA5`Ԉ1');F2W Af6bYH$Kx7 9OMTÛ*k@#.XVo :th/rAШ(kxĠƊ2 L@zaJ H`T"jE!3o!F*/_FM0`̝Ҋ?p;.pB}RJ x\(k Lŀ(zYHw؎؂^ۄ_܋;&皹;Ɵ?}~<ş=6}ߟSq8HGWaBGy cagBC-GV۴%%Wʊs#, Dh+KCWM:dYRD+&78i(cJ GKS3J d TWTbL*F)-aȝ >|rYVa(/ѣFzJ-KeAX]?/,V?#h*8DY+biXxI}:lVB!" Pe?UѡH&'^z()EF/wAcC> *:yg-Hwybayl>]ris%sR|.yoغK{}ߟpp;LH̊ QY 5a\u*j nâQ!/%L/BYV`Y4a3 a"Lr1HMNC||"'AVV6V%e(,("Wހ?APck$1hKeXkYN˃L1>TGYkZAR9_F< 3׋@ͻn. 9kÝgh 1^]]oT! Yx føϜ#N!@?|b2ʒX8aHaa5nBY^*se!lAÊ\&G#KOC$MKGk\bBia>/ڭ(/^g3H',eH-p?- 0r7s>TP;~>lBm6>95dbŸcxYuHYch^ixxzcђX!6"8O_I/X7~Cfuj Zc!W9u| ғisoj!!(LCF@'>' N9AH ]5l'/ eTtp1'_ "| N1,AZ[[jޥ RRR;&%-[mI8gR!r6_dJ &3;iP*Zb1IQa(rmHCJLA7Ο%TD5!%%h)d >.q|]Or!Y=* +8{𑔬xȋ]CC$Mo^, R@.7@q9r86#7$>~0(ËFERr2 |xq4+RfY,_ﱔVmv!\Tul%G?&\܎ +;rJ!&E e|ddddtVE(D`r˻zA,jxH4@Ɯe.?<;*Xld'#)&:?iCϟ4$#73eh-.,GC]JK\S`,rvLJLhrG1wz(PY?TJ?X5w ̩K lT%JFF9j&5L!X`Xɥ6G4^^Zk[۲!DY1r7l2[h,8옱]5F=Bj52$bL7-sj-m‘sb0, 2X5!7Ww seYLHœ㐓M!J,7UW#uX:'bAw)-9 *@\L< P2LĬiS j F?_)5 $xrLV^dl6[QQ^/OuĈ1|$J ̻ʰtXUUo]H%9v,9OOXh4zpB΋iUC!Pސ5wa)+)VŬl"Vj`7QSVՠ\0۶f_g5KS6on 9I|7)5bA;f5框JX^ 3իakkcca_[–exK)6W qk olܲj;P_򲐗&!;9@VΦ:THP^TlFL$'8 U8gF7Ϛ9&-6KgMX` .\Ѝ+//_5cEbŸaŸx|x.V7 Kyx*V,ĸ0rAKjr;ؠW#(iЌJZCANˇC4/J=uq1HOc+*F #%YhDQFyn*^وWvb˚v|}ٱ|%زlȄCF҆S[ֵqyz4,_ԎIQYdb# 5D ECԒ#4jfi0Yf(ATKԛMЙ PNjWTC U;%*U=0Ur4*#W*cܬ344]CWe2Z`$G(oxf%$ rZ*O* * @$ kmԔ#nCMiiA5\ԉGGl%Wڈ/xꚉӍS3ʝsV<~YH]_~w=voᚭy^O 1^iRWv,?v_k‘H3$%1HM ATɬިD ӧFb1Bn3{\yn%{bzvx<|A?w1]ۍaHIz5|5F9rf5J2QaǴx̪N5 kqL4fqN[ . nG{ [S0J[TTlFtt4bcUP9|@igpBBNH.ެŴZVLKm Oj:;O5€caE*euP ۑxŽNx*E.G +q*UMHq^s*\XQUbQF&G0?݂mɸaJ3۰{qts8e%ϳC{˱:Z9~PH(_P0ꕈȕ:tB.EcQ{nZт =btbf0 _ЁsƉ 5[CQZVD#nxa5̊3VcHJ5ND5z-9Mᐚ@BКxEsB>ŷ`q< %jF>_ZLeRhZ&VٍyB)K%eI4 $`MY64எ4<09# O[ww^ѽowC_o>;ǾGmő/ཌྷ$DH`A''gB!:\L+.oEwe"pͲLAGi5$(I#?VfW KhIHH Y`5d7d#ZκO kuw52xj=*OMO_Ϟ.. 
Vi9Mֈ)s=$wT/U'xy`^}n[Њ{bR\ۘkqsm*4O *|r4yvflx G~G}Ç|w(=]8#quYIҬR@a0OAF lW!}z T"WZ%RhS r]8L{>0]En*ܕJ{8InPe afFSIJws>2;p.yn-} !(ㇰӧpW]hهңWÇ=}pոlTKQ^C]~ZB0ʎ~a₱nq#ΟT4 "da H^8& QȠ rޭWTG*bu Lx O]Ohݟl#d.}w9RiO?RH۟)b-c4pz=u]C=ER'v=,F]u0 Q:-W6w+*p٬_ҀճQkBZHHHHHH-j_E8zZ6*9+ΕC 3\V$"\EHe=EcE|p%HtQ]δ'ȂK ]QC+Ý3Rڔ[ NƓT|ƕ8п7á>û^ѽp:[@9Qr(ww/Fi<\x3ie8Łl]PW}@Uy(wR^ ""{{1Xb/&h,1{Ad36/q%cx|Aʪ #)@FG!}rU U U CdO6MM%ԯ|ş@Hrӑt){&%P L߆p@\.ZK=3˚h6AT$uII[Sh7{6 lݞE.*Ci@ gsym/̓χqQnxbnH|7&20ӛ٭\9ItǺ22/oXs~cݽ% ű=SFS:{7/lHRRҿф,N]&ShT`0nm};t[;oeHߦҷG,35Xwv<226Rc`bGu:4uEѬH4+CӸm@t%' <><?ՙ[˟ HS8կ, ÚJ$3Y̽O`^}SLY^[ċofqk0ʋ[m+Z@Z^rice HRiHRr}Jx]ß(;o _F12?q(bϼ|wftN |g怶 RAȊjFF=2$ӋO MD*5n4o-R P$'w;^7mfNw|>wN{שHQ}Clv'9!f9X{+"\hߺ%8!ȝ~ A M 8;}bzNVp>͊qq^UDqa43/FHHH7HCke:Ƃv45P)P[g߇piO_Bkc*c$Aj& 5AR`Z 5Csڷk-Z:a&UWU@[MM50GW[ 55TPN=֩#H <|61ZP3Fj7&س% |vMg^0ci*]O)-!Pˋח47gzf:%Ōi(€ތi lߙ#SȏsQR U U } @n3y^ MvGq][7줦#iNF`j[cQ|m"z;po{pĤv]FMk tʋF\)T_ƍ)TXJ&nׯ[mM*HM:"922;L)l/ Zh4RAKj m:E^]j^,ٍMyT?:A_x&U/xQwsK })iʜ1|<)OfudtW"\ 9EÒ4-}Zl6g1 JbTJTT}tր {h҈Ė. '7 tNoCtZZ)ݺf\χyN}|h .GGkf.>pԯ+ UQCU9u6_O*7ҘzjҺXigHPg>؞ z~@MǓ'"HTR U U } ӟV$x[= M(hBV[gjaaBݺw:udjFwׂҚf"mcG k 5-nHjjv 444TmPET}*/P`+FTi٬ vz4eOQVuK4@w}U@ܯ/^'K3t`6+u`A8&w eJPcdn,G|B<:gfdFwObi cص'S{#AN!V왗MQ3Sdr7Q)RRw!!::H ?kl0f < ]پNw'):Y @Mfm"}ݟ;G:sN]KW56JQ-PL嵣yCnj%7ICZ\Qƨ4TE<.UzR&aޞӭ-}829G16+ Z}5fRT\WSӢ~=qP 񸙦,܉9,FG(΋cް^:]3X@߼ $`D-=NLg4E(_J)*m3rI0fa"z? 
ތtdX+y1 @Z24χ; 04ABy E-o׀#̃2XZ3kZ WT>^87եjCJhXC'Sm4G%n,*RHF&8 gS:aaxl*"ՠ^cNjxL[a\`ُI]TܝǗ}|Gud4g>gZδ7"'օ8'Oȣg,Ƨ.L- ev+_R U U } k#Ғ1=[2ؐ"kD@կ9fXKڡ]o%'T?<GnFS P$RiKm*55#ە B UPo, jb\>NڹʫqO`Ȏ[PS4_Zu4iV:z4 !LBXoBݒ>Z05˗'779'1_i!4$-XG i|0$]%HbTJTT}4=œ6L.g`7RmLn<A.86b=J\{G?Ηlw`62=HTϰ涶TރW[ny;W$T_zhPQmI^)WQ#< 5YϖQze~~M/K}WQC5I$[mʌdDVPKz2_\JɅi$.M1]y)sF1Tq~-S%1O|r"SћR 3́ ؊;gAN7X$wm{@ߖC!לOzeXDj.HeX%H՘MYn|=;F&&45R#m}73MuZkSԜ-E;痠>,dHsovhd+ҧ[GnVRu5hdGaZók´^'sd*^\MmJn(~WZQ:8I}Hn%ofϔ~ر'x7ӣW7*[***!=̂PG-}HJvM@~'Nmf#i ;2kV{iwOrHuE e~9léU ti.wjD^WK պujBZ7c3P:{5COŃTUʟ>>E\^׃sxtx<&߆'z`Hn4 ٗHw:Fx**(**ofmAĸeԢ6LJE&X D2F_*7Nc1ӕ`ΑڭI] P$)H5F-iz SÚ]_{ D339hWِԄ6!#]hjLjh_|SL/k.NeE%oq留|:2݃SYP؎Ļ ;"7'tU].-͵acGvϖp=>Au˟o@ӯ)-9WugfF;S3X]܅(/[5sK&R'@{Ϳk<}(rRҿ|w#AulL!@#: 4|H!H Mk1@v@?WJJPڡwNzx%:2FF> R|%lufvf(8<>'iQ4BY}<1>ĕ=]| Q]zr3޼8ulh<{ı.?񾌍pcDH  xdv{WTJUT>|iU3KQz_7 P\]őu)LjŧOYd5 oH<r?齭sG6pE=~$RRҿ:yHa=ɁD2Ӝq[ߠ-]mh툁<̫+o`9pQ<+h;K\jl Юܹ+Akd$wjhIs p2abjKff*'gװ(6 1]̊`f DMeU7 y_WPeUo.Rޙ/ǰ-ߏ xfhM䧵#x~y?T_)ϊWЊ'էT=׾y\,<0l UҾ%gbn/ [7vO؞ms<7/yMTT i㺷!]3FTjPLdT5]JGǨ@jl$5טk2( 391'IJ_8[0GҌT{+Y3߁չ"q܌t>NPO.N"5~k;[Æ|ɝC<| 76 (OSVUTT DE2|ʇ2߆2h}SS2G_Vp|EY"qz.s L`øn H[+RRRR ҡ]3{ц@7;ÌۅɶD1#u:ǹǜH~|sD27ת9CLZb\EJr㑼<@s3}=14P )ךGuߞ#A-FrC܀d4S;s|j? 
[binary image data omitted: tail of a preceding PNG file in the scap-security-guide-0.1.39 tarball]
[binary image data omitted: scap-security-guide-0.1.39/docs/manual/images/Patching-githubURL.png]
[binary image data omitted: scap-security-guide-0.1.39/docs/manual/images/Patching-inline_edits.png]
[binary image data omitted: scap-security-guide-0.1.39/docs/manual/images/logos-400x400-disa-300x300.jpg]
/_a9ҹz2=qXa8NYDo=n9]sj1sQm[ ZedbîFT_3,ϺGizLILMpyʇFڪFSվ:܃MtU]b!EN[UW@4tT~\k*bpkmOkj25hZW db&-Ⱥ7ST ?NVSٗQAբ˴{5;Mm'OO.vYU^DljiH0_3W۩5U=4JY.ҒUza J `U@g7"H2;d"JzoN6K hFVV#F Cڤ}VkE&Pq8N3t3di.Q.}.bշ3qkq/=q 2+ n.|*~UKgs0̺OHmD5͗%d&G8Gv= V_Q2sL%|VuOT! CMd5 @%`RrkI_ =Awv8?iϤ75~IvZ_W7;s$6+e;u[3QjO2QimKl$cXr]SGGM I"X(^ɨuYs;o ?&ʨtΪ2QjGPDI$^y[z2cm~U-xPo, <[T$|Kt&e[ MS[S3Iŷ$l2),ZCR.t2:X *|6( (k _ \\8ܒKӘ:lw0]bңbOA"(` tz)|/Ij_j6h:s Z4%:S='|D. okY2䧏2f4"ԼT*MBh8]C%j;6/VXcG%bKÖ 70h @Ey),ѿjDarOqL*m;2PU ]RB5莠5T2!FagR/+'=ȷ71!MTwQTcS#6$IhbrHfB :㢖jNuWRTefF#E3 eK,k"SE0"Kt9S<"5&B ^yÞo8d:sڟk)K U8Tc4, 4jBJftf#!+}o$ȯRv@$w y9"jupd@ ؏,"LZgN~X-! o1"((ETE^֍BQ$6`NjF6!q()DF D 8%3.H5_w/6UT$_g]M^F=E$4C$3KkH@T[aEBRi;GĞtL.A+FU۱$rOsoqSSۮ4$.+{>_#$D .Kdo*E۪ԤrSTG1Q ȓc!V ǃ#b6|3XMc`U(F25|u_~6ʬ˗Pg.KSE%Tr`b V"BH:uILw 4K:eA"ug9eeCC<ӮmAUI]_yK46Y1յvju5ԕ`}&Rwj{R7e`@`*fIHtjdqcHal X&ٚQDWG]=UqgK~u5V?,_YfI<TB$gQϘIM4WtsuTY3[ӦJ]VXJZs#0S,ęSoq巕A8\uDwОukCH="(Rj镤U(̨9#i㑐28oWs 5EnQRu\Oy@;%O />CgUc E,,d8cϮ䒤Nqǰ CQRgkGҌ#OBD%vʡfH 5tj {@!-<&:}iQtcYU&wSPG+idz/eP3CQ+>溾ىy9g1Yn@۫m$V5& nxGMN},ZdwA‹W#? 
Nic]%vk$[`\f!wbWU8qo'R*CYU6$/pJI #TUY`F"E0.O#CP9c=OʪwO-r7MdYm/ sB$X"/IZ5oލujچtJiW+fw#d VB3'Sϖ)^NE*GVn%-uS}Tcz&zt qNG:IpF 6ȋ"U`${!]ïZ7!aId\yĐAN?Rō{UOMGxLz 5krC.Y#hi#jיv֒F!ÿx>ih=MJZҡy7SBnp h7oŴrcqXˇ %mi)ɴW li\scX-Կ;_Cy^t\/j4 UUSLFg$<'Xe`UӚ!45qET*AKNF*os_EYp^q]s EMcVƑ٭%*d\Iحfftwq$I~=ս#6u~BVdٖ_A;튒%ƾ?b\ܩ׷WtR(Yr~ ˣbzZW!ZcW1$tql> ׀5GiQKe9U}$)<떂IƆCvԆAr@`ßG?h+,G2.j9oeT.57݉\r2eaQayF Lrvogs>+va_0s>~mQc̐'v#B$@ЬTQQN]i%FCI0GTPX.CO2bu8 RG$7scߟ88pIw$/#qwdU&@ʯ^dɵ/#}T dPDZ)X;-Nf+W,|Ax({=N|7x`/M7O>wy8GE/nwG/YC"`~Xߏa{~}+kVZh- ;]=J'<*'e>U8'>Э_M:{Պ-'">fʄBF/3$Evn֬uvC;7 },ŀ  ]1wq r4ro㛢2ߴ*aC^.ynmGt,F^ڎHƒf5 m\,I6*l9~_3f6wujwIk=̚oGaQ;e@ XH_X¯,j Pi j~">&Agv8~.w>;vgfU|zi2ɴ[I2%d2 :#&⫬`wfU͉ &{ qb-p>; ;u&O0|*H嵔2ы3Icm_6~S$ӎ'>T0e{ߟ1@nHpWZĪWl@>mrx0גDH*m _z-pX${ۑcf˂" 6"rmW@H[x3J$@Mbs$"Bm,{pH3 p/Ci\b,<[b Ďn(mH C1ԮkXdt-Ery맪 cMF$b'X)7 \L 9vU4fuU&2[ln"ǫ}eVq8T Gs,{eHTN,v;کV7,D?o8˜__YE:'L*i oXd A 6_ԯ>e==uj԰XӀ6;&7;HnvM;^39k"_ Fjcq]ECI=dY'YiZn,=m4PU2O6Bt>ʳQeSZW[\9nF;%0}2f̓vQ,"$rcڎѹzZUe\_BBRJ#Y\ -;1QiI Il`yF4U%] ĽdWvxXйz߮Y}KSռN:!lRM̤^&:֟J*J]ϷP Rs7|2qǕ % m <LQDqSu<ۯlljmV v=qydtePŢ12ޢ%s6\Z'BL|K#`j#ak"(+XP>+0/s_ z՝Y s(a< Sh$+6J(Lh솀+:SOdqG똢n-q݇ @.D϶h *'wTGyf.P"Fvp@nXE74&Ybɽ_l@Y>(tpuȄCŶUvDFxTDD_){GTI\/=mt 6Y^if SIaXLL,n 6`PFĀA`E6e VP̦JbSIP=*RHс^gʒ"qEVK]G$=`nεv}EG>g[HWRJϨai,fu UlPIe,ʢ%u{ue@cbMK]v:?*) ,noVPo\G_o_gKzU]whTGe:{-kr+bMeK\Q&Y0UY'InZ%ISE,&Lۙ2e2m]DHĝր5)$bMu!\2hn*ԧL~Ȍ4״ꤜ3O14GzEOtc%}>)`QLhzf#/OG<>k+yЙ}=5FU)*H+xf_Z4:kcc_=;z{A4B(L(?w"q%Üɯq&²S ''FTSIY̒CZ܃]-cCԈ7FQ"e5MQHR.hH*$$Yd馥k(h΀Fci742h 1A@,ezLYf.?An~!0jܗ^*rjki3B'Y9Sѱ$huMO% OYU\KdϮ4uf,wetVݮ^ciYTǨy)$DS,)dij-99Lh]I {QmaZ,hqܷq0zʅɢfնB$)$oJn H:qOK(9Jj*Jȑe*rO5rLM aI[o{Qe1oc⯖8=udW:j.Esu #DŮmuOo.K)91dtk-*Hk" pB2VgCYNBU([s,/Ol?G"!t y%.rVpT"7(%1R%meiS"R6#JP+)r.A׿ ۋ:EuDT$6&<[_#'۷<_c{v_9Jɣ&heU¯;uK}>v#qjيn*9!"mSe^\y ē\l,;''q筟]Yr++ދV=E1Bl`N1ɧI6K#P&3&+66-Ņ<[ ky׾;˯܈\<[J):$Zx+[UHFaOErH M lX==m7r _ X|ͬ?^lq;qy[32-ªE9 įZ6?\2dBx?d<[4/AfsS.`.W ~kGWWg3E刑o?KObj5h1 *+mQw_:s(tFZ _{YPDFkJ~ ppRUpTr [BN['x​=FPmŕI2-~qdOb--lFz=bT!":bD9c 
߆xX7yu끤Ybڡ7x5+up#NZ:r-HD1H!$V_b]ŘVҟB?CS0<4뵤ԪbHŹ3$J8Ԟ.zueUfeSI溥fT߁p&A>Ư>Lٚxgefr650Po#b(4t؝Γt8չ{ Eirs2XR`Dή]ujr-=a(s |( OJ۷ݵEwzViHphqrՁ@!RzgQOIM AHYKPbeܩ!ͤte4{D~z*ɱQ*\rQ7fD+D*:)$ Ӳ>@y*Zg4\6L_.w9dnj>"UUwIS6O4ZoNi:CE2yM1Xg> }չ]~qgy4cQSFdm0BdWVt? ]03-DfD/Zܫ*8xSFjr+Lpbz8A$ !͖4A%q{ O"a379cMN$R/Y `83RDe^7"}sd*YjJToeO*dl/~;rO 0P’5l"q ,VFuA%A妀YH_uԔcs |G~Lɇk1i^Ar1!Eyi.5U34YI"H1_l[DIPhkEO4lCG.ge/JIv&-Z=~idzJ_B1&lHLzMxj5 LF''c71s ZZlu;ص3IPegezثF2/PdgD5$(o,.8br5,nh݁7g։qP9FaT 0l*D2W*Br!nBK Dv@M,pgPi1Pk/$pS׫)H8Ć̠00+n,<:×gGZՕ4L*Hh.u6Q8) R-LꞆf fYU'|jH}PQȸU+АDE]l57>ә}ZTT uU,S# ,_<*$)O7K>҉^uC]hl7dJo.) O&X6y-ZEEX鶺`LRlrw,x=eU 2#Ig\gؕӪd}'Uz%3*-C*}/j\$Ye+OQWGIb9"Rf'tGY9&VJhX$4q+**NGGy{ ]Pı}Eb%(EI3F QhLC tA u5VGy]Yu|uST(Rolquu#4-AQy$h+R C]jR݌rxd:ABu3L:ޟ.{蠣uO\Irj5娟PSUlDVeV>]\mGK"#83e~K)iQ,PM+N2ceD7ne|M>C̋J;\i$`Y<8DڤsčwT[61L+zK :4/Y33A[O5G,ᨲf(5H ){1MI>$NR-F6fx$Etаvw{u2$=OԼYH!79 ̆ HpyIu&_Dm7H5,I+?:[NC,Tg:^E뤊/LU0]3Q&Y12Љ|0sY[5]i'Q27V,nI,7!ZuGUdPLx&$oQyʫf(AUG.cj ˖>kM;U1f#\654 _Z٩y5O AM> <0r7^Fpcqqkr'¢`%Ln-$(+"3ޖJ F5v]SCPTDjp ewAM'w>َNP9E v)a~~MZMpiXf] &aa˩s{x*rG3bNS-MZiIDo8džE yfEIAum4oGOoKbX}A TNX,6~xڠ0zIf`\ d*!V]`ghj~m1"^Mǧsj1yםy%3 [tE :i|뇈~(ɲ-ZݴYxa,Qmp4SC=UQTVvunmN`Hn<1H|" Wo𗤫:wRoL1fd* W$rrU6K>5 d!"g1O$maÏ.HvSs_>QU컦vxjf@oKoJ۵5Ǿ k9n}WY1Š/"tU>[nޥ+pA= {_F;ddZnGd:af[Y-r0ERI{=כsp+zyMn ?ivFnBq y/"& v_mKxfWX9{ƢH$hSAcٝ)pgLզ53U ~J$V2 ˀX\߾ [Ƙ"nq䨻/Sύ<"un-qmGA,sC[Or[fkv ]}2Qxdeq猣D6udOrC.;CoIa؜aܫae7Rr8-|EV$dj9)L*\GjNiJpnQxլG7v36a :i 5JbƀfqVTĢfuBZXX$YM.n]MiMĵ1*Ȏ0p<iP{+WޢW{5Us 0m *Gn9sRzDyp LF!f3I,uqgCM*H暲2MW$Rxo +-_u 9Nxjڶ:5$fR!ZZ\wwX981,yiM j>"*y$UN+vUv?+GMQ@(j${]w%"eJZc[+4  ,׸`ҬQATPD;"DT%mHj&zwi"HSHf0H&r^X$m30$aͳc*8+O${r=,L񸰘㭉 j 8Co*>w]dM񕥞)^3+%Lk{׹ o1hk#'Gqj.ڈ&NGolYd%ZFFa+bWUqgpPmNCEpU֭~rպc)/;3(J}fŮ>Ah⮠y)h)Y'滤˛3HTţmTb.78vj^kqlmϠ P@l}FʞpcŌod钸$?#zѳ0_>w$ybI^ 5 Y=E:YLi`hؔA)G)Jt%c{M{j[ *ߕKm/T_?MvD&U5"FWr-'?<1'žVb`P ŕA#`-)F#tQ7Ⱦo)mP[p6+c`8p4/{ [lyEvMM앹|m>m$}6vm 3:@USqxM%.|uDmwmq҃-,"kE@Wi6\f@vnEPO0륓MjDJJ|nJ(\UwE4ET=7>5TSdHv,cf#lIRo#S#YP @;3bݐwjv?uٖVP̸,[7"J|TV%mjHr~0+-2qNj .jujr,kb($8},˞9V"? 
ɽ*2(B}ENA 7ӭ\ukМhfM9 A#ˎM**+]Ru&$rV*Vy6LoOx*ŋu!%!t?QQH ؟Wn;nn3B1.)\)'$T]N(jڪ!]C]ZX&g_tnHt; A 5ٮ/od#"T^[/b~W=\Y(IQA!n8=ȵI"WdSooqϰ=wUGx mWrEB%ʪ yT񯨥gX!jxF+lͷn,RAI# F{MZsgzSc9d؎yVYwF61lHm% q܆@KCF m,ԙ)̩|6`a:J1U&[;Hs Ń1S@B7hbH 'UiזPkVԼsq[慤ݗ!fFo/:?鶹9.yGSVFlM[UR$egnFRǒ еY2Tf9um<4@ "ÑX)aIXdɭعr&]wǬ&L^Awd+,#UbP )1tTY^&t23)cSLsu1WR4+)dQE|_$`ijg 3;$umMrm'iL=WH (;*mw~-ODO9XS<8ܯ-rs-F3c|KQJyTC8#f ~x[\XŸJ'1lJ2ed!& |0 ›*x]K>Kl0|rA_ 3ŞD;(Mh`I2B7D $F ݤF-v "V8Qk+~|`@ZQ ĹHa i]w* lX,9Ӝ{zǞF p~:o1j9~<(  i%5U8*ISus}Ih3zLT*GeXaKD!֞FWÔR$2=<^JH 0.fU8γI3L!Ȩrn² {D\Cm+"(-߯Hze}yӨYuc2*3*2B,̐X]Iks 1+2K84j2^ S`"BmIhQHoh PĝT^).HPM4 +Y¤\J6S$JQ1Y9O\{X/nݖeq(P 6VD0EWe4U*u3V4Fe#*P(j*M芌̅bfbBUbcsӮO5f[K*H2̺x\mw!r,@ {ct Ub~*[Lf"<4,ih^4#%=#C} QU HS]%= mIXF,9#mlx=>OtJ5-^`Jj{B9Pc ň=϶hz)MWu?> /u(UŽCن,*$ ,q~ 8ɏkc&3#X /ȸcz$)#e_i^c(Q+ۿaonaa)!?toMUU~r'xY&QD!Ǐ^' }/ԱDv>{{`,sڪ$YWey}/Q,Nhv-pumᐏkZͭ{wlDXi=S^ǽ8 5!oU'0Ԭ7BOrtQQSS˧>vn}з,e~`̕WtGmC_ "+}XƺXc?" q\Eu6M?蛧wVfwG Ƽ_;lIm ):Zܲ0`O"m<߷|n@7&{Lu[| MaͩdE1q-);Y,M/fWJ3&̖#JN ~I-{ܒM7a5U<|ICAe0ܨD:mV0,kIWDENX#,e/q EAխ#pu:[ѽgTI#iMR2G TUbG‰Ά \T9jg,^)=p@/qu?ugCe]IyP, vJϦZh)YX ym`@ #7YzўQ!k z*^5 Mm.5R+\nHIĴڋp|Yu@`R@ oZ::#E&chD\$Uf$ !I:#&tLml 4hY<#SnP.]AbPwvUbcA)(JTea@jQ<L81`p AuyqILȢY㩬v^JSl*! 6#:RV.SrzTU[l70&?g51T%ra3"u֍ ٴhI͆J@]=m9^rMmԈ$)4fC$j%l(rGZ޿/SAȇrovݩD^[)^/31`XU+UՕX-4ڎ- njql {@~5βW NGO._Rڝ!#Ow YryiSU2Tīkmmof2L{N9IA ,7vW";"l{(K<S>9fA̡&MPғCܲL,$hA "6Ma k΍UAFہcpxe8샰l?ʛ?Om顆 zt৆8!$ƜqU !,I,Abnv~у/ߪ/}sql1v;$M)n)"pV@U&4@Xd C66#x]7qϸ8&g1RIS`CPAC%UȪ?D*=GW%4?93pPe TԘXT0*e~VuO2 hPG1ʌ/o"ܢ-C4蔆ؗ%䃱J(ªK."B.C_̃ LկJk#5 >ZtܤXE8!9"ɄUTܛɿ7XꮪIXT?xn/MI9$䕲3z{HfEE*%i>juĉ5 ~+pS9҆UWI)%cgLRǶp1QĒ=;4>SfidB̠ g.dRI[X5MZ7ų\Ai@J!Y ͼckZ=o*\6 lUМvs@_4Oi-m̳7|nu#dkL'tȪg~U,R5Gdٶ^Hc->mZ3[M*2-%man$lRҾg ecdh1 2dl h2 d1%3}|dEnkO:w6ָʠՙ2]"M94؃%iVvG E/S 2Bqg0QI_^n b+CJ#bh<JJ^2JT8UJ_,D 5l:ګڇQtӨ5VW U1-&e4~,xU0%ѓMQBjҹ_rZ /j)#fʗobvˆ 9C \.ڳRqg-#N7ܞQ/ꤳ1$Xʭ$"٩Oa ,^dZvOk CU|j ڲr":z'IH,GFѱ@!2. 
̲,4Had#ĂJ/Hp\]\b;:^G}ěcexl,͋F' ;U+[b=z\PdyLrGl7ZZ%5ZT3,P] s7)Ҽ uO;eƆۃ O{3[ċ,Ѵy졪Qճkb9Zm qE S)uQZQ=5Nd9$ETlPRP#+M 6YV6,P-Jy{ja:mђEߋZUj+ kIn'?ccg9~URHQu#l][aw&R{Nrʪ7RahQlQs7]1j+ UyTǽoͻX\9"j/.K* ~TU-"oȟ=ebIm%m{ mې/RȢB q \ؒI778ȷ-$|n_m`1-  s>~M'>WG/xٷR?6; ~t"U򛪪<wA22}Gw7}=/UrvDДqJ~Qt"m!8)ޒ] >F rEn-˿; oVIOkUuN~,>6ER}EưiZi1 rm罹4Ί5 T;ǎr-{=c Uuץ@ G,ǒ-p vTQ 2X~8=ۿoadm/;v<}W$h ׷k21% P彅=q!GEvE}U&sk\ ~۸Sgjo*ꊛ'>'UwRASG{cq,1FnX;^f;g\_TzKP$,9.OCnI % b5DFak3lò\ViZ@6LJ˸џ!M$Gcm[i=CUf+EN ܍V*{p;Գ:]R}'$ǵJ=)j n; {.X <^z4U5 #龳bs4ž3T$VCXrޠ,M2]e1Q(lPϿ`(A1k>y|^We):4fGaVDi5-2 ѾP輿W^R%@z!yLf 42rDZBX`N@{պXT#_\f2++F Mn>v5WaTkFd`հ[Ab8ɽ摑W?S6hB}Q'v*~V0Qf,y?Yx$^GLF~ekezfJhjJ8DTXݯOfCP̕^tʴ>4.Qn9_+u`%+KeBE7?**VESd6x6i>"юՙTymI"Iyue,[6)G1 >QG.!&H % X{A G1uH80;#xwQPEy  =˺/ EЉ(3:i5{yg4።A0lQTH.v`vܑs;{ |uש(n*܆-ok {?6;_߾>у oуqOJ{O0koߩ/˜&͒yTHUH @ĄwD^}@.њKf)3,xR|4X2qa"6({m7b@YNX5 ^WT Pe }U^g࿬cJfUWimW3 |2 Yі-o.YR?OQNZň,J@07'l0fD=u9)HFrN*"*"x_ jnyeĩ,W["nTKH; 0Y_,.C+7(ܥl+n0-gmI+iy1XV1w˙2!N8[egEHR>%莾yzNN4޶id\#aM}ԞZyhLKP@+'i4UUU|lƑ՝$6ۂJqWvIgZ-or1uNKW1}lw[NaH6G@FjFiI[ M=tSf0ڛu"unZp^sͳ:j$xrYa`*S|s.@I (aEdB,4R@U}WW#+IckR,%km`2adaAk!#Jd؛:Y2rG׹2$D=RMIF eekc1h4*F$ʲnF]@r,%OozI݆-cY:gy6*7N}\~ȿi:J*lU@x]e :nk*>n?0*)3*'ZfL.OU@ è%LF]=IcX(eyTs(5vfͳE<66J5sUrnDxى; Zsmd>j_΅fKG[z)iN:z/ɧ@Yqb U<#u3FfU5t1 Y*J(K5#1bWo#s8&~m8Rmq<,RT X7I=@3<58և62"tSuǏIXJ =BBco|fe 9']ۇA?0Y=1}1؈D6x\"T>fJj8"**]!ˌ8e%ͬ}) nv;ޑqktz⮝i>q)z- yj_a7z¯X1GnwƄ̵hf3IYlѭnʴciWUUbTqHJ+̝poRE]bʟ?Ys|cbM/Ȟ6-tїMĪ }QNdT:щ%l0DR^Zvݛ[fI0$hbw )bC$鲋mvS{c}ݶvÅ H_#ȭ )ߚT%yR[bfV5-=o/ uy<-/JsN<~|ETL0i!cver ,+('dBʨ<='/%lWk4lYpYI{ab/Qb1ֻemE,8-:ޚSfWxRg#ʹp#<ϵ^ws玾jdUQQ5gj-dTt CQF豨"ePTm15 5;MbdUVJlx mX۾@v׹K-m辛h1J))oY6O+ #2B%SO#@Ym^ p?`yC2|svNcvZ`L[Ry>>rK%U*Ƈ:fAPN6,::Cd^LuLzj/$,X$L7oQX( #E `N3T ]r kvRhyfgm `i>?HOeVr8$4z*|Ye/O EM7CWUAO<U ]\FQjbj ȁNtOOTًQX䬖%uYJC"|LF-F?c^4N yld _PՔi8BN9mIAWʣzO2'W-Ͼ:F,NV zY2' Ye.09=Qj yZٜ* pʾ P@ګSN\˯'BvF˟>ɕhf. 
n-r(6tg^zI׆bEMF)L, A.w7{si\#>ohr܀|\"k]K8SV/@%nm{c=_G]tTZF B6zǩ:cw{AR9=fDgK$<"#)tOPq[ɗ+3 Qh`XGeHFEPኒY8$4F즣PsS{{*O<&hEN->x6eiWp&}'\}a ^0eQzRT,uT!п(iKr?GS,)etI3U2^n,$rKvjSm0BU}<tEO_CeMLmӉd7MIsx$hOSb{os! _*HHw/Euh<m%XZ{ְ$[%_)?X}l-#9P؇yPWTAn#ŽKoQ=«svCMyï 4F[E$',_E:n8+Ѧ;h5Xkzǵ1ǣ9c[*h؝i+ꈰս2 s2^&pKW9V꾉..WFZ=jK\l'U@fR%>YPj%jeO6AIfrſ`2Yc|.Q1KM3 Æ /7V~2 1ImPލu+ԦmI&}ѝCt}tRji%}G!l-40B9 b|7k&/bVE*Pko=IB7`H4%J YUq.[39eUC]m,ŒijcZJ-W2]W,2ez%9IIm^WOZ@4usG%!iW%|)xfMFZjaChgj` IQʝKu/#@DJ,#1[z5%b&<ҡK M0UسᨣNΣ:Pjr 4TC]%3xRdzi+hSA) c|9K%Eu QOSKU w4Jw}5xV"WGcqonqH6٦? +_}*PHd%6ё+O >/Ey:s㝴w(銲%Ffs =V O z} VP:3yD:՝A)әSN2)kzxEmjBXbae4Hr^izqI#zu¨oʥ}L{Y ?Ӈ)w`\ge['aRۑGSWc|B%H`O%IMENϲ4Ҧ*ښ&\2OP*WRhq ťEi+:Gɳ9j8䍲@lrӴ`n^>/IzbgyZPRa$HOmD}2o ! QMwqѥDEs LVZEw(j+i`Hj)|H:S|`'C1w eDqO)Yb ?O_vS"vͨFUV)A2 z%BUEhm "Ia#iʶNNJ}U1}.YKUٌtNBVk:Q&e*]6sEsxk)R4, (9hA NM5CT3k.j1`5 0ʊ9S36W%Y1hzO!:F'Ӆ=ɩWN!QjbP66G1趟&9P2, UP,۷X;6/a7KVMt }dG.#auc4 hswUSR*zǹړ%JPo~JN[@UbgeTwl/ rA]m{jsgnZl'=@uce}5+8,5#5& !XFEAvs=CT63kP_bS;z εgJܲ RECF#Y9d(iKR;ȇ<[rh=qS40_WEfZ}"[<Tyؒ(#\7D2tԞ!A̞7vi6Aer$Q B RT>WbVfDP8S*_#f2( Mݷ?vZ7sx+M48SN8\L.ȫL4 q\)4/7?DUplUßYM_NQEӌ?i˥Nc_C$FP+ cIE",Zڍo '=.Z(k,)8cF` %r-緭M8, ־3Va}+ h h5mcgyG}d $7;-|k'7dU46pj!Y˦ ѣXb4s=:Kz-CQTNgWAJFY"IpAmmJȗW[q,D~\FupPM;{"8@a3ږfiUfU4V,LqUK%Al>"5 "Z꥚8Än o]G'G"S[jmuzA efkZ6:çEFͿ;FIbh(N6н!%ЙT5e U h0a*!R#P~S@v5\ْeQ;;Ɛ0r1纒7Vȵ! Zz Qa0fgTĄ))J9`ҔW I͘CENҙ}fOIY-e>m+KEVhrم==5>,ʍW*$tᶠΩr ʺ*jʰ^9Zt٤ ^g $T%V/Q+h Ta~%Rf+1SߕvK )10ڊ(( 2?/3UCs}JO%CT %TiDiq+‹`HFv*nH UXyM1]Ag;O{rHjNv\lXۉ˫'IHJ2tOξ$ҵES4U3湈TV$EXiy.\O$iveO:Gᶐ U#i/`T۽i.if44o̓ou{)l2 O#H첌&ƍ;*-(_G$6摡n7UAYS:+ӗC /=#mEe@*djWU ^fG3N27׷8]00at`у 8TE~լ,ۑo.'-7;ե9 [npm@k6hGR3. 
CvN_bd;" )dB^O9#&cI.3Emd^F FkdwF[YquN$Fv7;~rX2ӍNG4񼥩05a6(hm8$ !-,c[t>UkJ&]KIɶ*9{#k r$7\jMK@3TTD\u;M ~/`4'c>ӌ;/N_NjboN)-O=UFל(So.icz9ȌlnRjMe"$AO_QTee#PGAJa1 "ti}.9~9VLMe\2m)4 g*.6  ~=f_JsW:euW k,k'猞^bBLLVz'㦢\J *W4E`(GFUKQ4 ;$LAWp2L-QXsō5h~{XΤ7쥻JYTfVΛ?NqPr$hrZ^j3 ;;d)yvz_RҾyONGBaeZZ\PdCDfHuSoO3OEUf:k=)k&}dc\w12\d1Qm^mG֮h}If蚖]=٩PM*AH-4ѠedYi%cYҹ}d-:l /1c{$f%틺Hi7֘TT*rWSXqR69 DZIPELH.uu#Y-7VUgI.VlUKOH SB  WRzV,Y.< _ -٤>jCPU̾hZXsMGK5Ru&WaQ&Br<$i+Ul%@}k/&Ĕ>ސپCZj'zjJӔ$cME13ķ/!)Һ89ӹ4m<,2^ڱݓ+ Ѿ 2zQ:%WRjXcxݡjiI% x\*ezМë3(&2IgDAl+(oGmQS/KtL swXky'_Χl-:nOXN¨82ZfkŲ-*K_F}Afr긳Vce6|_ ;SSֈq];4L\&ޜihm=ez{NTtTbY&4 THe ";{tM"xN/!D#p dU$Jj&{1dH9  e:\Z=9yjγ:c0 MD#TG h y&tS'&Z#c+RIPgv򐼒mbOM^fu(t1r&tmK 7d",9 :'A)P΋܉i[IM,9I2l'8*eWyae2Z#sMDXϰ]̡Cqb%C5Q܊C/hśkudcVv2% mگR\i7\?tO?ܯ,q*RHM>bQ$ Rԡ*\TQ%3;H ccc}}6Lq\ڲfHaM&mjr!"-MIo,zym`l/JU5Y\>QA%5GS$9ݔԑ $'ޞ2>w}pyߛJ*%uLz*}mq tvƗ#pwmUM<,e,Xi|*U^ә\h@#A k4%"NJ=u? K$eT$`F{lA׻B5KLZ s,ћ4$$ڬ~5".L/1.${NAOK}0k='~$iHQ__@$St9}vY$nNSI8PVKY 7jLW#,2SH1P!  zWq۾|]5zSaX)7\$#).I|SC#^hV[|˦諞K!%4/&ͽÛ v>[y|PdIp~{Joٍ3P0(#qc0-ǎ.YhQ =D3O<4T4!bH#;om{}l/Q?^ op ${9]у F .]00at`TӪr -sc{wo~A6?()o|zH/+޻*)M=p7ۀm,#CcYFIQ+gq"!,N%ͳAQRPpBR,K!Lu-ʞ=?LZ5KV4g %$`nҺNlhjaZzmEnTXǎЦ+dZ{eG8 ]M7N@?~zt߯=UԱӮGIO$qPfΠ]6_2Y"ats}=k ʧZHFҤnnP؜Ю*hMﺠ&§ǍNzF* .!I^W}ִ22)"DrbEm ^:fDcb7<$_*"/Tӌ?5o`A'o.qW ͽ&|M|쪈>vB-mYA!*AX.<$_Ёq#Y4zU虮p*)JVʤm&ۣ>ӱH_l\+xй͢DcIKxoR:Ð6@A56a\BMB% XCXn\bs{P1\L3=h-5!S6Ŷ1M2걷qoA ,ԚW:4Ut2G,wz "3/6F]cjJHU}L)#vNZ |0V&,@}uډ#0q4G!]ar1+Vܮe'Sv$:bX'RrxXKG<*2 BCXdYHe $HUPvƬjrw0Wij#PNމ8]{9- |ڱ²4"zJѭ{Ԧz,J+&yQFj򨫲yܽXv`,.u$rgdzgY>Ϲ"ZhkhKslSEWL!iJ15&]OYI' =g!ӺCo:*zJIOl+_(NAZe󘲼3Si#"Zu#IfUi4_GS$sѻ4鴢űcضX5(ZWO=uk̛/c# k^p7e[_beFtE>vuE&ӚCRԄg3lNjC?J^n˒h)cB .J"̳|Gw%3YXbdR\qԺlqkโe-+K&mkDe&˱#/ N L!3.L0ΩUЮUR)^hcsQU|*PeUuukzز 4ffB-Z1E Q$c^Y !v?ejg厛j٨W> VaTO&ۯ@"`=`1Pslj9)2@ηx2jq!FX{޷i:X*AD("`]ͷA!I*h\gX6\~XmVFd,nࢧ1RqSTE!z{`cLLJ3RXQ$˺E Y#rg#+~eحTrn m1l:M_ݰhmxF[չ.߱m ܻ/gm[bS؀&IU5=MA/Q랲#(34faUe8$s5,_T:^N7|,q43el ޒbnn$s/* ~<X U:Á@V)ɜ{R^\ܫ}@Xg1T l<4Y%DI5Q$z0΋F6 5TQ}؇HhLK,l0AzHff8^obr̢bY6-`l͋pycY3*M3'$I ސGjzCK\9.>0 
,y"vZڊP2"UVgF3(j /2LZRl&% 'UrtK)U}qf-; 1i /r{w_&xWu/Խ5%E=QGSD3rtvOVRr-?>^6e$2ChǤΨ+'/], yq79!I Ǻ90)ynaNmćC#LrSqqD# : jyꡔRT*QEZWLƟ4*2Ȁ9P 3RTy6l/+c,$@Qaߝ/Ë-Wjܦf˼!)JóŲqzmS1+9 )0@eZ2iFY癳M;SdU0fn%`Y x%Čޖ Li-c5|jk+a 8{EdmRATUTUuwqTrNi(T4yi2M;AH"=<@p[s\Y;U];M9o`EL8TmԐPSr"|& Hw(tK ʃKHi"~oǂ7ПxĪjUQ3 ׻=mkX |'_[ }7Lspat`у F .]00at`;6/U>QQw.?; \[Hd.̲77K^(c-{p\FWUH/2( *fЍ ֝#Uf\:1(: ftvY #z Ȉ{p56gjEhY!qxeUEݻ_zλ:[dЫ,͌越L#(*{jHK!oO:79VslU36}K4QPRU4u4#MEXd0yjΌX=y~m5'8PŕE(i`vHbwN f?>rPF١/U]~t]6oRѴ JxHC$jdT<\ۜ6ZAU3KL%0pqs`.#}l`$*+U_e:I],IцapMŰdelow L=TW/$M2 iPj#mO_*P5y/Ժj-AgM%,땫憪,ș#8)jgj4r)3\i]ABQ;?%%,T*VfcmTcci߷M{]>IAϣmu5^d7, v#:U֖ШȄO,/z/՝R]!l/zXML^XwDTVʊKNNY=]nkQ4KZ"r)ac~]kLcVMe1 dVMopu jb>,o2J5gQ(a+QJE[,L42BYV[c:ǖ %=DIn W 3dhPq$C+7zM^m6&6dCЏP7kU8n 3~:#45FjU'ida`V[pl/^:ԍVxw{#wX"7ŋg7",ɩh1jMV]XµH1<*,Ӿ6,ͳ&(,>?jX$8ݰH&)ގcE8)GI' ! 6M<1\c/PaG[EEʈ [} Ot#uOq%,FjH!iK{+3-#M^42MIK\2E/p8P;ou4oq@um'-_Uf4H” Und*(**}|o֚+˳*42p.>9""ܐkkH%ziVX Dn 1Sܓʕ?1m0MbdO5[Q$l|A@ QʉMquƯ[ts:M%5M,bEɪKK!jAN]=Ժhs0Kn7SY ro 2rdjFiKf1 Wd#GseooEEhɣ|EÖm1ս;2z)E,3W ]%Ynљ$ԓӴP&։8D FiMU2K^l<u jv;zȓreA""_ 箎tL:t{"0OܥJQ7c {}QR^H(H%-J*SeE~Xx R3$ȭ{1e(ptxb}=|n [f杞"Gek hLfz,# )q&Zi'=(rEbUO͗i=/T9^Y 9F_QZ =Tp.hD7q\eҭEe\1IDuD@cm2HTXF6W3}:ōؕA4۰?mONĦcu jt׿iֿitƂnG-u"ݩ4Bq |*ƒIu( AъCO]U4  YHb !?lG5TI(mS͠{/8^6 &7A,zTz(%GPDZC/zJFjNBN%[D8Xd &J|(%S"LZUUZʅ f7!b [l9h:3 '74g I>s :B*nQ>e|v^M#oɼFEU(\ҟfT}Zfd SzrƯlS=!@т'mqSHFGSS/M ҈ 1F=7\c̪eU0 ǵ7, "{*َ )K.^Uw b ݪ̎f$_W-)GVHK$RM+"%UYDtZu;fY= lGU$ePl*{ mu{M?x$=eYLBe6/Yb6)!>\I|8⍵|gtA3~K02IO7VV$g<:N@j%>Rll b~ܒnNp~WI[oSkI|))-^`oۏbD#>+ByVy.*o$BW LuuNRK](01D+<8w.~7;+O0ب+bq+PuUǤfw qGlLvtrn53wO9=ZEV[sij@}Lf3MIQ-%DT47X۸Ak^ǑPIPN"ygX=DN_58TJ& graf|""tn$5k,uC +pGȤU&ۚv੃DcEaDPَ (b>PELX˦U e5+A UUOn9Ǚ8g,HmLjfTʏPQx)7wvU>}_yu.@ +$hnRr Um6[SU=#,nI`m`@r;j(iJm~vU]wZ>* :sI5:Og#UۼYU!nvãtƮN`H*n-rypDԧFe1r5tr:S3E@*[*ADN_LV?u5'KT51V|B=hiULd)zxD[l ¶RhA!Ui3Hm ?Oq>'Y R< ׉Q?2nSnK~Dׇn#LG2s<8u&jWgUwDgTzg]Z3L P{Ā UTDUw_oH٤7IP>; @Synɺ]{*sܞuv .]00at`у F .]00at`уlϞT7_:\i *6Soug܉A[YM͈9< 
X*.;mXn\V\r{XqRGnjoeENCi]sU,*f$eA,Cbn1GU宒RX{Hc{7ϑ@;]H5kRč^㬊EUruO槬:fUI*H=Vg$|j%e}o;cDQU;9_W$(5>Y.m5FFy*wO̒poU.+v(!)\h7_ʞ:yO`~Ԟ/5KFT+t)P"H K{Ec+ *O:C )TdME=Đ;VLAE5DDӂM &M/~Ξ:[8T ɚFD uH쯾P,yA+B7Cw`U6oaKUY5j(qn%;ߦLmoL hsȤ`(!<嶭94;Qf7k߷˞Zr`>QgAD~<՗Y>*`\UA/K cE] ܧ=U nQH&yR4kgG*Ke cR n/kȇq۴OF5dvk?!.jU뗙Fp/PDn3m6("io C*ՖI*@;;:5u%g&P [5=e2M,aO1cKD,Aw1llQSA&ӧ"5(c8c8Q$P**U@ ˙$KXxh(U^R[!qy4)\<%ȧ'\w+5Gvܭε~yLuOU@c1nI&׾Բ+;lHD; *('|ntI4*XB)k ^2,RʷK aږ,a߿߰!moq`&ItQ(NtEGudT-DRj}O׹}*ʥ|!JIõVHYih$&/ ^ZNyYK,|xد=+j^`+!n2i9SHUQUg!OʊOmτesBdaR*I(k"1$5 foRId)]4FCSe|V0т_.6Mſ2{kt=q~#f*텊e"_mx"*rޏȮQf8䖷:)Xf*jkK~tTǑ%GѫdbT  `K;M'ȴ[O<.7O&iU!D"HvN$jW8F$Orl/;E76_#bXklܓ㟎ð`|.]00at`у F .]00at`у F .]00cj,m`*C @nWء, SoISbX-^iF,E}ԥF%w]%|ϟ?;5u(ڳDd2?e44Zs1g NcSRrSybmێfVԥ[]ɒ쌫{ G Ek]jS&W`hYxSv䨈CԿfNY:yխoN%))c,Y)x!V8|bUf@1h'g4r7>>m:P5RC>>wT6w^)lK[wHj];E7FM+6[HQ2s%-==j;K{cɜ-fU+ԊMŷyqp9񒋡o{ 7ܚaU>m*2;o ȾΞgj+.NM4䍓fW6c_Q&bPaE㷢' oۀ/sVb^3/$m-B=wԈg?3(o 1$,f7,OX㍮A;{㒪z0 ;|s҈Q7)E|n9]00at`у F .]00at`у F .]00at`у F .O*>w1|t1'j|'׌Q]]" rTq~9, 1 10U ap}?qwf;ISa6H?|ojfv6ൃd=rXn.G=&c%ODOd⫸p {!<[U_n Y}<{H7>p*'UmxHDvU9E'`sE'qUm.OEWrMeUWU*NŭoPPd?NI*-ok|ROWtEqF .]00at`у F .]00at`scap-security-guide-0.1.39/docs/manual/images/logos-400x400-nist-300x300.jpg000066400000000000000000000453721327242345500256160ustar00rootroot00000000000000JFIFHHC ,,   T  ! 1AQ"Wq#9aux$2568TXw(R%'?1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c2tOKRMY,8렉҈ciNW#+Ǒn ylYG ?S8SʇyUaY\NĪa I!FTkk% 6ϒ{u}y6, \z 9A*7PՎng'B8> -6?!cQ~MX|~_,o>?j/cB7i OڋЅ¾/AWEO4KZن [~[ֵ &gT]Ќf!sBXҮNI2b2M,B,/bG u1c1c<ׯDN]SX#j:"3=LWY"BHlv 9 ` nB,gڹwhR2N} -T@2(4Na$ Ś9Xbj3mVYGYŊo,+\UJٰvLae KI3r6BT{@G@B+3<1gD,-{;;PzdeI ޵ &hif=!aU8G"K3%ox?w(Ħyi]8cw<;8 1&LHXMnU.&8Ĝ:vHWUArNӗmiC?G#w >jpX#хmH рyZi P|H tY%`:9<6g徔\!usTy;6Ҝ(_)[#Nʥjɪ/[wLf'gkǝ_;? 
Y+}{Ə'ӹG6_fo%53̐g/lp;ƕ$]N Y$/Wxf{{]$Λ`}/6G6parKaE%R(W"KXc-OZS'8߄Dw5U_WìLBL$ģV2FkڦGؠ:8ajœ^nh|?t]QYm.%OR ieuE#4"9m)@8wZm(F{Uc1c1cyo,ZS_J}̐>ȏ7,_xfeQ|M <{2T?R>[9U^*4X襍N?e5*iy?yIt*J-xvm춫`tY32շA#Rf6/n4WcxNkrhڞML`喏F)cXvr쩛]NYeXiVQDjE/NWViS*Fb[/J(6' !qnXP4XpDḐ@VeLh6 I,8W+gcWW{M8hBpvqmg맄iBѧO<Ik?d'c_?Z/?-X7L|wezֵík~޾iS$)ҝ;Z85 lPcP Rt줦$*&oHjA(ӶU]'HD LϠq}(I#[daR8n /5$?Gsե']B5Y^$uJA(ܕHn4XT-5WӌBz^>Z^\c1c1cd/"U^_t{]VrkmE>ƑYtMj(n("F B]UL:qѨNux~Nc4ށq8ߜY! @-l>rQ\}PF#Ck#-pm\Gf|hB:/k~Zֿ]~zJ3ySҗuQScjC5&9< V%LzkrouW/:i:}GY231Xc 5; `B!)T+q#,RGLRbD%:sONm(^.ۜG4@X4XB؃FӫJfJ8?L iFkރk~:~/߯6_?(zNZmwO_gs66u 'nF!W'`NA8@/޴-T;j ;Ѵ3šJPe_icugvk9JZ%YY{Ѐkzޅ[z޾M皈Av! @uB޴_][߭kZַ{߭k)ԧT 2[v2 ,hZ[bl[F1co7xç_%VDQ$ օo6% *5#ttekH،)y{uuDY ه8.oDp_C{+ޚE&#HKN`~q`XCvgGؕbqBc `V1c3͛ͯ4ڝ{l.ݖ)-~11I*N>WrjFGci^#R'E(3[O%>S$㳚yߡSeKghͱck>^bIf% O*B|voD I_|t#}MWm/7$Na+U L!9Uc֔np^([tPPˏ_J]'YDjm\U(]d36 y= :X HXZ5?#ٔWÕQꎡiLַ& 'ZHAf&yC3ΗVê/T0MuQFb Ͳ/,Q(}0J"vtC,ħJԾ^e>+ߓJb߻{פkMƪ5E#J+1:XT wJȍ x|]m{YrJ['X-Ҙ\]͐,Ӑk>zɓm t#Niȋx+`wDו nO0L^iS c-r>kcv{1y+LTZ{t71)㷽jnzU["J"bD;&cQg2ɓIf\H%Rx+.gN﨣{m׿^oZ~|!uIgr^U N/O|*'8*+IT F+&d4&/*C~o*q ʞ%s9fc2y[~p+BHQɢo~arL*? WW7t.gXw0#M7N뉵c*+H+P*vV\@4p9j8߽׏uW͕=5Xv+uPa.da6dP&05t{{֢$asΡ/zjj·k#@RQ6hRɃN I󧼯+;'/D&AEs{i)IpW7N4_qA߾V;)>=*:y"TGUHXkRf䥳%hDݳUѻmAy+_~>.NSQst%$EQ2ȀJ jUohClM"@G*9:n} 8kʥd- Z7}r@ܑZi2dqŭūҕ)K,KPɽIՇ8 k_3O 2[r-FJU>zM4"ozµ?;U+my yNM1VfȍbD%8u2,FIT{y{7Jkr(zoFprCԑnÄ=s&-3yZVGrf@v7h];z >Tzka6 ?&oޏa qKQϖ0c1c}j<ބe*ׁXؖ4)i~Q9j]B]1h>H}![lLyul:ElS,Z+ %*c?MNn5L(! 
J}d+Tuޗu 89פz갴qD\&a#ME9g&*Q;n,0҅~üo>_RΧ*p(a4q')Cr^Hg&%9iN<]o巽Zi^eCcbZ;v9wcJSvk{C"Stn.m.Cub^Gg%(\ snd}!/=]VBdn.4넒g?^Li3i>܀ku/-9 Jx}b=Yd9`1ˉR_Xgt C³.Z-l;w6ٶ|iæ㕿fi{ !IImٕZS"g C JK="Լ9x _"#{3FLPb"xdRz)vIIv3O>4Lxaex{ŸY[ۍV4]&ު&֐ n j  p:1[xU4 bڎo0:6>uO$#cN3J=9q"kQ63͕e6 X'63^}SZA(Rmppa_{|-u]{yck>";$nHs;fC<-[5j\'Xj6:|qtL(Q>?+]wsܽ~QlŹl7;~!A66> f)Ov^^GL nj_ݵ㇐lkc$nIG+)@vj,HYk#(`WC}MYs/:֌م;P,]IcmDQAra(@ЮW-.FO6Z3f]URtGa܄ ۊZqQ$fhanmlnm5BE_gMcudv-m_ZP㹨!vvLTXk e܉#d (!:Ǧ*ZJ-fK`ʣ޶`[$?@gR%R0C=1Ag6;޵_M~Ϸ~߭74_߯~^~ZֿZ鬍,2QWXOr!C;2IMl LPkp#LB'EG][>?:.Aל[͝7-ahɮڵxjW휍Ճ8[0z^~{׿^kYwkֿ-kZֽkZk~>X=z~{}~߽[~߽w~@l^9ʗpWZվ=( qvDJ\'X.=Q‚ӋLqGaY־ B[w~{߿?=1c_aMz+⋢]T+4Yqй>@JF~[jmc1gyyo޲"q^V"KJM&03!FZssrtSrW2d9q/({A~%[tĒkh77e $j]C(pvBYHd0H·bP>~Qe.VU6<}hBkFnjW)!ryx*m8VXѠ9ťJ9&YQyWqy/ ta҉B`4-$NL̲ƷvHK1Ǜ0 ]c/ˤ" 9Ups+$2o%x~׬DclI#|T9QSR7%/Wt/|sa֜!5 am~F"ծM+Y[V%_;iWsz8m=pR_TI8r },We9'(]U"hA)1lrl 땨1BOQ܏o^L P2ej"oaJR[*Y\tJ65aQ+z{"\2$c{ȷÚ\nQ/HZ.{ŗ24Iޒ/Jme QD)63Kprr4Fyޣږ_C, ldsdCڄMHQZ#GC\^*;7;:WfYcYZK9W=tY=d0/x}.*`^ɢ\LmY&Nrx޴}~ɏAEzk~:Bfh\{J;V&WYОcǟڎ!vV<^{-@g#F(!"uJw3NZCۂO+< ʯ'\飡(%;T}=c(Qzmqz{SX ]n[\ Eyh$Ii;wbW XX@X[qEnHѯH1/L?V|vŇy|$qYʆ{Iؓ&1cpcusXb`6620(8iրeh]E'ޱx,XĝmRw'yCʧI#,7fT~5GX7"A~Jx]ȥ:jV[FmU |6{<ykS49IMJKwpikLN.|Fyߑ9MVc,T zQe@GmXzݦd,nZ*ے̕6n &Ě=B WUcv9/gޏYMjK6 9@]d PԌ4L[@YmHٔ"j ^ bwx&(v_]a9Iٽݍkڄ*md6F (O3oBEsDy9ݴZ%_}ӎkIhj^ssZRJp9[at4ϥf Vjʠ:4&zkEHk,Fq@ns{^=Y*}}Lܵ^k%FSBsZKԩ-V{%r TR!\Sap֠eNVV"#[!hpon(ؑ)Z7FnqT4}G[WJ7&Tʑ/m`kdQ+hZ\jG&ƣe ߾{[4͎?ꊪ{dgAdº@ݍo iќhNs$Z9`LXNj`ϷIP!v)nSM,y FE֍"FKG\ :зb܈|o$4FGqbNAp^JtJ8b=7:MQdtˆFz'iz*".SI6|CN/`T3\^{t?YIyʘ& WPR,*9զiɗqIA"wkxGdo':IsW MnryJIOlbel "DԅDov'yCWJ]17jՎ m2Ͱay[SrU)\Fڰ-8;S|:#4zbWM ٍf{{tHpVA4N+IYܹ_ A$6⚓@23Rb#kBWmȆ$ {zfl[׭oZ?+kqMK2l Fhg)k;jzkճ[8wĠBg-{CH[#AxҴ ?ٚd)[;a4Ӥh-O *'v'קI CJo-+p2S_ "k_zȰ|B }c#}Ar.MobZ)| )Ŋ=)*ZVyeKuBw4q΄aƓ]ò$p1( :]otx*qXe@i8dnX[tu^I`ʯOM *8~7g/ U:Uֱ;ݜ'+!4LC$ 0k*#{f~*q=*CA5{@TmH/qR=MCZ%n~V1 kj@AB TNgȜEPy E)Y+_$keJWiĦ$雃0Vf-|:޵&s3,n$xrX9rR2+KԀM`@kB aĥ uN ;\=w;A6cV Gidz%ᇷ76-dʼ/mRju!m~9zՆƟMN ! 
+@3;폮̟E&^K[%J`(CTevZOmxk&⩡c:kcnCWjjDz}D:`dI BLRiy> rJYncu4blt"Zj6;72Nצ) 8jS&~y6k^Q˿BSkx F5lE:4l o2 ډ$F'Fr)u?X13Xu:D[y #Qm{R Tiٿ ,H8)ن@7 /m! &nCvpp.6"-D\Z 7E+-뎫JY[4uqvw"l \hFSMsZ1"rCR{&rgT2V̧Z^ha58& s--@27ې|wgt#S)۽;OUVĽϧg*FJG&F6ptbӖ h4=l75eY7fb..{l^H"6SLhWRmy:$3U\ڐ1Tz_k3f+6._̊\CI# қQf.0h(h-6Q6ny66H Qo*h nM] tnRb2')#hgV[5~5k^U)mYhӸ9WdޅX#ݒR"i96lZ7mZI[܁TtLqBSp5m-5Ma̒DbU>NL,3ڍ 5s 鮙1˭RyBF$@52uG$N 3tP=(8:ʉt-) G t.l!uyM?% gʢ aL#ҐmGsg(Ĝ`@@ΐc3"?zt-oַkz߽}=}7_{6I{ðka>M|?{kPuַ޵ZZ׿ֵzBެOgy'0F\=S:0`'iT6+/aiצy/J\pM^N-ZAlLe 1UDe&zTܱ#%)//CMl@X+Y!P#oMI^<րC K' =5gt3]եr^-9Ώ #)[eNtg;56i&XIjR(%RsCzs@q& ^{K,HzZA AŒ1 ;Ѕ~{޲3;dH/;c6K/Tf0y&K%x"+\eA kѴvۜS>.raf9Huϡq}Pm{y[W$?6 (`HcƗNh*u&KBz+fWY bR#lD.K k$q,KMKyCV2Pgk˪xEDAZu#Romg[̡\C"%F#%-r 9[-^7Oo\OUSüsbmoOSTFBFTљR@h|t6~ozzY{VE*}v1]B[# -B/;lLؘ "n=E:~/sP>LR[;ꚮ/wU9F׊ UmJ{vHJעVMԍD -+߮y?N͍&-!9X/ȷW)^L鹵Zw 惛xR>_6Z|d½Sqc 2ͧc޲*Y|A>KzsĸN龵&N"tK#rU w{tv']Fzv..͐}^A빋gXQ9VrNMFrq֌2c}?ڶ$-=F+UR?. TFEH n6Ajs'=:1^ڜ7%#AjS4$ VB(,ǧU(07gBy"JIjli-WֽWVS64*{RPbNatG!yⳐqnX@K4cKgGIj-ګ~]>j''8b؅MlhU 2Β5WFKS1'Z%TtR2n~2Y0Zf{&pP{UnR0b0 )MN`51B: bƳ.ߺ!2_uwO0uA'zu|\jE\lHa#CVADHĨTд MJ0*u.:5U\Nk5׸3[25͢ PTh Z"j, hr+{߽;׽[ïbqcg}I|8^eЀ*dRZЇ&p޶aRM?ۃ NfViRr*;ϜY|[I*2nF&Ƹ,-%c oN* Sq$!ξ?ccV ~n]l&5:Jes>thMl! 
Ȗ;̔7:*9ٶԂҋ6!ag#>6Hִ'(2>;y'WIl*UYHI6" HtR/+cO-q%(-"J"Bua)xB[$:@9MĒQ5rJJЗjdG+ynd-dŎ+RuٜS a*;qtCi"!oZ;.?%zCnaX{N# R>'zؤZ>2;"\!`N' ro8maJ$HA%J9`K)Hb&׺ ܣT7)RAF diBZ VuL<{h%&JC 5-+զrYhB2IZDAyr˯ {V3aLgnR6^ܜP(VH%-)3*Z#qIo`(-I}u$2m8'kYhXcq!lVn>PpK'E=gXWս_4Xݺ"oHbHgSmdPv?Gۜ$IvI 3G~{YJPiKͭ6˥BwTGl$))c*WmƨRBW)R롩M!Y@)՟=^åkW+hH٥JY6)ڕOT~TiDyT2r)lH TftBÊ.eǴ~LJ5aZ@G/GMueY;bGe'v:*`3y NBr 8tlOZd)̶joUY'O4cjUaC⅀-eH >9dwkX{ȧ~CO P3w,_L,D#?ǭ3>T"!ScuHvX+_V/ 2rħ&B~q3p0_WZMɚ{m܆Jvԩ^'; Kž@>ڝo(!cbz-֧Lz|qikT|F@Yɚ4DlPa-ZeMĻ'PS'4iTW% \şϭ{=xI-ĤS$!< jcgX9-<|WG<k90HɉI J`/hrm'sD;rCUF&F*RZЕˆo8Y*RRkAhHe6ʄȄT;$)6Slt ysEꓖoO\ܚƳb!k;~C!d)Z>&[w&`I-2~f$9\Xk~7o.a,c4%b8yTf?-r-Q{s*FVK .͢C'ٲ~*S*QEk[Iވ+*a O՗&9uݧuHek1 V]屲ۻQ`98 cG⯌>Фo-컁Gװ 3-2>Kl#i"{[{i IMCwfuHPI%7HO~urX[ q)" w d*G_畒EB?Z|F|S@"?Q:#o0/,5; ro3?JOi}b?ܧ~ķ.iv~J2.ۂ7wjxXoZG[6UB'p|QiGskU{D(,]\ %JC(e "K.fw1}Q Gjo^Xۭ5lnU"aqOgoEsgฑmrNX7>clE]By\]QEdQ@Q@Q@W5k-Ҵ%F|Gnr{*FyQ'H|+g|wQR {wė2K!*K*@y$_xfY!<Osy%5O14[UY߸Y]e=~̩J[n>eh桤7GEmI.6nJPSO[w-ӲEwr@52œ&;~כ́[Igz ~;5XRXE?Lu葉䚞Cޑ& 4<{yKFѳVKn> ڍ$Gkmd pHƵC} 'Vif@Ͳppy3szRbo0 ._q_O=;liғlȒ@rs8ֽyMOSQe#rTL'<^w v٤uxwdx }tvv8f/~'[&Q$#ە*х#rbB5i|Azʀ5i4]NmwL7v͘n%KD}U+Ƶ?Aۺ~ѫN ?~'amN1"mmQ1r;kW/Ún6iI#R܄tZ^>=Q˪4l,v<=OZ:k˙u<6鞜{/A?VNm.~i-R@<:OTRFfOg0_ZOm( (#UQN7FVZ è2:'SYURƔT+iz֡N%dLOzק/{m~rЩ{knktޤJޣH :\Giw_gB[*-;?џ_-vpm#@ڹSajd-yI/"L_&ֱ=̜c ߿u:~k&fօ_OB:NxS}wg9(j_ח;St/!_o--`+Nߔ猞+RA?us:N?@3=+[赏u-eܠIUBN ~(x;r"k{w?rA>ɬkrᤖHNKfzR$:n0=%˹4JM 'RB>aA]m]93ꉜ\](I ]Zd-hr:TҺMVt.eWxQXhlcis?f1>Euy?u95k\Yx4;6{{fxdpFI}+mW_tieuB1C/Y-64 ]" /SRKhÌ125UԼ!ψu {ˈYI "ێ]kw.v!9?K/2kz;O\5u`hONj.4+k%\w?PDFBTJaßC+ՒI4!IW$'yLi?uhS &׼Y"2#パW7YX( M^ʷrB|SBs<}JS5NF5yd'R3kSgXd-R3Ip#ӊ/{MJ}>D$@9C}WI _Qx7Lq,K,X;N+e?ylLO51)pxa%ͫ,Lg?0w\BuYi}nI`tfgF5Lh"hB ʔaMY> xVtNM/_ * zOqs:O|-O4kW4l|0Nyǹ'.e}V)uKz[k0Yd0]N.uT? 
Ɵx-`w]ѳNy= 4'm#ķZ\wdT\U?NWuQEu'i-#g/~!wl5 ;4rdawuy¬)m0I¼HlřI=Iq`?Z鱴`q^YrS]&y%ݛ o#;:Iri91 ϑu[}^vRĿظ,6}!0[[j.FetTs+9{O_Eud)j=XrO嚩S#K2#31 9$i-n3k"L~Bfa*OҺOGuwc +Qptg$ pϊgFJ}50!M{4hWdM0C 퓁m\<-e ;}HRx :q396hsj:JMNZ>> V88I';:e'`q<~TQJ{=®'Z;+d\&m³emjd>R[,1; 7ۏzmc-tf'j/Aө&i[F\)iG̹%ѿ21%V\aR"!AbglIzXOeM9ۅnJЊΚRM?;de)o@8>=jluKVe}(S-+{יn.u![*ЃPWi(5aU<^HDyjyM}o$,ɜ3KF4"L5 ս\~"N #3#`}ȯ;]:}^=%!W*Px[qۅ5+??'/[°X$Dk"0bȾc/ANn꺁ҴAm-4uʹ,?Z? xq!/ tZGRҵ&6슴o"qӌ..T[[W5~}C,k"0dpHA'?E-ܞ#?$%Ԇex@CR #)ebcPglmu=> hݒrp$K^wsn*v7:^o8fItnmN8<~σ֊}{f;z~GgῊe+R7F˜1k[k@{u}I\XY |@ =Yfq!Ǎwa>K8NmHZ: =Y{M>ZKw?c~.^}MD}ͣ/THJ80 qAN~'?^|WKI֡m`y+'}vpżYl'i?ks%~.e@pDǀ8N{4]Z?$Yͼv%G\1Ri>&!hdFB''$~8i&\;n\czW $7\$~OJH[ /j[}:v}H-mL/gm 41g9N{]ұDw qt~oY:=O}z-e/wuNSMmwd\E@r#XppzvO6nB@xQ1s=i!oZukp$(6ƾ<0R[iOm 9mJ3ӽpwnO[6c+AӵE7CyB*?ϽlX걞H@?e/k@&Zv W8[BҲ_.=?E6- ?QTDTkp.x]Yj plxGd,//r2=+^^q:~'gԪcbK4x'w_VᗂТILفdxfc'𯊴[_Ga$hV{ɐ@$/{՟ZNJO!$+˷yqSuKk_Qn5do#FVm4o %KyLh?4W ⻄Xp>O? h/t]i64^]?mF"F|o8V' mK,sa7tG{^hn>[rl#^#MNOU}+a]kwfմ荻@' T sj'?*="Zi;N޸hqO1KoY%EgyA_7k;z7v?N=-cО@>vFeXGzY|kQyDW5$>Smhc6uD(ۛ|Cb~_hm*^[|A#W_k^9R(f9;l*P5 ] LJ~Q\ʝ*^Jߡ+^(vi^y =s&{>d,k$p#]|kV ^+' Z癌yU y.';ZZDR$5'%4L2}GoשN?X$QT6?:8eXV+dD-ӱsa+'Sx/m`c1wP03Wl݃C( #55m{ TUH#@<*)g o܁8J0pu7%W| ܲ #y?3 Oikֶ )pTvz~5͆GmHGF='j/z/f6}>sa (R|SuYϥ]IF@>|+~$jOso-mD͙c1"<0Bx98Qe,EW?1݀g9q'J^_ߙN{kgU [$)@FAێ֚=mv?ơ h꺬+xPngcTw&#_5="=+GbnX蠎t*Qq{345*]WE #e ^ Գҳ">H ڽwRgy>Wo/jX[LL8=_l#\"@. 
w%Dh3`` } ݬMu,&H *?Ru}w-cj]'鎀t}.9lm'mFIjIR,)3n*qt' J=G3C.>P>^ZAc',G|⼠{אf#ySVֺ}?]5مshv;I\xeR s;*2V]f~zWrjzxPrHܿoYgq+7^TiЖ)rǩ0U[XLݿa6}2#:āPHP ?@=yƹxNxor IXcZHw**qkɏ3hzvQJ1@$#Bmx~h-W*>ի{Ón)_")a#GM/˩JxALvdEsX[-_oFb_EdL{D-Lr;EEEJq lʌ][t 7k !yC9 KXh5v΂RR7Ky|r_-=HK-Z_ Kun/l%=jiexM|ERB!a8z֕O~+?2E|QV* 3xjQۉ5\جTd޼GlTc/(֍SԼ?êGq1hE`+d$7`Zeg˓clݩ))KFMFQqu&lR$wx=M>kmo.E4BDG~`8 j1d G]ti{4Zw;= f;;hkGlt_fWf'xe#=yPGOUQ*kTߍ^tWfͰVP:sƹk↿yEgoq$Q 9; ק\MF8U=SGF썌eN 6#T^YU´f^ɪZ!b!=p{W ]!x 'JzzW&#u%.[>gUJv-Nj )k4>׿xKU.O?xgJnһE 4O#43,Z%}*,'pFzbJUZ~;M>E5o|~ :L٨iQ7upѲ|t sU[j>IrDڶ2$7KLcpsב^!VtL '؟sQZiCþNȣx^MG?N}[l٪"(UQ 4qXmLwoA:ϩ5QKW_"I7e ( Š(n 1$2.Sr~ŝ4sKjhq"~##aZ%>|=\h=}x.5G츍Q*ħ灺K C\M6) =c29=}j>3>Fx7[ߡ%4(W=ҘH S:䔥r\IjuE04 a 0~bxS6-ͥ-v#SKG# iOU(v%3Az?Jœy>]2"Y~$3I/ Xfz'tco͉`կxsV՝EX6z4φJ+N[IOh1LL=,GJxQO88/C1}QX}篖GOK~edD<ۥQ;ReHEhE =SW#~}'XkOhr[(eþϾ`q+uܷۜ-%R4C\B>6?cGD-Ωڞ Z\6*3cH;WA>oF]M,e0 J7T 7x;\w^AO?!}*χt9aꚐ&@vF>J==^ƥ%ɎKz]f{إ#,T]W%mj ̛&602!f 4VPv>SPjٻ>GMkkjs>6)u|YeKdt?(NϭAe ݽŷ^h=Vd$> +Ԟ(M I-Uۃd6wnqOs8ʻ@<ֺOc3Emu˝CF}H/iT9$/#.HGԤP{-M@w{ڒ( nlǚҴ?i~Юŵ-"mġ 85k^O YA{v"&+p@39Ҙmn> 뗚x^Hԫ);'k5}cP{uD.N#rbp˹W88? h1_vkif>RɟH'ZiV1 k\}7UW<^kh%rNr:.;',4屍́ ^O>ۧ)L`4y8UM?(0?\}R#lYwD+/mVeZ~HG%e5_MEg)0>}R+G-4d\tq GryEUDT`0P||N•FՖ(3 ( ( ( ( ( ($i*2HXdXOEq[?;EHQS(FJWmls!zFnǗ/TH\4*m؈:|EÈьoM՛vluY$V=UOjQ[O!6 7V8l=)ίujJ+Fw3NRyn1<C Ƶ;N[.7u?W TKsJrEVQ@Q@Q@Q@http://ns.adobe.com/xap/1.0/ Top-left 72 72 Inch Adobe Photoshop 7.0 2009:02:05 22:55:06 JPEG compression 72 72 Inch Exif Version 2.1 FlashPix Version 1.0 Uncalibrated 600 600 CC,,  Q  ! 
"1A#2Qa$Bq%9v6:CRbuw348*SWg  b !1"AQa#2q$B35R %8Crs&4DESuv6Tbct'FUd ?M4tGM4tGM4tGM4tGM4tGM5>?$MkJugQm|6 <| (-yprr  ʔ'.<iu׎[yQ96>}Dvc%H44; RU5!mԼWzҭfMǽ,羍IdK!C BB)R2y_WN'di`O*%Jxo$y>O{GrVO Һ-LmfM|O6@bN(F6;j~T=ò뱯VI'bp Oh}R> _'nO>Ǐ:CM~?%S?~k'gFbB:Ee`gǟf^nXǪj¿Ws9K 6Ы7CTu+&j;Wkf^mXm5$GGTj1l2ʐ0ec)eX>nUE K~|\0DEǞG[n$YےU'Q1߃Ve?S{yDipj:$UAm(cʒ1{*'^rCyR~eNP-KqWN@&V jr;޼ B?.W͌'Uor՚‰ۑsKzgo:Cu]16՛~P̕[ڇ>?K(z<Լo>37~ޞ:D\Xo$x-LYE{?Hqmuь6AMudqǁ$>;e8WO%-zlelFvw@Җ.QʪUNr,J /W2T#.fMwэַl{bQ%F.B<)$՛ƫI82yl}i@;yBۧŭ$Y֜ I>m;`Ӎ}^]my}YxlmS"0-_^^x^GG*ݬ9αҘ/ӳJeBxYI?m9?˪#&GM4tGM4tGM4tGM4tGM4tGM4tGM4tGM4tGM4tGM4tF~l;}bBe^Uif*Cqڶa/% ߗąHh& ȱC٠nӷv:lc0X\gs$a%bI%L4X[qnM!. ䷘Wf8|̎)Q헎ҳ_&ut]<4>UD)VTQ qJv>d!;C[60 u09q=ހ.RĈ%+٫ V V T۽;ػJ" q);\M2p=[K!r52[=r,F>=%c84#>RĮN_q_r7T? vlDmU{;Qr%=Al뎌Z2c9ϋ/H8<=?ϟU=oX{ycպ/CT[{i]?EjNUWeɗ0dGry +eEr??46^EzWSej|qZN.*EiC±`9O#*6 {Ur.Ɋ@j6i6,FKY#vz_c&28&"ۍ3KJ[m!&UNs 4;avyg+ ]1boL?Z9Vh4L$7s9KKo Bi9q-ƉnlA@VA#M[,*I;-aqH’Z3'}/o?ݨxű 5e2l=4$_ ^}a]km/c䠑nճB7UU+Y&WRx#ƻaz^i`pA =(|RA|[-) l|(R_.Ӧ N'˃>5!@^^_ ݾ6V3n%@{1c*o#3wVwvcz⺑Cj,7/wL*( ;_9asFY)\>|U#I`)gQ'Ss*$cZMak,%3?k\H:܅ӽ5U8s 4}q Xd=ԺɌE[lշ5uEX{\F `ݬAe*v$d('[TiѮec#{cb([1͙+}c4Y4hzљ՝cuaoOצkHDݳ5}Ŋg$J_'t_z *_bym,bDH$ #WږAyYUI=/gWwWXIqG+U[ 4!Ԉ쾬{I:L#=2V"=7RD(gf:쎬9O?KX( #'MFzM~O$4ȫWPyjS!QLJNC2>5aX d\馎h馎h馎h馎h馎h馎h馎h馎h馒-۽7(muUX- [HON9EYB36D 2RV8kikz@srvNv %LjTSwM*Y"?Oo4@y.@եM; 9ntoXQ,'!{~n/T72GFǾ۳+xEuk,-c0nཾ⏵ʔ\Ҭ6+LH|տ6Zmg[;k{Mû:񻯏Yɀf;%F$FX1X1+ T]Qۛb6"~HuK*bmo[FA`CjMNE6~M&5fl++ f'O3)E,[a3 af~5?=1JR~Y+M5bI1A"*|n)LQdc>JFws,K< GY78N#q[z$REܯ[L*UajDǢQsL’H+sRywenDD:: M VҚIqP5=O@LŎ_$W3yTo&\yKdֆ26; 7hOE/PիsS.e!P㎖RFR{(iKrySUπ`v V[G3kY!T~l HacyRw/.a_Ovbؔ0Nœr% @%]_17:ӧa= G̸M5YŹkvwnD6Ǡja8+h= s+F?M5UfvV|eJ79_^Hnj}pkXX:Gi*g6%x+'&dX /+baJߟVpK_S|cLE-!xzo"!?a["dGȗL~`c'.#yN!n76nkܙoZ3: FMGk]QsR[L#ĐhxS%Uo9%P|nE0r fo;Ak}@ eu;OEw=Y27ZP67aT#0}l͖G=\tbΦγe!A/)匙}.v1&2B_۹/Fb^Dѿ*-ҒxB4?`dgr5J#|`Ӝ+}?_j2fDpĪd?/o?VGM4tGM4tGM4tGM4tGM4tGM4tGM4~4køe{PM y "DK.ӌO/-!.'[*>+ykjv>!ZvgHF'؊Vml$dEbUAZtÎٯY>֘-wmMX u"uZO'rIB)KUs\OI+\z hR~bp Z~E ֙bY9s-5w{I \.&̥Qv%E 
Kvս4lRm5SvJR~™{Nk)sE=+ZWxH9tG$:%NZ1ɒR{ud$~Vծo&Dx?(IxY*R\O?k:M4M4M4M4M4M4Mscap-security-guide-0.1.39/docs/manual/user_guide.adoc000066400000000000000000000506761327242345500227070ustar00rootroot00000000000000= SCAP Security Guide User Guide :imagesdir: ./images :toc: :toc-placement: preamble :numbered: toc::[] == Introduction The SCAP Security Guide (SSG) project delivers security guidance, baselines and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP). SSG provides content for Red Hat Enterprise Linux and JBoss Enterprise Application Server (JBoss EAP). In addition to hardening advice, SSG links back to compliance requirements in order to eease deployment activities, such as certification and accreditation. These include requirements in the U.S. Government (Federal, Defense, and Intelligence Community) as well as of the financial services and health care industries. For example, high-level and widely-accepted policies such as NIST 80-53 provide prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are. The SSG bridges the gap between generalized policy requirements and specific implementation guidance, in SCAP formats to support automation whenever possible. The project homepage is https://www.open-scap.org/security-policies/scap-security-guide. === Government/Industry Collaboration image::logos-400x400-nsa-300x300.jpg[align="left"] The https://www.nsa.gov[National Security Agency]'s https://www.iad.gov/iad/index.cfm[Information Assuranc Directorate] (NSA IAD) is presidentially mandated to protect Confidential, Secret, and Top Secret information that could reasonably be expected to cause damage to U.S. National Security. As part of this mission, NSA develops and distributes configuration guidance for operating systems. These guides are currently being used throughout the U.S. government and by numerous entities as a security baseline for their systems. 
The SCAP Security Guide project serves as NSA's upstream source for https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2[Red Hat Enterprise Linux operating system guidance]. image::logos-400x400-disa-300x300.jpg[align="left"] The http://www.disa.mil/About/Our-Organization-Structure/OD-Field-Office/Field-Security-Operations[U.S. Defense Information Systems Agency, Field Security Operations] (DISA FSO) authors hardening guidance known as Security Technical Implementation Guides (http://iase.disa.mil/stigs/index.html[STIGs]). These documents, used throughout the U.S. military to harden systems, establish formal security compliance baselines. The SCAP Security Guide project serves as the usptream development source for http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx[Red Hat STIG content] and helps DISA FSO move towards their business objective of utilizing SCAP-based formats to automate security compliance across U.S. military organizations. image::logos-400x400-nist-300x300.jpg[align="left"] NIST publishes 'National Checklists' for software, which https://nvd.nist.gov/ncp/repository[as defined directly by NIST]: “The National Checklist Program (NCP), defined by the http://csrc.nist.gov/publications/PubsSPs.html#SP-800-70-Rev.2[NIST SP 800-70 Rev. 2], is the U.S. Government repositiory of publicly available securiyy checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to the Security Content Automation Protocol (SCAP).” The SCAP Security Guide project serves as the upstream repository for https://nvd.nist.gov/ncp/checklist/811[Red Hat Enterprise Linux related checklists]. 
== Installing

* Red Hat Enterprise Linux 6+
+
------------
$ sudo yum -y install scap-security-guide
------------

* Fedora
+
------------
$ sudo dnf -y install scap-security-guide
------------

== Running a Scan

=== Command Line Interface (CLI)

This document outlines the usage of OpenSCAP, a command-line utility packaged within Fedora and Red Hat Enterprise Linux which allows users to load, scan, validate, edit, and export SCAP documents. Additional details regarding OpenSCAP can be found on the project homepage located at http://open-scap.org/.

Five arguments to OpenSCAP are needed to perform a system scan against the upstream DISA STIG profile:

* --profile
+
Mandatory, identifies which profile to scan against

* --results
+
Optional, indicates location to place XML formatted results

* --report
+
Optional, indicates location to place HTML formatted results

* --cpe
+
Mandatory, identifies location of CPE dictionary

* xccdf location
+
Mandatory, identifies location of XCCDF file

Putting these arguments together, a properly formatted command would be:

----
$ sudo oscap xccdf eval --profile stig-rhel6-server \
    --results /root/ssg-results.xml \
    --report /root/ssg-report.xml \
    --cpe /usr/share/scap/ssg/ssg-rhel6-cpe-dictionary.xml \
    /usr/share/scap/ssg/ssg-rhel6-xccdf.xml
----

While the scan is running, you will see output similar to the following on your screen:

----
Title   Install AIDE
Rule    package_aide_installed
Ident   CCE-27024-9
Result  fail

Title   Configure Periodic Execution of AIDE
Rule    aide_periodic_cron_checking
Ident   CCE-27222-9
Result  notchecked

Title   Verify File Permissions with RPM
Rule    rpm_verify_permissions
Ident   CCE-26731-0
Result  fail

Title   Verify File Hashes with RPM
Rule    rpm_verify_hashes
Ident   CCE-27223-7
Result  pass
----

=== Result Interpretation

==== HTML Results

==== XML Results

Looking at the results.xml file, you will notice lines similar to those below:

----
pass
CCE-26709-6
......
pass
CCE-27024-9
yum -y install aide
----

The XML above can be parsed as follows:

.Table XCCDF Rule Elements
|===
|XML Tag |Meaning

|
|Identifies which XCCDF rule the result reflects

|
|Pass/Fail/Not Applicable

|
|Identifies corresponding CCE

|
|Remediation actions, in bash, which will configure the system to be in compliance with the XCCDF rule

|
|Identifies which version of OVAL the check was authored against

|
|Corresponding OVAL check name (name=....) and source OVAL file (href=....) this check came from. For general purpose users, this information can be ignored.
|===

=== Remediation

==== Bash Scripts

SCAP Security Guide embeds bash remediation scripts into the SCAP content. This allows SCAP compatible tools to extract these remediation scripts to aid in potential remediation of system misconfigurations.

OpenSCAP, the CLI delivered with Fedora and Red Hat Enterprise Linux systems, contains the ability to transform XML results into an executable script. The syntax to generate a remediation script is:

----
$ oscap xccdf generate fix \
    --result-id xccdf_org.open-scap_testresult_{profile-name} \
    /root/ssg-results.xml
----

Replace {profile-name} with the profile the system was scanned against.
For example, for stig-rhel6-server:

----
$ oscap xccdf generate fix \
    --result-id xccdf_org.open-scap_testresult_stig-rhel6-server \
    /root/ssg-results.xml
----

You will receive output similar to the following:

----
$ oscap xccdf generate fix \
    --result-id xccdf_org.open-scap_testresult_stig-rhel6-server \
    /root/ssg-results.xml
#!/bin/bash
# OpenSCAP fix generator output for benchmark: DRAFT Guide
# to the Secure Configuration of Red Hat Enterprise Linux 6

# XCCDF rule: set_sysctl_net_ipv4_conf_default_rp_filter
# CCE-26915-9
#
# Set runtime for net.ipv4.conf.default.rp_filter
#
sysctl -q -n -w net.ipv4.conf.default.rp_filter=1

#
# If net.ipv4.conf.default.rp_filter present in
# /etc/sysctl.conf, change value to "1"
# else, add "net.ipv4.conf.default.rp_filter = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.rp_filter /etc/sysctl.conf ; then
    sed -i \
      's/^net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter \
= 1/g' /etc/sysctl.conf
else
    echo "" >> /etc/sysctl.conf
    echo "# Set net.ipv4.conf.default.rp_filter to 1 per \
security requirements" >> /etc/sysctl.conf
    echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
fi

# XCCDF rule: uninstall_xinetd
# CCE-27005-8
if rpm -qa | grep -q xinetd; then
    yum -y remove xinetd
fi

# generated: 2013-07-05T13:56:30-04:00
# END OF SCRIPT
----

This output could be redirected to a bash script, or built into your RHEL6 provisioning process (e.g. the %post section of a kickstart).

==== Ansible Playbooks

SCAP Security Guide embeds Ansible remediation scripts into the SCAP content. This allows SCAP compatible tools to extract these remediation scripts to aid in potential remediation of system misconfigurations.

When using OpenSCAP with Ansible, it is advisable to use the playbooks from https://github.com/Ansible-Security-Compliance. These playbooks are generated from the SCAP Security Guide project and are also available on Ansible Galaxy.
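As an added illustration of the results file structure described in the Result Interpretation section and of what `oscap xccdf generate fix` derives from it, the following Python script (example code written for this guide, not part of the SCAP Security Guide project or of OpenSCAP) parses a small, constructed XCCDF 1.2 result document, counts the per-rule results, lists the failed rules with their CCE identifiers, and concatenates the embedded bash `<fix>` elements of the failed rules into a remediation script, which is what the `generate fix` command does on a real results file. The XCCDF 1.2 namespace and the `urn:xccdf:fix:script:sh` fix system identifier are standard; the sample document (`SAMPLE_RESULTS`), the assumption that the TestResult is embedded in the same document as the Benchmark, and the function names are constructed for the example.

```python
"""Parse an XCCDF 1.2 result document and emulate a simplified
'oscap xccdf generate fix --result-id <id>' (example code, not OpenSCAP)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
BASH_FIX_SYSTEM = "urn:xccdf:fix:script:sh"   # standard XCCDF fix system for shell fixes
CCE_SYSTEM = "https://nvd.nist.gov/cce/index.cfm"

# Constructed sample (assumption): the benchmark with the TestResult appended,
# as OpenSCAP writes it with --results. Rule names and CCEs mirror the guide text.
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_RHEL-6">
  <Rule id="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true">
    <title>Install AIDE</title>
    <ident system="{CCE_SYSTEM}">CCE-27024-9</ident>
    <fix system="{BASH_FIX_SYSTEM}">yum -y install aide</fix>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true">
    <title>Verify File Hashes with RPM</title>
    <ident system="{CCE_SYSTEM}">CCE-27223-7</ident>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_uninstall_xinetd" selected="true">
    <title>Uninstall xinetd Package</title>
    <ident system="{CCE_SYSTEM}">CCE-27005-8</ident>
    <fix system="{BASH_FIX_SYSTEM}">if rpm -qa | grep -q xinetd; then yum -y remove xinetd; fi</fix>
  </Rule>
  <TestResult id="xccdf_org.open-scap_testresult_stig-rhel6-server">
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed">
      <result>fail</result>
      <ident system="{CCE_SYSTEM}">CCE-27024-9</ident>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes">
      <result>pass</result>
      <ident system="{CCE_SYSTEM}">CCE-27223-7</ident>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_uninstall_xinetd">
      <result>fail</result>
      <ident system="{CCE_SYSTEM}">CCE-27005-8</ident>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def rule_results(xml_text, result_id):
    """Return [(rule id, result, CCE or None)] for the TestResult named result_id."""
    root = ET.fromstring(xml_text)
    test_result = root.find(f"x:TestResult[@id='{result_id}']", NS)
    if test_result is None:
        raise ValueError(f"no TestResult with id {result_id!r} in document")
    rows = []
    for rr in test_result.findall("x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS)
        cce = rr.findtext("x:ident", default=None, namespaces=NS)
        rows.append((rr.get("idref"), result, cce))
    return rows


def summarize(xml_text, result_id):
    """Count rule results by outcome (pass/fail/notchecked/...)."""
    counts = {}
    for _, result, _ in rule_results(xml_text, result_id):
        counts[result] = counts.get(result, 0) + 1
    return counts


def failed_rules(xml_text, result_id):
    """Return [(rule id, CCE)] for every rule whose result is 'fail'."""
    return [(rid, cce) for rid, result, cce in rule_results(xml_text, result_id)
            if result == "fail"]


def generate_fix(xml_text, result_id):
    """Concatenate the bash <fix> bodies of failed rules into one script.
    Rules that failed but carry no bash fix are listed as needing manual work,
    so nothing silently drops out of the remediation."""
    root = ET.fromstring(xml_text)
    fixes = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        fix = rule.find(f"x:fix[@system='{BASH_FIX_SYSTEM}']", NS)
        if fix is not None and fix.text:
            fixes[rule.get("id")] = fix.text.strip()
    lines = ["#!/bin/bash", f"# fixes for failed rules in {result_id}"]
    for rule_id, cce in failed_rules(xml_text, result_id):
        if rule_id not in fixes:
            lines.append(f"# no bash fix embedded for {rule_id} ({cce}): remediate manually")
            continue
        lines.append(f"# XCCDF rule: {rule_id}")
        lines.append(f"# {cce}")
        lines.append(fixes[rule_id])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rid = "xccdf_org.open-scap_testresult_stig-rhel6-server"
    print(summarize(SAMPLE_RESULTS, rid))
    print(generate_fix(SAMPLE_RESULTS, rid))
```

Run against a real `/root/ssg-results.xml`, the same functions work unchanged as long as the file carries the XCCDF 1.2 namespace; for XCCDF 1.1 content, change `XCCDF_NS` accordingly. Review the generated script before running it, exactly as you would the output of `oscap xccdf generate fix`.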
IMPORTANT: The minimum version of Ansible must be at least version 2.3

== Deprecated Content

.Deprecated Content
|===
|Product |EOL Date |Last Release

|JBoss EAP 5
|November 30, 2016
|link:https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35[SSG 0.1.35]

|Red Hat Enterprise Linux 5
|March 31, 2017
|link:https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.34[SSG 0.1.34]
|===

== Alternative Scanning Tools

=== SPAWAR SCAP Compliance Checker (SCC)

Funded by the Internal Revenue Service and the National Security Agency, Space and Naval Warfare (SPAWAR) Systems Center Atlantic has authored a SCAP Compliance Checker (SCC). SPAWAR SCC is available for any U.S. government employee or contractor; it is not available to the general public. The SPAWAR SCC website is http://www.public.navy.mil/spawar/Atlantic/ProductsServices/Pages/SCAP.aspx.

To utilize SCC with SCAP Security Guide content:

1. Import SSG content into SCC through the cscc -is command
+
----
[root@localhost scc]# cd /opt/scc
[root@localhost scc]# ./cscc -is /home/testUser/Desktop/ssg_scc.zip
Extracted: /opt/scc/Resources/Content/ssg-rhel6-cpe-oval.xml.
Extracted: /opt/scc/Resources/Content/ssg-rhel6-cpe-dictionary.xml.
Extracted: /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml.
Extracted: /opt/scc/Resources/Content/ssg-rhel6-ocil.xml.
Extracted: /opt/scc/Resources/Content/ssg-rhel6-oval.xml.
SCAP Content successfully installed to the Resources/Content directory.
Please enable content by running CSCC with the '--config' option.
----
+
2. Enable the SSG content by first executing cscc --config:
+
----
[root@localhost scc]# ./cscc --config

SCC 3.1 RC2 configuration edit menu. Make menu selection:

1. Configure SCAP content
2. Configure SCAP profiles
3. Delete SCAP content
4. Configure OVAL content
5. Delete OVAL content
6. Configure Options
7. Configure SSH Options
8. Exit and save changes
9. Exit without saving changes

SCAP Processing is Enabled - 0 of 3 SCAP streams are enabled
OVAL Processing is Disabled - 0 of 0 OVAL streams are enabled

Enter menu selection: 1
----
+
You will be presented with a list of imported SCAP content. Select the option for SSG, which will be similar to option 1 shown below:
+
----
SCC 3.1 RC2 Available SCAP Content

All content paths are relative to the installation directory at: /opt/scc/Resources

1. [ ] ssg-rhel6 2013-02-01-05:00 0.1
       path: Content/
       profile: test
2. [ ] U_RedHat_5_V1R2_STIG_Benchmark 2013-01-17 1
       path: Content/
       profile: MAC-1_Classified
3. [ ] usgcb-rhel5desktop 2011-09-30 1.0.5.0
       path: Content/USGCB-RHEL5-1.0.5.0/
       profile: united_states_government_configuration_baseline

SCAP Content 0 of 3 enabled.

Enter content number to enable or disable content ('all', 'clear', or ranges N-N are allowed, type 'back' or '0' to return): 1
----
+
Once selected, an [X] will be shown before the SSG SCAP content. Verify the SSG content has been enabled, then enter 0 to return to the SCC main screen:
+
----
SCC 3.1 RC2 Available SCAP Content

All content paths are relative to the installation directory at: /opt/scc/Resources

1. [X] ssg-rhel6 2013-02-01-05:00 0.1
       path: Content/
       profile: test
2. [ ] U_RedHat_5_V1R2_STIG_Benchmark 2013-01-17 1
       path: Content/
       profile: MAC-1_Classified
3. [ ] usgcb-rhel5desktop 2011-09-30 1.0.5.0
       path: Content/USGCB-RHEL5-1.0.5.0/
       profile: united_states_government_configuration_baseline

SCAP Content 1 of 3 enabled.

Enter content number to enable or disable content ('all', 'clear', or ranges N-N are allowed, type 'back' or '0' to return): 0
----
+
3. Select SSG Profile
+
From the SCC home screen, select option 2, "Configure SCAP profiles"
+
----
SCC 3.1 RC2 configuration edit menu. Make menu selection:

1. Configure SCAP content
2. Configure SCAP profiles
3. Delete SCAP content
4. Configure OVAL content
5. Delete OVAL content
6. Configure Options
7. Configure SSH Options
8. Exit and save changes
9. Exit without saving changes

SCAP Processing is Enabled - 1 of 3 SCAP streams are enabled
OVAL Processing is Disabled - 0 of 0 OVAL streams are enabled

Enter menu selection: 2
----
+
You will be brought to the SCAP content selection screen. Select the option for SSG, similar to option 1 shown below:
+
----
Select SCAP Content to view available profiles

1. [X] ssg-rhel6 2013-02-01-05:00 0.1
       path: Content/
       profile: stig-rhel6-server

Enter content number to view available profiles (type 'back' or '0' to return): 1
----
+
You will be shown available SSG profiles. Select the numerical identifier for the profile you wish to scan against, such as stig-rhel6-server:
+
----
Available Profiles for ssg-rhel6 2013-02-01-05:00 0.1

1. [ ] test
2. [ ] common
3. [ ] desktop
4. [ ] server
5. [ ] ftp
6. [ ] ftp
7. [X] stig-rhel6-server

Enter profile number to set selected profile (type 'back' or '0' to return): 7
----
+
You will be brought to the SCAP Content screen. Enter '0' to return to the SCC main screen:
+
----
Select SCAP Content to view available profiles

1. [X] ssg-rhel6 2013-02-01-05:00 0.1
       path: Content/
       profile: stig-rhel6-server

Enter content number to view available profiles (type 'back' or '0' to return): 0
----
+
4. Configure SCC Options
+
From the SCC main screen, select option 6, "Configure Options"
+
----
SCC 3.1 RC2 configuration edit menu. Make menu selection:

1. Configure SCAP content
2. Configure SCAP profiles
3. Delete SCAP content
4. Configure OVAL content
5. Delete OVAL content
6. Configure Options
7. Configure SSH Options
8. Exit and save changes
9. Exit without saving changes

SCAP Processing is Enabled - 1 of 3 SCAP streams are enabled
OVAL Processing is Disabled - 0 of 0 OVAL streams are enabled

Enter menu selection: 6
----
+
On the options menu, ensure the following settings are enabled (indicated by [X]). To enable/disable settings, enter their corresponding numerical identifier:
+
----
SCC 3.1 RC2 Options menu.
Make menu selection:

Content Scan Methods
 1. [X] Perform SCAP Scan
 2. [ ] Perform OVAL Scan

Select Reports
 3. [X] Generate 'All Settings' report
 4. [ ] Generate 'All Settings Summary' report
 5. [X] Generate 'Non-Compliance' report
 6. [ ] Generate 'Non-Compliance Summary' report

Report File Types
 7. [X] Generate reports as HTML
 8. [ ] Generate reports as Text

Logging and Debugging
 9. [ ] Save screen logs
10. [ ] Save debug logs
11. [ ] Suppress warnings

XML Results
12. [X] Save generated XCCDF OXML files
13. [X] Save generated OVAL XML files
14. [ ] Create ARF XML output
15. [ ] Validate XML output files
16. [ ] Save failed CPE XML results files

Content Processing
17. [ ] Scan content directories on application load
18. [ ] Validate content stream(s) XML files

Data Directory
19. /opt/scc

OVAL Processing Options
20. [X] Ignore remote fileSystems
21. [X] Enable item creation threshold
22. Item creation threshold: 50000
23. [X] Ignore file extended ACL attributes

Enter menu selection (type 'back' or '0' to return):
----
+
Once the above options are set, return to the SCC main screen by entering 0.
+
5. Select option 8, "Exit and save changes":
+
----
SCC 3.1 RC2 configuration edit menu. Make menu selection:

1. Configure SCAP content
2. Configure SCAP profiles
3. Delete SCAP content
4. Configure OVAL content
5. Delete OVAL content
6. Configure Options
7. Configure SSH Options
8. Exit and save changes
9. Exit without saving changes

SCAP Processing is Enabled - 1 of 3 SCAP streams are enabled
OVAL Processing is Disabled - 0 of 0 OVAL streams are enabled

Enter menu selection: 8
Saving changes.
----
+
6. Execute an SCC scan.
Results should end similarly to the following:
+
----
localhost: Processing (391 of 411) Configure Dovecot to Use the SSL Certificate file
localhost: Processing (392 of 411) Configure Dovecot to Use the SSL Key file
localhost: Processing (393 of 411) Disable Plaintext Authentication - (CCE-27144-5)
localhost: Processing (394 of 411) Disable Samba - (CCE-27143-7)
localhost: Processing (395 of 411) Disable Root Access
localhost: Processing (396 of 411) Disable Root Access
localhost: Processing (397 of 411) Require Client SMB Packet Signing, if using smbclient - (CCE-26328-5)
localhost: Processing (398 of 411) Require Client SMB Packet Signing, if using mount.cifs - (CCE-26792-2)
localhost: Processing (399 of 411) Disable Squid - (CCE-27146-0)
localhost: Processing (400 of 411) Uninstall squid Package - (CCE-26977-9)
localhost: Processing (401 of 411) Disable snmpd Service - (CCE-26906-8)
localhost: Processing (402 of 411) Uninstall net-snmp Package - (CCE-26332-7)
localhost: Processing (403 of 411) Configure SNMP Service to Use Only SNMPv3 or Newer
localhost: Processing (404 of 411) Ensure Default Password Is Not Used
localhost: Processing (405 of 411) Product Meets this Requirement
localhost: Processing (406 of 411) Product Meets this Requirement
localhost: Processing (407 of 411) Product Meets this Requirement
localhost: Processing (408 of 411) Guidance Does Not Meet this Requirement Due to Impracticality or Scope
localhost: Processing (409 of 411) Implementation of the Requirement is Not Supported
localhost: Processing (410 of 411) Guidance Does Not Meet this Requirement Due to Impracticality or Scope
localhost: Processing (411 of 411) A process for prompt installation of OS updates must exist.
localhost: Calculating scores
localhost: User: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_OVAL-Results_ssg-rhel6.xml
localhost: OCIL Schema Version: 2.0
localhost: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_OCIL-Results_ssg-rhel6.xml
localhost: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_OVAL-Variables_ssg-rhel6.xml
localhost: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_XCCDF-Results_ssg-rhel6.xml
localhost: Generating report testUser_SCC-3.1_RC2_2013-02-04_145218_All-Settings_ssg-rhel6.htm
localhost: Generating report testUser_SCC-3.1_RC2_2013-02-04_145218_Non-Compliance_ssg-rhel6.htm
localhost: Adjusted Score - 0% [RED]
localhost: Original Score - 0% [RED]

Total Errors: 11
Total Warnings: 2

Review complete.
Results, if any, are located in the following directory: /opt/scc/Results
Logs, if any, are located in the following directory: /opt/scc/Logs
----

scap-security-guide-0.1.39/docs/scap-security-guide.8

.TH scap-security-guide 8 "26 Jan 2013" "version 1"
.SH NAME
SCAP Security Guide - Delivers security guidance, baselines, and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP).
.SH DESCRIPTION
The project provides practical security hardening advice for Red Hat products, and also links it to compliance requirements in order to ease deployment activities, such as certification and accreditation. These include requirements in the U.S. government (Federal, Defense, and Intelligence Community) as well as of the financial services and health care industries. For example, high-level and widely-accepted policies such as NIST 800-53 provide prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are. The SSG bridges the gap between generalized policy requirements and specific implementation guidance, in SCAP formats to support automation whenever possible.
The project's homepage is located at: https://www.open-scap.org/security-policies/scap-security-guide
.SH Red Hat Enterprise Linux 6 PROFILES
The Red Hat Enterprise Linux 6 SSG content is broken into 'profiles,' groupings of security settings that correlate to a known policy. Available profiles are:
.I C2S
.RS
The C2S profile demonstrates compliance against the U.S. Government Commercial Cloud Services (C2S) baseline. This baseline was inspired by the Center for Internet Security (CIS) Red Hat Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015. For the SCAP Security Guide project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.
.RE
.I CS2
.RS
The CS2 is an example of a customized server profile.
.RE
.I CSCF-RHEL6-MLS
.RS
The CSCF RHEL6 MLS Core Baseline profile reflects the Centralized Super Computing Facility (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline has received government ATO through the ICD 503 process, utilizing the CNSSI 1253 cross domain overlay. This profile should be considered in active development. Additional tailoring will be needed, such as the creation of RBAC roles for production deployment.
.RE
.I desktop
.RS
The Desktop Baseline profile is for a desktop installation of Red Hat Enterprise Linux 6.
.RE
.I fisma-medium-rhel6-server
.RS
A FISMA Medium profile for Red Hat Enterprise Linux 6
.RE
.I ftp
.RS
A profile for FTP servers
.RE
.I nist-cl-il-al
.RS
The CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 6 Profile follows the Committee on National Security Systems Instruction (CNSSI) No. 1253, "Security Categorization and Control Selection for National Security Systems" on security controls to meet low confidentiality, low integrity, and low assurance.
.RE
.I pci-dss
.RS
The PCI-DSS v3 Control Baseline Profile for Red Hat Enterprise Linux 6 is a *draft* profile for PCI-DSS v3
.RE
.I rht-ccp
.RS
The Red Hat Corporate Profile for Certified Cloud Providers (RH CCP) profile is a *draft* SCAP profile for Red Hat Certified Cloud Providers.
.RE
.I server
.RS
The Server Baseline profile is for Red Hat Enterprise Linux 6 acting as a server.
.RE
.I standard
.RS
The Standard System Security Profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 6 system. Regardless of your system's workload all of these checks should pass.
.RE
.I stig-rhel6-disa
.RS
The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations (FSO) has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). This profile was created as a collaboration effort between the National Security Agency, DISA FSO, and Red Hat. As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For additional information relating to STIGs, please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/

While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.
.RE
.I usgcb-rhel6-server
.RS
The purpose of the United States Government Configuration Baseline (USGCB) initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies. The USGCB baseline evolved from the Federal Desktop Core Configuration mandate. The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain effective configuration settings focusing primarily on security.
.B "NOTE: "
While the current content maps to USGCB requirements, it has NOT been validated by NIST as of yet. This content should be considered draft; we are highly interested in feedback. For additional information relating to USGCB, please refer to the NIST webpage at http://usgcb.nist.gov/usgcb_content.html.
.RE
.SH Red Hat Enterprise Linux 7 PROFILES
The Red Hat Enterprise Linux 7 SSG content is broken into 'profiles,' groupings of security settings that correlate to a known policy. Available profiles are:
.I C2S
.RS
The C2S profile demonstrates compliance against the U.S. Government Commercial Cloud Services (C2S) baseline. This baseline was inspired by the Center for Internet Security (CIS) Red Hat Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015. For the SCAP Security Guide project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.
.RE
.I cjis-rhel7-server
.RS
The Criminal Justice Information Services Security Policy is a *draft* profile for CJIS v5.4. The scope of this profile is to configure Red Hat Enterprise Linux 7 against the U. S. Department of Justice, FBI CJIS Security Policy.
.RE
.I common
.RS
The common profile is intended to be used as a base, universal profile for scanning of general-purpose Red Hat Enterprise Linux systems.
.RE
.I docker-host
.RS
The Standard Docker Host Security Profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system running the docker daemon. This discussion is currently being held on open-scap-list@redhat.com and scap-security-guide@lists.fedorahosted.org.
.RE
.I ospp
.RS
This profile is developed in partnership with the U.S. National Institute of Science and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. The USGCB is intended to be the core set of security related configuration settings by which all federal agencies should comply.
.RE
.I pci-dss
.RS
The PCI-DSS v3 Control Baseline Profile for Red Hat Enterprise Linux 7 is a *draft* profile for PCI-DSS v3
.RE
.I rht-ccp
.RS
The Red Hat Corporate Profile for Certified Cloud Providers (RH CCP) profile is a *draft* SCAP profile for Red Hat Certified Cloud Providers.
.RE
.I standard
.RS
The Standard System Security Profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system. Regardless of your system's workload all of these checks should pass.
.RE
.I stig-rhel7-disa
.RS
The DISA STIG for Red Hat Enterprise Linux 7 Server V1R4. The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. Since 1998, DISA Field Security Operations (FSO) has played a critical role enhancing the security posture of DoD's security systems by providing the Security Technical Implementation Guides (STIGs). This profile was created as a collaboration effort between the National Security Agency, DISA FSO, and Red Hat. As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content.
For additional information relating to STIGs, please refer to the DISA FSO webpage at http://iase.disa.mil/stigs/

While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example SCAP content with no endorsement for suitability or production readiness. Support for this profile is provided by the upstream SCAP Security Guide community on a best-effort basis. The upstream project homepage is https://www.open-scap.org/security-policies/scap-security-guide. This profile is developed under the DoD consensus model to become a STIG in coordination with DISA FSO.
.RE
.I nist-800-171-cui
.RS
Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

From NIST 800-171, Section 2.2: Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of: (i) a basic security requirements section; and (ii) a derived security requirements section. The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).
.RE
.SH Fedora PROFILES
The Fedora SSG content is broken into 'profiles,' groupings of security settings that correlate to a known policy. Currently available profiles:
.I common
.RS
The common profile is intended to be used as a base, universal profile for scanning of general-purpose Fedora systems.
.RE
.I standard
.RS
The Standard System Security Profile contains rules to ensure standard security baseline of a Fedora system. Regardless of your system's workload all of these checks should pass.
.RE
.SH EXAMPLES
To scan your system utilizing the OpenSCAP utility against the ospp profile:

oscap xccdf eval --profile ospp \
    --results /tmp/`hostname`-ssg-results.xml \
    --report /tmp/`hostname`-ssg-results.html \
    --oval-results \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
.PP
Additional details can be found on the project's wiki page: https://www.github.com/OpenSCAP/scap-security-guide/wiki
.SH FILES
.I /usr/share/xml/scap/ssg/content
.RS
Houses SCAP content utilizing the following naming conventions:
.I CPE_Dictionaries:
ssg-{profile}-cpe-dictionary.xml
.I CPE_OVAL_Content:
ssg-{profile}-cpe-oval.xml
.I OVAL_Content:
ssg-{profile}-oval.xml
.I XCCDF_Content:
ssg-{profile}-xccdf.xml
.RE
.I /usr/share/doc/scap-security-guide/guides/
.RS
HTML versions of SSG profiles.
.RE
.SH STATEMENT OF SUPPORT
The SCAP Security Guide, an open source project jointly maintained by Red Hat and the NSA, provides XCCDF and OVAL content for Red Hat technologies. As an open source project, community participation extends into U.S. Department of Defense agencies, civilian agencies, academia, and other industrial partners.

SCAP Security Guide is provided to consumers through Red Hat's Extended Packages for Enterprise Linux (EPEL) repository. As such, SCAP Security Guide content is considered "vendor provided." Note that while Red Hat hosts the infrastructure for this project and Red Hat engineers are involved as maintainers and leaders, there are no commercial support contracts or service level agreements provided by Red Hat. Support, for both users and developers, is provided through the SCAP Security Guide community.
Homepage: https://www.open-scap.org/security-policies/scap-security-guide
.PP
Mailing List: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
.SH DEPLOYMENT TO U.S. CIVILIAN GOVERNMENT SYSTEMS
SCAP Security Guide content is considered vendor (Red Hat) provided content. Per guidance from the U.S. National Institute of Standards and Technology (NIST), U.S. Government programs are allowed to use Vendor produced SCAP content in absence of "Governmental Authority" checklists. The specific NIST verbiage: http://web.nvd.nist.gov/view/ncp/repository/glossary?cid=1#Authority
.SH DEPLOYMENT TO U.S. MILITARY SYSTEMS
DoD Directive (DoDD) 8500.1 requires that "all IA and IA-enabled IT products incorporated into DoD information systems shall be configured in accordance with DoD-approved security configuration guidelines" and tasks Defense Information Systems Agency (DISA) to "develop and provide security configuration guidance for IA and IA-enabled IT products in coordination with Director, NSA." The output of this authority is the DISA Security Technical Implementation Guides, or STIGs.

DISA FSO is in the process of moving the STIGs towards the use of the NIST Security Content Automation Protocol (SCAP) in order to "automate" compliance reporting of the STIGs. Through a common, shared vision, the SCAP Security Guide community enjoys close collaboration directly with NSA, NIST, and DISA FSO. As stated in Section 1.1 of the Red Hat Enterprise Linux 6 STIG Overview, Version 1, Release 2, issued on 03-JUNE-2013:

"The consensus content was developed using an open-source project called SCAP Security Guide. The project's website is https://www.open-scap.org/security-policies/scap-security-guide.
Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the Red Hat Enterprise Linux 6 STIG should mirror the SCAP Security Guide content with only minor divergence as updates from multiple sources work through the consensus process."

The DoD STIG for Red Hat Enterprise Linux 6 was released June 2013. Currently, the DoD Red Hat Enterprise Linux 6 STIG contains only XCCDF content and is available online: http://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx

Content published against the iase.disa.mil website is authoritative STIG content. The SCAP Security Guide project, as noted in the STIG overview, is considered upstream content. Unlike DISA FSO, the SCAP Security Guide project does publish OVAL automation content.

Individual programs and C&A evaluators make program-level determinations on the direct usage of the SCAP Security Guide. Currently there is no blanket approval.
.SH SEE ALSO
.B oscap(8)
.SH AUTHOR
Please direct all questions to the SSG mailing list: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

scap-security-guide-0.1.39/eap6/CMakeLists.txt

# Sometimes our users will try to do: "cd jboss_eap6; cmake ." That needs to error in a nice way.
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!")
endif()

set(PRODUCT "eap6")
set(DISA_SRG_TYPE "application")

ssg_build_product(${PRODUCT})

ssg_build_html_nistrefs_table(${PRODUCT} "stig-${PRODUCT}-disa")
ssg_build_html_cce_table(${PRODUCT})
ssg_build_html_srgmap_tables(${PRODUCT} ${DISA_SRG_TYPE})
ssg_build_html_stig_tables(${PRODUCT} "stig-${PRODUCT}-disa")

scap-security-guide-0.1.39/eap6/checks/oval/installed_app_is_eap6.xml

JBoss Enterprise Application Platform 6 EAP Version should be version 6 JBoss Enterprise Application Platform 6 eap6 JBOSS_HOME version.txt Red[\s]+Hat[\s]+JBoss[\s]+Enterprise[\s]+Application[\s]+Platform[\s]+\-[\s]+Version[\s]+(.*)GA 1 /opt/eap/version.txt Red[\s]+Hat[\s]+JBoss[\s]+Enterprise[\s]+Application[\s]+Platform[\s]+\-[\s]+Version[\s]+(.*)GA 1 6\.[0-4]+\.[0-9]+ /

scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_configure_application_authentication.xml

Remove Silent Authentication - Application Security Realm Verify that Silent Authentication has been removed from the default Application security realm.
JBoss Enterprise Application Platform 6 JBOSS_HOME /standalone/configuration/ .xml count(//*[name()='server']/*[name()='management']/*[name()='security-realms']/*[name()='security-realm'][@name='ApplicationRealm']/*[name()='authentication']/*[name()='local']) 0 scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_configure_auditing.xml000066400000000000000000000037301327242345500271540ustar00rootroot00000000000000 Configure Audit Logging Audit logging must be enabled JBoss Enterprise Application Platform 6 JBOSS_HOME /standalone/configuration/ .xml //*[name()='server']/*[name()='management']/*[name()='audit-log']/*[name()='logger'][@enabled='true'] scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_configure_keystore.xml000066400000000000000000000037041327242345500272160ustar00rootroot00000000000000 Configure Vault for Passwords The vault should be configured for storing passwords. JBoss Enterprise Application Platform 6 JBOSS_HOME /standalone/configuration/ .xml //*[name()='server']/*[name()='vault'] scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_configure_logging_level.xml000066400000000000000000000071721327242345500301710ustar00rootroot00000000000000 Configure JBoss Logging Level Verify that the logging level for the ROOT logger is INFO. 
JBoss Enterprise Application Platform 6 JBOSS_HOME /standalone/configuration/ .xml //*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='root-logger']/*[name()='level'][@name='INFO'] //*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='root-logger']/*[name()='level'][@name='DEBUG'] //*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='root-logger']/*[name()='level'][@name='TRACE'] scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_configure_management_authentication.xml000066400000000000000000000052511327242345500325630ustar00rootroot00000000000000 Remove Silent Authentication - Management Security Realm Verify that Silent Authentication has been removed from the default Management security realm. JBoss Enterprise Application Platform 6 JBOSS_HOME /standalone/configuration/ .xml count(//*[name()='server']/*[name()='management']/*[name()='security-realms']/*[name()='security-realm'][@name='ManagementRealm']/*[name()='authentication']/*[name()='local']) 0 scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_configure_security_manager.xml000066400000000000000000000033241327242345500307100ustar00rootroot00000000000000 JBoss Enterprise Application Platform 6 Security Manager Java security manager must be installed JBoss Enterprise Application Platform 6 JBOSS_HOME standalone.conf ^SECMGR="(.*)" 1 true /bin/ scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_configure_syslog.xml000066400000000000000000000037361327242345500266760ustar00rootroot00000000000000 Configure JBoss to Use Syslog EAP should be configured to export logs to syslog JBoss Enterprise Application Platform 6 JBOSS_HOME /standalone/configuration/ .xml //*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='syslog-handler'] scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_file_permissions.xml000066400000000000000000000040141327242345500266550ustar00rootroot00000000000000 Configure JBoss Directory Permissions JBoss 
Enterprise Application Platform 6 File permissions for JBOSS_HOME should be set correctly. JBOSS_HOME / .+ false false scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_logs_permissions.xml000066400000000000000000000056251327242345500267130ustar00rootroot00000000000000 Configure JBoss Log Directory Permissions JBoss Enterprise Application Platform 6 File permissions for JBOSS_HOME/standalone/log should be set correctly. JBOSS_HOME /standalone/log .*\.log$ false false false false false false scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_remove_jmx.xml000066400000000000000000000036671327242345500254730ustar00rootroot00000000000000 Remove JMX Subsystem EAP should be configured to remove the JMX subsystem JBoss Enterprise Application Platform 6 JBOSS_HOME /standalone/configuration/ .xml //*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='remoting-connector'] scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_remove_quickstarts.xml000066400000000000000000000026671327242345500272510ustar00rootroot00000000000000 JBoss Enterprise Application Platform 6 Security Manager Remove Quickstarts Quickstarts must be removed JBoss Enterprise Application Platform 6 JBOSS_HOME * /.*quickstart.* scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_remove_unnecessary_apps.xml000066400000000000000000000030661327242345500302500ustar00rootroot00000000000000 JBoss Enterprise Application Platform 6 Security Manager Remove Unnecessary Applications Unnecessary apps must be removed JBoss Enterprise Application Platform 6 JBOSS_HOME ^((?!(README.txt|.*\.rar|.*\.deployed|.*\.undeployed)|.*\.dodeploy).)*$ /standalone/deployments scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_roll_over_transfer_logs.xml000066400000000000000000000040031327242345500302340ustar00rootroot00000000000000 Configure Logs to Rollover Logger should be configured to rollover log files JBoss Enterprise Application Platform 6 JBOSS_HOME /standalone/configuration/ .xml 
//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='periodic-rotating-file-handler'][@name='FILE'] scap-security-guide-0.1.39/eap6/checks/oval/jboss_eap_vendor_supported.xml000066400000000000000000000010731327242345500267070ustar00rootroot00000000000000 JBoss Enterprise Application Platform Supported Version Installed version of JBoss is a vendor supported version. JBoss Enterprise Application Platform 6 scap-security-guide-0.1.39/eap6/cpe/000077500000000000000000000000001327242345500171035ustar00rootroot00000000000000scap-security-guide-0.1.39/eap6/cpe/eap6-cpe-dictionary.xml000066400000000000000000000242471327242345500234010ustar00rootroot00000000000000 JBoss Enterprise Application Platform 6.0.0 installed_app_is_eap6 JBoss Enterprise Application Platform 6.0.1 installed_app_is_eap6 JBoss Enterprise Application Platform 6.1.0 installed_app_is_eap6 JBoss Enterprise Application Platform 6.1.1 installed_app_is_eap6 JBoss Enterprise Application Platform 6.2.0 installed_app_is_eap6 JBoss Enterprise Application Platform 6.2.1 installed_app_is_eap6 JBoss Enterprise Application Platform 6.2.2 installed_app_is_eap6 JBoss Enterprise Application Platform 6.2.3 installed_app_is_eap6 JBoss Enterprise Application Platform 6.2.4 installed_app_is_eap6 JBoss Enterprise Application Platform 6.3.0 installed_app_is_eap6 JBoss Enterprise Application Platform 6.3.1 installed_app_is_eap6 JBoss Enterprise Application Platform 6.3.2 installed_app_is_eap6 JBoss Enterprise Application Platform 6.3.3 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.0 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.1 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.2 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.3 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.4 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.5 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.6 
installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.7 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.8 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.9 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.10 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.11 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.12 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.13 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.14 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.15 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.16 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.17 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.18 installed_app_is_eap6 JBoss Enterprise Application Platform 6.4.19 installed_app_is_eap6 scap-security-guide-0.1.39/eap6/fixes/000077500000000000000000000000001327242345500174525ustar00rootroot00000000000000scap-security-guide-0.1.39/eap6/fixes/.gitkeep000066400000000000000000000000001327242345500210710ustar00rootroot00000000000000scap-security-guide-0.1.39/eap6/guide.xslt000066400000000000000000000034021327242345500203440ustar00rootroot00000000000000 A conditional clause for check statements. A conditional clause for check statements. This is a placeholder. scap-security-guide-0.1.39/eap6/guide/000077500000000000000000000000001327242345500174315ustar00rootroot00000000000000scap-security-guide-0.1.39/eap6/guide/eap6/000077500000000000000000000000001327242345500202645ustar00rootroot00000000000000scap-security-guide-0.1.39/eap6/guide/eap6/eap6.group000066400000000000000000000013431327242345500221760ustar00rootroot00000000000000documentation_complete: true title: 'JBoss Enterprise Application Platform 6' description: "JBoss Enterprise Application Platform is a popular Java \nEnterprise Edition application server platform by Red Hat. 
It is based\non the open-source JBoss Application Server, Community Edition.\nLeveraging robust container architecture, JBoss EAP is capable of\nhosting a wide variety of applications - anything from simple, static\nHTML pages all the way to distributed, transaction-based Java Enterprise\nEdition applications. JBoss EAP is known for being dependable, fast,\nflexible, and cost-effective. This section provides settings for\nconfiguring the JBoss Enterprise Application Platform running on \nRed Hat Enterprise Linux systems." scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_audit_privileged_actions.rule000066400000000000000000000032661327242345500302510ustar00rootroot00000000000000documentation_complete: true title: 'Audit JBoss Privileged Actions' description: |- Launch the jboss-cli management interface substituting standalone or domain for CONFIG based upon the server installation.

    <JBOSS_HOME>/CONFIG/bin/jboss-cli

    Connect to the server and run the following command:

    /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)

rationale: |-
    In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who utilize a separate distinct account when accessing privileged functions or data have their actions logged.

    If privileged activity is not logged, no forensic logs can be used to establish accountability for privileged actions that occur on the system.

severity: medium

identifiers:
    cce: 80487-2

references:
    disa: 2234
    nist: ""
    srg: SRG-APP-000343-AS-000030
    stigid: JBOS-AS-000480

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script. Connect to the server and authenticate. Run the command:

    /core-service=management/access=audit:read-resource(recursive=true)

    Under the "logger" => {audit-log} section of the returned response, if "enabled" => false, this is a finding.

==== scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_application_authentication.rule ====
documentation_complete: true

title: 'Remove Silent Authentication - Application Security Realm'

description: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
    jboss-cli script. Connect to the server and authenticate. Remove the local element from the Application Realm. For standalone servers, run the following command:

    /core-service=management/security-realm=ApplicationRealm/authentication=local:remove

    For managed domain installations, run the following command:

    /host=HOST_NAME/core-service=management/security-realm=ApplicationRealm/authentication=local:remove

rationale: |-
    Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis. By default $localuser is a Superuser. This introduces an integrity and availability vulnerability and violates best practice requirements regarding accountability.

severity: high

identifiers:
    cce: 80456-7

references:
    disa: 213
    nist: ""
    srg: SRG-APP-000033-AS-000024
    stigid: JBOS-AS-000045

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script. Connect to the server and authenticate. Verify that Silent Authentication has been removed from the default Application security realm.

    For standalone servers, run the following command:

    ls /core-service=management/security-realm=ApplicationRealm/authentication

    For managed domain installations, run the following command:

    ls /host=HOST_NAME/core-service=management/security-realm=ApplicationRealm/authentication

    If local is returned, this is a finding.

==== scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_auditing.rule ====
documentation_complete: true

title: 'Configure JBoss Auditing and Logging'

description: |-
    Launch the jboss-cli management interface. Connect to the server by typing connect, authenticate as a user in the Superuser role, and run the following command:

    For a Managed Domain configuration:

    host=master/server/SERVERNAME/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)

    For a Standalone configuration:

    /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)

rationale: |-
    Log records can be generated from various components within the JBoss application server. The minimum list of logged events should be those pertaining to access and authentication events to the management interface as well as system startup and shutdown events.

    By default, JBoss does not log management interface access but does provide a default file handler. This handler needs to be enabled. Configuring this setting meets several STIG auditing requirements.

severity: medium

identifiers:
    cce: 80459-1

references:
    disa: 130,131,132,133,134,169,172,1464
    nist: ""
    srg: SRG-APP-000089-AS-000050,SRG-APP-000092-AS-000053,SRG-APP-000095-AS-000056,SRG-APP-000096-AS-000059,SRG-APP-000096-AS-000060,SRG-APP-000098-AS-000061,SRG-APP-000099-AS-000062,SRG-APP-000495-AS-000220,SRG-APP-000499-AS-000224,SRG-APP-000503-AS-000228,SRG-APP-000504-AS-000229,SRG-APP-000505-AS-000230,SRG-APP-000506-AS-000231,SRG-APP-000509-AS-000234
    stigid: JBOS-AS-000080

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate. Run the command:

    For a Managed Domain configuration:

    ls host=master/server/SERVERNAME/core-service=management/access=audit/logger=audit-log

    For a Standalone configuration:

    ls /core-service=management/access=audit/logger=audit-log

    If "enabled" => false, this is a finding.

==== scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_auditor_roles.rule ====
documentation_complete: true

title: 'Configure JBoss Auditor Role'

description: |-
    Obtain documented approvals from ISSM, and assign the appropriate personnel into the
    Auditor role.

rationale: |-
    The JBoss server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged. In JBoss, the role designated for selecting auditable events is the Auditor role. The personnel or roles that can select loggable events are only the ISSM (or individuals or roles appointed by the ISSM).

severity: medium

identifiers:
    cce: 80460-9

references:
    disa: 171
    nist: ""
    srg: SRG-APP-000090-AS-000051
    stigid: JBOS-AS-000085

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate. Run the command:

    For a Managed Domain configuration:

    ls host=master/server/SERVERNAME/core-service=management/access=authorization/role-mapping=Auditor/include=

    For a Standalone configuration:

    ls /core-service=management/access=authorization/role-mapping=Auditor/include=

    If the list of users in the Auditors group is not approved by the ISSM, this is a finding.

==== scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_ha_lb.rule ====
documentation_complete: true

title: 'Configure Load Balancing (LB) or High Availability (HA)'

description: |-
    Configure the application server to provide LB or HA services for the hosted application.

rationale: |-
    A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provides high availability.

severity: medium

identifiers:
    cce: 80492-2

references:
    disa: 2385
    nist: ""
    srg: SRG-APP-000435-AS-000069
    stigid: JBOS-AS-000640

ocil_clause: 'it is not'

ocil: |-
    Interview the system admin and determine if the applications hosted on the application server are mission critical and require load balancing (LB) or high availability (HA).

    If the applications do not require LB or HA, this requirement is NA.

    If the documentation shows the LB or HA services are being provided by a system other than the application server, this requirement is NA.

    If applications require LB or HA, request documentation from the system admin that identifies what type of LB or HA configuration has been implemented on the application server.

    Ask the system admin to identify the components that require protection. Some options are included here as examples; the list is neither complete nor absolute. The components being made redundant or HA by the application server will vary based upon application availability requirements.

    Examples are:
    - Instances of the Application Server
    - Web Applications
    - Stateful, stateless and entity Enterprise Java Beans (EJBs)
    - Single Sign On (SSO) mechanisms
    - Distributed Cache
    - HTTP sessions
    - JMS and Message Services

    If the hosted application requirements specify LB or HA and the JBoss server has not been configured to offer HA or LB, this is a finding.

==== scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_host_access_restrictions.rule ====
documentation_complete: true

title: 'Configure Host Access Restrictions for Applications'

description: |-
    Configure the Java security manager to enforce access restrictions to the host system resources in accordance with application design and resource requirements.

rationale: |-
    The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM.

    The JVM requires a security policy in order to restrict application access. A properly configured security policy will define what rights the application has to the underlying system, for example, rights to make changes to files on the host system or to initiate network sockets in order to connect to another system.

severity: high

identifiers:
    cce: 80452-6

references:
    disa: 213
    nist: ""
    srg: SRG-APP-000033-AS-000024
    stigid: JBOS-AS-000025

ocil_clause: 'it is not'

ocil: |-
    Obtain documentation from the admin that identifies the applications hosted on the JBoss server as well as the corresponding rights the application requires. For example, if the application requires network socket permissions and file write permissions, those requirements should be documented.

    1. Identify the JBoss installation as either domain or standalone and review the relevant configuration file.
       For domain installs: JBOSS_HOME/bin/domain.conf
       For standalone installs: JBOSS_HOME/bin/standalone.conf

    2. Identify the location and name of the security policy by reading the JAVA_OPTS flag -Djava.security.policy=file name, where file name indicates the name and location of the security policy. If the application uses a policy URL, obtain the URL and policy file from the system admin.

    3. Review the security policy and ensure hosted applications have the appropriate restrictions placed on them as per documented application functionality requirements.

    If the security policy does not restrict application access to host resources as per documented requirements, this is a finding.

==== scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_https.rule ====
documentation_complete: true

title: 'Enable HTTPS for JBoss Web Interface'

description: |-
    Follow procedure "4.4. Configure the JBoss Web Server to use HTTPS." The detailed procedure is found in the JBoss EAP 6.3 Security Guide available at the vendor's site, RedHat.com. An overview of steps is provided here.

    1. Obtain or generate DoD-approved SSL certificates.
    2. Configure the SSL certificate using your certificate values.
    3. Set the SSL protocol to TLS V1.1 or V1.2.

rationale: |-
    Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk.

    Application servers utilize a web management interface and scripted commands when allowing remote access. Web access requires the use of TLS, and scripted access requires using ssh or some other form of approved cryptography. Application servers must have a capability to enable a secure remote admin capability.

    FIPS 140-2 approved TLS versions include TLS V1.0 or greater.

    FIPS 140-2 approved TLS versions must be enabled, and non-FIPS-approved SSL versions must be disabled.

    NIST SP 800-52 specifies the preferred configurations for government systems.

severity: medium

identifiers:
    cce: 80451-8

references:
    disa: 1453
    nist: ""
    srg: SRG-APP-000015-AS-000010
    stigid: JBOS-AS-000015

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.

    Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script. Connect to the server and authenticate. Review the web subsystem and ensure that HTTPS is enabled. Run the command:

    For a managed domain:

    ls /profile=PROFILE_NAME/subsystem=web/connector=

    For a standalone system:

    ls /subsystem=web/connector=

    If https is not returned, this is a finding.

==== scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_keystore.rule ====
documentation_complete: true

title: 'Enable the JBoss Keystore'

description: |-
    Configure the application server to use the java keystore and JBoss vault as per section 11.13.1 - Password Vault System in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document.

    1. Create a java keystore.
    2. Mask the keystore password and initialize the password vault.
    3. Configure JBoss to use the password vault.

rationale: |-
    JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an encrypted keystore, and decrypt them for applications and verification systems. Plain-text configuration files, such as XML deployment descriptors, need to specify passwords and other sensitive information. Use the JBoss EAP Password Vault to securely store sensitive strings in plain-text files.

severity: medium

identifiers:
    cce: 80478-1

references:
    disa: 196
    nist: ""
    srg: SRG-APP-000171-AS-000119
    stigid: JBOS-AS-000295

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script. Connect to the server and authenticate. Run the command:

    ls /core-service=vault

    If code=undefined and module=undefined, this is a finding.

==== scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_ldap.rule ====
documentation_complete: true

title: 'Configure LDAP'

description: |-
    Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document.

    1. Create an outbound connection to the LDAP server.
    2. Create an LDAP-enabled security realm.
    3. Reference the new security domain in the Management Interface.

rationale: |-
    To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store that is either local (OS-based) or centralized (Active Directory/LDAP) in nature. It should be noted that JBoss does not specifically mention Active Directory since AD is LDAP aware.

    To ensure accountability and prevent unauthorized access, the JBoss Server must be configured to utilize a centralized authentication mechanism.

severity: medium

identifiers:
    cce: 80473-2

references:
    disa: 764
    nist: ""
    srg: SRG-APP-000148-AS-000101
    stigid: JBOS-AS-000260

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script. Connect to the server and authenticate.

    To obtain the list of security realms run the command:

    ls /core-service=management/security-realm=

    Review each security realm using the command:

    ls /core-service=management/security-realm=SECURITY_REALM_NAME/authentication

    If this command does not return a security realm that uses LDAP for authentication, this is a finding.

==== scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_log_permissions.rule ====
documentation_complete: true

title: 'Configure JBoss Log Permissions'

description: |-
    Configure the OS file permissions on the application server to protect log information from unauthorized access.

rationale: |-
    If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve.

    When not configured to use a centralized logging solution like a syslog server, the JBoss EAP application server writes log data to log files that are stored on the OS; appropriate file permissions must be used to restrict access.

    Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized access.

severity: medium

identifiers:
    cce: 80462-5

references:
    disa: 162,163,164
    nist: ""
    srg: SRG-APP-000118-AS-000078,SRG-APP-000119-AS-000079,SRG-APP-000120-AS-000080
    stigid: JBOS-AS-000165

ocil_clause: 'it is not'

ocil: |-
    Examine the log file locations and inspect the file permissions. Interview the system admin to determine log file locations. The default location for the log files is:

    Standalone configuration:
        <JBOSS_HOME>/standalone/log/

    Managed Domain configuration:
        <JBOSS_HOME>/domain/servers/servername/log/
        <JBOSS_HOME>/domain/log/

    Review the file permissions for the log file directories. The method used for identifying file permissions will be based upon the OS the EAP server is installed on.

    Identify all users with file permissions that allow them to read, modify, or delete log files.

    Request documentation from the system admin that identifies the users who are authorized to read, modify, or delete log files.

    If unauthorized users are allowed to read, modify, or delete log files, or if documentation that identifies the users who are authorized to read, modify, or delete log files is missing, this is a finding.

==== scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_logging_level.rule ====
documentation_complete: true

title: 'Configure JBoss Logging Level'

description: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
    jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate.

    The PROFILE NAMEs included with a Managed Domain JBoss configuration are: default, full, full-ha, or ha. For a Managed Domain configuration, you must check each profile name.

    For each PROFILE NAME, run the command:

    /profile=PROFILE NAME/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)

    For a Standalone configuration:

    /subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)

rationale: |-
    Logging at a level above INFO records less data and may result in an insufficient amount of information being logged by the ROOT logger. This can result in failed forensic investigations. The ROOT logger level must be INFO level or lower to provide adequate log information.

severity: medium

identifiers:
    cce: 80461-7

references:
    disa: 1487
    nist: ""
    srg: SRG-APP-000100-AS-000063
    stigid: JBOS-AS-000135

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate.

    The PROFILE NAMEs included with a Managed Domain JBoss configuration are: default, full, full-ha, or ha. For a Managed Domain configuration, you must check each profile name.

    For each PROFILE NAME, run the command:

    ls /profile=PROFILE NAME/subsystem=logging/root-logger=ROOT

    If the ROOT logger level is not set to INFO, DEBUG or TRACE, this is a finding for each PROFILE NAME (default, full, full-ha and ha).

    For a Standalone configuration:

    ls /subsystem=logging/root-logger=ROOT

    If "level" is not INFO, DEBUG or TRACE, this is a finding.

==== scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_management_authentication.rule ====
documentation_complete: true

title: 'Remove Silent Authentication - Management Security Realm'

description: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the
<JBOSS_HOME>/bin/
folder. Run the
jboss-cli
script. Connect to the server and authenticate. Remove the local element from the Management Realm. For standalone servers run the following command:
/core-service=management/securityrealm=ManagementRealm/authentication=local:remove


For managed domain installations run the following command:
/host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication=local:remove
rationale: |- Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis. By default $localuser is a Superuser. This introduces an integrity and availability vulnerability and violates best practice requirements regarding accountability. severity: high identifiers: cce: 80457-5 references: disa: 213 nist: "" srg: SRG-APP-000033-AS-000024 stigid: JBOS-AS-000050 ocil_clause: 'it is not' ocil: |- Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
jboss-cli
script. Connect to the server and authenticate. Verify that Silent Authentication has been removed from the default Management security realm. Run the following command.

For standalone servers run the following command:
ls /core-service=management/securityrealm=ManagementRealm/authentication


For managed domain installations run the following command:
ls /host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication


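Added example (not part of the SSG rule text or Red Hat's code): a POSIX shell helper that evaluates the captured jboss-cli "ls" output for the two preceding checks, the ROOT logger level (JBOS-AS-000135) and the ManagementRealm authentication children (JBOS-AS-000050). The sample outputs are constructed and abridged; the live audit function assumes a default EAP 6 layout under $JBOSS_HOME and a reachable management interface.

```shell
#!/bin/sh
# Added example, not SSG or Red Hat code. Evaluates captured jboss-cli "ls" output.

# Check 1: ROOT logger level. Pass only for INFO, DEBUG or TRACE (the levels the rule
# accepts); WARN, ERROR, FATAL, OFF or a missing level attribute are findings.
root_logger_level_ok() {
    level=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*level=//p' | tr -d ' \r"')
    case "$level" in
        INFO|DEBUG|TRACE) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 2: silent (local) authentication. "ls .../authentication" lists the child
# authentication mechanisms; a line reading exactly "local" means silent auth is present.
silent_auth_removed() {
    if printf '%s\n' "$1" | tr -d ' \r' | grep -qx 'local'; then
        return 1
    fi
    return 0
}

# Run both checks live against every managed-domain profile plus one host controller.
# Assumes $JBOSS_HOME, jboss-cli.sh under bin/, and a running management interface.
audit_domain() {
    cli="${JBOSS_HOME:?JBOSS_HOME must be set}/bin/jboss-cli.sh"
    host="${1:-master}"
    rc=0
    for p in default full full-ha ha; do
        out=$("$cli" --connect --command="ls /profile=$p/subsystem=logging/root-logger=ROOT") || { rc=1; continue; }
        root_logger_level_ok "$out" || { echo "FINDING JBOS-AS-000135: profile=$p"; rc=1; }
    done
    out=$("$cli" --connect --command="ls /host=$host/core-service=management/security-realm=ManagementRealm/authentication") || return 1
    silent_auth_removed "$out" || { echo "FINDING JBOS-AS-000050: host=$host"; rc=1; }
    return $rc
}

# Constructed sample outputs (abridged; real output lists more attributes).
ROOT_LS_OK='filter=undefined
handlers=["CONSOLE","FILE"]
level=INFO'
ROOT_LS_BAD='filter=undefined
handlers=["CONSOLE","FILE"]
level=WARN'
AUTH_LS_BAD='local
properties'
AUTH_LS_OK='properties'
```

The parsers are kept separate from the CLI invocation so the verdict logic can be exercised on saved output from an offline review, and so that a CLI connection failure counts as a failed audit rather than a silent pass.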
    If local is returned, this is a finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_management_ldap.rule
documentation_complete: true

title: 'Configure LDAP for Management Interfaces'

description: |-
    Follow the steps in section 11.8 - Management Interface Security of the
    JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US
    document:

    1. Create an outbound connection to the LDAP server.
    2. Create an LDAP-enabled security realm.
    3. Reference the new security realm in the management interface.

rationale: |-
    JBoss EAP provides a security realm called ManagementRealm. By default, this realm uses
    the mgmt-users.properties file for authentication. Using file-based authentication does
    not allow the JBoss server to be in compliance with a wide range of user management
    requirements such as automatic disabling of inactive accounts as per DoD policy. To
    address this issue, the management interfaces used to manage the JBoss server must be
    associated with a security realm that provides centralized authentication management.
    Examples are AD or LDAP.

    Management of user identifiers is not applicable to shared information system accounts
    (e.g., guest and anonymous accounts). It is commonly the case that a user account is the
    name of an information system account associated with an individual.

severity: medium

identifiers:
    cce: 80477-3

references:
    disa: 795
    nist: ""
    srg: SRG-APP-000163-AS-000111
    stigid: JBOS-AS-000290

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
    Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
    jboss-cli script. Connect to the server and authenticate.

    Obtain the list of management interfaces by running the command:
    ls /core-service=management/management-interface

    Identify the security realm used by each management interface configuration by running
    the command:
    ls /core-service=management/management-interface=MANAGEMENT-INTERFACE-NAME

    Determine if the security realm assigned to the management interface uses LDAP for
    authentication by running the command:
    ls /core-service=management/security-realm=SECURITY_REALM_NAME/authentication

    If the security realm assigned to the management interface does not utilize LDAP for
    authentication, this is a finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_management_network.rule
documentation_complete: true

title: 'Separate JBoss Management Network'

description: |-
    Refer to Section 4.9 of the JBoss EAP 6.3 Installation Guide for detailed instructions
    on how to start JBoss as a service.

    Use the following command line parameters to assign the management interface to a
    specific management network. These command line flags must be added both when starting
    JBoss as a service and when starting from the command line.

    Substitute your actual network addresses for the 10.x.x.x addresses used as an example
    below.

    For a standalone configuration:
    JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1

    For a managed domain configuration:
    JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1

    If a management network is not available, you may substitute localhost/127.0.0.1 for
    the management address. This will force you to manage the JBoss server from the local
    host.

rationale: |-
    JBoss provides multiple interfaces for accessing the system. By default, these are
    called public and management. Allowing non-management traffic to access the JBoss
    management interface increases the chances of a security compromise. The JBoss server
    must be configured to bind the management interface to a network that controls access.
    This is usually a network that has been designated as a management network and has
    restricted access. Similarly, the public interface must be bound to a network that is
    not on the same segment as the management interface.

severity: medium

identifiers:
    cce: 80476-5

references:
    disa: 778
    nist: ""
    srg: SRG-APP-000158-AS-000108
    stigid: JBOS-AS-000285

ocil_clause: 'it is not'

ocil: |-
    Obtain documentation and network drawings from the system admin that show the network
    interfaces on the JBoss server and the networks they are configured for. If a management
    network is not used, you may substitute localhost/127.0.0.1 for the management address.
    If localhost/127.0.0.1 is used for the management interface, this is not a finding.

    From the JBoss server open the web-based admin console by pointing a browser to
    http://127.0.0.1:9990. Log on to the management console with admin credentials. Select
    RUNTIME. Expand STATUS by clicking on +. Expand PLATFORM by clicking on +. In the
    Environment tab, click the > arrow until you see the jboss.bind.address and the
    jboss.bind.address.management values.

    If jboss.bind.address and jboss.bind.address.management do not have different IP
    network addresses assigned, this is a finding.

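Added example (not part of the SSG rule text or Red Hat's code): a POSIX shell check that the management and public bind addresses from the -bmanagement and -b flags above fall on different IPv4 networks, or that management is loopback, before the startup flags are emitted. The 10.x.x.x addresses and the /24 prefix length are assumptions taken from the rule's example; use your real subnet mask.

```shell
#!/bin/sh
# Added example, not SSG or Red Hat code: verify that the management and public bind
# addresses land on different IPv4 networks before starting EAP with -bmanagement / -b.

# Dotted-quad to 32-bit integer, POSIX sh only (no bash arrays).
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_network ADDR1 ADDR2 PREFIXLEN: 0 when both addresses share the /PREFIXLEN network.
same_network() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# management_separated MGMT PUBLIC PREFIXLEN: 0 when the layout satisfies JBOS-AS-000285,
# i.e. management is loopback (local-only administration, explicitly allowed) or the two
# addresses are on different networks; 1 when they share a segment.
management_separated() {
    case "$1" in
        127.*) return 0 ;;
    esac
    if same_network "$1" "$2" "$3"; then
        echo "FINDING: management $1 and public $2 share a /$3 network" >&2
        return 1
    fi
    return 0
}

# Build the bind flags for standalone.sh/domain.sh only after the check passes.
# Prefix length 24 is an assumption; pass your actual one as the third argument.
bind_flags() {
    management_separated "$1" "$2" "${3:-24}" || return 1
    echo "-bmanagement=$1 -b $2"
}

# Usage with the rule's example addresses (assumed):
#   "$JBOSS_HOME/bin/standalone.sh" $(bind_flags 10.2.2.1 10.1.1.1 24)
```

The check deliberately refuses to emit flags when the two addresses share a segment, since a shared segment defeats the point of a separate management network even if the addresses differ.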
    Review the network documentation. If access to the management IP address is not
    restricted, this is a finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_multifactor_authentication.rule
documentation_complete: true

title: 'Configure Multi-Factor Authentication'

description: |-
    Configure the application server to authenticate privileged users via
    multifactor/certificate-based authentication mechanisms when using network access to
    the management interface.

rationale: |-
    Multifactor authentication creates a layered defense and makes it more difficult for an
    unauthorized person to access the application server. If one factor is compromised or
    broken, the attacker still has at least one more barrier to breach before successfully
    breaking into the target. Unlike a simple username/password scenario where the attacker
    could gain access by knowing both the username and password without the user knowing
    his account was compromised, multifactor authentication adds the requirement that the
    attacker must have something from the user, such as a token, or biometrically be the
    user. Multifactor authentication is defined as using two or more factors to achieve
    authentication.

    Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user
    has (e.g., cryptographic identification device, token); or (iii) something a user is
    (e.g., biometric). A CAC or PKI Hardware Token meets this definition.

    A privileged account is defined as an information system account with authorizations
    of a privileged user. These accounts would be capable of accessing the web management
    interface.

    When accessing the application server via a network connection, administrative access
    to the application server must be PKI Hardware Token enabled or use a DoD-approved soft
    certificate.

severity: medium

identifiers:
    cce: 80474-0

references:
    disa: 765
    nist: ""
    srg: SRG-APP-000149-AS-000102
    stigid: JBOS-AS-000265

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
    Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
    jboss-cli script. Connect to the server and authenticate. Follow these steps:

    1. Identify the security realm assigned to the management interfaces by using the
    following command:

    For standalone systems:
    ls /core-service=management/management-interface=INTERFACE-NAME

    For managed domain systems:
    ls /host=master/core-service=management/management-interface=INTERFACE-NAME

    Document the name of the security-realm associated with each management interface.

    2. Review the security realm using the command:

    For standalone systems:
    ls /core-service=management/security-realm=SECURITY_REALM_NAME/authentication

    For managed domains:
    ls /host=master/core-service=management/security-realm=SECURITY_REALM_NAME/authentication

    If the command in step 2 does not return a security realm that uses certificates for
    authentication, this is a finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_offloading_max.rule
documentation_complete: true

title: 'Configure JBoss Log Off-Loading Frequency'

description: |-
    Configure the application server to off-load log records at least every seven days
    onto a different system or media from the system being logged.

rationale: |-
    JBoss logs by default are written to the local file system. A centralized logging
    solution like syslog should be used whenever possible; however, any log data stored to
    the file system needs to be off-loaded. JBoss EAP does not provide an automated backup
    capability. Instead, reliance is placed on OS or third-party tools to back up or
    off-load the log files.

    Protection of log data includes assuring log data is not accidentally lost or deleted.
    Off-loading log records to a different system or onto separate media from the system
    the application server is actually running on helps to assure that, in the event of a
    catastrophic system failure, the log records will be retained.

severity: medium

identifiers:
    cce: 80463-3

references:
    disa: 1348
    nist: ""
    srg: SRG-APP-000125-AS-000084
    stigid: JBOS-AS-000195

ocil_clause: 'it is not'

ocil: |-
    Interview the system admin and obtain details on how the log files are being off-loaded
    to a different system or media.

    If the log files are not off-loaded a minimum of every 7 days, this is a finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_ports.rule
documentation_complete: true

title: 'Configure JBoss Management and Application Ports'

description: |-
    Open the EAP web console by pointing a web browser to https://SERVERNAME:9443 or
    http://SERVERNAME:9990. Log on to the admin console using admin credentials. Select the
    Configuration tab. Expand the General Configuration subsystem by clicking on the +.
    Select Socket Binding. Select the View option next to standard-sockets. Select Inbound.

    Select the port that needs to be reconfigured and select Edit.

rationale: |-
    Some networking protocols may not meet organizational security requirements to protect
    data and components.

    Application servers natively host a number of various features, such as management
    interfaces, httpd servers and message queues. These features all run on TCP/IP ports.
    This creates the potential that the vendor may choose to utilize port numbers or
    network services that have been deemed unusable by the organization. The application
    server must have the capability to both reconfigure and disable the assigned ports
    without adversely impacting application server operation capabilities.

severity: medium

identifiers:
    cce: 80472-4

references:
    disa: 382
    nist: ""
    srg: SRG-APP-000142-AS-000014
    stigid: JBOS-AS-000255

ocil_clause: 'it is not'

ocil: |-
    Open the EAP web console by pointing a web browser to https://SERVERNAME:9443 or
    http://SERVERNAME:9990.

    Log on to the admin console using admin credentials. Select the Configuration tab.
    Expand the General Configuration subsystem by clicking on the +. Select Socket Binding.
    Select the View option next to standard-sockets. Select Inbound.

    Review the configured ports and determine if they are all approved by the PPSM CAL.

    If any of the ports are not approved by the PPSM CAL, this is a finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_secure_management_access.rule
documentation_complete: true

title: 'Enable HTTPS for Management Sessions'

description: |-
    Follow the specific instructions in the Red Hat Security Guide for EAP version 6.3 to
    configure the management console for HTTPS.

    This involves the following steps:
    1. Create a keystore in JKS format.
    2. Ensure the management console binds to HTTPS.
    3. Create a new security realm.
    4. Configure the management interface to use the new security realm.
    5. Configure the management console to use the keystore.
    6. Restart the EAP server.

rationale: |-
    Types of management interfaces utilized by the JBoss EAP application server include
    web-based HTTP interfaces as well as command line-based management interfaces. In the
    event remote HTTP management is required, the access must be via HTTPS.

    This requirement is in conjunction with the requirement to isolate all management
    access to a restricted network.

severity: medium

identifiers:
    cce: 80450-0

references:
    disa: 68
    nist: ""
    srg: SRG-APP-000014-AS-000009
    stigid: JBOS-AS-000010

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
    Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
    jboss-cli script. Connect to the server and authenticate.

    For a standalone configuration run the following command:
    ls /core-service=management/management-interface=http-interface

    If "secure-socket-binding"=undefined, this is a finding.

    For a domain configuration run the following command:
    ls /host=master/core-service=management/management-interface=http-interface

    If secure-port is undefined, this is a finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_security_manager.rule
documentation_complete: true

title: 'Enable the Java Security Manager'

description: |-
    For a domain installation: enable the respective JAVA_OPTS flags in both the
    domain.conf and the domain.conf.bat files.

    For a standalone installation: enable the respective JAVA_OPTS flags in both the
    standalone.conf and the standalone.conf.bat files.

rationale: |-
    The Java Security Manager is a Java class that manages the external boundary of the
    Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can
    interact with resources outside the JVM.

    The Java Security Manager uses a security policy to determine whether a given action
    will be permitted or denied.

    To protect the host system, the JBoss application server must be run within the Java
    Security Manager.

severity: high

identifiers:
    cce: 80453-4

references:
    disa: 213
    nist: ""
    srg: SRG-APP-000033-AS-000024
    stigid: JBOS-AS-000030

ocil_clause: 'it is not'

ocil: |-
    To determine if the Java Security Manager is enabled for JBoss, you must examine the
    startup commands. JBoss can be configured to run in either domain or standalone mode.
    JBOSS_HOME is the variable home directory for the JBoss installation. Use relevant OS
    commands to navigate the file system.

    A. For a managed domain installation, review the domain.conf and domain.conf.bat files:

    JBOSS_HOME/bin/domain.conf
    JBOSS_HOME/bin/domain.conf.bat

    In the domain.conf file, ensure there is a JAVA_OPTS flag that loads the Java Security
    Manager as well as a relevant Java Security policy. Note the double equals sign in
    -Djava.security.policy==: it makes the named policy file the only policy in effect,
    whereas a single equals sign appends it to the JDK's default policy. The following is
    an example:

    JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true"

    In the domain.conf.bat file, ensure the JAVA_OPTS flag is set. The following is an
    example:

    set JAVA_OPTS="%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true"

    B. For a standalone installation, review the standalone.conf and standalone.conf.bat
    files:

    JBOSS_HOME/bin/standalone.conf
    JBOSS_HOME/bin/standalone.conf.bat

    In the standalone.conf file, ensure the JAVA_OPTS flag is set. The following is an
    example:

    JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"

    In the standalone.conf.bat file, ensure the JAVA_OPTS flag is set. The following is an
    example:

    set JAVA_OPTS="%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME% -Djboss.modules.policy-permissions=true"

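Added example (not part of the SSG rule text or Red Hat's code): a POSIX shell check for the standalone.conf/domain.conf review above. It looks only at uncommented text, joins continuation lines so a multi-line JAVA_OPTS assignment is read as one string, and treats a policy given with a single equals sign as a finding because that form appends to the JDK default policy rather than replacing it. The conf fragments it writes are constructed for demonstration; the audit function assumes $JBOSS_HOME.

```shell
#!/bin/sh
# Added example, not SSG or Red Hat code: check standalone.conf/domain.conf for a
# JAVA_OPTS line that enables the Java Security Manager with a replacement policy file.

# security_manager_enabled CONF: 0 when the active (uncommented) JAVA_OPTS text carries
# -Djava.security.manager and -Djava.security.policy==FILE; 1 otherwise, reason on stdout.
security_manager_enabled() {
    opts=$(grep -v '^[[:space:]]*#' "$1" | tr '\n' ' ')
    case "$opts" in
        *-Djava.security.manager*) ;;
        *) echo "FINDING: -Djava.security.manager not set in $1"; return 1 ;;
    esac
    case "$opts" in
        *-Djava.security.policy==*) return 0 ;;
        *-Djava.security.policy=*)
            # Single '=' appends to the JDK default policy instead of replacing it, so
            # the JDK's permissive defaults still apply to the server.
            echo "FINDING: policy given with '=' (appends), expected '==' (replaces) in $1"
            return 1 ;;
        *) echo "FINDING: no -Djava.security.policy file in $1"; return 1 ;;
    esac
}

# write_sample_conf PATH enabled|append|disabled: constructed conf fragments.
# "enabled" mirrors the compliant example in the rule (split over two lines),
# "append" uses a single '=', "disabled" leaves the flag commented out.
write_sample_conf() {
    case "$2" in
        enabled)  printf '%s\n' \
            'JAVA_OPTS="$JAVA_OPTS -Xms1303m -Xmx1303m"' \
            'JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$JBOSS_HOME/bin/server.policy' \
            '    -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"' >"$1" ;;
        append)   printf '%s\n' \
            'JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$JBOSS_HOME/bin/server.policy"' >"$1" ;;
        *)        printf '%s\n' \
            'JAVA_OPTS="$JAVA_OPTS -Xms1303m -Xmx1303m"' \
            '#JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$JBOSS_HOME/bin/server.policy"' >"$1" ;;
    esac
}

# Audit a real installation: whichever of the two Unix conf files are present.
audit_install() {
    rc=0
    for f in "${JBOSS_HOME:?JBOSS_HOME must be set}/bin/standalone.conf" "$JBOSS_HOME/bin/domain.conf"; do
        if [ -r "$f" ]; then
            security_manager_enabled "$f" || rc=1
        fi
    done
    return $rc
}
```

The .bat files use the same flags, so the same string matching applies to them once the `set JAVA_OPTS=` lines are read.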
    If the security manager is not enabled and a security policy not defined, this is a
    finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_security_realm.rule
documentation_complete: true

title: 'Secure the JBoss Management Interfaces'

description: |-
    Identify the security realm used for management of the system. By default, this is
    called ManagementRealm.

    If a management security realm is not already available, reference the JBoss EAP 6.3
    system administration guide for instructions on how to create a security realm for
    management purposes. Create the management realm, and assign authentication and
    authorization access restrictions to the management realm.

    Assign the management interfaces to the management realm.

rationale: |-
    JBoss utilizes the concept of security realms to secure the management interfaces used
    for JBoss server administration. If the security-realm attribute is omitted or removed
    from the management interface definition, access to that interface is no longer secure.
    The JBoss management interfaces must be secured.

severity: high

identifiers:
    cce: 80458-3

references:
    disa: 213
    nist: ""
    srg: SRG-APP-000033-AS-000024
    stigid: JBOS-AS-000075

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
    Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
    jboss-cli script. Connect to the server and authenticate. Identify the management
    interfaces by running the following command:

    For standalone servers:
    ls /core-service=management/management-interface=

    For managed domain installations:
    ls /host=HOST_NAME/core-service=management/management-interface=

    By default, JBoss provides two management interfaces; they are named native-interface
    and http-interface. The system may or may not have both interfaces enabled. For each
    management interface listed as a result of the previous command, append the name of the
    management interface to the end of the following command.

    For a standalone system:
    ls /core-service=management/management-interface=<MANAGEMENT INTERFACE NAME>

    For a managed domain:
    ls /host=HOST_NAME/core-service=management/management-interface=<MANAGEMENT INTERFACE NAME>

    If the security-realm= attribute is not associated with a management realm, this is a
    finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_syslog.rule
documentation_complete: true

title: 'Enable Logging to syslog'

description: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
    Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
    jboss-cli script. Connect to the server and authenticate. Run the command:

    Standalone configuration:
    ls /subsystem=logging/syslog-handler=

    Domain configuration:
    ls /profile=default/subsystem=logging/syslog-handler=

    If no values are returned, no syslog handler is configured: add one in the logging
    subsystem and attach it to the ROOT logger so that log records are forwarded to the
    central syslog server.

rationale: |-
    Information system logging capability is critical for accurate forensic analysis. Log
    record content that may be necessary to satisfy the requirement of this control
    includes, but is not limited to, time stamps, source and destination IP addresses,
    user/process identifiers, event descriptions, application-specific events, success/fail
    indications, filenames involved, and access control or flow control rules invoked.

    Off-loading is a common process in information systems with limited log storage
    capacity.

    Centralized management of log records provides for efficiency in maintenance and
    management of records, as well as the backup and archiving of those records.
    Application servers and their related components are required to off-load log records
    onto a different system or media than the system being logged.

severity: medium

identifiers:
    cce: 80488-0

references:
    disa: 1851
    nist: ""
    srg: SRG-APP-000358-AS-000064
    stigid: JBOS-AS-000505

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
    Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
    jboss-cli script. Connect to the server and authenticate. Run the command:

    Standalone configuration:
    ls /subsystem=logging/syslog-handler=

    Domain configuration:
    ls /profile=PROFILE_NAME/subsystem=logging/syslog-handler=
    where PROFILE_NAME is each application server profile in use: default, full, full-ha
    or ha.

    If no values are returned, this is a finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_user_permissions.rule
documentation_complete: true

title: 'Configure mgmt-users.properties File Permissions'

description: |-
    Configure the file permissions to allow access to authorized users only.
    Owner can be full access. Group can be full access.
    All others must have execute permissions only.

rationale: |-
    The mgmt-users.properties file contains the password hashes of all users who are in a
    management role and must be protected. Application servers have the ability to specify
    that the hosted applications utilize shared libraries. The application server must have
    a capability to divide roles based upon duties wherein one project user (such as a
    developer) cannot modify the shared library code of another project user. The
    application server must also be able to specify that non-privileged users cannot modify
    any shared library code at all.

severity: medium

identifiers:
    cce: 80464-1

references:
    disa: 1499
    nist: ""
    srg: SRG-APP-000133-AS-000092
    stigid: JBOS-AS-000210

ocil_clause: 'it is not'

ocil: |-
    The mgmt-users.properties files are located in the standalone or domain configuration
    folder:

    <JBOSS_HOME>/domain/configuration/mgmt-users.properties
    <JBOSS_HOME>/standalone/configuration/mgmt-users.properties

    Identify users who have access to the files using relevant OS commands.

    Obtain documentation from the system admin identifying authorized users.

    Owner can be full access. Group can be full access. All others must have execute
    permissions only.

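Added example (not part of the SSG rule text or Red Hat's code): a POSIX shell check that implements the permission rule above, failing whenever the "other" class holds a read or write bit on mgmt-users.properties (execute alone is tolerated, as the rule states). It reads the bits from ls -ld so it needs no GNU stat; the audit function assumes $JBOSS_HOME and the two standard file locations.

```shell
#!/bin/sh
# Added example, not SSG or Red Hat code: check mgmt-users.properties permission bits
# against the rule (owner/group may have full access; "other" may at most have execute).

# other_perms FILE: the three "other" permission characters from ls -ld, e.g. "r--".
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# mgmt_users_perms_ok FILE: 0 when others hold no read or write bit, 1 otherwise.
# World-readable is the case that matters: the file holds management password hashes.
mgmt_users_perms_ok() {
    o=$(other_perms "$1")
    case "$o" in
        *r*|*w*)
            echo "FINDING: $1 is readable or writable by others (other=$o)"
            return 1 ;;
    esac
    return 0
}

# Audit both possible locations under JBOSS_HOME; a missing file is skipped, not a
# finding, because only one mode (standalone or domain) is normally in use.
audit_mgmt_users() {
    home=${JBOSS_HOME:?JBOSS_HOME must be set}
    rc=0
    for f in "$home/domain/configuration/mgmt-users.properties" \
             "$home/standalone/configuration/mgmt-users.properties"; do
        [ -e "$f" ] || continue
        ls -l "$f"      # record owner and group for the authorized-user review
        mgmt_users_perms_ok "$f" || rc=1
    done
    return $rc
}
```

Owner and group are printed rather than judged, because which accounts are authorized comes from the system admin's documentation, not from the file.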
    If the file permissions are not configured so as to restrict access to only authorized
    users, or if documentation that identifies authorized users is missing, this is a
    finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_configure_user_roles.rule
documentation_complete: true

title: 'Configure JBoss User Roles'

description: |-
    Document approved management users and their roles. Configure the application server to
    use RBAC and ensure users are placed into the appropriate roles.

rationale: |-
    Security realms are a series of mappings between users and passwords and users and
    roles. There are 2 JBoss security realms provided by default; they are ManagementRealm
    and ApplicationRealm.

    ManagementRealm stores authentication information for the management API, which
    provides functionality for the web-based management console and the management command
    line interface (CLI).

    mgmt-groups.properties stores user-to-group mapping for the ManagementRealm, but only
    when role-based access control (RBAC) is enabled. If management users are not in the
    appropriate role, unauthorized access to JBoss resources can occur.

severity: medium

identifiers:
    cce: 80455-9

references:
    disa: 213
    nist: ""
    srg: SRG-APP-000033-AS-000024
    stigid: JBOS-AS-000040

ocil_clause: 'it is not'

ocil: |-
    Review the mgmt-users.properties file. Also review the <management /> section in the
    standalone.xml or domain configuration files. The relevant XML file will depend on
    whether the JBoss server is configured in standalone or domain mode (in domain mode the
    security realms and management interfaces are in host.xml, and the role mappings in
    domain.xml). Ensure all users listed in these files are approved for management access
    to the JBoss server and are in the appropriate role.

    For domain configurations:
    <JBOSS_HOME>/domain/configuration/mgmt-users.properties
    <JBOSS_HOME>/domain/configuration/host.xml
    <JBOSS_HOME>/domain/configuration/domain.xml

    For standalone configurations:
    <JBOSS_HOME>/standalone/configuration/mgmt-users.properties
    <JBOSS_HOME>/standalone/configuration/standalone.xml

    If the users listed are not in the appropriate role, this is a finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_disable_analytics.rule
documentation_complete: true

title: 'Disable Google Analytics'

description: |-
    Using the EAP web console, log on using admin credentials. On the bottom right-hand
    side of the screen, select Settings, uncheck the Enable Data Usage Collection box, and
    save the configuration.

rationale: |-
    The Google Analytics feature aims to help the Red Hat EAP team understand how customers
    are using the console and which parts of the console matter the most to the customers.
    This information will, in turn, help the team to adapt the console design, features,
    and content to the immediate needs of the customers. Sending analytical data to the
    vendor introduces a risk of unauthorized data exfiltration. This capability must be
    disabled.

severity: medium

identifiers:
    cce: 80466-6

references:
    disa: 381
    nist: ""
    srg: SRG-APP-000141-AS-000095
    stigid: JBOS-AS-000225

ocil_clause: 'it is not'

ocil: |-
    Open the EAP web console by pointing a web browser to https://SERVERNAME:9443 or
    http://SERVERNAME:9990.

    Log on to the admin console using admin credentials. On the bottom right-hand side of
    the screen, select Settings. If the Enable Data Usage Collection box is checked, this
    is a finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_disable_automatic_deployment.rule
documentation_complete: true

title: 'Disable Automatic Deployment'

description: |-
    Launch the jboss-cli management interface from the <JBOSS_HOME>/bin/ folder:

    <JBOSS_HOME>/bin/jboss-cli.sh

    Connect to the server and run the command:
    /subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value=false)

    The deployment-scanner subsystem exists only in standalone mode; a managed domain
    deploys content through the domain controller and has no filesystem scanner to disable.

rationale: |-
    When dealing with access restrictions pertaining to change control, it should be noted
    that any changes to the software and/or application server configuration can
    potentially have significant effects on the overall security of the system.

    Access restrictions for changes also include application software libraries.

    If the application server provides automatic code deployment capability (where updates
    to applications hosted on the application server are automatically performed, usually
    by the developers' IDE tool), it must also provide a capability to restrict the use of
    automatic application deployment. Automatic code deployments are allowable in a
    development environment, but not in production.

severity: medium

identifiers:
    cce: 80489-8

references:
    disa: 1813
    nist: ""
    srg: SRG-APP-000380-AS-000088
    stigid: JBOS-AS-000545

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
    Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
    jboss-cli script. Connect to the server and authenticate. Run the command:

    ls /subsystem=deployment-scanner/scanner=default

    If "scan-enabled"=true, this is a finding.

# scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_disable_domain_admin_console.rule
documentation_complete: true

title: 'Disable Network Access to the Admin Console'

description: |-
    Run the <JBOSS_HOME>/bin/jboss-cli command line interface utility. Connect to the JBoss
    server and run the following command:
    /core-service=management/management-interface=http-interface:write-attribute(name=console-enabled,value=false)

    Successful command execution returns {"outcome" => "success"}, and future attempts to
    access the management console via web browser at SERVERNAME:9990 will result in no
    access to the admin console.

rationale: |-
    When configuring JBoss application servers into a domain configuration, HTTP management
    capabilities are not required on domain member servers as management is done via the
    server that has been designated as the domain controller. Leaving HTTP management
    capabilities enabled on domain member servers increases the attack surface; therefore,
    management services on domain member servers must be disabled and management services
    performed via the domain controller.

severity: medium

identifiers:
    cce: 80486-4

references:
    disa: 2322
    nist: ""
    srg: SRG-APP-000316-AS-000199
    stigid: JBOS-AS-000470

ocil_clause: 'it is not'

ocil: |-
    Log on to each of the JBoss domain member servers.

    Note: Sites that manage systems using the JBoss Operations Network client require HTTP
    interface access. It is acceptable that the management console alone be disabled rather
    than disabling the entire interface itself.

    Run the <JBOSS_HOME>/bin/jboss-cli command line interface utility and connect to the
    JBoss server. Run the following command:
    ls /core-service=management/management-interface=http-interface/

If
console-enabled=true
, this is a finding. scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_disable_replace_welcome_page.rule000066400000000000000000000032031327242345500310050ustar00rootroot00000000000000documentation_complete: true title: 'Disable or Replace the JBoss Welcome Page' description: |- Use the Management CLI script
$JBOSS_HOME/bin/jboss-cli.sh
to run the following command. You may need to change the profile to modify a different managed domain profile, or remove the
/profile=default
portion of the command for a standalone server.

/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value.)


To configure your web application to use the root context (/) as its URL address, modify the applications jboss-web.xml, which is located in the applications META-INF/ or WEB-INF/ directory. Replace its <context-root> directive with one that looks like the following:

    
        /
    
    
rationale: |- The Welcome to JBoss web page provides a redirect to the JBoss admin console, which, by default, runs on TCP 9990 as well as redirects to the Online User Guide and Online User Groups hosted at locations on the Internet. The welcome page is unnecessary and should be disabled or replaced with a valid web page. severity: low identifiers: cce: 80470-8 references: disa: 381 nist: "" srg: SRG-APP-000141-AS-000095 stigid: JBOS-AS-000245 ocil_clause: 'it is not' ocil: |- Use a web browser and browse to
http://JBOSS_SERVER_IP_ADDRESS:8080


If the JBoss Welcome page is displayed, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_enable_rbac.rule ----
documentation_complete: true

title: 'Enable Role Based Access Control (RBAC)'

description: |-
Run the following commands from the Management CLI.
<JBOSS_HOME>/bin/jboss-cli.sh -c
connect
cd /core-service=management/access=authorization
:write-attribute(name=provider,value=rbac)


Restart JBoss.

Map users to roles by running the following command. Upper-case words are variables.

/core-service=management/access=authorization/role-mapping=ROLENAME/include=ALIAS:add(name=USERNAME, type=USER)

Use type=GROUP instead of type=USER to map a group rather than a single user.
rationale: |-
By default, the JBoss server is not configured to utilize role based access controls (RBAC). RBAC provides the capability to restrict user access to their designated management role, thereby limiting access to only the JBoss functionality that they are supposed to have. Without RBAC, the JBoss server is not able to enforce authorized access according to role.

severity: high

identifiers:
    cce: 80454-2

references:
    disa: 213,2235
    nist: ""
    srg: SRG-APP-000033-AS-000024,SRG-APP-000340-AS-000185
    stigid: JBOS-AS-000035

ocil_clause: 'it is not'

ocil: |-
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the
<JBOSS_HOME>/bin/
folder. Run the jboss-cli script. Connect to the server and authenticate.

Run the following command:

For standalone servers:
ls /core-service=management/access=authorization/


For managed domain installations:
ls /host=master/core-service=management/access=authorization/


If the provider attribute is not set to rbac, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_encrypt_keystore_passwords.rule ----
documentation_complete: true

title: 'Encrypt JBoss Keystore Passwords'

description: |-
Configure the application server to mask the java keystore password as per the procedure described in section 11.13.3 - Password Vault System in the JBoss_Enterprise_Application_Platform-6.3 - Administration_and_Configuration_Guide-en-US document.

rationale: |-
Access to the JBoss Password Vault must be secured, and the password used to access it must be encrypted. There is a specific process used to generate the encrypted password hash. This process must be followed in order to store the password in an encrypted format.

The admin must utilize this process in order to ensure the Keystore password is encrypted.

severity: medium

identifiers:
    cce: 80479-9

references:
    disa: 196
    nist: ""
    srg: SRG-APP-000171-AS-000119
    stigid: JBOS-AS-000300

ocil_clause: 'it is not'

ocil: |-
The default location for the keystore used by the JBoss vault is the <JBOSS_HOME>/vault/ folder.

If a vault keystore has been created, by default it will be in the file: <JBOSS_HOME>/vault/vault.keystore. The file stores a single key, with the default alias vault, which will be used to store encrypted strings, such as passwords, for JBoss EAP.

Have the system admin provide the procedure used to encrypt the keystore password that unlocks the keystore.

If the system administrator is unable to demonstrate or provide written process documentation on how to encrypt the keystore password, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_file_permissions.rule ----
documentation_complete: true

title: 'Configure JBoss Application File Permissions'

description: |-
Configure file permissions on the JBoss folder to protect from unauthorized access.

rationale: |-
The JBoss EAP Application Server is a Java-based AS. It is installed on the OS file system and depends upon file system access controls to protect application data at rest. The file permissions set on the JBoss EAP home folder must be configured so as to limit access to only authorized people and processes. The account used for operating the JBoss server and any designated administrative or operational accounts are the only accounts that should have access.

When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. Steps must be taken to ensure data stored on the device is protected.

severity: medium

identifiers:
    cce: 80484-9

references:
    disa: 1199
    nist: ""
    srg: SRG-APP-000231-AS-000133
    stigid: JBOS-AS-000400

ocil_clause: 'it is not'

ocil: |-
By default, JBoss installs its files into a folder called jboss-eap-6.3. This folder by default is stored within the home folder of the JBoss user account. The installation process, however, allows the default values to be overridden, so obtain the actual folder and user account information from the system admin.

Log on with a user account with JBoss access and permissions.

Navigate to the jboss-eap-6.3 folder using the relevant OS commands for either a UNIX-like OS or a Windows OS.

Examine the permissions of the JBoss folder.

Owner can be full access. Group can be full access. All others must be restricted to execute access or no permission.

If the JBoss folder is world readable or world writeable, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_log_deployments.rule ----
documentation_complete: true

title: 'Log Application Deployments'

description: |-
Launch the jboss-cli management interface from the <JBOSS_HOME>/bin/ folder (the CLI is installed there for both standalone and domain installations):

<JBOSS_HOME>/bin/jboss-cli


Connect to the server and run the following command:

/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
rationale: |-
Without logging the enforcement of access restrictions against changes to the application server configuration, it will be difficult to identify attempted attacks, and a log trail will not be available for forensic investigation of after-the-fact actions. Configuration changes may occur to any of the modules within the application server through the management interface, but logging of actions to the configuration of a module outside the application server is not logged.

Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Log items may consist of lists of actions blocked by access restrictions or changes identified after the fact.

severity: medium

identifiers:
    cce: 80490-6

references:
    disa: 1814
    nist: ""
    srg: SRG-APP-000381-AS-000089
    stigid: JBOS-AS-000550

ocil_clause: 'it is not'

ocil: |-
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
jboss-cli
script. Connect to the server and authenticate. Run the command:

ls /core-service=management/access=audit/logger=audit-log


If
enabled=false
, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_logs_permissions.rule ----
documentation_complete: true

title: 'Configure JBoss Log Directory Permissions'

description: |-
Configure file permissions on the JBoss log folder to protect from unauthorized access.

rationale: |-
If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.

severity: medium

identifiers:
    cce: 80485-6

references:
    disa: 1314
    nist: ""
    srg: SRG-APP-000267-AS-000170
    stigid: JBOS-AS-000425

ocil_clause: 'it is not'

ocil: |-
If the JBoss log folder is installed in the default location and AS-000133-JBOSS-00079 (the JBoss application file permissions check, JBOS-AS-000400) is not a finding, the log folders are protected and this requirement is not a finding.

By default, JBoss installs its log files into a sub-folder of the
jboss-eap-6.3
home folder. Using a UNIX-like OS example, the default location for log files is:

    JBOSS_HOME/standalone/log
    JBOSS_HOME/domain/log
    


For a standalone configuration:
    JBOSS_HOME/standalone/log/server.log - Contains all server log messages, including server startup messages.

For a domain configuration:
    JBOSS_HOME/domain/log/host-controller.log - Host Controller boot log. Contains log messages related to the startup of the host controller.
    JBOSS_HOME/domain/log/process-controller.log - Process controller boot log. Contains log messages related to the startup of the process controller.
    JBOSS_HOME/domain/servers/SERVERNAME/log/server.log - The server log for the named server. Contains all log messages for that server, including server startup messages.

Log on with an OS user account with JBoss access and permissions. Navigate to the jboss-eap-6.3 folder using the relevant OS commands for either a UNIX-like OS or a Windows OS.

Examine the permissions of the JBoss logs folders.

Owner can be full access. Group can be full access. All others must be restricted.

If the JBoss log folder is world readable or world writeable, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_remove_group_accounts.rule ----
documentation_complete: true

title: 'Remove JBoss Group Account Access'

description: |-
Configure the application server so required users are individually authenticated by creating individual user accounts. Utilize an LDAP server that is configured according to DOD policy.

rationale: |-
To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and authenticated.

A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users.

Application servers must ensure that individual users are authenticated prior to authenticating via role or group authentication. This is to ensure that there is non-repudiation for actions taken.

severity: medium

identifiers:
    cce: 80475-7

references:
    disa: 770
    nist: ""
    srg: SRG-APP-000153-AS-000104
    stigid: JBOS-AS-000275

ocil_clause: 'it is not'

ocil: |-
If the application server management interface is configured to use LDAP authentication, this requirement is NA.

Determine the mode in which the JBoss server is operating by authenticating to the OS, changing to the <JBOSS_HOME>/bin/ folder and executing the
jboss-cli
script. Connect to the server and authenticate. Run the command:
ls
and examine the launch-type setting.

User account information is stored in the following files for a JBoss server configured in standalone mode. The command line flags passed to the standalone startup script determine the standalone operating mode:
    <JBOSS_HOME>/standalone/configuration/standalone.xml
    <JBOSS_HOME>/standalone/configuration/standalone-full.xml
    <JBOSS_HOME>/standalone/configuration/standalone-full-ha.xml
    <JBOSS_HOME>/standalone/configuration/standalone-ha.xml



For a Managed Domain:
    <JBOSS_HOME>/domain/configuration/domain.xml
    


Review the standalone or domain configuration files for generic or shared user accounts.

Open each xml file with a text editor and locate the <management-interfaces> section. Review the
<user name = "xxxxx">
sub-section, where
xxxxx
will be a user name. Accounts of the file-based ManagementRealm are kept outside the XML, in <JBOSS_HOME>/standalone/configuration/mgmt-users.properties or <JBOSS_HOME>/domain/configuration/mgmt-users.properties; review that file as well.

Have the system administrator identify the user of each user account.

If user accounts are not assigned to individual users, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_remove_jmx.rule ----
documentation_complete: true

title: 'Remove the JMX Subsystem'

description: |-
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
jboss-cli
script to start the Command Line Interface (CLI). Connect to the server and authenticate.

For a Managed Domain configuration you must check each profile name:

For each PROFILE NAME, run the command:
/profile=PROFILE NAME/subsystem=jmx/remoting-connector=jmx:remove
For a Standalone configuration:
/subsystem=jmx/remoting-connector=jmx:remove
rationale: |-
The JMX subsystem allows you to trigger JDK and application management operations remotely. In a managed domain configuration, the JMX subsystem is removed by default. For a standalone configuration, it is enabled by default and must be removed.

severity: medium

identifiers:
    cce: 80469-0

references:
    disa: 381
    nist: ""
    srg: SRG-APP-000141-AS-000095
    stigid: JBOS-AS-000240

ocil_clause: 'it is not'

ocil: |-
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
jboss-cli
script to start the Command Line Interface (CLI). Connect to the server and authenticate.

For a Managed Domain configuration, you must check each profile name:

For each PROFILE NAME, run the command:
ls /profile=PROFILE NAME/subsystem=jmx/remoting-connector


For a Standalone configuration:
ls /subsystem=jmx/remoting-connector


If jmx is returned, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_remove_quickstarts.rule ----
documentation_complete: true

title: 'Remove JBoss Quickstarts'

description: 'Delete the QuickStarts folder.'

rationale: |-
JBoss QuickStarts are demo applications that can be deployed quickly. Demo applications are not written with security in mind and often open new attack vectors. QuickStarts must be removed.

severity: medium

identifiers:
    cce: 80468-2

references:
    disa: 381
    nist: ""
    srg: SRG-APP-000141-AS-000095
    stigid: JBOS-AS-000235

ocil_clause: 'it is not'

ocil: |-
Examine the <JBOSS_HOME> folder. If a jboss-eap-6.3.0-GA-quickstarts folder exists, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps.rule ----
documentation_complete: true

title: 'Remove Unnecessary Applications'

description: |-
Identify, authorize, and document all applications that are deployed to the application server. Remove unauthorized applications.

rationale: |-
Extraneous services and applications running on an application server expand the attack surface and increase risk to the application server. Securing any server involves identifying and removing any unnecessary services and, in the case of an application server, unnecessary and/or unapproved applications.

severity: medium

identifiers:
    cce: 80471-6

references:
    disa: 381
    nist: ""
    srg: SRG-APP-000141-AS-000095
    stigid: JBOS-AS-000250

ocil_clause: 'it is not'

ocil: |-
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
jboss-cli
script. Connect to the server and authenticate. Run the command:

ls /deployment


The list of deployed applications is displayed. Have the system admin identify the applications listed and confirm they are approved applications.

If the system admin cannot provide documentation proving their authorization for deployed applications, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_require_password_access.rule ----
documentation_complete: true

title: 'Require Password Authentication'

description: |-
Configure the LDAP Security Realm with allow-empty-passwords set to false (the default). LDAP Security Realm creation is described in section 11.9 - Add an LDAP Security Realm in the JBoss_Enterprise_Application_Platform-6.3 - Administration_and_Configuration_Guide-en-US document.

rationale: |-
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Application servers have the capability to utilize either certificates (tokens) or user IDs and passwords in order to authenticate. When the application server transmits or receives passwords, the passwords must be encrypted.

severity: medium

identifiers:
    cce: 80480-7

references:
    disa: 197
    nist: ""
    srg: SRG-APP-000172-AS-000120
    stigid: JBOS-AS-000305

ocil_clause: 'it is not'

ocil: |-
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
jboss-cli
script. Connect to the server and authenticate. Run the command:

ls /core-service=management/security-realm=ldap_security_realm/authentication=ldap


If
allow-empty-passwords=true
, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_restrict_jboss_account.rule ----
documentation_complete: true

title: 'Restrict the JBoss Account'

description: |-
Use the relevant OS commands to restrict the JBoss user account from interactively logging on to the console of the JBoss system.

For Windows systems, use GPO. For UNIX-like systems, add the account to the DenyUsers directive in sshd_config, give it a non-interactive login shell, or follow the established procedure for restricting access.

rationale: |-
JBoss does not require admin rights to operate and should be run as a regular user. In addition, if the user account were to be compromised and the account was allowed interactive logon rights, this would increase the risk and attack surface against the JBoss system. The right to interactively log on to the system using the JBoss account should be limited according to the OS capabilities.

severity: high

identifiers:
    cce: 80465-8

references:
    disa: 381
    nist: ""
    srg: SRG-APP-000141-AS-000095
    stigid: JBOS-AS-000220

ocil_clause: 'it is not'

ocil: |-
Identify the user account used to run the JBoss server. Use relevant OS commands to determine logon rights to the system. This account should not have full shell/interactive access to the system.

If the user account used to operate JBoss can log on interactively, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs.rule ----
documentation_complete: true

title: 'Roll Over and Transfer JBoss Logs'

description: |-
Open the web-based management interface by opening a browser and pointing it to https://EAP_SERVER:9990/

Authenticate as a user with Admin rights. Navigate to the Configuration tab. Expand + Subsystems. Expand + Core. Select Logging. Select the Handler tab. Select Periodic.

If a periodic file handler does not exist, reference the JBoss admin guide for instructions on how to create a file handler that will rotate logs on a daily basis. Create scripts that package and off-load log data at least weekly.

rationale: |-
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can track and understand what may have occurred. Off-loading should be set up as a scheduled task but can be configured to be run manually, if other processes during the off-loading are manual.

Off-loading is a common process in information systems with limited log storage capacity.

severity: medium

identifiers:
    cce: 80498-9

references:
    disa: 1851
    nist: ""
    srg: SRG-APP-000515-AS-000203
    stigid: JBOS-AS-000735

ocil_clause: 'it is not'

ocil: |-
If the JBoss server is configured to use a Syslog Handler, this is not a finding.

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
jboss-cli
script. Connect to the server and authenticate.

Determine if there is a periodic rotating file handler.

For a domain configuration run the following command; where SERVERNAME is a variable for all of the servers in the domain. Usually server-one, server-two, etc.:

ls /host=master/server=SERVERNAME/subsystem=logging/periodic-rotating-file-handler=


For a standalone configuration run the command:
ls /subsystem=logging/periodic-rotating-file-handler=


If the command does not return FILE, this is a finding.

Review the <JBOSS_HOME>/standalone/log folder for the existence of rotated logs, and ask the admin to demonstrate how rotated logs are packaged and transferred to another system on at least a weekly basis.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_secure_keystore_permissions.rule ----
documentation_complete: true

title: 'Restrict Access to the JBoss Keystore'

description: |-
Configure the application server OS file permissions on the corresponding private key to restrict access to authorized accounts or roles.

rationale: |-
The cornerstone of the PKI is the private key used to encrypt or digitally sign information.

If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and can pretend to be the authorized user.

Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. Java-based application servers utilize the Java keystore, which provides storage for cryptographic keys and certificates. The keystore is usually maintained in a file stored on the file system.

severity: medium

identifiers:
    cce: 80482-3

references:
    disa: 186
    nist: ""
    srg: SRG-APP-000176-AS-000125
    stigid: JBOS-AS-000320

ocil_clause: 'it is not'

ocil: |-
The default location for the keystore used by the JBoss vault is the <JBOSS_HOME>/vault/ folder.

If a vault keystore has been created, by default it will be in the file: <JBOSS_HOME>/vault/vault.keystore. The file stores a single key, with the default alias vault, which will be used to store encrypted strings, such as passwords, for JBoss EAP.

Browse to the JBoss vault folder using the relevant OS commands. Review the file permissions and ensure only system administrators and JBoss users are allowed access.

Owner can be full access. Group can be full access. All others must be restricted to execute access or no permission.

If non-system administrators are allowed to access the <JBOSS_HOME>/vault/ folder, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_service_separate_networks.rule ----
documentation_complete: true

title: 'Use Separate Management and Application Networks'

description: |-
Start the application server with a -bmanagement and a -b flag so that admin management functionality and hosted applications are separated.

Refer to section 4.9 in the JBoss EAP 6.3 Installation Guide for specific instructions on how to start the JBoss server as a service.

rationale: |-
The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user to the management interface before being presented with management functionality. This prevents non-privileged users from having visibility to functions not available to the user. By limiting visibility, a compromised non-privileged account does not offer information to the attacker or functionality and information needed to further the attack on the application server.

JBoss is designed to operate with separate application and management interfaces. The JBoss server is started via a script. To start the JBoss server in domain mode, the admin will execute the /bin/domain.sh or domain.bat script.

To start the JBoss server in standalone mode, the admin will execute /bin/standalone.bat or standalone.sh.

Command line flags are used to specify which network address is used for management and which address is used for public/application access.

severity: medium

identifiers:
    cce: 80483-1

references:
    disa: 1082
    nist: ""
    srg: SRG-APP-000211-AS-000146
    stigid: JBOS-AS-000355

ocil_clause: 'it is not'

ocil: |-
If JBoss is not started with separate management and public interfaces, this is a finding.

Review the network design documents to identify the IP address space for the management network.

Use relevant OS commands and administrative techniques to determine how the system administrator starts the JBoss server. This includes interviewing the system admin, using the
ps -ef|grep
command for UNIX like systems or checking command line flags and properties on batch scripts for Windows systems.

Ensure the startup syntax used to start JBoss specifies a management network address and a public network address.

The -b flag specifies the public address space. The -bmanagement flag specifies the management address space.

Example:
    <JBOSS_HOME>/bin/standalone.sh -bmanagement 10.10.10.35 -b 192.168.10.25
    


If JBoss is not started with separate management and public interfaces, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_system_up_to_date.rule ----
documentation_complete: true

title: 'JBoss System Is Patched'

description: |-
Configure the operating system and the application server to use a patch management system or process that ensures security-relevant updates are installed within the time period directed by the ISSM.

rationale: |-
The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus on unpatched systems. It is critical that support be obtained and made available.

severity: high

identifiers:
    cce: 80496-3

references:
    disa: 2605
    nist: ""
    srg: SRG-APP-000456-AS-000266
    stigid: JBOS-AS-000685

ocil_clause: 'it is not'

ocil: |-
Interview the system admin and obtain details on their patch management processes as they relate to the OS and the Application Server.

If there is no active, documented patch management process in use for these components, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_unprivileged_mode.rule ----
documentation_complete: true

title: 'Restrict JBoss Account'

description: 'Run the JBoss server with non-admin rights.'

rationale: |-
The JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate. If the server is compromised, the attacker will have the same rights as the application server, which in that case would be admin rights. The JBoss EAP server must not be run as the admin user.

severity: high

identifiers:
    cce: 80467-4

references:
    disa: 381
    nist: ""
    srg: SRG-APP-000141-AS-000095
    stigid: JBOS-AS-000230

ocil_clause: 'it is not'

ocil: |-
The script that is used to start JBoss determines the mode in which JBoss will operate, either standalone mode or domain mode. Both scripts are installed by default in the <JBOSS_HOME>/bin/ folder.

In addition to running the JBoss server as an interactive script launched from the command line, JBoss can also be started as a service.

The scripts used to start JBoss are:

Red Hat:
    standalone.sh
    domain.sh

Windows:
    standalone.bat
    domain.bat

Use the relevant OS commands to determine JBoss ownership.

When running as a process:

Red Hat:
ps -ef|grep -i jboss

Windows:
services.msc
Search for the JBoss process, which by default is named JBOSSEAP6.

If the user account used to launch the JBoss script or start the JBoss process has admin rights on the system, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_use_approved_ca_cert.rule ----
documentation_complete: true

title: 'Use Approved DoD Certificate Authorities'

description: |-
Locate the cacerts file for the JVM. This can be done using the appropriate find command for the OS; then change to the directory where the cacerts file is located.

Remove the certificates that have a CA that is not DoD-approved, and import DoD CA-approved certificates.

rationale: |-
Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.

The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. The application server must only allow the use of DoD PKI-established certificate authorities for verification.

severity: medium

identifiers:
    cce: 80491-4

references:
    disa: 2470
    nist: ""
    srg: SRG-APP-000427-AS-000264
    stigid: JBOS-AS-000625

ocil_clause: 'it is not'

ocil: |-
Locate the cacerts file for the JVM. This can be done using the appropriate find command for the OS; then change to the directory where the cacerts file is located.

To view the certificates stored within this file, execute the java command
keytool -list -v -keystore ./cacerts
. Verify that the Certificate Authority (CA) for each certificate is DoD-approved.

If any certificates have a CA that is not DoD-approved, this is a finding.

# ---- scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_use_approved_ciphers.rule ----
documentation_complete: true

title: 'Use Approved Ciphers'

description: |-
Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red Hat vendor's website for step-by-step instructions on establishing SSL encryption on JBoss.

The overall steps include:

1. Add an HTTPS connector.
2. Configure the SSL encryption certificate and keys.
3. Set the cipher suite to an approved algorithm.

rationale: |-
Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec tunnel.

If data in transit is unencrypted, it is vulnerable to disclosure and modification. If approved cryptographic algorithms are not used, encryption strength cannot be assured.

FIPS 140-2 approved TLS versions include TLS V1.0 or greater.

TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems. severity: medium identifiers: cce: 80494-8 references: disa: 2421 nist: "" srg: SRG-APP-000440-AS-000167 stigid: JBOS-AS-000655 ocil_clause: 'it is not' ocil: |- Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
jboss-cli
script. Connect to the server and authenticate. Validate that the TLS protocol is used for HTTPS connections. Run the command:
ls /subsystem=web/connector=https/ssl=configuration


Review the cipher suites. The following suites are acceptable as per NIST 800-52r1 section 3.3.1 - Cipher Suites. Refer to the NIST document for a complete list of acceptable cipher suites. The source NIST document and approved encryption algorithms/cipher suites are subject to change and should be referenced.
    AES_128_CBC
    AES_256_CBC
    AES_128_GCM
    AES_128_CCM
    AES_256_CCM
    


If the cipher suites utilized by the TLS server are not approved by NIST as per 800-52r1, this is a finding. scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_use_dod_approved_certs.rule000066400000000000000000000035561327242345500277350ustar00rootroot00000000000000documentation_complete: true title: 'Use DoD Approved Certificates' description: |- Configure the application server to use DoD- or CNSS-approved Class 3 or Class 4 PKI certificates. rationale: |- Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to- business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The application server must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions. severity: medium identifiers: cce: 80497-1 references: disa: 2450 nist: "" srg: SRG-APP-000514-AS-000137 stigid: JBOS-AS-000730 ocil_clause: 'it is not' ocil: |- Interview the administrator to determine if JBoss is using certificates for PKI. If JBoss is not performing any PKI functions, this finding is NA.

    The CA certs are usually stored in a file called cacerts located in the
    directory $JAVA_HOME/lib/security. If the file is not in this location, use
    a search command to locate the file, or ask the administrator where the
    certificate store is located.

    Open a DOS shell or terminal window and change to the location of the
    certificate store. To view the certificates within the certificate store,
    run the command (in this example, the keystore file is cacerts):
    keytool -list -v -keystore ./cacerts

    Locate the OU field for each certificate within the keystore. The field
    should contain either DoD or CNSS as the Organizational Unit (OU).

    If the OU does not show that the certificates are DoD or CNSS supplied, this
    is a finding.

scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_use_secure_ldap_port.rule

documentation_complete: true

title: 'Use Secure Standard LDAP Port'

description: |-
    Follow steps in section 11.8 - Management Interface Security in the
    JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US
    document.

    1. Create an outbound connection to the LDAP server.
    2. Create an LDAP-enabled security realm.
    3. Reference the new security domain in the Management Interface.

rationale: |-
    Passwords need to be protected at all times, and encryption is the standard
    method for protecting passwords during transmission.

    Application servers have the capability to utilize LDAP directories for
    authentication. If LDAP connections are not protected during transmission,
    sensitive authentication credentials can be stolen. When the application
    server utilizes LDAP, the LDAP traffic must be encrypted.

severity: medium

identifiers:
    cce: 80481-5

references:
    disa: 197
    nist: ""
    srg: SRG-APP-000172-AS-000121
    stigid: JBOS-AS-000310

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to
    JBoss. Using the relevant OS commands and syntax, cd to the
    <JBOSS_HOME>/bin/ folder. Run the jboss-cli script. Connect to the server
    and authenticate.

    Run the following command:

    For standalone servers:
    ls /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=ldap_connection

    For managed domain installations:
    ls /socket-binding-group=PROFILE/remote-destination-outbound-socket-binding=

    The default port for secure LDAP is 636.

    If 636 or the secure LDAP protocol is not utilized, this is a finding.

scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_use_tls.rule

documentation_complete: true

title: 'Use Approved TLS Version'

description: |-
    Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red
    Hat vendor's website for step-by-step instructions on establishing SSL
    encryption on JBoss.

    The overall steps include:

    1. Add an HTTPS connector.
    2. Configure the SSL encryption certificate and keys.
    3. Set the protocol to TLS V1.1 or V1.2.

rationale: |-
    Preventing the disclosure of transmitted information requires that the
    application server take measures to employ some form of cryptographic
    mechanism in order to protect the information during transmission. This is
    usually achieved through the use of Transport Layer Security (TLS).

    JBoss relies on the underlying SSL implementation running on the OS. This
    can be either Java based or OpenSSL. The SSL protocol setting determines
    which SSL protocol is used. SSL has known security vulnerabilities, so TLS
    should be used instead. If data is transmitted unencrypted, the data then
    becomes vulnerable to disclosure. The disclosure may reveal user
    identifier/password combinations, website code revealing business logic, or
    other user personal information.

    FIPS 140-2 approved TLS versions include TLS V1.0 or greater.

    TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.
    NIST SP 800-52 specifies the preferred configurations for government systems.

severity: medium

identifiers:
    cce: 80493-0

references:
    disa: 2418
    nist: ""
    srg: SRG-APP-000439-AS-000155
    stigid: JBOS-AS-000650

ocil_clause: 'it is not'

ocil: |-
    Log on to the OS of the JBoss server with OS permissions that allow access to
    JBoss. Using the relevant OS commands and syntax, cd to the
    <JBOSS_HOME>/bin/ folder. Run the jboss-cli script. Connect to the server
    and authenticate. Validate that the TLS protocol is used for HTTPS
    connections. Run the command:
    ls /subsystem=web/connector=https/ssl=configuration

    If a TLS V1.1 or V1.2 protocol is not returned, this is a finding.

scap-security-guide-0.1.39/eap6/guide/eap6/jboss_eap_vendor_supported.rule

documentation_complete: true

title: 'JBoss Version Is Vendor Supported'

description: 'Obtain vendor support from Red Hat.'

rationale: |-
    The JBoss product is available as Open Source; however, the Red Hat vendor
    provides updates, patches and support for the JBoss product. It is
    imperative that patches and updates be applied to JBoss in a timely manner
    as many attacks against JBoss focus on unpatched systems. It is critical
    that support be obtained and made available.

severity: high

identifiers:
    cce: 80495-5

references:
    disa: 2605
    nist: ""
    srg: SRG-APP-000456-AS-000266
    stigid: JBOS-AS-000680

ocil_clause: 'it is not'

ocil: |-
    Interview the system admin and have them either show documented proof of
    current support, or have them demonstrate their ability to access the Red
    Hat Enterprise Support portal.

    Verify Red Hat support includes coverage for the JBoss product.

    If there is no current and active support from the vendor, this is a finding.

scap-security-guide-0.1.39/eap6/guide/eap6/var_jboss_profile.var

documentation_complete: true

title: 'JBoss Configuration Profile'

description: 'Choose JBoss configuration name (string)'

type: string

operator: equals

interactive: false

options:
    default: standalone
    openshift: standalone-openshift

scap-security-guide-0.1.39/eap6/guide/guide.benchmark

---
documentation_complete: true

title: Guide to the Secure Configuration of

status: draft

description: |
    This guide presents a catalog of security-relevant configuration settings
    for . It is a rendering of content structured in the eXtensible
    Configuration Checklist Description Format (XCCDF) in order to support
    security automation. The SCAP content is available in the
    scap-security-guide package which is developed at .

    Providing system administrators with such guidance informs them how to
    securely configure systems under their control in a variety of network
    roles. Policy makers and baseline creators can use this catalog of
    settings, with its associated references to higher-level security control
    catalogs, in order to assist them in security baseline creation. This guide
    is a catalog, not a checklist, and satisfaction of every item is not likely
    to be possible or sensible in many operational scenarios. However, the
    XCCDF format enables granular selection and adjustment of settings, and
    their association with OVAL and OCIL content provides an automated checking
    capability. Transformations of this document, and its associated automated
    checking content, are capable of providing baselines that meet a diverse
    set of policy objectives. Some example XCCDF Profiles, which are selections
    of items that form checklists and can be used as baselines, are available
    with this guide. They can be processed, in an automated fashion, with tools
    that support the Security Content Automation Protocol (SCAP). The DISA STIG
    for , which provides required settings for US Department of Defense
    systems, is one example of a baseline created from this guidance.

notice:
    id: terms_of_use
    description: |
        Do not attempt to implement any of the settings in this guide without
        first testing them in a non-operational environment. The creators of
        this guidance assume no responsibility whatsoever for its use by other
        parties, and make no guarantees, expressed or implied, about its
        quality, reliability, or any other characteristic.

front-matter: |
    The SCAP Security Guide Project

rear-matter: |
    Red Hat and Red Hat Enterprise Linux are either registered trademarks or
    trademarks of Red Hat, Inc. in the United States and other countries. All
    other names are registered trademarks or trademarks of their respective
    companies.

cpes:
    - version: 0.9

scap-security-guide-0.1.39/eap6/overlays/stig_overlay.xml

HTTP management session traffic must be encrypted.
HTTPS must be enabled for JBoss web interfaces.
Java permissions must be set for hosted applications.
The Java Security Manager must be enabled for the JBoss application server.
The JBoss server must be configured with Role Based Access Controls.
Users in JBoss Management Security Realms must be in the appropriate role.
Silent Authentication must be removed from the Default Application Security Realm.
Silent Authentication must be removed from the Default Management Security Realm.
JBoss management interfaces must be secured.
The JBoss server must generate log records for access and authentication events to the management interface.
JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
JBoss must be configured to initiate session logging upon startup.
JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.
JBoss must be configured to produce log records containing information to establish what type of events occurred.
JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.
JBoss must be configured to produce log records that establish which hosted application triggered the events.
JBoss must be configured to record the IP address and port information used by management interface network traffic.
The application server must produce log records that contain sufficient information to establish the outcome of events.
JBoss ROOT logger must be configured to utilize the appropriate logging level.
File permissions must be configured to protect log information from any type of unauthorized read access.
File permissions must be configured to protect log information from unauthorized modification.
File permissions must be configured to protect log information from unauthorized deletion.
JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.
mgmt-users.properties file permissions must be set to allow access to authorized users only.
JBoss process owner interactive access must be restricted.
Google Analytics must be disabled in EAP Console.
JBoss process owner execution permissions must be limited.
JBoss QuickStarts must be removed.
Remote access to JMX subsystem must be disabled.
Welcome Web Application must be disabled.
Any unapproved applications must be removed.
JBoss application and management ports must be approved by the PPSM CAL.
The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.
The JBoss Server must be configured to use certificates to authenticate admins.
The JBoss server must be configured to use individual accounts and not generic or shared accounts.
The JBoss server must be configured to bind the management interfaces to only management networks.
JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.
The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.
JBoss KeyStore and Truststore passwords must not be stored in clear text.
LDAP enabled security realm value allow-empty-passwords must be set to false.
JBoss must utilize encryption when using LDAP for authentication.
The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators.
The JBoss server must separate hosted application functionality from application server management functionality.
JBoss file permissions must be configured to protect the confidentiality and integrity of application files.
Access to JBoss log files must be restricted to authorized users.
Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.
The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
The JBoss server must be configured to log all admin activity.
The JBoss server must be configured to utilize syslog logging.
Production JBoss servers must not allow automatic application deployment.
Production JBoss servers must log when failed application deployments occur.
Production JBoss servers must log when successful application deployments occur.
JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.
JBoss must be configured to use an approved TLS version.
JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.
Production JBoss servers must be supported by the vendor.
The JRE installed on the JBoss server must be kept up to date.
JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur.
JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur.
JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur.
JBoss must be configured to generate log records for privileged activities.
JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface.
JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface.
JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events.
The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.

scap-security-guide-0.1.39/eap6/product.yml

product: eap6
benchmark_root: "./guide"
profiles_root: "./profiles"

scap-security-guide-0.1.39/eap6/profiles/stig-eap6-disa.profile

documentation_complete: true

title: 'STIG for JBoss Enterprise Application Platform 6'

description: 'This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.'

selections:
    - var_jboss_profile=default
    - jboss_eap_configure_secure_management_access
    - jboss_eap_configure_https
    - jboss_eap_configure_host_access_restrictions
    - jboss_eap_configure_security_manager
    - jboss_eap_enable_rbac
    - jboss_eap_configure_user_roles
    - jboss_eap_configure_application_authentication
    - jboss_eap_configure_management_authentication
    - jboss_eap_configure_security_realm
    - jboss_eap_configure_auditing
    - jboss_eap_configure_auditor_roles
    - jboss_eap_configure_logging_level
    - jboss_eap_configure_log_permissions
    - jboss_eap_configure_offloading_max
    - jboss_eap_configure_user_permissions
    - jboss_eap_restrict_jboss_account
    - jboss_eap_disable_analytics
    - jboss_eap_unprivileged_mode
    - jboss_eap_remove_quickstarts
    - jboss_eap_remove_jmx
    - jboss_eap_disable_replace_welcome_page
    - jboss_eap_remove_unnecessary_apps
    - jboss_eap_configure_ports
    - jboss_eap_configure_ldap
    - jboss_eap_configure_multifactor_authentication
    - jboss_eap_remove_group_accounts
    - jboss_eap_configure_management_network
    - jboss_eap_configure_management_ldap
    - jboss_eap_configure_keystore
    - jboss_eap_encrypt_keystore_passwords
    - jboss_eap_require_password_access
    - jboss_eap_use_secure_ldap_port
    - jboss_eap_secure_keystore_permissions
    - jboss_eap_service_separate_networks
    - jboss_eap_file_permissions
    - jboss_eap_logs_permissions
    - jboss_eap_disable_domain_admin_console
    - jboss_eap_audit_privileged_actions
    - jboss_eap_configure_syslog
    - jboss_eap_disable_automatic_deployment
    - jboss_eap_log_deployments
    - jboss_eap_use_approved_ca_cert
    - jboss_eap_configure_ha_lb
    - jboss_eap_use_tls
    - jboss_eap_use_approved_ciphers
    - jboss_eap_vendor_supported
    - jboss_eap_system_up_to_date
    - jboss_eap_use_dod_approved_certs
    - jboss_eap_roll_over_transfer_logs

scap-security-guide-0.1.39/eap6/transforms/cci2html.xsl

scap-security-guide-0.1.39/eap6/transforms/constants.xslt

JBoss EAP 6
EAP 6
EAP_6_STIG
eap6
empty
Jboss-EAP-6
cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0,cpe:/a:redhat:jboss_enterprise_application_platform:6.0.1,cpe:/a:redhat:jboss_enterprise_application_platform:6.1.0,cpe:/a:redhat:jboss_enterprise_application_platform:6.1.1,cpe:/a:redhat:jboss_enterprise_application_platform:6.2.0,cpe:/a:redhat:jboss_enterprise_application_platform:6.2.1,cpe:/a:redhat:jboss_enterprise_application_platform:6.2.2,cpe:/a:redhat:jboss_enterprise_application_platform:6.2.3,cpe:/a:redhat:jboss_enterprise_application_platform:6.2.4,cpe:/a:redhat:jboss_enterprise_application_platform:6.3.0,cpe:/a:redhat:jboss_enterprise_application_platform:6.3.1,cpe:/a:redhat:jboss_enterprise_application_platform:6.3.2,cpe:/a:redhat:jboss_enterprise_application_platform:6.3.3,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.0,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.1,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.2,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.3,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.4,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.5,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.6,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.7,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.8,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.9,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.10,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.11,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.12,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.13,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.14,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.15,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.16,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.17,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.18,cpe:/a:redhat:jboss_enterprise_application_platform:6.4.19

scap-security-guide-0.1.39/eap6/transforms/shorthand2xccdf.xslt

unknown
unlinked-eap6-oval.xml

scap-security-guide-0.1.39/eap6/transforms/table-add-srgitems.xslt

scap-security-guide-0.1.39/eap6/transforms/table-sortbyref.xslt

scap-security-guide-0.1.39/eap6/transforms/table-srgmap.xslt

scap-security-guide-0.1.39/eap6/transforms/table-style.xslt

scap-security-guide-0.1.39/eap6/transforms/xccdf-apply-overlay-stig.xslt

scap-security-guide-0.1.39/eap6/transforms/xccdf2csv-stig.py

#!/usr/bin/env python2

import sys

# always use shared/modules version
SHARED_MODULE_PATH = "../../shared/modules"
sys.path.insert(0, SHARED_MODULE_PATH)

import xccdf2csv_stig_module

if __name__ == "__main__":
    xccdf2csv_stig_module.main()

scap-security-guide-0.1.39/eap6/transforms/xccdf2stigformat.xslt

scap-security-guide-0.1.39/eap6/transforms/xccdf2table-byref.xslt

scap-security-guide-0.1.39/eap6/transforms/xccdf2table-cce.xslt

scap-security-guide-0.1.39/eap6/transforms/xccdf2table-profileccirefs.xslt

scap-security-guide-0.1.39/eap6/transforms/xccdf2table-profilecisrefs.xslt

scap-security-guide-0.1.39/eap6/transforms/xccdf2table-profilenistrefs.xslt

scap-security-guide-0.1.39/eap6/transforms/xccdf2table-stig.xslt

scap-security-guide-0.1.39/fedora/CMakeLists.txt

# Sometimes our users will try to do: "cd fedora; cmake ." That needs to error in a nice way.
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!")
endif()

ssg_build_product("fedora")

scap-security-guide-0.1.39/fedora/checks/oval/service_sshd_disabled.xml

Service sshd Disabled
multi_platform_fedora
The sshd service should be disabled.
/etc/systemd/system/multi-user.target.wants/sshd.service
state_symlink
symbolic link

scap-security-guide-0.1.39/fedora/cpe/fedora-cpe-dictionary.xml

Fedora 28 installed_OS_is_fedora
Fedora 27 installed_OS_is_fedora
Fedora 26 installed_OS_is_fedora
Fedora 25 installed_OS_is_fedora
Container installed_env_is_a_container
Bare-metal or Virtual Machine installed_env_is_a_machine

scap-security-guide-0.1.39/fedora/fixes/bash/accounts_maximum_age_login_defs.sh

# platform = multi_platform_fedora
. /usr/share/scap-security-guide/remediation_functions

declare var_accounts_maximum_age_login_defs
populate var_accounts_maximum_age_login_defs

# Replace an existing PASS_MAX_DAYS line; if none exists (grep fails, so the
# sed never runs and $? is non-zero), append one.
grep -q ^PASS_MAX_DAYS /etc/login.defs && \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
    echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi

scap-security-guide-0.1.39/fedora/fixes/bash/accounts_minimum_age_login_defs.sh

# platform = multi_platform_fedora
. /usr/share/scap-security-guide/remediation_functions

declare var_accounts_minimum_age_login_defs
populate var_accounts_minimum_age_login_defs

# Replace an existing PASS_MIN_DAYS line; append one if it is absent.
grep -q ^PASS_MIN_DAYS /etc/login.defs && \
  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
    echo -e "PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi

scap-security-guide-0.1.39/fedora/fixes/bash/accounts_password_minlen_login_defs.sh

# platform = multi_platform_fedora
. /usr/share/scap-security-guide/remediation_functions

declare var_accounts_password_minlen_login_defs
populate var_accounts_password_minlen_login_defs

# Replace an existing PASS_MIN_LEN line; append one if it is absent.
grep -q ^PASS_MIN_LEN /etc/login.defs && \
  sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
    echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi

scap-security-guide-0.1.39/fedora/fixes/bash/accounts_password_warn_age_login_defs.sh

# platform = multi_platform_fedora
. /usr/share/scap-security-guide/remediation_functions

declare var_accounts_password_warn_age_login_defs
populate var_accounts_password_warn_age_login_defs

# Replace an existing PASS_WARN_AGE line; append one if it is absent.
grep -q ^PASS_WARN_AGE /etc/login.defs && \
  sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]
then
    echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" >> /etc/login.defs
fi

scap-security-guide-0.1.39/fedora/fixes/bash/disable_prelink.sh

# platform = multi_platform_fedora

#
# Disable prelinking altogether
#
if grep -q ^PRELINKING /etc/sysconfig/prelink
then
  sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
else
  echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink
  echo "PRELINKING=no" >> /etc/sysconfig/prelink
fi

#
# Undo previous prelink changes to binaries
#
/usr/sbin/prelink -ua

scap-security-guide-0.1.39/fedora/guide.xslt

A conditional clause for check statements.
A conditional clause for check statements.
This is a placeholder.

scap-security-guide-0.1.39/fedora/overlays/.gitkeep

scap-security-guide-0.1.39/fedora/product.yml

product: fedora
benchmark_root: "../shared/guide"
profiles_root: "./profiles"
pkg_system: "rpm"

scap-security-guide-0.1.39/fedora/profiles/standard.profile

documentation_complete: true

title: 'Standard System Security Profile for Fedora'

description: |-
    This profile contains rules to ensure standard security baseline
    of a Fedora system. Regardless of your system's workload
    all of these checks should pass.

selections:
    - disable_prelink
    - aide_build_database
    - ensure_gpgcheck_globally_activated
    - ensure_gpgcheck_never_disabled
    - rpm_verify_permissions
    - rpm_verify_hashes
    - accounts_root_path_dirs_no_write
    - file_permissions_library_dirs
    - file_ownership_library_dirs
    - file_permissions_binary_dirs
    - file_ownership_binary_dirs
    - no_direct_root_logins
    - securetty_root_login_console_only
    - restrict_serial_port_logins
    - accounts_no_uid_except_zero
    - no_empty_passwords
    - display_login_attempts
    - accounts_password_all_shadowed
    - gid_passwd_group_same
    - no_netrc_files
    - var_accounts_password_minlen_login_defs=12
    - accounts_password_minlen_login_defs
    - var_accounts_minimum_age_login_defs=7
    - accounts_minimum_age_login_defs
    - var_accounts_maximum_age_login_defs=90
    - accounts_maximum_age_login_defs
    - var_accounts_password_warn_age_login_defs=7
    - accounts_password_warn_age_login_defs
    - account_unique_name
    - service_firewalld_enabled
    - set_firewalld_default_zone
    - bootloader_audit_argument
    - var_auditd_num_logs=5
    - auditd_data_retention_num_logs
    - auditd_data_retention_max_log_file
    - auditd_data_retention_max_log_file_action
    - auditd_data_retention_space_left_action
    - auditd_data_retention_admin_space_left_action
    - auditd_data_retention_action_mail_acct
    - auditd_audispd_syslog_plugin_activated
    - file_ownership_var_log_audit
    - audit_rules_time_adjtimex
    - audit_rules_time_settimeofday
    - audit_rules_time_stime
    - audit_rules_time_clock_settime
    - audit_rules_time_watch_localtime
    - audit_rules_usergroup_modification
    - audit_rules_networkconfig_modification
    - audit_rules_mac_modification
    - audit_rules_dac_modification_chmod
    - audit_rules_dac_modification_chown
    - audit_rules_dac_modification_fchmod
    - audit_rules_dac_modification_fchmodat
    - audit_rules_dac_modification_fchown
    - audit_rules_dac_modification_fchownat
    - audit_rules_dac_modification_fremovexattr
    - audit_rules_dac_modification_fsetxattr
    - audit_rules_dac_modification_lchown
    - audit_rules_dac_modification_lremovexattr
    - audit_rules_dac_modification_lsetxattr
    - audit_rules_dac_modification_removexattr
    - audit_rules_dac_modification_setxattr
    - audit_rules_login_events
    - audit_rules_session_events
    - audit_rules_unsuccessful_file_modification
    - audit_rules_privileged_commands
    - audit_rules_media_export
    - audit_rules_file_deletion_events
    - audit_rules_sysadmin_actions
    - audit_rules_kernel_module_loading
    - audit_rules_immutable
    - bootloader_nousb_argument
    - service_chronyd_or_ntpd_enabled
    - chronyd_or_ntpd_specify_remote_server
    - service_auditd_enabled
    - sshd_disable_root_login
    - sshd_disable_empty_passwords
    - sshd_idle_timeout_value=5_minutes
    - sshd_set_idle_timeout
    - sshd_set_keepalive

scap-security-guide-0.1.39/fedora/templates/csv/file_groupowner.csv

/etc/cron.allow,root,cron_allow

scap-security-guide-0.1.39/fedora/templates/csv/file_owner.csv

/etc/cron.allow,root,cron_allow

scap-security-guide-0.1.39/fedora/templates/csv/mount_options.csv

# format:
# ,[,create_fstab_entry_if_needed]
# - mount point mounted with specified option. for more than
# one option, use multiple lines with the same , use the
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
# If the remediation can create (i.e. not just modify) an /etc/fstab line,
# add the 'create_fstab_entry_if_needed' literal string as the third argument.
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
/tmp,nodev
/tmp,noexec
/tmp,nosuid
/var/tmp,bind

scap-security-guide-0.1.39/fedora/templates/csv/oval_5.11/services_enabled.csv

auditd,audit,
chronyd,chrony,
crond,cronie,
firewalld,firewalld,

scap-security-guide-0.1.39/fedora/templates/csv/packages_installed.csv

audit
chrony
cronie
firewalld
libreswan
openssh-server

scap-security-guide-0.1.39/fedora/templates/csv/services_enabled.csv

chronyd,chrony,#only-for:bash,ansible

scap-security-guide-0.1.39/fedora/templates/oval_5.11_templates/template_OVAL_service_disabled

Service %SERVICENAME% Disabled
Red Hat Enterprise Linux 7
The %SERVICENAME% service should be disabled if possible.
multi-user.target
%SERVICENAME%.service
multi-user.target
%SERVICENAME%.socket
%SERVICENAME%\.(service|socket)
ActiveState
inactive

scap-security-guide-0.1.39/fedora/templates/oval_5.11_templates/template_OVAL_service_enabled

Service %SERVICENAME% Enabled
multi_platform_fedora
The %SERVICENAME% service should be enabled if possible.
multi-user.target %SERVICENAME%.service multi-user.target %SERVICENAME%.socket %SERVICENAME%\.(socket|service) ActiveState active scap-security-guide-0.1.39/fedora/templates/template_OVAL_kernel_module_disabled000066400000000000000000000112511327242345500300520ustar00rootroot00000000000000 Disable %KERNMODULE% Kernel Module multi_platform_fedora The kernel module %KERNMODULE% should be disabled. /etc/modprobe.d ^.*\.conf$ ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$ 1 scap-security-guide-0.1.39/fedora/transforms/000077500000000000000000000000001327242345500211375ustar00rootroot00000000000000scap-security-guide-0.1.39/fedora/transforms/constants.xslt000066400000000000000000000022231327242345500240660ustar00rootroot00000000000000 Fedora Fedora empty fedora empty FEDORA cpe:/o:fedoraproject:fedora:28,cpe:/o:fedoraproject:fedora:27,cpe:/o:fedoraproject:fedora:26,cpe:/o:fedoraproject:fedora:25 scap-security-guide-0.1.39/fedora/transforms/shorthand2xccdf.xslt000066400000000000000000000004051327242345500251360ustar00rootroot00000000000000 unknown scap-security-guide-0.1.39/fedora/transforms/xccdf2table-profilecisrefs.xslt000066400000000000000000000007051327242345500272530ustar00rootroot00000000000000 scap-security-guide-0.1.39/firefox/000077500000000000000000000000001327242345500171435ustar00rootroot00000000000000scap-security-guide-0.1.39/firefox/CMakeLists.txt000066400000000000000000000004621327242345500217050ustar00rootroot00000000000000# Sometimes our users will try to do: "cd firefox; cmake ." That needs to error in a nice way. 
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!") endif() ssg_build_product("firefox") scap-security-guide-0.1.39/firefox/checks/000077500000000000000000000000001327242345500204035ustar00rootroot00000000000000scap-security-guide-0.1.39/firefox/checks/oval/000077500000000000000000000000001327242345500213445ustar00rootroot00000000000000scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-addons_plugin_updates.xml000066400000000000000000000024011327242345500324570ustar00rootroot00000000000000 Disable Addons Plugin Updates Mozilla Firefox Firefox automatically updates installed add-ons and plugins. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("extensions.update.enabled",[\s]+false\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-auto-download_actions.xml000066400000000000000000000025161327242345500324100ustar00rootroot00000000000000 Disable Automatic Downloads of MIME Types Mozilla Firefox Firefox automatically executes or downloads MIME types which are not authorized for auto-download. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("browser.helperApps.alwaysAsk.force",[\s]+true\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-auto-update_of_firefox.xml000066400000000000000000000024071327242345500325500ustar00rootroot00000000000000 Disable Firefox Auto-Update Capability Mozilla Firefox Firefox should not be able to automatically update itself. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("app.update.enabled",[\s]+false\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-autofill_forms.xml000066400000000000000000000023021327242345500311310ustar00rootroot00000000000000 Disable Autofill Form Assistance Mozilla Firefox Firefox formfill assistance option is disabled. 
^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("browser.formfill.enable",[\s]+false\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-autofill_passwords.xml000066400000000000000000000023551327242345500320400ustar00rootroot00000000000000 Disable User Ability To Autofill Passwords Mozilla Firefox Firefox should not be configured to autofill passwords. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("signon.prefillForms",[\s]+false\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-cookies_clear.xml000066400000000000000000000026361327242345500307200ustar00rootroot00000000000000 Clear Cookies And Other Data When Firefox Closes Mozilla Firefox Set browser preferences to perform a Clear Private Data operation when closing the browser in order to clear cookies and other data installed by websites visited during the session. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("privacy.sanitize.sanitizeOnShutdown",[\s]+true\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-cookies_user_notice.xml000066400000000000000000000025011327242345500321400ustar00rootroot00000000000000 Disable User Prompt For Clearing Cookies And Other Data Mozilla Firefox Users should not be prompted about data and cookies being cleared when the browser is closed. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("privacy.sanitize.promptOnSanitize",[\s]+false\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-home_page.xml000066400000000000000000000031311327242345500300310ustar00rootroot00000000000000 Default Firefox Home Page Configured Mozilla Firefox The default homepage for Firefox is set and cannot be changed. 
^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("browser.startup.homepage",[\s]+"(\S+)"\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-javascript_context_menus.xml000066400000000000000000000025101327242345500332260ustar00rootroot00000000000000 Disable JavaScript Context Menus Mozilla Firefox Firefox should be configured to not allow JavaScript to disable or replace context menus. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("dom.event.contextmenu.enabled",[\s]+false\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-javascript_status_bar_changes.xml000066400000000000000000000025731327242345500342030ustar00rootroot00000000000000 Disable JavaScript's Ability To Change The Status Bar Mozilla Firefox Firefox should be configured to not allow JavaScript to hide or change the status bar. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("dom.disable_window_status_change",[\s]+true\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-javascript_status_bar_text.xml000066400000000000000000000025611327242345500335540ustar00rootroot00000000000000 Disable JavaScript's Ability To Modify The Browser Appearance Mozilla Firefox Firefox should be configured not to allow JavaScript to change the status bar text. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("dom.disable_window_open_feature.status",[\s]+true\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-javascript_window_changes.xml000066400000000000000000000024741327242345500333430ustar00rootroot00000000000000 Disable JavaScript's Raise Or Lower Windows Capability Mozilla Firefox Firefox should be configured to not allow JavaScript to raise or lower windows. 
^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("dom.disable_window_flip",[\s]+true\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-javascript_window_resizing.xml000066400000000000000000000025261327242345500335630ustar00rootroot00000000000000 Disable JavaScript's Moving Or Resizing Windows Capability Mozilla Firefox FireFox should not be configured to allow JavaScript to move or resize windows. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("dom.disable_window_move_resize",[\s]+true\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-lock_settings_config_file.xml000066400000000000000000000025311327242345500333040ustar00rootroot00000000000000 Prevent Users from Changing Firefox Configuration Settings Mozilla Firefox Locked settings prevents users from accessing about:config and changing the security settings set by the system administrator. ^\/usr\/(|local\/)lib(|64)\/firefox\/defaults\/preferences ^.*\.js$ ^pref\("general.config.filename",[\s]+"(\S+)\.cfg"\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-lock_settings_obscure.xml000066400000000000000000000025221327242345500325020ustar00rootroot00000000000000 Prevent Users from Changing Firefox Configuration Settings Mozilla Firefox Locked settings prevents users from accessing about:config and changing the security settings set by the system administrator. ^\/usr\/(|local\/)lib(|64)\/firefox\/defaults\/preferences ^.*\.js$ ^pref\("general.config.obscure_value",[\s]+0\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-non-secure_page_warning.xml000066400000000000000000000025211327242345500327060ustar00rootroot00000000000000 Enable Non-Secure Page Warnings Mozilla Firefox Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page. 
^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("security.warn_leaving_secure",[\s]+true\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-open_confirmation.xml000066400000000000000000000033151327242345500316220ustar00rootroot00000000000000 Enable Downloading and Opening File Confirmation Mozilla Firefox Firefox is not configured to prompt user before downloading and opening required file types. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("plugin.disable_full_page_plugin_for_types",[\s]+"(\S+)"\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-password_store.xml000066400000000000000000000023141327242345500311650ustar00rootroot00000000000000 Disable the Firefox Password Store Mozilla Firefox The Firefox password store should be disabled. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("signon.rememberSignons",[\s]+false\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-pop-up_windows.xml000066400000000000000000000024651327242345500311100ustar00rootroot00000000000000 Enable Firefox Pop-up Blocker Mozilla Firefox The Firefox Pop-up blocker should be enabled as windows may be used to launch an attack within a new browser window with altered settings. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("dom.disable_window_open_feature.status",[\s]+true\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-search_update.xml000066400000000000000000000025341327242345500307220ustar00rootroot00000000000000 Disable Installed Search Plugins Update Checking Mozilla Firefox Search plugins can be automatically configured to check for updates. Updates need to be controlled and installed from authorized and trusted servers. 
^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("browser.search.update",[\s]+false\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-shell_protocol.xml000066400000000000000000000025311327242345500311400ustar00rootroot00000000000000 Disable Firefox Access to Shell Protocols Mozilla Firefox Firefox can be configured to access systems shells which could potentially allow Firefox and other users to access to the underlying system. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("network.protocol-handler.external.shell",[\s]+false\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-ssl_protocol_tls.xml000066400000000000000000000023431327242345500315150ustar00rootroot00000000000000 Enable TLS Usage in Firefox Mozilla Firefox DoD implementations of SSL must use TLS 1.0 in accordance with the Network Infrastructure STIG. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("security.enable_tls",[\s]+true\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-ssl_version_2.xml000066400000000000000000000023571327242345500307050ustar00rootroot00000000000000 Disable SSL Version 2.0 in Firefox Mozilla Firefox SSL 2.0 and SSL 3.0 contain a number of security flaws. Therefore, SSL 2.0 should be disabled. ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("security.enable_ssl2",[\s]+false\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-ssl_version_3.xml000066400000000000000000000023551327242345500307040ustar00rootroot00000000000000 Disable SSL Version 3 in Firefox Mozilla Firefox Earlier versions of SSL have known security vulnerabilities and are not authorized for use in DOD. 
^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("security.enable_ssl3",[\s]+false\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/firefox_preferences-verification.xml000066400000000000000000000027431327242345500305770ustar00rootroot00000000000000 Enable Certificate Verification Mozilla Firefox When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured ^\/usr\/(|local\/)lib(|64)\/firefox ^.*\.cfg$ ^lockPref\("security.default_personal_cert",[\s]+"Ask Every Time"\);$ 1 scap-security-guide-0.1.39/firefox/checks/oval/installed_OS_is_part_of_Unix_family.xml000066400000000000000000000020171327242345500312170ustar00rootroot00000000000000 Installed operating system is part of the Unix family Mozilla Firefox The operating system installed on the system is part of the Unix OS family unix scap-security-guide-0.1.39/firefox/checks/oval/installed_app_is_firefox.xml000066400000000000000000000020001327242345500271120ustar00rootroot00000000000000 Mozilla Firefox Mozilla Firefox The application installed on the system is firefox. firefox scap-security-guide-0.1.39/firefox/checks/oval/installed_firefox_version_supported.xml000066400000000000000000000026311327242345500314430ustar00rootroot00000000000000 Supported Version of Firefox Installed Mozilla Firefox Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported versions which can leave the application vulnerable to attack. 
3.0.0 firefox scap-security-guide-0.1.39/firefox/cpe/000077500000000000000000000000001327242345500177125ustar00rootroot00000000000000scap-security-guide-0.1.39/firefox/cpe/firefox-cpe-dictionary.xml000066400000000000000000000012101327242345500250010ustar00rootroot00000000000000 Mozilla Firefox installed_app_is_firefox scap-security-guide-0.1.39/firefox/fixes/000077500000000000000000000000001327242345500202615ustar00rootroot00000000000000scap-security-guide-0.1.39/firefox/fixes/bash/000077500000000000000000000000001327242345500211765ustar00rootroot00000000000000scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-addons_plugin_updates.sh000066400000000000000000000002301327242345500321210ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "extensions.update.enabled" "false" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-auto-download_actions.sh000066400000000000000000000002401327242345500320450ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "browser.helperApps.alwaysAsk.force" "true" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-auto-update_of_firefox.sh000066400000000000000000000002561327242345500322140ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "app.update.enabled" "false" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-autofill_forms.sh000066400000000000000000000002261327242345500306000ustar00rootroot00000000000000# platform = Mozilla Firefox .
/usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "browser.formfill.enable" "false" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-autofill_passwords.sh000066400000000000000000000002221327242345500314730ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "signon.prefillForms" "false" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-cookies_clear.sh000066400000000000000000000002411327242345500303520ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "privacy.sanitize.sanitizeOnShutdown" "true" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-cookies_user_notice.sh000066400000000000000000000002401327242345500316020ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "privacy.sanitize.promptOnSanitize" "false" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-enable_ca_trust.sh000066400000000000000000000004301327242345500307020ustar00rootroot00000000000000# platform = Mozilla Firefox P11=$(readlink /etc/alternatives/libnssckbi.so*) P11LIB="/usr/lib/pkcs11/p11-kit-trust.so" P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so" if ! [[ ${P11} == "${P11LIB64}" ]] && ! [[ ${P11} == "${P11LIB}" ]] ; then /usr/bin/update-ca-trust enable fi scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-home_page.sh000066400000000000000000000003151327242345500274760ustar00rootroot00000000000000# platform = Mozilla Firefox .
/usr/share/scap-security-guide/remediation_functions populate var_default_home_page firefox_cfg_setting "stig.cfg" "browser.startup.homepage" "\"${var_default_home_page}\"" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-javascript_context_menus.sh000066400000000000000000000002341327242345500326730ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "dom.event.contextmenu.enabled" "false" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-javascript_status_bar_changes.sh000066400000000000000000000002361327242345500336410ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "dom.disable_window_status_change" "true" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-javascript_status_bar_text.sh000066400000000000000000000002441327242345500332140ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "dom.disable_window_open_feature.status" "true" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-javascript_window_changes.sh000066400000000000000000000002251327242345500327770ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "dom.disable_window_flip" "true" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-javascript_window_resizing.sh000066400000000000000000000002341327242345500332210ustar00rootroot00000000000000# platform = Mozilla Firefox . 
/usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "dom.disable_window_move_resize" "true" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-lock_settings_config_file.sh000066400000000000000000000002441327242345500327470ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_js_setting "stig_settings.js" "general.config.filename" "\"stig.cfg\"" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-lock_settings_obscure.sh000066400000000000000000000002361327242345500321460ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_js_setting "stig_settings.js" "general.config.obscure_value" "0" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-non-secure_page_warning.sh000066400000000000000000000002321327242345500323470ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "security.warn_leaving_secure" "true" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-open_confirmation.sh000066400000000000000000000003421327242345500312630ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions populate var_required_file_types firefox_cfg_setting "stig.cfg" "plugin.disable_full_page_plugin_for_types" "\"${var_required_file_types}\"" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-password_store.sh000066400000000000000000000002251327242345500306300ustar00rootroot00000000000000# platform = Mozilla Firefox . 
/usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "signon.rememberSignons" "false" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-pop-up_windows.sh000066400000000000000000000002441327242345500305450ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "dom.disable_window_open_feature.status" "true" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-search_update.sh000066400000000000000000000002241327242345500303600ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "browser.search.update" "false" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-shell_protocol.sh000066400000000000000000000002461327242345500306050ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "network.protocol-handler.external.shell" "false" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-ssl_protocol_tls.sh000066400000000000000000000002211327242345500311520ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "security.enable_tls" "true" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-ssl_version_2.sh000066400000000000000000000002231327242345500303370ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "security.enable_ssl2" "false" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-ssl_version_3.sh000066400000000000000000000002231327242345500303400ustar00rootroot00000000000000# platform = Mozilla Firefox . 
/usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "security.enable_ssl3" "false" scap-security-guide-0.1.39/firefox/fixes/bash/firefox_preferences-verification.sh000066400000000000000000000002521327242345500302340ustar00rootroot00000000000000# platform = Mozilla Firefox . /usr/share/scap-security-guide/remediation_functions firefox_cfg_setting "stig.cfg" "security.default_personal_cert" "\"Ask Every Time\"" scap-security-guide-0.1.39/firefox/guide.xslt000066400000000000000000000034161327242345500211600ustar00rootroot00000000000000 A conditional clause for check statements. A conditional clause for check statements. This is a placeholder. scap-security-guide-0.1.39/firefox/guide/000077500000000000000000000000001327242345500202405ustar00rootroot00000000000000scap-security-guide-0.1.39/firefox/guide/firefox/000077500000000000000000000000001327242345500217025ustar00rootroot00000000000000scap-security-guide-0.1.39/firefox/guide/firefox/firefox.group000066400000000000000000000010041327242345500244150ustar00rootroot00000000000000documentation_complete: true title: Firefox description: "Firefox is an open-source web browser and developed by Mozilla.\nWeb browsers such as Firefox are used for a number of reasons. This section \nprovides settings for configuring Firefox policies to meet compliance \nsettings for Firefox running on Red Hat Enterprise Linux systems.\n\n
    Refer to
  • \nfor a list of currently supported Firefox settings.
" scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-addons_plugin_updates.rule000066400000000000000000000014311327242345500331660ustar00rootroot00000000000000documentation_complete: true title: 'Disable Addons Plugin Updates' description: "Firefox automatically updates installed add-ons and plugins which \ncan be disabled by setting extensions.update.enabled to\nfalse." rationale: |- Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings. severity: medium identifiers: cce: "" references: disa: "" nist: ECSC-1 stigid: DTBF090 ocil_clause: 'it is not disabled' ocil: |- To verify that add-ons and plugins cannot automatically update, run the following command:
$ grep 'extensions.update.enabled' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("extensions.update.enabled", false);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-auto-download_actions.rule000066400000000000000000000020471327242345500331140ustar00rootroot00000000000000documentation_complete: true title: 'Disable Automatic Downloads of MIME Types' description: |- MIME type files are automatically downloaded or executed in Firefox. This can be disabled by setting browser.helperApps.alwaysAsk.force to true. rationale: |- The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows users to change the specified download action so that the file is opened with a selected external application or saved to disk instead. severity: medium identifiers: cce: "" references: disa: "" nist: DCMC-1 stigid: DTBF100 ocil_clause: 'it is not disabled' ocil: |- To verify that user interaction is required for the downloading of MIME types, run the following command:
$ grep 'browser.helperApps.alwaysAsk.force' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("browser.helperApps.alwaysAsk.force", true);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-auto-update_of_firefox.rule000066400000000000000000000020101327242345500332450ustar00rootroot00000000000000documentation_complete: true title: 'Disable Firefox Auto-Update Capability' description: |- Firefox can be set to automatically update itself as new updates are released. This can be disabled by setting app.update.enabled to false. rationale: |- Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, then there are many other default settings which point to untrusted sites which must be changed to point to an authorized update site that is not publicly accessible. severity: medium identifiers: cce: "" references: disa: "" nist: ECSC-1 stigid: DTBF080 ocil_clause: 'it is not disabled' ocil: |- To verify that Firefox cannot auto-update, run the following command:
$ grep 'app.update.enabled' FIREFOX_INSTALL_DIR/*.cfg
The output should return:
lockPref("app.update.enabled", false);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-autofill_forms.rule
documentation_complete: true

title: 'Disable Autofill Form Assistance'

description: |-
    Firefox provides tools to auto-fill forms from prefilled information.
    This can be disabled by setting browser.formfill.enable to false.

rationale: |-
    In order to protect privacy and sensitive data, Firefox provides the ability to
    configure Firefox such that data entered into forms is not saved. This mitigates
    the risk of a website gleaning private information from prefilled information.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF140

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that Autofill Form Assistance is disabled, run the following command:
    $ grep 'browser.formfill.enable' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("browser.formfill.enable", false);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-autofill_passwords.rule
documentation_complete: true

title: 'Disable User Ability To Autofill Passwords'

description: |-
    Firefox automatically allows users to save passwords to be auto-filled into
    password forms. This can be disabled by setting signon.prefillForms to false.

rationale: |-
    While on the internet, it may be possible for an attacker to view the saved
    password files and gain access to the user's accounts on various hosts.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF150

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that password autofill is disabled, run the following command:
    $ grep 'signon.prefillForms' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("signon.prefillForms", false);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-cookies/firefox_preferences-cookies.group
documentation_complete: true

title: 'Clearing Cookies And Other Data'

description: |-
    Browser preferences should be set to perform a Clear Private Data operation when
    closing the browser in order to clear cookies and other data installed by websites
    visited during the session.

scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-cookies/firefox_preferences-cookies_clear.rule
documentation_complete: true

title: 'Clear Data When Firefox Closes'

description: |-
    When a user browses to a website, cookies and other types of data get stored on
    the system. Clearing this data on shutdown can be enabled by setting
    privacy.sanitize.sanitizeOnShutdown to true.

rationale: |-
    Cookies can help websites perform better but can also be part of spyware. To
    mitigate this risk, set browser preferences to perform a Clear Private Data
    operation when closing the browser in order to clear cookies and other data
    installed by websites visited during the session.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF170

ocil_clause: 'it is not set to clear'

ocil: |-
    To verify that Firefox clears data on exit, run the following command:
    $ grep 'privacy.sanitize.sanitizeOnShutdown' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("privacy.sanitize.sanitizeOnShutdown", true);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-cookies/firefox_preferences-cookies_user_notice.rule
documentation_complete: true

title: 'Disable User Prompt When Data Is Cleared'

description: |-
    By default, users are asked if it is okay to clear out cookies and data when
    Firefox closes. This can be disabled by setting
    privacy.sanitize.promptOnSanitize to false.

rationale: |-
    Cookies can help websites perform better but can also be part of spyware. To
    mitigate this risk, set browser preferences to perform a Clear Private Data
    operation when closing the browser in order to clear cookies and other data
    installed by websites visited during the session.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF170

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that Firefox does not prompt users about data being cleared, run the
    following command:
    $ grep 'privacy.sanitize.promptOnSanitize' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("privacy.sanitize.promptOnSanitize", false);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-dod_root_certificate/firefox_preferences-dod_root_certificate.group
documentation_complete: true

title: 'The DoD Root Certificate Is Required'

description: |-
    The Shared System Certificates store contains certificates that applications can
    access for a single certificate repository. If enabled, Firefox can access that
    single system certificate repository. If the DoD root certificate is also
    installed into the shared system certificate repository, Firefox will see and
    use the DoD root certificate as a valid certificate authority.

scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-dod_root_certificate/firefox_preferences-dod_root_certificate_installed.rule
documentation_complete: true

title: 'The DoD Root Certificate Exists'

description: |-
    The DoD root certificate should be installed in the Shared System Certificates
    store for Firefox to be able to access the DoD certificate. To install the root
    certificate into the Shared System Certificates store, copy the DoD root
    certificate into /etc/pki/ca-trust/source/anchors. Once the file is copied, run
    the following command:
    $ sudo update-ca-trust extract

rationale: |-
    The DoD root certificate will ensure that the trust chain is established for
    server certificates issued from the DoD CA.

severity: medium

identifiers:
    cce: 27457-1

references:
    disa: 54
    nist: AC-10

ocil_clause: 'it is not installed'

ocil: |-
    To verify that the DoD root certificate is installed, list all certificates in
    /etc/pki/ca-trust/source/anchors and compare them to the DoD root certificate.
    If there is a match to the DoD root certificate, then the DoD root certificate
    is installed.

scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-dod_root_certificate/firefox_preferences-enable_ca_trust.rule
documentation_complete: true

title: 'Enable Shared System Certificates'

description: |-
    The Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java share
    a default source for retrieving system certificate anchors and blacklist
    information. Firefox has the capability of using this centralized store for its
    CA certificates. If the Shared System Certificates store is disabled, it can be
    enabled by running the following command:
    $ sudo update-ca-trust enable

rationale: |-
    The DoD root certificate will ensure that the trust chain is established for
    server certificates issued from the DoD CA.

severity: medium

identifiers:
    cce: 27457-1

references:
    disa: 54
    nist: AC-10

ocil_clause: 'it is not enabled'

ocil: |-
    To verify that the central system certificate authority store is enabled, run
    the following command:
    $ ls -l /etc/alternatives/libnssckbi.so.x86_64
    The output should return something similar to:
    lrwxrwxrwx. 1 root root 34 Apr 30 09:19 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/pkcs11/p11-kit-trust.so
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-home_page.rule
documentation_complete: true

title: 'Default Firefox Home Page Configured'

description: |-
    The default home page is set to a vendor's defined website or Firefox's own
    website. This can be changed to an organizationally defined website or
    about:blank. To set the default home page, set browser.startup.homepage to
    the organizationally defined home page.

rationale: |-
    The browser home page parameter specifies the web page that is to be displayed
    when the browser is started explicitly and when product-specific buttons or key
    sequences for the home page are accessed. This helps to mitigate the possibility
    of automatic inadvertent execution of scripts added to a previously safe site.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF017

ocil_clause: 'it is not configured'

ocil: |-
    To verify that the default home page is set, run the following command:
    $ grep 'browser.startup.homepage' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("browser.startup.homepage", "");
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-javascript_context_menus.rule
documentation_complete: true

title: 'Disable JavaScript Context Menus'

description: |-
    JavaScript can configure and make changes to the web browser's appearance by
    specifically disabling or replacing context menus. This can be disabled by
    setting dom.event.contextmenu.enabled to false.

rationale: |-
    A website may execute JavaScript that can make changes to these context menus.
    This can help disguise an attack.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF183

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that JavaScript cannot change context menus, run the following command:
    $ grep 'dom.event.contextmenu.enabled' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("dom.event.contextmenu.enabled", false);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-javascript_status_bar_changes.rule
documentation_complete: true

title: 'Disable JavaScript''s Ability To Change The Status Bar'

description: |-
    JavaScript can configure and make changes to the web browser's appearance by
    specifically hiding or changing the status bar. This can be disabled by setting
    dom.disable_window_status_change to true.

rationale: |-
    When a user visits some webpages, JavaScript can hide or make changes to the
    browser's appearance to hide unauthorized activity. This activity can help
    disguise an attack taking place in a minimized background window.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF184

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that JavaScript cannot change the status bar, run the following command:
    $ grep 'dom.disable_window_status_change' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("dom.disable_window_status_change", true);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-javascript_status_bar_text.rule
documentation_complete: true

title: 'Disable JavaScript''s Ability To Modify The Browser Appearance'

description: |-
    JavaScript can configure and make changes to the web browser's appearance by
    specifically hiding the status bar from view. This can be disabled by setting
    dom.disable_window_open_feature.status to true.

rationale: |-
    JavaScript can make changes to the browser's appearance. This activity can help
    disguise an attack taking place in a minimized background window. Webpage
    authors can disable many features of a popup window that they open. This setting
    prevents the status bar from being hidden.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF185

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that JavaScript cannot change the browser appearance, run the following
    command:
    $ grep 'dom.disable_window_open_feature.status' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("dom.disable_window_open_feature.status", true);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-javascript_window_changes.rule
documentation_complete: true

title: 'Disable JavaScript''s Raise Or Lower Windows Capability'

description: |-
    JavaScript can configure and make changes to the web browser's appearance by
    specifically raising and lowering windows. This can be disabled by setting
    dom.disable_window_flip to true.

rationale: |-
    JavaScript can make changes to the browser's appearance. Allowing a website to
    use JavaScript to raise and lower browser windows may disguise an attack.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF182

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that JavaScript cannot raise or lower windows, run the following command:
    $ grep 'dom.disable_window_flip' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("dom.disable_window_flip", true);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-javascript_window_resizing.rule
documentation_complete: true

title: 'Disable JavaScript''s Moving Or Resizing Windows Capability'

description: |-
    JavaScript can configure and make changes to the web browser's appearance by
    specifically moving and resizing browser windows. This can be disabled by
    setting dom.disable_window_move_resize to true.

rationale: |-
    JavaScript can make changes to the browser's appearance. This activity can help
    disguise an attack taking place in a minimized background window.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF181

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that JavaScript cannot move or resize windows, run the following
    command:
    $ grep 'dom.disable_window_move_resize' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("dom.disable_window_move_resize", true);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-lock_settings/firefox_preferences-lock_settings.group
documentation_complete: true

title: 'Prevent Users from Changing Firefox Configuration Settings'

description: 'Firefox required security preferences cannot be changed by users.'

scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-lock_settings/firefox_preferences-lock_settings_config_file.rule
documentation_complete: true

title: 'Set Firefox Configuration File Location'

description: |-
    Specify the Firefox configuration file location by setting
    general.config.filename to the name of the configuration file
    (i.e. mozilla.cfg) that contains the Firefox security preferences.

rationale: |-
    Locked settings prevent users from accessing about:config and changing the
    security settings set by the system administrator.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF070

ocil_clause: 'users can change mandatory settings'

ocil: |-
    To verify that the configuration filename is set, run the following command:
    $ grep 'filename' FIREFOX_INSTALL_DIR/defaults/preferences/*.js
    The output should return something similar to:
    pref("general.config.filename", "mozilla.cfg");
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-lock_settings/firefox_preferences-lock_settings_obscure.rule
documentation_complete: true

title: 'Disable Firefox Configuration File ROT-13 Encoding'

description: |-
    Disable ROT-13 encoding by setting general.config.obscure_value to 0.

rationale: |-
    ROT-13 encoding prevents system administrators from easily configuring and
    deploying Firefox configuration settings. It also prevents automated security
    tools from easily validating the settings.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF070

ocil_clause: 'users can change mandatory settings'

ocil: |-
    To verify that ROT-13 encoding is disabled, run the following command:
    $ grep 'obscure_value' FIREFOX_INSTALL_DIR/defaults/preferences/*.js
    The output should return something similar to:
    pref("general.config.obscure_value", 0);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-non-secure_page_warning.rule
documentation_complete: true

title: 'Enable Non-Secure Page Warnings'

description: |-
    When users browse websites, web pages can switch between secure and non-secure
    protocols. Users can be warned each time by setting
    security.warn_leaving_secure to true.

rationale: |-
    Users may not be aware that the information being viewed under secure conditions
    on a previous page is not currently being viewed under the same security settings.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF130

ocil_clause: 'it is not enabled'

ocil: |-
    To verify that non-secure page warnings are enabled, run the following command:
    $ grep 'security.warn_leaving_secure' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("security.warn_leaving_secure", true);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-open_confirmation.rule
documentation_complete: true

title: 'Enable Downloading and Opening File Confirmation'

description: |-
    To have an action dialog box appear prompting users what action to take when
    certain types of files are downloaded or opened, set
    plugin.disable_full_page_plugin_for_types to the organizationally required
    list of file types.

rationale: |-
    When the user receives a dialog box asking if they want to save the file or open
    it with a specified application, this indicates that a plugin does not exist.
    Also, the user has not previously selected a download action or helper
    application to automatically use for that type of file. When prompted, if the
    user checks the option to 'Do this automatically for files like this from now
    on', then an entry will appear for that type of file in the plugins listing, and
    this file type is automatically opened in the future. This can be a security
    issue. New file types cannot be added directly to the Application plugin listing.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF110

ocil_clause: 'it is not set or application listing is incorrect'

ocil: |-
    To verify that downloading and opening file confirmation is enabled, run the
    following command:
    $ grep 'plugin.disable_full_page_plugin_for_types' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("plugin.disable_full_page_plugin_for_types", "");
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-password_store.rule
documentation_complete: true

title: 'Disable the Firefox Password Store'

description: |-
    Firefox allows users to store passwords whether or not a master password is set
    for the password store. To disable the storing of passwords, set
    signon.rememberSignons to false.

rationale: |-
    Autofill of a password can be enabled when a site is visited. This feature could
    also be used to autofill the certificate PIN, which could lead to compromise of
    DoD information.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF160

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that the password store is disabled, run the following command:
    $ grep 'signon.rememberSignons' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("signon.rememberSignons", false);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-pop-up_windows.rule
documentation_complete: true

title: 'Enable Firefox Pop-up Blocker'

description: |-
    The pop-up blocker can be enabled by setting dom.disable_open_during_load
    to true.

rationale: |-
    Popup windows may be used to launch an attack within a new browser window with
    altered settings.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF180

ocil_clause: 'it is not enabled'

ocil: |-
    To verify that the pop-up blocker is enabled, run the following command:
    $ grep 'dom.disable_open_during_load' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("dom.disable_open_during_load", true);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-search_update.rule
documentation_complete: true

title: 'Disable Installed Search Plugins Update Checking'

description: |-
    Firefox automatically checks for updated versions of search plugins. To disable
    the automatic updates of plugins, set browser.search.update to false.

rationale: |-
    Updates need to be controlled and installed from authorized and trusted servers.
    This setting overrides a number of other settings which may direct the
    application to access external URLs.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF085

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that search plugins cannot automatically update, run the following
    command:
    $ grep 'browser.search.update' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("browser.search.update", false);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-shell_protocol.rule
documentation_complete: true

title: 'Disable Firefox Access to Shell Protocols'

description: |-
    Access to the shell is disabled by default but can be changed. To prevent shell
    access from being enabled, set network.protocol-handler.external.shell to false.

rationale: |-
    If enabled, this setting would allow the browser to access the Windows shell.
    This could allow access to the underlying system.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF105

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that shell protocol access is disabled, run the following command:
    $ grep 'network.protocol-handler.external.shell' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("network.protocol-handler.external.shell", false);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-ssl_protocol_tls.rule
documentation_complete: true

title: 'Enable TLS Usage in Firefox'

description: 'To enable TLS, set security.enable_tls to true.'

rationale: |-
    Earlier versions of SSL have known security vulnerabilities and are not
    authorized for use in DoD environments.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF030

ocil_clause: 'it is not enabled'

ocil: |-
    To verify that TLS is enabled, run the following command:
    $ grep 'security.enable_tls' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("security.enable_tls", true);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-ssl_version_2.rule
documentation_complete: true

title: 'Disable SSL Version 2.0 in Firefox'

description: |-
    SSL version 2 is not enabled by default and should not be enabled. To prevent
    SSL version 2 from being enabled, set security.enable_ssl2 to false.

rationale: |-
    Use of versions prior to TLS 1.0 is not permitted because these versions are
    non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF010

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that SSL version 2.0 is disabled, run the following command:
    $ grep 'security.enable_ssl2' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("security.enable_ssl2", false);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-ssl_version_3.rule
documentation_complete: true

title: 'Disable SSL Version 3.0 in Firefox'

description: |-
    SSL version 3.0 is vulnerable and should be disabled by setting
    security.enable_ssl3 to false.

rationale: |-
    Earlier versions of SSL have known security vulnerabilities and are not
    authorized for use in DoD.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF020

ocil_clause: 'it is not disabled'

ocil: |-
    To verify that SSL version 3.0 is disabled, run the following command:
    $ grep 'security.enable_ssl3' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("security.enable_ssl3", false);
scap-security-guide-0.1.39/firefox/guide/firefox/firefox_preferences-verification.rule
documentation_complete: true

title: 'Enable Certificate Verification'

description: |-
    Firefox can be configured to prompt the user to choose a certificate to present
    to a website when asked. To enable certificate verification, set
    security.default_personal_cert to Ask Every Time.

rationale: |-
    Websites within DoD require user authentication for access which increases
    security for DoD information. Access will be denied to the user if certificate
    management is not configured.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ECSC-1
    stigid: DTBF050

ocil_clause: 'it is not enabled'

ocil: |-
    To verify that certificate verification is enabled, run the following command:
    $ grep 'security.default_personal_cert' FIREFOX_INSTALL_DIR/*.cfg
    The output should return:
    lockPref("security.default_personal_cert", "Ask Every Time");
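The preference rules above all reduce to the same two mechanical steps: point Firefox at a plain-text mozilla.cfg from defaults/preferences (the lock_settings rules), and make sure every required lockPref() line is present with the right value type. The script below is an added example, not part of the SCAP Security Guide or the DISA STIG: it writes both files into a directory you name and then audits them with the same kind of grep the OCIL checks use. It assumes the install directory is passed in (on RHEL it is normally /usr/lib64/firefox), uses about:blank as the home page and a two-entry placeholder for the required MIME list, and uses Firefox's actual preference names where the rules above abbreviate them (app.update.enabled for auto-update, dom.disable_open_during_load for the pop-up blocker). It also flags the most common deployment mistake, writing a boolean as the string "true": lockPref("x", "true") creates a string preference, and Firefox refuses to change the type of an existing boolean, reports a failed configuration file, and stops processing the rest of the cfg, so every preference after that line is left unlocked.

```shell
#!/bin/sh
# Added example (not part of the SCAP Security Guide or the DISA STIG).
# Writes the two files that lock Firefox preferences and audits the result
# the way the OCIL checks do, with grep. Assumptions: the installation
# directory is passed in (on RHEL it is normally /usr/lib64/firefox), the
# home page is about:blank and the MIME list is a short placeholder.

# One expected lockPref() line per rule. Booleans and integers are bare;
# only genuinely string-typed preferences are quoted.
expected_lines() {
    cat <<'EOF'
lockPref("app.update.enabled", false);
lockPref("browser.search.update", false);
lockPref("browser.formfill.enable", false);
lockPref("signon.prefillForms", false);
lockPref("signon.rememberSignons", false);
lockPref("privacy.sanitize.sanitizeOnShutdown", true);
lockPref("privacy.sanitize.promptOnSanitize", false);
lockPref("network.protocol-handler.external.shell", false);
lockPref("dom.disable_open_during_load", true);
lockPref("dom.disable_window_move_resize", true);
lockPref("dom.disable_window_flip", true);
lockPref("dom.event.contextmenu.enabled", false);
lockPref("dom.disable_window_status_change", true);
lockPref("dom.disable_window_open_feature.status", true);
lockPref("security.warn_leaving_secure", true);
lockPref("security.enable_ssl2", false);
lockPref("security.enable_ssl3", false);
lockPref("security.enable_tls", true);
lockPref("security.default_personal_cert", "Ask Every Time");
lockPref("browser.startup.homepage", "about:blank");
lockPref("plugin.disable_full_page_plugin_for_types", "application/pdf,application/doc");
EOF
}

# write_autoconfig DIR: create DIR/defaults/preferences/local-settings.js
# and DIR/mozilla.cfg (placeholder values, see above).
write_autoconfig() {
    dir="$1"
    mkdir -p "$dir/defaults/preferences"
    # The stub uses pref(), names the cfg by file name only (it lives in the
    # install directory) and sets obscure_value to 0 so the cfg stays plain
    # text that grep and SCAP content can read.
    cat > "$dir/defaults/preferences/local-settings.js" <<'EOF'
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
EOF
    # Firefox skips the first line of the cfg, so it must be a comment.
    { echo '// Firefox autoconfig: preferences locked by the site administrator'
      expected_lines; } > "$dir/mozilla.cfg"
}

# audit_stub JS: 0 if the stub points at mozilla.cfg with ROT-13 disabled.
audit_stub() {
    grep -qxF 'pref("general.config.filename", "mozilla.cfg");' "$1" &&
    grep -qxF 'pref("general.config.obscure_value", 0);' "$1"
}

# audit_cfg CFG: report every expected line that is absent and every
# boolean/integer written as a quoted string; 0 only if both lists are empty.
audit_cfg() {
    cfg="$1"
    missing=$(expected_lines | while IFS= read -r line; do
        grep -qxF -- "$line" "$cfg" || echo "MISSING: $line"
    done)
    # lockPref("x", "true") creates a *string* preference. Firefox will not
    # change the type of an existing boolean pref; it reports a failed
    # configuration file and stops processing the rest of the cfg, so
    # nothing after that line is locked.
    quoted=$(grep -nE '^(lock|default)?[pP]ref\("[^"]+", *"(true|false|[0-9]+)"\);' "$cfg" |
             sed 's/^/QUOTED: /')
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -n "$quoted" ] && printf '%s\n' "$quoted"
    [ -z "$missing" ] && [ -z "$quoted" ]
}
```

Source the file and run `write_autoconfig /usr/lib64/firefox` on a test host, then `audit_cfg /usr/lib64/firefox/mozilla.cfg` and `audit_stub /usr/lib64/firefox/defaults/preferences/local-settings.js`; a zero exit from both is the pass condition, and any MISSING or QUOTED line names the rule that would fail its OCIL check. Replace the placeholder home page and MIME list with the values of var_default_home_page and var_required_file_types before deploying.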
scap-security-guide-0.1.39/firefox/guide/firefox/installed_firefox_version_supported.rule
documentation_complete: true

title: 'Supported Version of Firefox Installed'

description: |-
    If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or
    a yum server, run the following command to install updates:
    $ sudo yum update
    If the system is not configured to use one of these sources, updates (in the
    form of RPM packages) can be manually downloaded and installed using rpm.

rationale: |-
    Use of versions of an application which are not supported by the vendor is not
    permitted. Vendors respond to security flaws with updates and patches. These
    updates are not available for unsupported versions, which can leave the
    application vulnerable to attack.

severity: high

identifiers:
    cce: ""

references:
    disa: ""
    nist: DCMC-1
    stigid: DTBF003

ocil_clause: 'it is not updated'

ocil: |-
    If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or
    a yum server which provides updates, invoking the following command will
    indicate if updates are available:
    $ sudo yum check-update
    If the system is not configured to update from one of these sources, run the
    following command to list when each package was last updated:
    $ rpm -qa --last
    Compare this to the Red Hat Security Advisories (RHSA) listed at to determine
    if the system is missing applicable updates.

scap-security-guide-0.1.39/firefox/guide/firefox/var_default_home_page.var
documentation_complete: true

title: 'The Default Firefox Home Page'

description: 'The default home page for Firefox users.'

type: string

operator:

interactive: false

options:
    about_blank: about:blank
    default:

scap-security-guide-0.1.39/firefox/guide/firefox/var_required_file_types.var
documentation_complete: true

title: 'The Default Required Firefox File Types'

description: |-
    The default required file types that need to request usage confirmation in
    Firefox.

type: string

operator:

interactive: false

options:
    default: application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks

scap-security-guide-0.1.39/firefox/guide/guide.benchmark
---
documentation_complete: true

title: Guide to the Secure Configuration of

status: draft

description: |
    This guide presents a catalog of security-relevant configuration settings for .
    It is a rendering of content structured in the eXtensible Configuration
    Checklist Description Format (XCCDF) in order to support security automation.
    The SCAP content is available in the scap-security-guide package which is
    developed at .

    Providing system administrators with such guidance informs them how to securely
    configure systems under their control in a variety of network roles. Policy
    makers and baseline creators can use this catalog of settings, with its
    associated references to higher-level security control catalogs, in order to
    assist them in security baseline creation. This guide is a catalog, not a
    checklist, and satisfaction of every item is not likely to be possible or
    sensible in many operational scenarios. However, the XCCDF format enables
    granular selection and adjustment of settings, and their association with OVAL
    and OCIL content provides an automated checking capability. Transformations of
    this document, and its associated automated checking content, are capable of
    providing baselines that meet a diverse set of policy objectives. Some example
    XCCDF Profiles, which are selections of items that form checklists and can be
    used as baselines, are available with this guide. They can be processed, in an
    automated fashion, with tools that support the Security Content Automation
    Protocol (SCAP). The DISA STIG for , which provides required settings for US
    Department of Defense systems, is one example of a baseline created from this
    guidance.

notice:
    id: terms_of_use
    description: |
        Do not attempt to implement any of the settings in this guide without first
        testing them in a non-operational environment. The creators of this guidance
        assume no responsibility whatsoever for its use by other parties, and make
        no guarantees, expressed or implied, about its quality, reliability, or any
        other characteristic.

front-matter: |
    The SCAP Security Guide Project
rear-matter: | Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. cpes: - version: 0.9 scap-security-guide-0.1.39/firefox/overlays/000077500000000000000000000000001327242345500210075ustar00rootroot00000000000000scap-security-guide-0.1.39/firefox/overlays/stig_overlay.xml000066400000000000000000000156061327242345500242500ustar00rootroot00000000000000 Installed version of Firefox unsupported. The Firefox SSLV2 parameter is configured to allow use of SSL 2.0. The Firefox browser home page is not set to blank or a trusted site. Firefox is configured to allow use of SSL 3.0. Firefox is not configured to allow use of TLS 1.0. FireFox is configured to ask which certificate to present to a web site when a certificate is required. Firefox required security preferences can not be changed by user. Firefox application is set to auto-update. Firefox automatically checks for updated version of installed Search plugins. Firefox automatically updates installed add-ons and plugins. Firefox automatically executes or downloads MIME types which are not authorized for auto-download. Network shell protocol is enabled in FireFox. Firefox not configured to prompt user before download and opening for required file types. FireFox plug-in for ActiveX controls is installed. Firefox is not configured to provide warnings when a user switches from a secure (SSL-enabled) to a non-secure page. Firefox formfill assistance option is disabled. Firefox is configured to autofill passwords. FireFox is configured to use a password store with or without a master password. Firefox does not clear cookies upon closing. FireFox is not configured to block pop-up windows. FireFox is configured to allow JavaScript to move or resize windows. Firefox is configured to allow JavaScript to raise or lower windows. 
Firefox must be configured to prevent JavaScript from disabling or replacing context menus.
Firefox is configured to allow JavaScript to hide or change the status bar.
Firefox is configured to allow JavaScript to change the status bar text.
The DOD Root Certificate is not installed.

File: scap-security-guide-0.1.39/firefox/product.yml
product: firefox
benchmark_root: "./guide"
profiles_root: "./profiles"

File: scap-security-guide-0.1.39/firefox/profiles/stig-firefox-upstream.profile
documentation_complete: true

title: 'Upstream Firefox STIG'

description: |-
    This profile is developed under the DoD consensus model and DISA FSO Vendor STIG
    process, serving as the upstream development environment for the Firefox STIG.

    As a result of the upstream/downstream relationship between the SCAP Security
    Guide project and the official DISA FSO STIG baseline, users should expect
    variance between SSG and DISA FSO content. For official DISA FSO STIG content,
    refer to http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx.

    While this profile is packaged by Red Hat as part of the SCAP Security Guide
    package, please note that commercial support of this SCAP content is NOT
    available. This profile is provided as example SCAP content with no endorsement
    for suitability or production readiness. Support for this profile is provided by
    the upstream SCAP Security Guide community on a best-effort basis. The upstream
    project homepage is https://www.open-scap.org/security-policies/scap-security-guide/.
selections:
    - var_default_home_page=about_blank
    - var_required_file_types=default
    - firefox_preferences-dod_root_certificate_installed
    - firefox_preferences-enable_ca_trust
    - firefox_preferences-addons_plugin_updates
    - firefox_preferences-auto-download_actions
    - firefox_preferences-autofill_forms
    - firefox_preferences-autofill_passwords
    - firefox_preferences-auto-update_of_firefox
    - firefox_preferences-cookies_clear
    - firefox_preferences-cookies_user_notice
    - firefox_preferences-lock_settings_obscure
    - firefox_preferences-lock_settings_config_file
    - firefox_preferences-open_confirmation
    - firefox_preferences-password_store
    - firefox_preferences-search_update
    - firefox_preferences-shell_protocol
    - firefox_preferences-ssl_version_2
    - firefox_preferences-ssl_protocol_tls
    - firefox_preferences-verification
    - firefox_preferences-ssl_version_3
    - firefox_preferences-home_page
    - installed_firefox_version_supported
    - firefox_preferences-javascript_status_bar_text
    - firefox_preferences-javascript_context_menus
    - firefox_preferences-javascript_status_bar_changes
    - firefox_preferences-javascript_window_resizing
    - firefox_preferences-javascript_window_changes
    - firefox_preferences-non-secure_page_warning
    - firefox_preferences-pop-up_windows

File: scap-security-guide-0.1.39/firefox/transforms/cci2html.xsl (XSLT markup stripped; no text recovered)

File: scap-security-guide-0.1.39/firefox/transforms/constants.xslt (XSLT markup stripped; remaining text)
Firefox Firefox FIREFOX_STIG firefox empty FIREFOX cpe:/a:mozilla:firefox

File: scap-security-guide-0.1.39/firefox/transforms/shorthand2xccdf.xslt (XSLT markup stripped; remaining text)
unknown unlinked-firefox-oval.xml
File: scap-security-guide-0.1.39/firefox/transforms/table-add-srgitems.xslt (XSLT markup stripped; no text recovered)
File: scap-security-guide-0.1.39/firefox/transforms/table-sortbyref.xslt (XSLT markup stripped; no text recovered)
File: scap-security-guide-0.1.39/firefox/transforms/table-srgmap.xslt (XSLT markup stripped; no text recovered)
File: scap-security-guide-0.1.39/firefox/transforms/table-style.xslt (XSLT markup stripped; no text recovered)
File: scap-security-guide-0.1.39/firefox/transforms/xccdf-apply-overlay-stig.xslt (XSLT markup stripped; no text recovered)

File: scap-security-guide-0.1.39/firefox/transforms/xccdf2csv-stig.py
#!/usr/bin/env python2

import sys

# always use shared/modules version
SHARED_MODULE_PATH = "../../shared/modules"
sys.path.insert(0, SHARED_MODULE_PATH)

import xccdf2csv_stig_module

if __name__ == "__main__":
    xccdf2csv_stig_module.main()

File: scap-security-guide-0.1.39/firefox/transforms/xccdf2stigformat.xslt (XSLT markup stripped; no text recovered)
File: scap-security-guide-0.1.39/firefox/transforms/xccdf2table-byref.xslt (XSLT markup stripped; no text recovered)
File: scap-security-guide-0.1.39/firefox/transforms/xccdf2table-cce.xslt (XSLT markup stripped; no text recovered)
File: scap-security-guide-0.1.39/firefox/transforms/xccdf2table-profileccirefs.xslt (XSLT markup stripped; no text recovered)
File: scap-security-guide-0.1.39/firefox/transforms/xccdf2table-profilecisrefs.xslt (XSLT markup stripped; no text recovered)
File: scap-security-guide-0.1.39/firefox/transforms/xccdf2table-profilenistrefs.xslt (XSLT markup stripped; no text recovered)
File: scap-security-guide-0.1.39/firefox/transforms/xccdf2table-stig.xslt (XSLT markup stripped; no text recovered)

File: scap-security-guide-0.1.39/fuse6/CMakeLists.txt
# Sometimes our users will try to do: "cd jboss_fuse6; cmake ." That needs to error in a nice way.
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!")
endif()

ssg_build_product("fuse6")

File: scap-security-guide-0.1.39/fuse6/checks/oval/installed_app_is_fuse6.xml (OVAL markup stripped; remaining text)
JBoss Fuse 6 JBoss Fuse 6 The application installed is Fuse 6. FUSE_HOME /etc config.properties karaf\.framework\.felix=.*org\.apache\.felix\.framework-([0-9a-z\.-]{18})\.jar 1 4.0.3.redhat-60024

File: scap-security-guide-0.1.39/fuse6/checks/oval/jboss_karaf-vender_supported_version.xml (OVAL markup stripped; remaining text)
JBoss Fuse 6 JBoss Fuse 6 Fuse 6 is a vendor supported version.
FUSE_HOME config.properties karaf\.framework\.felix=.*org\.apache\.felix\.framework-([0-9a-z\.-]{18})\.jar 1 4.0.3.redhat-60024 /etc/

File: scap-security-guide-0.1.39/fuse6/cpe/fuse6-cpe-dictionary.xml (XML markup stripped; remaining text)
JBoss Fuse 6.0 installed_app_is_fuse6

File: scap-security-guide-0.1.39/fuse6/guide.xslt (XSLT markup stripped; remaining text)
A conditional clause for check statements. A conditional clause for check statements. This is a placeholder.

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/amq/amq.group
documentation_complete: true

title: 'Apache ActiveMQ Configuration'

description: |-
    The rules in this group validate Apache ActiveMQ related items.

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/amq/jboss_activemq-cleartext_passwords.rule
documentation_complete: true

title: 'Disable or Remove Clear-Text Passwords'

description: |-
    Eliminate clear-text passwords in JBoss configuration files. All passwords should
    be encrypted and all password files should have restricted file permissions.

rationale: |-
    Clear-text passwords are an unnecessary security vulnerability. While risk of
    exposure can be mitigated through configured permissions and file ownership,
    these methods do not completely remediate the risk.
severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: SC-28

ocil_clause: 'passwords are not encrypted'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/amq/jboss_activemq-default_roles_removed.rule
documentation_complete: true

title: 'Ensure No Default Roles Exist'

description: |-
    Remove, rename, or comment out the default roles defined in .properties files.

rationale: |-
    Default configurations are commonly leveraged by attackers to gain entry into
    closed systems. Removing, renaming, or commenting out default roles makes
    malicious exploitation more complex.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: IA-5

ocil_clause: 'default JBoss roles should not exist'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/amq/jboss_activemq-default_users_removed.rule
documentation_complete: true

title: 'Ensure No Default User Accounts Exist'

description: |-
    Remove, rename, or comment out the default user accounts defined in .properties
    files.

rationale: |-
    Default configurations are commonly leveraged by attackers to gain entry into
    closed systems. Removing, renaming, or commenting out default user accounts makes
    malicious exploitation more complex.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: IA-5

ocil_clause: 'default JBoss users should not exist'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/amq/jboss_activemq-encrypted_passwords.rule
documentation_complete: true

title: 'Stored Passwords Must Be Encrypted'

description: 'Stored passwords must be encrypted.'

rationale: |-
    Passwords need to be protected at all times and encryption is the standard
    method for protecting passwords. If passwords are not encrypted, they can be
    plainly read and easily compromised.
severity: high

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'passwords are not encrypted'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/amq/jboss_activemq-file_permissions.rule
documentation_complete: true

title: |-
    Ensure Only Administrators Can Modify Configuration Files

description: |-
    Server should be protected with permission sets which allow only an application
    administrator to modify application resource configuration files.

rationale: |-
    An access control flaw exists if users or processes can view or modify data to
    which they should not be permitted. This could result in situations ranging from
    information disclosure to system compromise and could potentially result in the
    compromise of other systems on the network.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'non-administrators can modify files'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/amq/jboss_activemq-java_aaa_service.rule
documentation_complete: true

title: |-
    Ensure Default System Java Authentication and Authorization Service Is In Use

description: |-
    Using the default system JAAS configuration ensures user identification and
    authentication are performed by JBoss Fuse.

rationale: |-
    Using an administrator specified JAAS configuration enables a more rigorous
    security posture.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: CM-6

ocil_clause: 'JAAS is not configured'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/amq/jboss_activemq-pki_dod_certificates.rule
documentation_complete: true

title: 'All PKI Certificates Are Valid DoD Certificates'

description: |-
    All PKI Certificates in use should be valid at the time of use.
rationale: |-
    By using invalid certificates the server may allow unauthorized users access to
    the system.

severity: high

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'PKI certificates are not DoD'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/amq/jboss_activemq-pki_web_console.rule
documentation_complete: true

title: 'Ensure ActiveMQ Web Console is using PKI'

description: 'PKI should be enabled for the Web Console.'

rationale: |-
    All applications requiring user authentication to access sensitive data must be
    PKI-enabled in compliance with DoDI 8520.2 PKI and PKI Enabling and are required
    to use credentials approved under the DoD PKI program.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'PKI is not enabled for the web console'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/amq/jboss_activemq-security_config_attributes.rule
documentation_complete: true

title: |-
    Ensure Administrators Can Only Change Security Related Configuration Attributes

description: |-
    Security attributes are typically associated with internal data structures and
    configuration (e.g., application deployment, logging, monitoring) within the
    application server and are used to enable the implementation of access control
    and flow control policies, reflect special dissemination, handling or
    distribution instructions, or support other aspects of the organizational
    information security policy.

rationale: |-
    If unauthorized entities were able to change security attributes, the integrity
    and/or confidentiality of the server could be compromised.
severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'non-administrators can change configuration attributes'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/amq/jboss_activemq-ssl_enabled.rule
documentation_complete: true

title: 'SSL Is Enabled on the ActiveMQ Web Console'

description: |-
    The server must utilize cryptography to protect the confidentiality of remote
    access management sessions.

rationale: |-
    If cryptography is not used, then the session data traversing the remote
    connection could be intercepted and compromised.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'SSL is not enabled on the web console'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/camel/camel.group
documentation_complete: true

title: 'Apache Camel Configuration'

description: |-
    The rules in this group validate Apache Camel related items.

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/cxf/cxf.group
documentation_complete: true

title: 'Apache CXF Configuration'

description: |-
    The rules in this group validate Apache CXF related items.

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/fuse6.group
documentation_complete: true

title: 'JBoss Fuse 6'

description: |-
    JBoss Fuse is an open source Enterprise Service Bus (ESB) with an elastic
    footprint that supports integration beyond the data center.
    The lack of license fees and the ability to deploy JBoss Fuse in several
    different configurations advances intelligent integration to all facets of your
    business – on premise or in the Cloud.

    JBoss Fuse combines Apache Camel, Apache CXF, Apache ActiveMQ, Apache Karaf and
    Fuse Fabric in a single integrated distribution. Core messaging is provided by
    Apache ActiveMQ, the services framework (SOAP, XML/HTTP, RESTful HTTP) is provided
    by Apache CXF and the integration framework is provided by Apache Camel. Apache
    Karaf provides a lightweight OSGi-based runtime container.

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-config_file_permissions.rule
documentation_complete: true

title: 'Ensure Only Administrators Can Modify Configuration Files'

description: |-
    Server should be protected with permission sets which allow only an application
    administrator to modify application resource configuration files.

rationale: |-
    An access control flaw exists if users or processes can view or modify data to
    which they should not be permitted. This could result in situations ranging from
    information disclosure to system compromise and could potentially result in the
    compromise of other systems on the network.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'non-administrators can modify files'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-deployed_java_file_permissions.rule
documentation_complete: true

title: 'Ensure Deployed Applications Have Restricted File Permissions'

description: |-
    Deployed applications must not be granted file permissions - except to those
    that are dedicated to the application only. These permissions are enforced by
    the Java Security Manager and the policies it loads at startup. These
    permissions can be assigned or restricted in an application-specific, granular
    manner.
rationale: |-
    Java permissions for deployed applications should be carefully restricted to
    enforce the least privilege principle. Granting unrestricted access to the host
    operating system creates a large attack vector for malicious users that have
    penetrated the JBoss server.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-6

ocil_clause: 'proper permissions are not set for java.io.FilePermission for deployed applications'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-deployed_java_network_permissions.rule
documentation_complete: true

title: 'Ensure Deployed Applications Do Not Have Network Permissions'

description: |-
    Deployed applications must not be granted network permissions. These permissions
    are enforced by the Java Security Manager and the policies it loads at startup.
    These permissions can be assigned or restricted in an application-specific,
    granular manner.

rationale: |-
    Java permissions for deployed applications should be carefully restricted to
    enforce the least privilege principle.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-6

ocil_clause: 'proper permissions are not set for java.net.NetPermission for deployed applications'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-deployed_permissions.rule
documentation_complete: true

title: 'Disable All Permission for Deployed Applications'

description: |-
    Deployed applications must not be granted all permissions. These permissions are
    enforced by the Java Security Manager and the policies it loads at startup.
    These permissions can be assigned or restricted in an application-specific,
    granular manner.

rationale: |-
    Java permissions for deployed applications should be carefully restricted to
    enforce the least privilege principle.
    Using AllPermission essentially disables the Java security sandbox and is
    inadvisable in nearly every scenario.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-6

ocil_clause: 'proper permissions are not set for java.security.AllPermission for deployed applications'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-deployed_runtime_permissions.rule
documentation_complete: true

title: 'Disable Runtime Permissions for Deployed Applications'

description: |-
    Deployed applications must not be granted runtime permissions. These permissions
    are enforced by the Java Security Manager and the policies it loads at startup.
    These permissions can be assigned or restricted in an application-specific,
    granular manner.

rationale: |-
    Java permissions for deployed applications should be carefully restricted to
    enforce the least privilege principle. Granting RuntimePermission to
    applications allows these applications to modify classloaders or modify the
    running security manager. Either of these actions can be used to elevate
    permissions and increase the number of potential damaging actions that can be
    taken.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-6

ocil_clause: 'proper permissions are not set for java.lang.RuntimePermission for deployed applications'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-deployed_socket_permissions.rule
documentation_complete: true

title: 'Disable Socket Permissions for Deployed Applications'

description: |-
    Deployed applications must not be granted any socket permissions. These
    permissions are enforced by the Java Security Manager and the policies it loads
    at startup. These permissions can be assigned or restricted in an
    application-specific, granular manner.
rationale: |-
    Java permissions for deployed applications should be carefully restricted to
    enforce the least privilege principle. Most well-designed applications will not
    need to directly manipulate sockets for network access (access to datasources
    should be handled through datasources, which can be assigned SocketPermission).

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-6

ocil_clause: 'proper permissions are not set for java.net.SocketPermission for deployed applications'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-disable_hot_deployment.rule
documentation_complete: true

title: 'Disable Hot Deployment'

description: |-
    Hot deployment should be disabled on production servers. Hot Deployment allows
    for automatic deployment of Java applications by simply placing Java
    applications into the deploy directory.

rationale: |-
    Hot deployments are not a recommended best practice for production environments.
    By requiring the additional step of restarting the JBoss server, application
    deployments become more deliberate and purposeful.

severity: low

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: CM-7

ocil_clause: 'hot deployment has not been disabled'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-disable_services_ports.rule
documentation_complete: true

title: 'Disable All Unused Ports, Protocols, And Services'

description: |-
    The server must prohibit or restrict the use of unauthorized functions, ports,
    protocols, and/or services.

rationale: |-
    The server provides numerous processes, features and functionalities that
    utilize TCP/IP ports. Some of these processes may be deemed to be unnecessary or
    too insecure to run on a production system.
severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'unused ports, protocols, and services have not been disabled'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-dod_cns_certificates.rule
documentation_complete: true

title: 'Configure DoD or CNS approved PKI Class 3 and Class 4 Certificates'

description: |-
    The server must use DoD or CNS approved PKI Class 3 or Class 4 certificates.

rationale: |-
    Class 3 PKI certificates are used for servers and software signing rather than
    for identifying individuals. Class 4 certificates are used for
    business-to-business transactions. Utilizing unapproved certificates not issued
    or approved by DoD or CNS creates an integrity risk.

severity: high

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'DoD or CNS approved PKI Class 3 and Class 4 certificates are not configured or in use'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-dod_hardware_pki_token.rule
documentation_complete: true

title: 'Enable CAC Card Usage for Deployed Applications'

description: |-
    JBoss applications implementing authentication should utilize the DoD Public Key
    Infrastructure. The DoD Public Key Infrastructure is designed to use hardware
    tokens such as the Common Access Card in conjunction with issued X.509
    certificates. These tokens are typically protected with a PIN that unlocks
    access to the private certificate stored on the token.

rationale: |-
    Leveraging the DoD Public Key Infrastructure increases the security of an
    application because the DoD PKI raises the bar for exploitation of user
    identities. Applications that require authentication and do not utilize PKI must
    then rely on a less secure form of authentication, such as username and
    password.
    Additionally, current DoD guidance requires the use of DoD PKI over username and
    password.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: IA-5

ocil_clause: 'deployed JBoss applications do not have CAC card usage enabled'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-downloaded_software_valid.rule
documentation_complete: true

title: 'Ensure All Downloaded Software Is Validated'

description: |-
    Software and packages should be downloaded from redhat.com, and hash validated.

rationale: |-
    Without validating that downloaded files are authentic, malicious users may
    compromise software before it has even been installed. Attackers may redirect
    traffic to alternate download locations and attempt to trick administrators into
    downloading modified software.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: CM-6

ocil_clause: 'downloaded JBoss software has not been validated'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-enable_encrypted_passwords.rule
documentation_complete: true

title: 'Enable Encrypted Passwords'

description: |-
    Password hashing should be enabled in all security realms where plain-text
    passwords are currently in use.

rationale: |-
    Failure to enable password hashing within a login module can result in
    plain-text exposure of client passwords used for authentication.
severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: 'SC-8, SC-9'

ocil_clause: 'encrypted passwords are not enabled or in use'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-enable_fips_authentication.rule
documentation_complete: true

title: 'Enable FIPS for User and Process Authentication'

description: |-
    The Application Server must utilize FIPS 140-2 approved encryption modules when
    authenticating users and processes.

rationale: |-
    Encryption is only as good as the encryption modules utilized. Unapproved
    cryptographic module algorithms cannot be verified, and cannot be relied upon to
    provide confidentiality or integrity, and DoD data may be compromised due to
    weak algorithms. FIPS 140-2 is the current standard for validating cryptographic
    modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA certified
    hardware-based encryption modules.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'FIPS is not enabled or configured'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-enable_fips_modules.rule
documentation_complete: true

title: 'Enable FIPS Compliant Modules'

description: |-
    While JBoss itself has no need to load FIPS compliant modules, the underlying
    technologies such as Java do. Utilizing only FIPS compliant modules decreases
    compatibility with applications that are not FIPS enabled.

rationale: |-
    Enabling FIPS compliant algorithms ensures that the underlying technologies that
    JBoss works through are using cryptographic modules that have been vetted by
    NIST for security, stability, and strength. Failure to utilize FIPS certified
    modules may cause the underlying technologies used by JBoss to utilize older,
    less secure algorithms.
    Failure to enable only FIPS compliant modules may also have regulatory
    consequences, as FIPS 140-2 requires the use of FIPS compliant modules by all
    federal agencies.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: SC-13

ocil_clause: 'FIPS compliant modules are not enabled'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-enable_ldap_ssl.rule
documentation_complete: true

title: 'Enable SSL When LDAP Is Configured'

description: |-
    The server must utilize encryption when using LDAP for authentication.

rationale: |-
    Passwords need to be protected at all times and encryption is the standard
    method for protecting passwords during transmission.

severity: high

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'LDAP is not configured to use SSL'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-enable_pki_web_console.rule
documentation_complete: true

title: 'Enable The Web Console To Use PKI'

description: 'PKI should be enabled for the Web Console.'

rationale: |-
    All applications requiring user authentication to access sensitive data must be
    PK-enabled in compliance with DoDI 8520.2 PKI and PK Enabling and are required
    to use credentials approved under the DoD PKI program.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'the web console is not configured to use PKI'

File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-enable_secure_connections.rule
documentation_complete: true

title: 'Secure Remote Access Via SSH'

description: |-
    The server must utilize cryptography to protect the confidentiality of remote
    access management sessions.
rationale: |-
    If cryptography is not used, then the session data traversing the remote
    connection could be intercepted and compromised.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'remote access is not secured'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-enable_ssl.rule
documentation_complete: true

title: 'Enable SSL On The Web Console'

description: |-
    The server must utilize cryptography to protect the confidentiality of
    remote access management sessions.

rationale: |-
    If cryptography is not used, then the session data traversing the remote
    connection could be intercepted and compromised.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'SSL is not enabled on the web browser'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-file_permissions.rule
documentation_complete: true

title: 'Ensure JBoss Files Have Correct Permissions'

description: |-
    All JBoss files within the installation directory should be readable by
    the JBoss process owner and JBoss administrators only.

rationale: |-
    To prevent unauthorized modification or disclosure of JBoss configuration
    settings, access to all files within the installation directory should be
    restricted to the JBoss process owner account and JBoss administrators.
severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: 'AC-3, AC-6'

ocil_clause: 'JBoss file permissions are not correct'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-files_ownership.rule
documentation_complete: true

title: 'Ensure JBoss Files Are Owned By Appropriate Users'

description: |-
    All JBoss Fuse files within the installation directory should be owned by
    the JBoss process owner account.

rationale: |-
    To prevent unauthorized modification or disclosure of JBoss configuration
    settings, all files within the installation directory should be owned by
    the JBoss process owner account.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-3

ocil_clause: 'JBoss files ownership is not correct'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-java_aaa_service.rule
documentation_complete: true

title: 'Ensure Java Authentication and Authorization Service Is Configured'

description: |-
    Using the default system JAAS configuration ensures user identification
    and authentication are performed by JBoss Fuse.

rationale: |-
    Using an administrator specified JAAS configuration enables a more
    rigorous security posture.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: CM-6

ocil_clause: 'JAAS is not configured or in use'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-java_vendor_supported.rule
documentation_complete: true

title: 'Ensure Java Runtime Environment Is A Vendor Supported Version'

description: |-
    Evaluated JBoss installation must use a vendor supported Java virtual
    machine, i.e., one that has not reached end-of-life. Migration strategies
    should be developed when end-of-life is impending.
rationale: |-
    Java installations should be a vendor supported version. If the Java
    virtual machine in use by JBoss is not supported by the vendor, this may
    result in outages, unresolvable problems, no access to security or
    functional updates, etc.

severity: high

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: CM-6

ocil_clause: 'the Java Runtime Environment is not vendor supported'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-ldap_securely_fail.rule
documentation_complete: true

title: 'Configure LDAP To Fail Securely'

description: |-
    The server must fail securely in the event of an operational failure.

rationale: |-
    Fail secure is a condition achieved by the server in order to ensure that
    in the event of an operational failure, the system does not enter into an
    unsecure state where intended security properties no longer hold.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'LDAP is not configured to fail securely'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-log_retention.rule
documentation_complete: true

title: 'Configure JBoss Logs Number of Days Retained'

description: |-
    Logging should be configured to maintain logs for an organization-defined
    continuous number of days.

rationale: |-
    If adequate online audit storage capacity is not maintained, intrusion
    monitoring, security investigations, and forensic analysis can be
    negatively affected.
severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'JBoss logs are not configured to retain for a defined period of days'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-logging_access.rule
documentation_complete: true

title: 'Ensure Log Files Are Only Accessed By Authorized Users'

description: 'Only authorized personnel may view log files.'

rationale: |-
    If the application provides too much information in error logs and
    administrative messages to the screen, this could lead to compromise. The
    structure and content of error messages need to be carefully considered
    by the organization and development team. The extent to which the
    information system is able to identify and handle error conditions is
    guided by organizational policy and operational requirements.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'log files can be accessed or viewed by any user'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-non-essential_bundles_features.rule
documentation_complete: true

title: 'Remove All Non-Essential Bundles And Features'

description: |-
    All non-essential bundles and features should be removed from production
    servers.

rationale: |-
    The server provides a myriad of differing processes, features and
    functionalities. Some of these processes may be deemed to be unnecessary
    or too insecure to run on a production DoD system. Servers must provide
    the capability to disable or deactivate functionality and services that
    are deemed to be non-essential to the server mission or can adversely
    impact server performance.
severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'non-essential bundles and features have not been removed'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-pki_assocation_permission.rule
documentation_complete: true

title: 'Ensure Only Authorized Users Can Associate PKI Information'

description: |-
    Throughout the course of normal usage, authorized users of application
    servers will have the need to associate security attributes in the form
    of PKI credentials with information. The server utilizes a role based
    authentication model when managing server resources and limits access
    according to user role.

rationale: |-
    The server must ensure that only the users who are authorized to
    associate security attributes with information are allowed to do so.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'unauthorized users can associate PKI information with security attributes'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-access_control_docs.rule
documentation_complete: true

title: 'Access Control Policy and Procedures'

description: |-
    JBoss administrators must have access to guidance regarding account
    creation, permissions assignments, role assignments, etc.

rationale: |-
    A consistent, cohesive access control policy is impossible to attain
    without a well-documented access control policy and related procedures.
    Failure to do so typically results in over-assignment of access
    permissions for users and applications, stale access for users and
    applications, and other access control misconfigurations that reduce the
    effectiveness of the security policy.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-1

ocil_clause: 'there are no access control policy and procedures'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-application_data_flow_docs.rule
documentation_complete: true

title: 'Identify and Document Application Data Flows'

description: |-
    It is recommended to identify and document application data flows. This
    will allow insight into what paths sensitive information takes through
    the application environment and what data source connections need to be
    encrypted.

rationale: |-
    Failure to document an application's data flows reduces security,
    increases the chance for architectural and configuration errors, and can
    impede performance. Many applications use network services that are not
    immediately apparent.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: SC-8,SC-9,SC-23

ocil_clause: 'no application data flow documentation exists'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-assign_administator.rule
documentation_complete: true

title: 'Assign A JBoss Administrator'

description: |-
    There must be one or more competent individuals who are assigned to
    manage JBoss Fuse, its environment and the security of the information it
    contains.

rationale: |-
    Incompetent, careless, or negligent JBoss administrators can completely
    invalidate a secure JBoss configuration and create countless problems for
    JBoss.
severity: high

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AT-2,AT-3,AT-4

ocil_clause: 'no JBoss Administrator is assigned'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-auditing_policy.rule
documentation_complete: true

title: 'Ensure Auditing Policy Exists'

description: |-
    In order to effectively audit and review system logs, an audit policy
    should be written to identify data and trends of interest.

rationale: |-
    Without a comprehensive audit policy and review procedures, organizations
    risk missing critical events or event trends within their environment.
    These missed events may indicate system anomalies ranging from malicious
    attacks, system instabilities, system misuse, etc.

severity: medium

identifiers:
    cce: jboss_karaf-auditing_policy

references:
    cis: ""
    disa: ""
    nist: AU-1,AU-2,AU-3,AU-5

ocil_clause: 'no auditing policy exists'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-backup_schedule.rule
documentation_complete: true

title: 'Ensure Regular Backup Schedule'

description: |-
    JBoss applications and configuration files should be backed up at least
    weekly, possibly more often if needed by the environment.

rationale: |-
    Failure to regularly back up JBoss configuration files and deployed
    applications can result in extensive downtime or information losses in
    the event of a disaster or other system outage.
severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: CP-9

ocil_clause: 'there are no regular backups scheduled'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-deployed_apps-java_perm_docs.rule
documentation_complete: true

title: 'Deployed Applications - Java Permission Deployment Docs'

description: |-
    Java permissions for applications should be documented and carefully
    reviewed prior to deployment. Developers and administrators should strive
    to balance application permissions and application functionality.

rationale: |-
    Java permissions for deployed applications should be carefully restricted
    to enforce the least privilege principle. Careful documentation, along
    with a thorough review, will help prevent needlessly insecure permission
    assignments for applications. An overabundance of Java permissions can
    allow applications to circumvent one of Java's strongest security
    features: the Java Security Manager sandbox.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-1

ocil_clause: 'there are no documents for java permissions for deployed applications'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-disaster_recovery.rule
documentation_complete: true

title: 'Document Disaster Recovery Procedures'

description: |-
    Robust disaster recovery documentation and procedures should exist. This
    documentation should include provisions for the JBoss platform, deployed
    applications, required source code, and supporting applications (such as
    authentication stores or database servers).

rationale: |-
    Planning for disasters and extended outages prior to a real-life scenario
    helps mitigate losses associated with identified disasters.
    Failure to adequately prepare, plan, and exercise for these scenarios can
    result in extensive losses.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: CP-1,CP-2

ocil_clause: 'there are no disaster recovery procedures in place'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-disaster_recovery_exerises.rule
documentation_complete: true

title: 'Perform Periodic Disaster Recovery Exercises'

description: |-
    Production environments should exercise disaster recovery procedures that
    include provisions for the JBoss platform, deployed applications, and any
    required source code at least annually. Environments requiring higher
    assurances of disaster recovery ability should test procedures more
    often, possibly quarterly or even monthly.

rationale: |-
    Planning for disasters and extended outages prior to a real-life scenario
    helps mitigate losses associated with identified disasters. Failure to
    adequately prepare, plan, and exercise for these scenarios can result in
    extensive losses.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: CP-4

ocil_clause: 'disaster recovery exercises have not been conducted'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-incident_response.rule
documentation_complete: true

title: 'Document Incident Response Procedures'

description: |-
    Ensure well-developed procedures exist for incident handling. Incidents
    include any events that are anomalous to the environment.

rationale: |-
    Planning for incidents prior to real-life scenarios improves incident
    response time and mitigates damages. Failure to adequately prepare, plan,
    and exercise for these scenarios can result in extensive losses.
severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: 'IR-1, IR-8'

ocil_clause: 'there are no incident response procedures in place'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-incident_response_exercises.rule
documentation_complete: true

title: 'Perform Periodic Incident Response Exercises'

description: |-
    Production environments should exercise incident response procedures at
    least annually. Environments requiring higher assurances of security
    should test incident response procedures more often, possibly quarterly
    or even monthly. Incident response procedures should cover all anomalous
    events.

rationale: |-
    Planning for incidents and practicing the procedures to be followed prior
    to a real-life scenario improves response time and mitigates the
    damages/losses that occur with incidents.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: IR-3

ocil_clause: 'incident response exercises have not been conducted'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-password_complexity_policy.rule
documentation_complete: true

title: 'Define Minimum Password Complexity Requirement'

description: |-
    Organizations should create an authenticator management policy that
    defines a minimum level of complexity for user accounts accessing JBoss
    and its deployed applications. These requirements should also restrict
    passwords from containing dictionary words and reusing previous
    passwords.

rationale: |-
    Complex passwords increase password security and the length of time
    required to decrypt the password. Additionally, complex passwords are
    less likely to be found in password dictionaries.
    However, there are risks associated with requiring overly complex
    passwords, as users may take steps to circumvent policy, such as using
    repetitive passwords, writing password reminders, or writing down their
    passwords.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: IA-5

ocil_clause: 'no appropriate minimum password complexity policy exists'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-password_expiration_policy.rule
documentation_complete: true

title: 'Define Minimum Password Expiration Interval'

description: |-
    Organizations should create an authenticator management policy that
    defines a maximum password age for user accounts accessing JBoss and its
    deployed applications.

rationale: |-
    In combination with password length and complexity, regularly changing
    passwords can defeat many attacks. If a password or password hash is
    intercepted by a malicious party, changing the password can remove access
    or render invalid a cracking attempt on the hash. However, there are
    risks associated with frequently changing passwords. Users may take steps
    to circumvent policy, such as using repetitive passwords or using
    password derivatives. Additionally, changing passwords for system or
    application accounts introduces an element of configuration risk. Poorly
    coordinated or documented changes can result in system outages or create
    other problems.
severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: IA-5

ocil_clause: 'no appropriate minimum password expiration policy exists'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-password_length_policy.rule
documentation_complete: true

title: 'Define Minimum and Maximum Password Length Requirement'

description: |-
    Organizations should create an authenticator management policy that
    defines minimum and maximum password sizes for user accounts accessing
    JBoss and its deployed applications.

rationale: |-
    In brute force scenarios, passwords of extended lengths increase password
    security and the length of time required to decrypt the password.
    However, there are risks associated with requiring passwords of great
    lengths, as users may take steps to circumvent policy, such as using
    repetitive passwords, writing password reminders, or writing down their
    passwords.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: IA-5

ocil_clause: 'no appropriate minimum and maximum password length policy exists'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-physical_protections.rule
documentation_complete: true

title: 'Ensure Adequate Physical Protections'

description: |-
    The hardware and software executing JBoss Fuse, as well as the software
    critical to security policy enforcement, must be protected from
    unauthorized modification, including unauthorized modifications by
    potentially hostile outsiders. Reasonable physical security measures to
    ensure that unauthorized personnel do not have physical access to the
    hardware running the JBoss Enterprise Application Platform software must
    be implemented.
rationale: |-
    Many software security precautions can easily be bypassed by personnel
    with physical access to hardware storing data or executing an
    application.

severity: high

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: PE-1,PE-2,PE-3,PE-7,PE-18

ocil_clause: 'physical protections are not in place, or they are inadequate'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-policies_and_procedures/jboss_karaf-policies_and_procedures.group
documentation_complete: true

title: 'Apache Karaf Policies and Procedures'

description: |-
    The rules in this group validate Apache Karaf policies and procedures.

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-process_owner_console_access.rule
documentation_complete: true

title: 'Deny JBoss Process Owner Console Access'

description: |-
    The JBoss process owner should not have interactive console login access.

rationale: |-
    In order to limit access in the event of an exploitation of JBoss or one
    of its deployed applications, the account owning the JBoss process should
    be limited in its ability to interact with the supporting operating
    system where possible. Thus, the JBoss process owner account should not
    have interactive console access.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-6

ocil_clause: 'the JBoss process owner has console access'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-process_owner_permissions.rule
documentation_complete: true

title: 'Ensure JBoss Process Owner Executes with Least Privilege'

description: |-
    Operating environment permissions assigned to the JBoss process owner
    should be in compliance with the principle of least privilege.
rationale: |-
    In order to reduce the potential impact of exploitation against the JBoss
    application server (and the rest of the operating environment), the JBoss
    process owner should execute with as few permissions as possible in the
    environment (if the account is not local to the operating system or is
    distributed across multiple operating systems). Failure to limit
    permissions can dramatically increase the severity of exploits against
    the JBoss server, such as the execution of arbitrary code.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-6

ocil_clause: 'the JBoss process owner is not executing with least privilege'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-reduce_logging.rule
documentation_complete: true

title: 'Reduce Logging To Decrease Storage Capacity Limitations'

description: |-
    The server must configure auditing to reduce the likelihood of storage
    capacity being exceeded.

rationale: |-
    The server auditing capability is critical for accurate forensic
    analysis. Alerting administrators when audit log size thresholds are
    exceeded helps ensure the administrators can respond to heavy activity in
    a timely manner. Failure to alert increases the probability that an
    adversary's actions will go undetected. The server or the configured
    Network Attached Storage Device (SAN) must alert administrators when
    audit log usage reaches a defined percentage of overall capacity.

severity: low

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'logging capacity has not been reduced'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-remove_cleartext_passwords.rule
documentation_complete: true

title: 'Disable and Remove Clear-Text Passwords'

description: |-
    Eliminate clear-text passwords in JBoss configuration files.
    All passwords should be encrypted, and all password files should have
    restricted file permissions.

rationale: |-
    Clear-text passwords are an unnecessary security vulnerability. While the
    risk of exposure can be mitigated through configured permissions and file
    ownership, these methods do not completely remediate the risk.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: SC-28

ocil_clause: 'clear-text passwords exist or are enabled'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-remove_default_roles.rule
documentation_complete: true

title: 'Ensure Default Roles Have Been Removed'

description: |-
    Remove, rename, or comment out the default roles defined in .properties
    files.

rationale: |-
    Default configurations are commonly leveraged by attackers to gain entry
    into closed systems. Removing, renaming, or commenting out default roles
    makes malicious exploitation more complex.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: IA-5

ocil_clause: 'the default user roles still exist'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-remove_default_users.rule
documentation_complete: true

title: 'Ensure Default User Accounts Have Been Removed'

description: |-
    Remove, rename, or comment out the default user accounts defined in
    .properties files.

rationale: |-
    Default configurations are commonly leveraged by attackers to gain entry
    into closed systems. Removing, renaming, or commenting out default user
    accounts makes malicious exploitation more complex.
severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: IA-5

ocil_clause: 'the default user accounts still exist'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-secure_java_security_manager.rule
documentation_complete: true

title: 'Configure Java Security Manager To Use An Environment Policy'

description: |-
    The Java Security Manager is a crucial piece of the Java security
    infrastructure. JBoss Fuse should be configured to load a Java security
    policy that has been vetted for use in the environment.

rationale: |-
    A weak, default, or incomplete Java Security Manager policy file can
    completely compromise the security of a Java installation by granting
    excessive permissions to applications running within the sandbox. These
    permissions can be leveraged (maliciously or not) to run code against
    the operating system.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: SA-13

ocil_clause: 'no policy file exists or has been configured'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-secure_jmx_access.rule
documentation_complete: true

title: 'Secure or Disable JMX Access'

description: |-
    JMX access must be secured so it is accessible by trusted administrators
    only. If this condition is not met, the access must be disabled from the
    deployment.

rationale: |-
    Failure to secure JMX against unauthorized access can quickly lead to
    system compromise. The default access included with JBoss is a well-known
    attack vector that can be leveraged to load malicious code to be executed
    on the server.
severity: high

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-3

ocil_clause: 'JMX access is not secured or disabled'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-secure_logging.rule
documentation_complete: true

title: 'Ensure JBoss Logging Is Secured'

description: |-
    Only error messages that provide information necessary for corrective
    actions, without revealing sensitive or potentially harmful information
    in error logs and administrative messages, should be generated.

rationale: |-
    Any application providing too much information in error logs and in
    administrative messages to the screen risks compromising the data and
    security of the application and system. The structure and content of
    error messages need to be carefully considered by the organization and
    development team.

severity: medium

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: ""

ocil_clause: 'logging is not configured to prevent sensitive information from being revealed'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-secure_remote_access.rule
documentation_complete: true

title: 'Disable Or Secure Remote Access'

description: |-
    Remote access must be secured so it is accessible by trusted
    administrators only. If this condition is not met, the access must be
    disabled from the deployment.

rationale: |-
    Failure to secure against unauthorized access can quickly lead to system
    compromise. The default access included with JBoss is a well-known attack
    vector that can be leveraged to load malicious code to be executed on the
    server.
severity: high

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-3

ocil_clause: 'remote access is not secured or disabled'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-secure_web_console.rule
documentation_complete: true

title: 'Secure or Remove Web Console'

description: |-
    The Web Console application must be secured so it is accessible by
    trusted administrators only. If this condition is not met, the
    application must be removed (deleted) from deployment.

rationale: |-
    Failure to secure the default consoles against unauthorized access can
    quickly lead to system compromise. The default consoles included with
    JBoss are a well-known attack vector that can be leveraged to load
    malicious code to be executed on the server.

severity: high

identifiers:
    cce: ""

references:
    cis: ""
    disa: ""
    nist: AC-3

ocil_clause: 'the web console is not secure or removed'

# File: scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-security_config_attributes.rule
documentation_complete: true

title: |-
    Ensure Administrators Can Only Change Security Related Configuration
    Attributes

description: |-
    Security attributes are typically associated with internal data
    structures and configuration (e.g., application deployment, logging,
    monitoring) within the application server and are used to enable the
    implementation of access control and flow control policies, reflect
    special dissemination, handling or distribution instructions, or support
    other aspects of the organizational information security policy.

rationale: |-
    If unauthorized entities were able to change security attributes, the
    integrity and/or confidentiality of the server could be compromised.
severity: medium identifiers: cce: "" references: cis: "" disa: "" nist: "" ocil_clause: 'non-administrators are allowed to change security related attributes' scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-stored_passwords_encrypted.rule000066400000000000000000000007511327242345500326020ustar00rootroot00000000000000documentation_complete: true title: 'Ensure Stored Passwords Are Encrypted' description: 'Stored passwords must be encrypted.' rationale: |- Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. severity: high identifiers: cce: "" references: cis: "" disa: "" nist: "" ocil_clause: 'stored passwords are not encrypted' scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-system_admin_access.rule000066400000000000000000000016431327242345500311360ustar00rootroot00000000000000documentation_complete: true title: |- Ensure Only Approved Administrators Can Change System Configurations description: |- The server must enforce logical access restrictions associated with changes to application configuration. rationale: |- When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to server components for the purposes of initiating changes, including upgrades and application modifications. 
severity: high identifiers: cce: "" references: cis: "" disa: "" nist: "" ocil_clause: 'unathorized users can make system changes' scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-valid_dod_certificates.rule000066400000000000000000000006541327242345500315740ustar00rootroot00000000000000documentation_complete: true title: 'All PKI Certificates Are Valid DoD Certificates' description: 'All PKI Certificates in use should be valid at the time of use.' rationale: |- By using invalid certificates the server may allow unauthorized users access to the system. severity: high identifiers: cce: "" references: cis: "" disa: "" nist: "" ocil_clause: 'certificates are not valid DoD certs' scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/jboss_karaf-vender_supported_version.rule000066400000000000000000000012021327242345500322450ustar00rootroot00000000000000documentation_complete: true title: 'Ensure JBoss Fuse Is A Vendor Supported Version' description: |- Evaluated JBoss installation must be a vendor supported version of JBoss Fuse 6. Organizations using JBoss Fuse must use a vendor supported version with an active support contract. rationale: |- Failure to utilize a supported version of JBoss in a production environment can lead to outages, unresolvable problems, no access to security or functional updates, etc. severity: medium identifiers: cce: "" references: cis: "" disa: "" nist: CM-6 ocil_clause: 'JBoss Fuse is not vender supported' scap-security-guide-0.1.39/fuse6/guide/fuse6/karaf/karaf.group000066400000000000000000000002301327242345500240770ustar00rootroot00000000000000documentation_complete: true title: 'Apache Karaf Configuration' description: |- The rules in this group validate Apache Karaf related items. 
scap-security-guide-0.1.39/fuse6/guide/fuse6/policy/policy.group
documentation_complete: true
title: 'JBoss Fuse Policy Guidelines'
description: |-
    The rules in this group are used to manage JBoss servers in a secure manner.
    These rules are policy related.

scap-security-guide-0.1.39/fuse6/guide/guide.benchmark
---
documentation_complete: true
title: Guide to the Secure Configuration of
status: draft
description: |
    This guide presents a catalog of security-relevant configuration settings for .
    It is a rendering of content structured in the eXtensible Configuration Checklist
    Description Format (XCCDF) in order to support security automation. The SCAP
    content is available in the scap-security-guide package which is developed at .

    Providing system administrators with such guidance informs them how to securely
    configure systems under their control in a variety of network roles. Policy makers
    and baseline creators can use this catalog of settings, with its associated
    references to higher-level security control catalogs, in order to assist them in
    security baseline creation. This guide is a catalog, not a checklist, and
    satisfaction of every item is not likely to be possible or sensible in many
    operational scenarios. However, the XCCDF format enables granular selection and
    adjustment of settings, and their association with OVAL and OCIL content provides
    an automated checking capability. Transformations of this document, and its
    associated automated checking content, are capable of providing baselines that
    meet a diverse set of policy objectives. Some example XCCDF Profiles, which are
    selections of items that form checklists and can be used as baselines, are
    available with this guide. They can be processed, in an automated fashion, with
    tools that support the Security Content Automation Protocol (SCAP). The DISA STIG
    for , which provides required settings for US Department of Defense systems, is
    one example of a baseline created from this guidance.

notice:
    id: terms_of_use
    description: |
        Do not attempt to implement any of the settings in this guide without first
        testing them in a non-operational environment. The creators of this guidance
        assume no responsibility whatsoever for its use by other parties, and make no
        guarantees, expressed or implied, about its quality, reliability, or any other
        characteristic.

front-matter: |
    The SCAP Security Guide Project
rear-matter: | Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. cpes: - version: 0.9 scap-security-guide-0.1.39/fuse6/overlays/000077500000000000000000000000001327242345500203755ustar00rootroot00000000000000scap-security-guide-0.1.39/fuse6/overlays/.gitkeep000066400000000000000000000000001327242345500220140ustar00rootroot00000000000000scap-security-guide-0.1.39/fuse6/product.yml000066400000000000000000000001071327242345500207320ustar00rootroot00000000000000product: fuse6 benchmark_root: "./guide" profiles_root: "./profiles" scap-security-guide-0.1.39/fuse6/profiles/000077500000000000000000000000001327242345500203545ustar00rootroot00000000000000scap-security-guide-0.1.39/fuse6/profiles/standard.profile000066400000000000000000000056621327242345500235470ustar00rootroot00000000000000documentation_complete: true title: 'Standard System Security Profile for JBoss' description: |- This profile contains rules to ensure standard security baseline of JBoss Fuse. Regardless of your system's workload all of these checks should pass. 
selections: - jboss_activemq-default_users_removed - jboss_activemq-default_roles_removed - jboss_activemq-java_aaa_service - jboss_activemq-cleartext_passwords - jboss_activemq-security_config_attributes - jboss_activemq-ssl_enabled - jboss_activemq-encrypted_passwords - jboss_activemq-pki_web_console - jboss_activemq-pki_dod_certificates - jboss_activemq-file_permissions - jboss_karaf-physical_protections - jboss_karaf-assign_administator - jboss_karaf-incident_response - jboss_karaf-incident_response_exercises - jboss_karaf-disaster_recovery - jboss_karaf-disaster_recovery_exerises - jboss_karaf-application_data_flow_docs - jboss_karaf-deployed_apps-java_perm_docs - jboss_karaf-backup_schedule - jboss_karaf-auditing_policy - jboss_karaf-access_control_docs - jboss_karaf-password_length_policy - jboss_karaf-password_complexity_policy - jboss_karaf-password_expiration_policy - jboss_karaf-vender_supported_version - jboss_karaf-java_vendor_supported - jboss_karaf-downloaded_software_valid - jboss_karaf-disable_hot_deployment - jboss_karaf-remove_default_users - jboss_karaf-remove_default_roles - jboss_karaf-secure_java_security_manager - jboss_karaf-deployed_java_file_permissions - jboss_karaf-deployed_java_network_permissions - jboss_karaf-deployed_runtime_permissions - jboss_karaf-deployed_socket_permissions - jboss_karaf-deployed_permissions - jboss_karaf-java_aaa_service - jboss_karaf-dod_hardware_pki_token - jboss_karaf-enable_fips_modules - jboss_karaf-remove_cleartext_passwords - jboss_karaf-process_owner_permissions - jboss_karaf-process_owner_console_access - jboss_karaf-files_ownership - jboss_karaf-file_permissions - jboss_karaf-secure_remote_access - jboss_karaf-secure_web_console - jboss_karaf-secure_jmx_access - jboss_karaf-enable_encrypted_passwords - jboss_karaf-security_config_attributes - jboss_karaf-pki_assocation_permission - jboss_karaf-enable_ssl - jboss_karaf-enable_secure_connections - jboss_karaf-reduce_logging - jboss_karaf-log_retention - 
jboss_karaf-system_admin_access - jboss_karaf-non-essential_bundles_features - jboss_karaf-disable_services_ports - jboss_karaf-stored_passwords_encrypted - jboss_karaf-enable_ldap_ssl - jboss_karaf-enable_fips_authentication - jboss_karaf-dod_cns_certificates - jboss_karaf-ldap_securely_fail - jboss_karaf-secure_logging - jboss_karaf-logging_access - jboss_karaf-enable_pki_web_console - jboss_karaf-valid_dod_certificates - jboss_karaf-config_file_permissions scap-security-guide-0.1.39/fuse6/profiles/stig-amq-upstream.profile000066400000000000000000000004111327242345500253120ustar00rootroot00000000000000documentation_complete: true title: 'STIG for Apache ActiveMQ' description: 'This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.' extends: standard selections: [] scap-security-guide-0.1.39/fuse6/profiles/stig-fuse6-upstream.profile000066400000000000000000000004061327242345500255700ustar00rootroot00000000000000documentation_complete: true title: 'STIG for JBoss Fuse 6' description: 'This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.' 
extends: standard selections: [] scap-security-guide-0.1.39/fuse6/remedations/000077500000000000000000000000001327242345500210435ustar00rootroot00000000000000scap-security-guide-0.1.39/fuse6/remedations/.gitkeep000066400000000000000000000000001327242345500224620ustar00rootroot00000000000000scap-security-guide-0.1.39/fuse6/transforms/000077500000000000000000000000001327242345500207275ustar00rootroot00000000000000scap-security-guide-0.1.39/fuse6/transforms/cci2html.xsl000066400000000000000000000004661327242345500231720ustar00rootroot00000000000000 scap-security-guide-0.1.39/fuse6/transforms/constants.xslt000066400000000000000000000022201327242345500236530ustar00rootroot00000000000000 JBoss Fuse 6 Fuse 6 FUSE_6_STIG fuse6 empty Jboss-Fuse-6 cpe:/a:redhat:jboss_fuse:6.0,cpe:/a:redhat:jboss_fuse:6.1.0,cpe:/a:redhat:jboss_fuse_service_works:6.0 scap-security-guide-0.1.39/fuse6/transforms/shorthand2xccdf.xslt000066400000000000000000000005121327242345500247250ustar00rootroot00000000000000 unknown unlinked-fuse6-oval.xml scap-security-guide-0.1.39/fuse6/transforms/table-add-srgitems.xslt000066400000000000000000000010731327242345500253140ustar00rootroot00000000000000 scap-security-guide-0.1.39/fuse6/transforms/table-sortbyref.xslt000066400000000000000000000005551327242345500247540ustar00rootroot00000000000000 scap-security-guide-0.1.39/fuse6/transforms/table-srgmap.xslt000066400000000000000000000011401327242345500242150ustar00rootroot00000000000000 scap-security-guide-0.1.39/fuse6/transforms/table-style.xslt000066400000000000000000000002511327242345500240660ustar00rootroot00000000000000 scap-security-guide-0.1.39/fuse6/transforms/xccdf-apply-overlay-stig.xslt000066400000000000000000000007511327242345500265030ustar00rootroot00000000000000 scap-security-guide-0.1.39/fuse6/transforms/xccdf2csv-stig.py000077500000000000000000000003651327242345500241410ustar00rootroot00000000000000#!/usr/bin/env python2 import sys # always use shared/modules version SHARED_MODULE_PATH = 
"../../shared/modules" sys.path.insert(0, SHARED_MODULE_PATH) import xccdf2csv_stig_module if __name__ == "__main__": xccdf2csv_stig_module.main() scap-security-guide-0.1.39/fuse6/transforms/xccdf2stigformat.xslt000066400000000000000000000006751327242345500251240ustar00rootroot00000000000000 scap-security-guide-0.1.39/fuse6/transforms/xccdf2table-byref.xslt000066400000000000000000000006741327242345500251400ustar00rootroot00000000000000 scap-security-guide-0.1.39/fuse6/transforms/xccdf2table-cce.xslt000066400000000000000000000007331327242345500245570ustar00rootroot00000000000000 scap-security-guide-0.1.39/fuse6/transforms/xccdf2table-profileccirefs.xslt000066400000000000000000000014111327242345500270160ustar00rootroot00000000000000 scap-security-guide-0.1.39/fuse6/transforms/xccdf2table-profilecisrefs.xslt000066400000000000000000000007051327242345500270430ustar00rootroot00000000000000 scap-security-guide-0.1.39/fuse6/transforms/xccdf2table-profilenistrefs.xslt000066400000000000000000000007051327242345500272420ustar00rootroot00000000000000 scap-security-guide-0.1.39/fuse6/transforms/xccdf2table-stig.xslt000066400000000000000000000006731327242345500247760ustar00rootroot00000000000000 scap-security-guide-0.1.39/jre/000077500000000000000000000000001327242345500162615ustar00rootroot00000000000000scap-security-guide-0.1.39/jre/CMakeLists.txt000066400000000000000000000004521327242345500210220ustar00rootroot00000000000000# Sometimes our users will try to do: "cd jre; cmake ." That needs to error in a nice way. 
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!") endif() ssg_build_product("jre") scap-security-guide-0.1.39/jre/checks/000077500000000000000000000000001327242345500175215ustar00rootroot00000000000000scap-security-guide-0.1.39/jre/checks/oval/000077500000000000000000000000001327242345500204625ustar00rootroot00000000000000scap-security-guide-0.1.39/jre/checks/oval/installed_app_is_java.xml000066400000000000000000000073421327242345500255250ustar00rootroot00000000000000 Java Runtime Environment Java Runtime Environment (JRE) The application installed on the system is Java. ^jre.*$ ^java.*oracle.*$ ^ibm-java.*$ .*1.6.0.* ^java.*ibm.*$ .*1.6.0.* ^java.*sun.*$ ^java.*openjdk.*$ scap-security-guide-0.1.39/jre/checks/oval/java_jre_deployment_config_exists.xml000066400000000000000000000016671327242345500301630ustar00rootroot00000000000000 The Java Configuration File Exists Java Runtime Environment A configuration file must be present to deploy properties for JRE. /etc/.java/deployment/deployment.config scap-security-guide-0.1.39/jre/checks/oval/java_jre_deployment_config_mandatory.xml000066400000000000000000000023461327242345500306350ustar00rootroot00000000000000 Configure The Java Deployment Mandatory Setting Java Runtime Environment The configuration file must contain proper keys and values to deploy settings correctly. /etc/.java/deployment/deployment.config ^deployment.system.config.mandatory=false$ 1 scap-security-guide-0.1.39/jre/checks/oval/java_jre_deployment_config_properties.xml000066400000000000000000000023131327242345500310250ustar00rootroot00000000000000 Configure the deployment.properties File Path Java Runtime Environment The configuration file must contain proper keys and values to deploy settings correctly. 
/etc/.java/deployment/deployment.config ^deployment.system.config=file:///etc/.java/deployment/deployment.properties$ 1 scap-security-guide-0.1.39/jre/checks/oval/java_jre_deployment_properties_exists.xml000066400000000000000000000017541327242345500311070ustar00rootroot00000000000000 The Java Properties File Exists Java Runtime Environment A properties file must be present to hold all the keys that establish properties within the Java control panel. /etc/.java/deployment/deployment.properties scap-security-guide-0.1.39/jre/checks/oval/java_jre_untrusted_sources.xml000066400000000000000000000023221327242345500266440ustar00rootroot00000000000000 Disable Java Execution From Untrusted Sources Java Runtime Environment The dialog to enable users to grant permissions to execute signed content from an un-trusted authority must be disabled. /etc/.java/deployment/deployment.properties ^deployment.security.askgrantdialog.notinca=false$ 1 scap-security-guide-0.1.39/jre/checks/oval/java_jre_untrusted_sources_locked.xml000066400000000000000000000024021327242345500301640ustar00rootroot00000000000000 Disable User Access to Untrusted Sources Setting Java Runtime Environment The dialog enabling users to grant permissions to execute signed content from an un-trusted authority must be locked. /etc/.java/deployment/deployment.properties ^deployment.security.askgrantdialog.notinca.locked$ 1 scap-security-guide-0.1.39/jre/checks/oval/java_jre_validation_crl.xml000066400000000000000000000022161327242345500260400ustar00rootroot00000000000000 Enable Revocation Checks for Publisher Certificates Java Runtime Environment The setting for users to check publisher certificates for revocation must be enabled. 
/etc/.java/deployment/deployment.properties ^deployment.security.validation.crl=true$ 1 scap-security-guide-0.1.39/jre/checks/oval/java_jre_validation_crl_locked.xml000066400000000000000000000023171327242345500273630ustar00rootroot00000000000000 Disable User Access to Revocation Check Settings Java Runtime Environment The setting enabling users to configure the check publisher certificates for revocation must be locked. /etc/.java/deployment/deployment.properties ^deployment.security.validation.crl.locked$ 1 scap-security-guide-0.1.39/jre/checks/oval/java_jre_validation_ocsp.xml000066400000000000000000000021651327242345500262270ustar00rootroot00000000000000 Enable Online Certificate Validation Java Runtime Environment The option to enable online certificate validation must be enabled. /etc/.java/deployment/deployment.properties ^deployment.security.validation.ocsp=true$ 1 scap-security-guide-0.1.39/jre/checks/oval/java_jre_validation_ocsp_locked.xml000066400000000000000000000023001327242345500275370ustar00rootroot00000000000000 Disable User Access to Online Certificate Validation Settings Java Runtime Environment The option to enable online certificate validation must be locked. 
/etc/.java/deployment/deployment.properties ^deployment.security.validation.ocsp.locked$ 1

scap-security-guide-0.1.39/jre/cpe/jre-cpe-dictionary.xml
Oracle's Java Runtime Environment installed_app_is_java
IBM Java Runtime Environment installed_app_is_java
OpenJDK Java Runtime Environment installed_app_is_java
Sun Java Runtime Environment installed_app_is_java

scap-security-guide-0.1.39/jre/fixes/bash/java_jre_deployment_config_exists.sh
# platform = Java Runtime Environment
JAVA_CONFIG="/etc/.java/deployment/deployment.config"
JAVA_DIR="/etc/.java/deployment"
if [ ! -d ${JAVA_DIR} ] ; then
    mkdir -p -m 755 ${JAVA_DIR}
fi
if [ ! -e ${JAVA_CONFIG} ]; then
    touch ${JAVA_CONFIG} && chmod 644 ${JAVA_CONFIG}
fi
chmod 644 ${JAVA_CONFIG}

scap-security-guide-0.1.39/jre/fixes/bash/java_jre_deployment_config_mandatory.sh
# platform = Java Runtime Environment
JAVA_CONFIG="/etc/.java/deployment/deployment.config"
# Match the key with any value, so that an existing wrong value is rewritten
# in place rather than left behind next to an appended correct line.
grep -q "^deployment.system.config.mandatory=" ${JAVA_CONFIG} && \
sed -i "s/^deployment.system.config.mandatory=.*/deployment.system.config.mandatory=false/g" ${JAVA_CONFIG}
# $? is non-zero only when grep found no such key: append it.
if ! [ $? -eq 0 ] ; then
    echo "deployment.system.config.mandatory=false" >> ${JAVA_CONFIG}
fi

scap-security-guide-0.1.39/jre/fixes/bash/java_jre_deployment_config_properties.sh
# platform = Java Runtime Environment
JAVA_CONFIG="/etc/.java/deployment/deployment.config"
JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
# Match the key with any value; the desired value is the path of the
# properties file, not of the config file itself.
grep -q "^deployment.system.config=" ${JAVA_CONFIG} && \
sed -i "s;^deployment.system.config=.*;deployment.system.config=file://${JAVA_PROPERTIES};g" ${JAVA_CONFIG}
if ! [ $? -eq 0 ] ; then
    echo "deployment.system.config=file://${JAVA_PROPERTIES}" >> ${JAVA_CONFIG}
fi

scap-security-guide-0.1.39/jre/fixes/bash/java_jre_deployment_properties_exists.sh
# platform = Java Runtime Environment
JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
JAVA_DIR="/etc/.java/deployment"
if [ ! -d ${JAVA_DIR} ] ; then
    mkdir -p -m 755 ${JAVA_DIR}
fi
if [ ! -e ${JAVA_PROPERTIES} ]; then
    touch ${JAVA_PROPERTIES} && chmod 644 ${JAVA_PROPERTIES}
fi
chmod 644 ${JAVA_PROPERTIES}

scap-security-guide-0.1.39/jre/fixes/bash/java_jre_untrusted_sources.sh
# platform = Java Runtime Environment
JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
# Match the key with any value so an existing wrong value is rewritten.
grep -q "^deployment.security.askgrantdialog.notinca=" ${JAVA_PROPERTIES} && \
sed -i "s/^deployment.security.askgrantdialog.notinca=.*/deployment.security.askgrantdialog.notinca=false/g" ${JAVA_PROPERTIES}
if ! [ $? -eq 0 ] ; then
    echo "deployment.security.askgrantdialog.notinca=false" >> ${JAVA_PROPERTIES}
fi

scap-security-guide-0.1.39/jre/fixes/bash/java_jre_untrusted_sources_locked.sh
# platform = Java Runtime Environment
JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
# The locked setting is a bare key: append it when it is not already present.
grep -q "^deployment.security.askgrantdialog.notinca.locked$" ${JAVA_PROPERTIES} && \
sed -i "s/deployment.security.askgrantdialog.notinca\..*/deployment.security.askgrantdialog.notinca.locked/g" ${JAVA_PROPERTIES}
if ! [ $? -eq 0 ] ; then
    echo "deployment.security.askgrantdialog.notinca.locked" >> ${JAVA_PROPERTIES}
fi

scap-security-guide-0.1.39/jre/fixes/bash/java_jre_validation_crl.sh
# platform = Java Runtime Environment
JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
# Match the key with any value so an existing wrong value is rewritten.
grep -q "^deployment.security.validation.crl=" ${JAVA_PROPERTIES} && \
sed -i "s/^deployment.security.validation.crl=.*/deployment.security.validation.crl=true/g" ${JAVA_PROPERTIES}
if ! [ $? -eq 0 ] ; then
    echo "deployment.security.validation.crl=true" >> ${JAVA_PROPERTIES}
fi

scap-security-guide-0.1.39/jre/fixes/bash/java_jre_validation_crl_locked.sh
# platform = Java Runtime Environment
JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
# The locked setting is a bare key: append it when it is not already present.
grep -q "^deployment.security.validation.crl.locked$" ${JAVA_PROPERTIES} && \
sed -i "s/deployment.security.validation.crl\..*/deployment.security.validation.crl.locked/g" ${JAVA_PROPERTIES}
if ! [ $? -eq 0 ] ; then
    echo "deployment.security.validation.crl.locked" >> ${JAVA_PROPERTIES}
fi

scap-security-guide-0.1.39/jre/fixes/bash/java_jre_validation_ocsp.sh
# platform = Java Runtime Environment
JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
# Match the key with any value so an existing wrong value is rewritten.
grep -q "^deployment.security.validation.ocsp=" ${JAVA_PROPERTIES} && \
sed -i "s/^deployment.security.validation.ocsp=.*/deployment.security.validation.ocsp=true/g" ${JAVA_PROPERTIES}
if ! [ $? -eq 0 ] ; then
    echo "deployment.security.validation.ocsp=true" >> ${JAVA_PROPERTIES}
fi

scap-security-guide-0.1.39/jre/fixes/bash/java_jre_validation_ocsp_locked.sh
# platform = Java Runtime Environment
JAVA_PROPERTIES="/etc/.java/deployment/deployment.properties"
# The locked setting is a bare key: append it when it is not already present.
grep -q "^deployment.security.validation.ocsp.locked$" ${JAVA_PROPERTIES} && \
sed -i "s/deployment.security.validation.ocsp\..*/deployment.security.validation.ocsp.locked/g" ${JAVA_PROPERTIES}
if ! [ $? -eq 0 ] ; then
    echo "deployment.security.validation.ocsp.locked" >> ${JAVA_PROPERTIES}
fi

scap-security-guide-0.1.39/jre/guide.xslt
A conditional clause for check statements. A conditional clause for check statements. This is a placeholder.

scap-security-guide-0.1.39/jre/guide/guide.benchmark
---
documentation_complete: true
title: Guide to the Secure Configuration of
status: draft
description: |
    This guide presents a catalog of security-relevant configuration settings for .
    It is a rendering of content structured in the eXtensible Configuration Checklist
    Description Format (XCCDF) in order to support security automation. The SCAP
    content is available in the scap-security-guide package which is developed at .

    Providing system administrators with such guidance informs them how to securely
    configure systems under their control in a variety of network roles. Policy makers
    and baseline creators can use this catalog of settings, with its associated
    references to higher-level security control catalogs, in order to assist them in
    security baseline creation. This guide is a catalog, not a checklist, and
    satisfaction of every item is not likely to be possible or sensible in many
    operational scenarios. However, the XCCDF format enables granular selection and
    adjustment of settings, and their association with OVAL and OCIL content provides
    an automated checking capability. Transformations of this document, and its
    associated automated checking content, are capable of providing baselines that
    meet a diverse set of policy objectives. Some example XCCDF Profiles, which are
    selections of items that form checklists and can be used as baselines, are
    available with this guide. They can be processed, in an automated fashion, with
    tools that support the Security Content Automation Protocol (SCAP). The DISA STIG
    for , which provides required settings for US Department of Defense systems, is
    one example of a baseline created from this guidance.

notice:
    id: terms_of_use
    description: |
        Do not attempt to implement any of the settings in this guide without first
        testing them in a non-operational environment. The creators of this guidance
        assume no responsibility whatsoever for its use by other parties, and make no
        guarantees, expressed or implied, about its quality, reliability, or any other
        characteristic.

front-matter: |
    The SCAP Security Guide Project
rear-matter: | Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. cpes: - version: 0.9 scap-security-guide-0.1.39/jre/guide/java/000077500000000000000000000000001327242345500202775ustar00rootroot00000000000000scap-security-guide-0.1.39/jre/guide/java/java.group000066400000000000000000000023251327242345500223000ustar00rootroot00000000000000documentation_complete: true title: Java description: |- Java is a general-purpose computer programming language. It is intended to let application developers "write once, run anywhere." Java applications are typically compiled to bytecode that can run on any Java virtual machine (JVM) regardless of computer architecture. As such, the Java runtime environment (JRE) is required to be installed so that Java applications can run. This section provides settings for configuring Java policies to meet compliance settings for Java running on Red Hat Enterprise Linux systems.

    Refer to
  • for a list of currently supported Java version 6 settings.
    Refer to
  • for a list of currently supported Java version 7 settings.
    Refer to
  • for a list of currently supported Java version 8 settings.
scap-security-guide-0.1.39/jre/guide/java/java_jre_deployment_config_configured/java_jre_deployment_config_configured.group
documentation_complete: true
title: 'Configure the deployment.config File'
description: |-
    The deployment.config file is used for specifying the system-level
    deployment.properties file. The system-level configuration for Java is
    configured in /etc/.java/deployment. By default, no deployment.config file
    exists. To ensure that the Java /etc/.java/deployment/deployment.config file is
    configured correctly, deployment.system.config and
    deployment.system.config.mandatory need to be set correctly.

scap-security-guide-0.1.39/jre/guide/java/java_jre_deployment_config_configured/java_jre_deployment_config_exists.rule
documentation_complete: true
title: 'The Java Configuration File Exists'
description: |-
    If the Java configuration file does not exist, it can be added by running:
$ sudo mkdir -p -m 755 /etc/.java/deployment
    $ sudo touch /etc/.java/deployment/deployment.config
    $ sudo chmod 644 /etc/.java/deployment/deployment.config
rationale: |- The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. Without the deployment.config file, setting particular options for the Java control panel is impossible. severity: medium identifiers: cce: "" references: disa: "" nist: DCBP-1 stigid: JRE0070-UX ocil_clause: 'it does not exist' ocil: |- To verify that the deployment.config file exists, run the following command:
$ ls /etc/.java/deployment
The output should contain:
deployment.config
==> scap-security-guide-0.1.39/jre/guide/java/java_jre_deployment_config_configured/java_jre_deployment_config_mandatory.rule <==
documentation_complete: true

title: 'Configure The Java Deployment Mandatory Setting'

description: |-
    To configure the Java mandatory deployment setting, add or modify
    deployment.system.config.mandatory to equal false in
    /etc/.java/deployment/deployment.config.

rationale: |-
    Without a proper path for the properties file, deployment would not be
    possible. If the path specified does not lead to a properties file, the
    value of the 'deployment.system.config.mandatory' key determines how to
    handle the situation. If the value of this key is true, JRE will not run
    if the path to the properties file is invalid.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: DCBP-1
    stigid: JRE0060-UX

ocil_clause: 'it is not configured'

ocil: |-
    To verify that deployment.config is configured properly, run the following command:
        $ grep 'deployment.system.config.mandatory' /etc/.java/deployment/deployment.config
    If properly configured, the output should return:
        deployment.system.config.mandatory=false
==> scap-security-guide-0.1.39/jre/guide/java/java_jre_deployment_config_configured/java_jre_deployment_config_properties.rule <==
documentation_complete: true

title: 'Configure the deployment.properties File Path'

description: |-
    To ensure that the Java properties file is set in
    /etc/.java/deployment/deployment.config, add or modify
    deployment.system.config to equal
    file:///etc/.java/deployment/deployment.properties.

rationale: |-
    Without a proper path for the properties file, deployment would not be
    possible. If the path specified does not lead to a properties file, the
    value of the 'deployment.system.config.mandatory' key determines how to
    handle the situation. If the value of this key is true, JRE will not run
    if the path to the properties file is invalid.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: DCBP-1
    stigid: JRE0060-UX

ocil_clause: 'it is not configured'

ocil: |-
    To verify that deployment.config is configured properly, run the following command:
        $ grep 'deployment.system.config=file' /etc/.java/deployment/deployment.config
    If properly configured, the output should return:
        deployment.system.config=file:///etc/.java/deployment/deployment.properties
==> scap-security-guide-0.1.39/jre/guide/java/java_jre_deployment_properties_exists.rule <==
documentation_complete: true

title: 'The Java Properties File Exists'

description: |-
    If the Java properties file does not exist, it can be added by running:
        $ sudo mkdir -p -m 755 /etc/.java/deployment
        $ sudo touch /etc/.java/deployment/deployment.properties
        $ sudo chmod 644 /etc/.java/deployment/deployment.properties

rationale: |-
    Each option in the Java control panel is represented by property keys.
    These keys adjust the options in the Java control panel based on the
    value assigned to that key. By default no deployment.properties file
    exists; thus, no system-wide properties file exists. Without the
    deployment.properties file, setting particular options for the Java
    control panel is impossible.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: DCBP-1
    stigid: JRE0080-UX

ocil_clause: 'it does not exist'

ocil: |-
    To verify that the deployment.properties file exists, run the following command:
        $ ls /etc/.java/deployment
    The output should contain:
        deployment.properties
==> scap-security-guide-0.1.39/jre/guide/java/java_jre_untrusted_sources.rule <==
documentation_complete: true

title: 'Disable Java Execution From Untrusted Sources'

description: |-
    To ensure that Java cannot execute from untrusted sources, set
    deployment.security.askgrantdialog.notinca to equal false in
    /etc/.java/deployment/deployment.properties.

rationale: |-
    Permitting execution of signed Java applets from un-trusted sources may
    result in acquiring malware, and risks system modification, invasion of
    privacy, or denial of service.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: DCBP-1
    stigid: JRE0001-UX

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    To verify that Java cannot execute from untrusted sources, run the following command:
        $ grep 'askgrantdialog.notinca=false' /etc/.java/deployment/deployment.properties
    If properly configured, the output should return:
        deployment.security.askgrantdialog.notinca=false
==> scap-security-guide-0.1.39/jre/guide/java/java_jre_untrusted_sources_locked.rule <==
documentation_complete: true

title: 'Disable User Access to Untrusted Sources Settings'

description: |-
    To ensure that users cannot change the untrusted sources settings, add
    deployment.security.askgrantdialog.notinca.locked to
    /etc/.java/deployment/deployment.properties.

rationale: |-
    Permitting execution of signed Java applets from un-trusted sources may
    result in malware running on the system, and risks system modification,
    invasion of privacy, or denial of service. As such, ensuring users cannot
    change the permission settings which control the execution of signed Java
    applets contributes to a more consistent security profile.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: DCBP-1
    stigid: JRE0010-UX

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    To verify that users cannot change the untrusted sources settings, run the following command:
        $ grep 'askgrantdialog.notinca.locked' /etc/.java/deployment/deployment.properties
    If properly configured, the output should return:
        deployment.security.askgrantdialog.notinca.locked
==> scap-security-guide-0.1.39/jre/guide/java/java_jre_updated.rule <==
documentation_complete: true

title: 'Ensure Java Patches Installed'

description: |-
    If the system is joined to the Red Hat Network, a Red Hat Satellite
    Server, or a yum server, run the following command to install updates:
        $ sudo yum update
    If the system is not configured to use one of these sources, updates (in
    the form of RPM packages) can be manually downloaded and installed using
    rpm.

rationale: |-
    Running an older version of the JRE can introduce security
    vulnerabilities to the system.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: DCBP-1
    stigid: JRE0090-UX

ocil_clause: 'it is not updated'

ocil: |-
    If the system is joined to the Red Hat Network, a Red Hat Satellite
    Server, or a yum server which provides updates, invoking the following
    command will indicate if updates are available:
        $ sudo yum check-update
    If the system is not configured to update from one of these sources, run
    the following command to list when each package was last updated:
        $ rpm -qa -last
    Compare this to Red Hat Security Advisories (RHSA) listed at to determine
    if the system is missing applicable updates.

==> scap-security-guide-0.1.39/jre/guide/java/java_jre_validation_crl.rule <==
documentation_complete: true

title: 'Enable Revocation Checks for Publisher Certificates'

description: |-
    To ensure that certificate revocation checks are enabled, set
    deployment.security.validation.crl to equal true in
    /etc/.java/deployment/deployment.properties.

rationale: |-
    Certificates may be revoked due to improper issuance, compromise of the
    certificate, and failure to adhere to policy. Therefore, any certificate
    found on a CRL should not be trusted. Permitting execution of an applet
    published with a revoked certificate may result in spoofing, malware,
    system modification, invasion of privacy, and denial of service.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: DCBP-1
    stigid: JRE0020-UX

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    To verify that revocation checks are enabled, run the following command:
        $ grep 'validation.crl=true' /etc/.java/deployment/deployment.properties
    If properly configured, the output should return:
        deployment.security.validation.crl=true
==> scap-security-guide-0.1.39/jre/guide/java/java_jre_validation_crl_locked.rule <==
documentation_complete: true

title: 'Disable User Access to Revocation Check Settings'

description: |-
    To ensure that users cannot change certificate revocation check settings,
    add deployment.security.validation.crl.locked to
    /etc/.java/deployment/deployment.properties.

rationale: |-
    Permitting execution of an applet published with a revoked certificate
    may result in spoofing, malware, system modification, invasion of
    privacy, and denial of service. As such, ensuring users cannot change
    settings contributes to a more consistent security profile.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: DCBP-1
    stigid: JRE0030-UX

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    To verify that users cannot change revocation check settings, run the following command:
        $ grep 'validation.crl.locked' /etc/.java/deployment/deployment.properties
    If properly configured, the output should return:
        deployment.security.validation.crl.locked
==> scap-security-guide-0.1.39/jre/guide/java/java_jre_validation_ocsp.rule <==
documentation_complete: true

title: 'Enable Online Certificate Validation'

description: |-
    To ensure that online certificate verification is enabled, set
    deployment.security.validation.ocsp to equal true in
    /etc/.java/deployment/deployment.properties.

rationale: |-
    Online certificate validation provides a greater degree of validation of
    certificates when running a signed Java applet. Permitting execution of
    an applet with an invalid certificate may result in malware execution,
    system modification, invasion of privacy, and denial of service.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: DCBP-1
    stigid: JRE0040-UX

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    To verify that online certificate verification is enabled, run the following command:
        $ grep 'validation.ocsp=true' /etc/.java/deployment/deployment.properties
    If properly configured, the output should return:
        deployment.security.validation.ocsp=true
==> scap-security-guide-0.1.39/jre/guide/java/java_jre_validation_ocsp_locked.rule <==
documentation_complete: true

title: 'Disable User Access to Online Certificate Validation Settings'

description: |-
    To ensure that users cannot change the online certificate verification
    settings, add deployment.security.validation.ocsp.locked to
    /etc/.java/deployment/deployment.properties.

rationale: |-
    Online certificate validation provides a greater degree of validation of
    certificates when running a signed Java applet. Permitting execution of
    an applet with an invalid certificate may result in malware execution,
    system modification, invasion of privacy, and denial of service. As such,
    ensuring users cannot change settings contributes to a more consistent
    security profile.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: DCBP-1
    stigid: JRE0050-UX

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    To verify that users cannot change online certificate verification, run the following command:
        $ grep 'validation.ocsp.locked' /etc/.java/deployment/deployment.properties
    If properly configured, the output should return:
        deployment.security.validation.ocsp.locked
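The JRE rules above each verify one key in deployment.config or deployment.properties with a separate grep. The POSIX shell script below is an added example, not part of scap-security-guide, that runs all ten of those OCIL checks in one pass and returns the number of failing rules. It assumes each key appears as an exact whole line (for example deployment.security.validation.crl=true with no surrounding whitespace) and that the .locked keys appear as bare lines, which is stricter than the substring grep in the OCIL text; write_sample_files and the file contents it writes are constructed for a stand-alone run and are not taken from any real system.

```shell
#!/bin/sh
# Added audit helper for the JRE STIG rules above. It is not part of
# scap-security-guide; it re-implements the OCIL checks as one script.
# File paths are parameters so the same functions run against constructed
# sample files (write_sample_files) or the real /etc/.java/deployment files.

# key_equals FILE KEY VALUE: succeed if FILE has a line that is exactly KEY=VALUE
key_equals() {
    grep -qxF "$2=$3" "$1" 2>/dev/null
}

# key_present FILE KEY: succeed if FILE has a line that is exactly KEY
# (the .locked keys in deployment.properties carry no value)
key_present() {
    grep -qxF "$2" "$1" 2>/dev/null
}

# check RULE_ID COMMAND...: run COMMAND, print PASS/FAIL, count failures
check() {
    rule=$1
    shift
    if "$@"; then
        echo "PASS $rule"
    else
        echo "FAIL $rule"
        fails=$((fails + 1))
    fi
}

# audit_jre_deployment CONFIG PROPERTIES: one check per rule; the return
# value is the number of failing rules (0 means every rule passed)
audit_jre_deployment() {
    cfg=$1
    props=$2
    fails=0
    check java_jre_deployment_config_exists     test -f "$cfg"
    check java_jre_deployment_config_properties key_equals "$cfg" \
        deployment.system.config 'file:///etc/.java/deployment/deployment.properties'
    check java_jre_deployment_config_mandatory  key_equals "$cfg" \
        deployment.system.config.mandatory false
    check java_jre_deployment_properties_exists test -f "$props"
    check java_jre_untrusted_sources        key_equals  "$props" deployment.security.askgrantdialog.notinca false
    check java_jre_untrusted_sources_locked key_present "$props" deployment.security.askgrantdialog.notinca.locked
    check java_jre_validation_crl           key_equals  "$props" deployment.security.validation.crl true
    check java_jre_validation_crl_locked    key_present "$props" deployment.security.validation.crl.locked
    check java_jre_validation_ocsp          key_equals  "$props" deployment.security.validation.ocsp true
    check java_jre_validation_ocsp_locked   key_present "$props" deployment.security.validation.ocsp.locked
    return "$fails"
}

# write_sample_files DIR: constructed, fully compliant sample files for a
# stand-alone run (not copied from any real system)
write_sample_files() {
    mkdir -p "$1"
    cat > "$1/deployment.config" <<'EOF'
deployment.system.config=file:///etc/.java/deployment/deployment.properties
deployment.system.config.mandatory=false
EOF
    cat > "$1/deployment.properties" <<'EOF'
deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked
EOF
}

# With --system, audit the real files; otherwise only define the functions
# so the script can be sourced or tested against sample files.
if [ "${1:-}" = "--system" ]; then
    audit_jre_deployment /etc/.java/deployment/deployment.config \
                         /etc/.java/deployment/deployment.properties
    exit "$?"
fi
```

Run it with --system to audit /etc/.java/deployment; the exit status is the count of failing rules, which makes it usable from a cron job or a CI gate. Because grep -x demands an exact line, a file that writes the key with trailing whitespace or as `deployment.system.config.mandatory = false` is reported as FAIL, which is the strict form the rules ask for; if a site tolerates whitespace around `=`, relax key_equals rather than the rule list.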
==> scap-security-guide-0.1.39/jre/overlays/stig_overlay.xml <==
The dialog to enable users to grant permissions to execute signed content from an un-trusted authority must be disabled.
The dialog enabling users to grant permissions to execute signed content from an un-trusted authority must be locked.
The setting for users to check publisher certificates for revocation must be enabled.
The setting enabling users to configure the check publisher certificates for revocation must be locked.
The option to enable online certificate validation must be enabled.
The option to enable online certificate validation must be locked.
The configuration file must contain proper keys and values to deploy settings correctly.
A configuration file must be present to deploy properties for JRE.
A properties file must be present to hold all the keys that establish properties within the Java control panel.
The version of the JRE running on the system must be the most current available.

==> scap-security-guide-0.1.39/jre/product.yml <==
product: jre
benchmark_root: "./guide"
profiles_root: "./profiles"

==> scap-security-guide-0.1.39/jre/profiles/stig-java-upstream.profile <==
documentation_complete: true

title: 'Java Runtime Environment (JRE) STIG'

description: |-
    The Java Runtime Environment (JRE) is a bundle developed and offered by
    Oracle Corporation which includes the Java Virtual Machine (JVM), class
    libraries, and other components necessary to run Java applications and
    applets. Certain default settings within the JRE pose a security risk, so
    it is necessary to deploy system-wide properties to ensure a higher degree
    of security when utilizing the JRE. IBM also develops and bundles a Java
    Runtime Environment (JRE), as does Red Hat with OpenJDK.

selections:
    - java_jre_deployment_config_exists
    - java_jre_deployment_config_properties
    - java_jre_deployment_config_mandatory
    - java_jre_deployment_properties_exists
    - java_jre_untrusted_sources
    - java_jre_untrusted_sources_locked
    - java_jre_validation_crl
    - java_jre_validation_crl_locked
    - java_jre_validation_ocsp
    - java_jre_validation_ocsp_locked
    - java_jre_updated

==> scap-security-guide-0.1.39/jre/transforms/cci2html.xsl <==

==> scap-security-guide-0.1.39/jre/transforms/constants.xslt <==
Java Runtime Environment
JRE
JRE_STIG
jre
empty
JRE
cpe:/a:oracle:jre:,cpe:/a:sun:jre:,cpe:/a:redhat:openjdk:,cpe:/a:ibm:jre:

==> scap-security-guide-0.1.39/jre/transforms/shorthand2xccdf.xslt <==
unknown
unlinked-jre-oval.xml

==> scap-security-guide-0.1.39/jre/transforms/table-add-srgitems.xslt <==

==> scap-security-guide-0.1.39/jre/transforms/table-sortbyref.xslt <==

==> scap-security-guide-0.1.39/jre/transforms/table-srgmap.xslt <==

==> scap-security-guide-0.1.39/jre/transforms/table-style.xslt <==

==> scap-security-guide-0.1.39/jre/transforms/xccdf-apply-overlay-stig.xslt <==

==> scap-security-guide-0.1.39/jre/transforms/xccdf2csv-stig.py <==
#!/usr/bin/env python2

import sys

# always use shared/modules version
SHARED_MODULE_PATH = "../../shared/modules"
sys.path.insert(0, SHARED_MODULE_PATH)

import xccdf2csv_stig_module

if __name__ == "__main__":
    xccdf2csv_stig_module.main()

==> scap-security-guide-0.1.39/jre/transforms/xccdf2stigformat.xslt <==

==> scap-security-guide-0.1.39/jre/transforms/xccdf2table-byref.xslt <==

==> scap-security-guide-0.1.39/jre/transforms/xccdf2table-cce.xslt <==

==> scap-security-guide-0.1.39/jre/transforms/xccdf2table-profileccirefs.xslt <==

==> scap-security-guide-0.1.39/jre/transforms/xccdf2table-profilecisrefs.xslt <==

==> scap-security-guide-0.1.39/jre/transforms/xccdf2table-profilenistrefs.xslt <==

==> scap-security-guide-0.1.39/jre/transforms/xccdf2table-stig.xslt <==

==> scap-security-guide-0.1.39/ocp3/CMakeLists.txt <==
# Sometimes our users will try to do: "cd ocp3; cmake ." That needs to error in a nice way.
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!")
endif()

set(PRODUCT "ocp3")
#set(DISA_SRG_TYPE "os")

#ssg_build_product(${PRODUCT})

#ssg_build_html_table_by_ref(${PRODUCT} "nist")
#ssg_build_html_table_by_ref(${PRODUCT} "cis")
#ssg_build_html_table_by_ref(${PRODUCT} "cui")
#ssg_build_html_table_by_ref(${PRODUCT} "pcidss")

#ssg_build_html_nistrefs_table(${PRODUCT} "common")
#ssg_build_html_nistrefs_table(${PRODUCT} "ospp-${PRODUCT}")
#ssg_build_html_nistrefs_table(${PRODUCT} "C2S")
#ssg_build_html_nistrefs_table(${PRODUCT} "stig-${PRODUCT}-disa")

#ssg_build_html_cce_table(${PRODUCT})

#ssg_build_html_srgmap_tables(${PRODUCT} ${DISA_SRG_TYPE})
#ssg_build_html_stig_tables(${PRODUCT} "stig-${PRODUCT}-disa")

==> scap-security-guide-0.1.39/ocp3/checks/oval/.gitkeep <==

==> scap-security-guide-0.1.39/ocp3/cpe/ocp3-cpe-dictionary.xml <==
Red Hat Enterprise OpenShift Container Platform 3
installed_app_is_ocp3
Red Hat Enterprise OpenShift Container Platform 3
installed_app_is_ocp3
Container
installed_env_is_a_container
Bare-metal or Virtual Machine
installed_env_is_a_machine

==> scap-security-guide-0.1.39/ocp3/fixes/ansible/.gitkeep <==

==> scap-security-guide-0.1.39/ocp3/fixes/bash/.gitkeep <==

==> scap-security-guide-0.1.39/ocp3/guide.xslt <==
A conditional clause for check statements.
A conditional clause for check statements.
This is a placeholder.

==> scap-security-guide-0.1.39/ocp3/overlays/c2s_support.xml <==

==> scap-security-guide-0.1.39/ocp3/overlays/nist800171_support.xml <==

==> scap-security-guide-0.1.39/ocp3/overlays/nist_support.xml <==

==> scap-security-guide-0.1.39/ocp3/profiles/C2S-ocp-master.profile <==
documentation_complete: true

title: 'C2S for Red Hat Enterprise OpenShift Container Platform 3 Master Node'

description: |-
    This profile demonstrates compliance against the U.S. Government
    Commercial Cloud Services (C2S) baseline.

    This baseline was inspired by the Center for Internet Security (CIS)
    Kubernetes Benchmark, v1.2.0 - 01-31-2017.

    For the SCAP Security Guide project to remain in compliance with CIS'
    terms and conditions, specifically Restrictions(8), note there is no
    representation or claim that the C2S profile will ensure a system is in
    compliance or consistency with the CIS baseline.

extends: C2S-ocp-node

selections: []

==> scap-security-guide-0.1.39/ocp3/profiles/C2S-ocp-node.profile <==
documentation_complete: true

title: 'C2S for Red Hat Enterprise OpenShift Container Platform 3 Node'

description: |-
    This profile demonstrates compliance against the U.S. Government
    Commercial Cloud Services (C2S) baseline.

    This baseline was inspired by the Center for Internet Security (CIS)
    Kubernetes Benchmark, v1.2.0 - 01-31-2017.

    For the SCAP Security Guide project to remain in compliance with CIS'
    terms and conditions, specifically Restrictions(8), note there is no
    representation or claim that the C2S profile will ensure a system is in
    compliance or consistency with the CIS baseline.

selections: []

==> scap-security-guide-0.1.39/ocp3/templates/.gitkeep <==

==> scap-security-guide-0.1.39/ocp3/transforms/cci2html.xsl <==

==> scap-security-guide-0.1.39/ocp3/transforms/constants.xslt <==
Red Hat Enterprise OpenShift Container Platform 3
OCP 3
OCP_3_STIG
OCP-3
cpe:/a:redhat:openshift:3.0,cpe:/a:redhat:openshift:3.1
OCP3
https://benchmarks.cisecurity.org/tools2/virtualization/CIS_Kubernetes_Benchmark_v1.2.0.pdf

==> scap-security-guide-0.1.39/ocp3/transforms/shorthand2xccdf.xslt <==
unknown

==> scap-security-guide-0.1.39/ocp3/transforms/table-add-srgitems.xslt <==

==> scap-security-guide-0.1.39/ocp3/transforms/table-sortbyref.xslt <==

==> scap-security-guide-0.1.39/ocp3/transforms/table-srgmap.xslt <==

==> scap-security-guide-0.1.39/ocp3/transforms/table-style.xslt <==

==> scap-security-guide-0.1.39/ocp3/transforms/xccdf-apply-overlay-stig.xslt <==

==> scap-security-guide-0.1.39/ocp3/transforms/xccdf2csv-stig.py <==
#!/usr/bin/env python2

import sys

# always use shared/modules version
SHARED_MODULE_PATH = "../../shared/modules"
sys.path.insert(0, SHARED_MODULE_PATH)

import xccdf2csv_stig_module

if __name__ == "__main__":
    xccdf2csv_stig_module.main()

==> scap-security-guide-0.1.39/ocp3/transforms/xccdf2stigformat.xslt <==

==> scap-security-guide-0.1.39/ocp3/transforms/xccdf2table-byref.xslt <==

==> scap-security-guide-0.1.39/ocp3/transforms/xccdf2table-cce.xslt <==

==> scap-security-guide-0.1.39/ocp3/transforms/xccdf2table-profileccirefs.xslt <==

==> scap-security-guide-0.1.39/ocp3/transforms/xccdf2table-profilecisrefs.xslt <==

==> scap-security-guide-0.1.39/ocp3/transforms/xccdf2table-profilenistrefs-cui.xslt <==

==> scap-security-guide-0.1.39/ocp3/transforms/xccdf2table-profilenistrefs.xslt <==

==> scap-security-guide-0.1.39/ocp3/transforms/xccdf2table-stig.xslt <==

==> scap-security-guide-0.1.39/ol7/CMakeLists.txt <==
# Sometimes our users will try to do: "cd ol7; cmake ." That needs to error in a nice way.
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!")
endif()

ssg_build_product("ol7")

==> scap-security-guide-0.1.39/ol7/checks/oval/file_permissions_unauthorized_sgid.xml <==
Find setgid files system packages
Oracle Linux 7
All files with setgid should be owned by a base system package
/
^.*$
state_file_permissions_unauthorized_sgid
state_sgid_whitelist
true
/usr/bin/cgclassify
/usr/bin/cgexec
/usr/sbin/netreport
/usr/bin/crontab
/usr/bin/gnomine
/usr/bin/iagno
/usr/bin/locate
/usr/bin/lockfile
/usr/bin/same-gnome
/usr/bin/screen
/usr/bin/ssh-agent
/usr/bin/wall
/usr/bin/write
/usr/lib/vte/gnome-pty-helper
/usr/lib/vte-2.90/gnome-pty-helper
/usr/lib/vte-2.91/gnome-pty-helper
/usr/lib64/vte/gnome-pty-helper
/usr/lib64/vte-2.90/gnome-pty-helper
/usr/lib64/vte-2.91/gnome-pty-helper
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
/usr/libexec/kde4/kdesud
/usr/libexec/openssh/ssh-keysign
/usr/libexec/utempter/utempter
/usr/lib/mailman/cgi-bin/admindb
/usr/lib/mailman/cgi-bin/admin
/usr/lib/mailman/cgi-bin/confirm
/usr/lib/mailman/cgi-bin/create
/usr/lib/mailman/cgi-bin/edithtml
/usr/lib/mailman/cgi-bin/listinfo
/usr/lib/mailman/cgi-bin/options
/usr/lib/mailman/cgi-bin/private
/usr/lib/mailman/cgi-bin/rmlist
/usr/lib/mailman/cgi-bin/roster
/usr/lib/mailman/cgi-bin/subscribe
/usr/lib/mailman/mail/mailman
/usr/sbin/lockdev
/usr/sbin/postdrop
/usr/sbin/postqueue
/usr/sbin/sendmail.sendmail

==> scap-security-guide-0.1.39/ol7/checks/oval/file_permissions_unauthorized_suid.xml <==
Find setuid files from system packages
Oracle Linux 7
All files with setuid should be owned by a base system package
/
^.*$
state_file_permissions_unauthorized_suid
state_suid_whitelist
true
/usr/bin/abrt-action-install-debuginfo-to-abrt-cache
/usr/bin/at
/usr/bin/chage
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/ksu
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/staprun
/usr/bin/sudoedit
/usr/bin/sudo
/usr/bin/su
/usr/bin/umount
/usr/bin/Xorg
/usr/lib64/amanda/application/amgtar
/usr/lib64/amanda/application/amstar
/usr/lib64/amanda/calcsize
/usr/lib64/amanda/dumper
/usr/lib64/amanda/killpgrp
/usr/lib64/amanda/planner
/usr/lib64/amanda/rundump
/usr/lib64/amanda/runtar
/usr/lib64/dbus-1/dbus-daemon-launch-helper
/usr/lib/amanda/application/amgtar
/usr/lib/amanda/application/amstar
/usr/lib/amanda/calcsize
/usr/lib/amanda/dumper
/usr/lib/amanda/killpgrp
/usr/lib/amanda/planner
/usr/lib/amanda/rundump
/usr/lib/amanda/runtar
/usr/lib/dbus-1/dbus-daemon-launch-helper
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
/usr/libexec/kde4/kpac_dhcp_helper
/usr/libexec/qemu-bridge-helper
/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper
/usr/libexec/sssd/krb5_child
/usr/libexec/sssd/ldap_child
/usr/libexec/sssd/proxy_child
/usr/libexec/sssd/selinux_child
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/sbin/amcheck
/usr/sbin/amservice
/usr/sbin/mount.nfs
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/userhelper
/usr/sbin/usernetctl

==> scap-security-guide-0.1.39/ol7/cpe/ol7-cpe-dictionary.xml <==
Oracle Linux 7
installed_OS_is_ol7_family

==> scap-security-guide-0.1.39/ol7/guide.xslt <==
A conditional clause for check statements.
A conditional clause for check statements.
This is a placeholder.

==> scap-security-guide-0.1.39/ol7/kickstart/.gitkeep <==

==> scap-security-guide-0.1.39/ol7/overlays/.gitkeep <==

==> scap-security-guide-0.1.39/ol7/product.yml <==
product: ol7
benchmark_root: "../shared/guide"
profiles_root: "./profiles"
pkg_system: "rpm"

==> scap-security-guide-0.1.39/ol7/profiles/sap.profile <==
documentation_complete: true

title: 'Security Profile of Oracle Linux 7 for SAP'

description: |-
    This profile contains rules for Oracle Linux 7 Operating System in
    compliance with SAP note 2069760 and SAP Security Baseline v1.9 Item I-8
    and section 4.1.2.2.

    Regardless of your system's workload all of these checks should pass.

selections:
    - package_glibc_installed
    - package_uuidd_installed
    - file_permissions_etc_shadow
    - service_rlogin_disabled
    - service_rsh_disabled
    - no_rsh_trust_files

==> scap-security-guide-0.1.39/ol7/profiles/standard.profile <==
documentation_complete: true

title: 'Standard System Security Profile for Oracle Linux 7'

description: |-
    This profile contains rules to ensure a standard security baseline of an
    Oracle Linux 7 system. Regardless of your system's workload all of these
    checks should pass.

selections:
    - ensure_oracle_gpgkey_installed
    - ensure_gpgcheck_globally_activated
    - rpm_verify_permissions
    - rpm_verify_hashes
    - no_empty_passwords
    - file_permissions_unauthorized_sgid
    - file_permissions_unauthorized_suid
    - file_permissions_unauthorized_world_writable
    - accounts_root_path_dirs_no_write
    - dir_perms_world_writable_sticky_bits
    - root_path_no_dot
    - accounts_password_all_shadowed
    - mount_option_dev_shm_nodev
    - mount_option_dev_shm_nosuid

==> scap-security-guide-0.1.39/ol7/templates/csv/mount_options.csv <==
/dev/shm,nodev
/dev/shm,nosuid

==> scap-security-guide-0.1.39/ol7/templates/csv/oval_5.11/services_disabled.csv <==
# service_name, package_name, daemon_name (as recognized by chkconfig / systemd. To be used when daemon_name differs from service_name)
sshd,,
rlogin,,
rsh,,

==> scap-security-guide-0.1.39/ol7/templates/csv/packages_installed.csv <==
openssh-server
uuidd
glibc,0:2.17-55.0.4.el7_0.3

==> scap-security-guide-0.1.39/ol7/templates/oval_5.11_templates/template_OVAL_service_disabled <==
Service %SERVICENAME% Disabled
Oracle Linux 7
The %SERVICENAME% service should be disabled if possible.
multi-user.target
%SERVICENAME%.service
multi-user.target
%SERVICENAME%.socket
%SERVICENAME%\.(service|socket)
ActiveState
inactive

==> scap-security-guide-0.1.39/ol7/templates/template_OVAL_kernel_module_disabled <==
Disable %KERNMODULE% Kernel Module
Oracle Linux 7
The kernel module %KERNMODULE% should be disabled.
/etc/modprobe.d  ^.*\.conf$  ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$  1
/etc/modprobe.conf  ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$  1
/etc/modules-load.d  ^.*\.conf$  ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$  1
/run/modules-load.d  ^.*\.conf$  ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$  1
/usr/lib/modules-load.d  ^.*\.conf$  ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$  1

==> scap-security-guide-0.1.39/ol7/transforms/constants.xslt <==
Oracle Linux 7
OL7
>OL_7_STIG
ol7
https://benchmarks.cisecurity.org/tools2/linux/CIS_Oracle_Linux_7_Benchmark_v2.1.0.pdf
OL-7
cpe:/o:oracle:linux:7
OL-07-

==> scap-security-guide-0.1.39/ol7/transforms/shorthand2xccdf.xslt <==
unknown
unlinked-ol7-oval.xml

==> scap-security-guide-0.1.39/opensuse/CMakeLists.txt <==
# Sometimes our users will try to do: "cd opensuse; cmake ." That needs to error in a nice way.
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!") endif() ssg_build_product("opensuse") scap-security-guide-0.1.39/opensuse/cpe/000077500000000000000000000000001327242345500201115ustar00rootroot00000000000000scap-security-guide-0.1.39/opensuse/cpe/opensuse-cpe-dictionary.xml000066400000000000000000000024771327242345500254160ustar00rootroot00000000000000 openSUSE Leap 42.1 installed_OS_is_opensuse openSUSE Leap 42.2 installed_OS_is_opensuse openSUSE Leap 42.3 installed_OS_is_opensuse scap-security-guide-0.1.39/opensuse/fixes/000077500000000000000000000000001327242345500204605ustar00rootroot00000000000000scap-security-guide-0.1.39/opensuse/fixes/.gitkeep000066400000000000000000000000001327242345500220770ustar00rootroot00000000000000scap-security-guide-0.1.39/opensuse/guide.xslt000066400000000000000000000037561327242345500213660ustar00rootroot00000000000000 A conditional clause for check statements. A conditional clause for check statements. This is a placeholder. 
scap-security-guide-0.1.39/opensuse/overlays/000077500000000000000000000000001327242345500212065ustar00rootroot00000000000000scap-security-guide-0.1.39/opensuse/overlays/.gitkeep000066400000000000000000000000001327242345500226250ustar00rootroot00000000000000scap-security-guide-0.1.39/opensuse/product.yml000066400000000000000000000001451327242345500215450ustar00rootroot00000000000000product: opensuse benchmark_root: "../shared/guide" profiles_root: "./profiles" pkg_system: "rpm" scap-security-guide-0.1.39/opensuse/profiles/000077500000000000000000000000001327242345500211655ustar00rootroot00000000000000scap-security-guide-0.1.39/opensuse/profiles/standard.profile000066400000000000000000000005741327242345500243550ustar00rootroot00000000000000documentation_complete: true title: 'Standard System Security Profile for openSUSE' description: |- This profile contains rules to ensure standard security baseline of an openSUSE system. Regardless of your system's workload all of these checks should pass. 
selections: - file_owner_etc_passwd - file_groupowner_etc_passwd - file_permissions_etc_passwd scap-security-guide-0.1.39/opensuse/templates/000077500000000000000000000000001327242345500213405ustar00rootroot00000000000000scap-security-guide-0.1.39/opensuse/templates/csv/000077500000000000000000000000001327242345500221335ustar00rootroot00000000000000scap-security-guide-0.1.39/opensuse/templates/csv/file_groupowner.csv000066400000000000000000000000401327242345500260500ustar00rootroot00000000000000/etc/cron.allow,root,cron_allow scap-security-guide-0.1.39/opensuse/templates/csv/file_owner.csv000066400000000000000000000000401327242345500247730ustar00rootroot00000000000000/etc/cron.allow,root,cron_allow scap-security-guide-0.1.39/opensuse/templates/csv/oval_5.11/000077500000000000000000000000001327242345500235405ustar00rootroot00000000000000scap-security-guide-0.1.39/opensuse/templates/csv/oval_5.11/services_disabled.csv000066400000000000000000000002171327242345500277270ustar00rootroot00000000000000# service_name, package_name, daemon_name (as recognized by chkconfig / systemd. 
To be used when daemon_name differs from service_name) sshd,, scap-security-guide-0.1.39/opensuse/templates/csv/oval_5.11/services_enabled.csv000066400000000000000000000001011327242345500275420ustar00rootroot00000000000000auditd,audit, chronyd,chrony, crond,cronie, firewalld,firewalld, scap-security-guide-0.1.39/opensuse/templates/csv/packages_installed.csv000066400000000000000000000000671327242345500264700ustar00rootroot00000000000000audit chrony cronie firewalld libreswan openssh-server scap-security-guide-0.1.39/opensuse/templates/csv/services_enabled.csv000066400000000000000000000000461327242345500261450ustar00rootroot00000000000000chronyd,chrony,#only-for:bash,ansible scap-security-guide-0.1.39/opensuse/templates/oval_5.11_templates/000077500000000000000000000000001327242345500250235ustar00rootroot00000000000000scap-security-guide-0.1.39/opensuse/templates/oval_5.11_templates/template_OVAL_service_disabled000066400000000000000000000074201327242345500327540ustar00rootroot00000000000000 Service %SERVICENAME% Disabled openSUSE The %SERVICENAME% service should be disabled if possible. multi-user.target %SERVICENAME%.service multi-user.target %SERVICENAME%.socket %SERVICENAME%\.(service|socket) ActiveState inactive scap-security-guide-0.1.39/opensuse/templates/oval_5.11_templates/template_OVAL_service_enabled000066400000000000000000000032251327242345500325760ustar00rootroot00000000000000 Service %SERVICENAME% Enabled openSUSE The %SERVICENAME% service should be enabled if possible. multi-user.target %SERVICENAME%.service scap-security-guide-0.1.39/opensuse/templates/template_OVAL_kernel_module_disabled000066400000000000000000000112341327242345500304540ustar00rootroot00000000000000 Disable %KERNMODULE% Kernel Module openSUSE The kernel module %KERNMODULE% should be disabled. 
/etc/modprobe.d ^.*\.conf$ ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$ 1 /etc/modprobe.conf ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$ 1 /etc/modules-load.d ^.*\.conf$ ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$ 1 /run/modules-load.d ^.*\.conf$ ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$ 1 /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$ 1 scap-security-guide-0.1.39/opensuse/transforms/000077500000000000000000000000001327242345500215405ustar00rootroot00000000000000scap-security-guide-0.1.39/opensuse/transforms/constants.xslt000066400000000000000000000021551327242345500244730ustar00rootroot00000000000000 openSUSE openSUSE empty OPENSUSE cpe:/o:opensuse:leap:42.1,cpe:/o:opensuse:leap:42.2,cpe:/o:opensuse:leap:42.3 opensuse empty scap-security-guide-0.1.39/opensuse/transforms/shorthand2xccdf.xslt000066400000000000000000000005151327242345500255410ustar00rootroot00000000000000 unknown unlinked-opensuse-oval.xml scap-security-guide-0.1.39/opensuse/transforms/xccdf2table-profilecisrefs.xslt000066400000000000000000000007051327242345500276540ustar00rootroot00000000000000 scap-security-guide-0.1.39/oval.config.in000066400000000000000000000023341327242345500202400ustar00rootroot00000000000000# This file contains variables that are settings for OVAL checks such as # OVAL Schema version, i.e. 5.10, or the operating system version # that the OVAL check currently supports, i.e. Red Hat Enterprise Linux 7. # # As OVAL checks support multiple operating system verions, the use of the # multi_platform_ variables allow developers to easily specify the multiple # operating system versions supported by a specific OVAL check. 
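The ol7 and openSUSE template_OVAL_kernel_module_disabled files above both reduce to the same logic: the check passes if at least one eligible file (/etc/modprobe.conf, or a file ending in .conf inside one of the five listed directories) contains a line matching `^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$`. The following Python is an added example, not part of the SCAP Security Guide code base, that evaluates that logic over a constructed in-memory snapshot of configuration files instead of the real filesystem. It makes the template's edge cases visible: a `blacklist` line alone does not satisfy the check, a file without the .conf suffix is ignored (as it is by modprobe itself), and a trailing comment on the `install` line defeats the `$` anchor.

```python
import re

# Directories the template scans for *.conf files; /etc/modprobe.conf is
# examined as a single file in addition.
MODPROBE_DIRS = ("/etc/modprobe.d", "/etc/modules-load.d",
                 "/run/modules-load.d", "/usr/lib/modules-load.d")
MODPROBE_CONF = "/etc/modprobe.conf"

# Constructed snapshot (path -> contents); nothing is read from disk.
SAMPLE_FS = {
    "/etc/modprobe.d/usb-storage.conf": "# block USB mass storage\ninstall usb-storage /bin/true\n",
    "/etc/modprobe.d/dccp.conf": "blacklist dccp\n",                       # blacklist only
    "/etc/modprobe.d/cramfs": "install cramfs /bin/true\n",                # no .conf suffix
    "/etc/modprobe.d/sctp.conf": "install sctp /bin/false  # disabled\n",  # trailing comment
    "/usr/lib/modules-load.d/bluetooth.conf": "install bluetooth /bin/false\n",
}


def install_pattern(module):
    """Compile the template's regex with %KERNMODULE% substituted."""
    return re.compile(r"^\s*install\s+" + re.escape(module) + r"\s+(/bin/false|/bin/true)$")


def eligible(path):
    """Apply the template's file filters: /etc/modprobe.conf, or *.conf in a listed directory."""
    directory, _, base = path.rpartition("/")
    return path == MODPROBE_CONF or (directory in MODPROBE_DIRS and base.endswith(".conf"))


def module_disabled(module, fs):
    """True if at least one eligible file holds a matching install line.

    Mirrors the template: several file objects, each with a pattern-match
    test, combined so that a single hit anywhere is sufficient.
    """
    pattern = install_pattern(module)
    for path, content in fs.items():
        if not eligible(path):
            continue
        for line in content.splitlines():
            if pattern.match(line):
                return True
    return False


def report(modules, fs):
    """Evaluate several modules at once; returns {module: passed}."""
    return {m: module_disabled(m, fs) for m in modules}


if __name__ == "__main__":
    for module, ok in report(["usb-storage", "dccp", "cramfs", "sctp", "bluetooth"], SAMPLE_FS).items():
        print("%-12s %s" % (module, "pass" if ok else "fail"))
```

Note that the check accepts `/bin/true` as well as `/bin/false`; with `/bin/true` an explicit `modprobe` of the module exits successfully without loading anything, which is usually what administrators want, while `/bin/false` makes the attempt report an error.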
For example:
#
# Fedora 22
# Fedora 23
# Fedora 24
#
# would be written in the OVAL check as:
#
# multi_platform_fedora
#
# with the multi_platform_fedora variable set as the following in this file:
#
# multi_platform_fedora = 24,23,22
#
# Note: this file uses .ini style formatting
#
[Platform]
multi_platform_oval = multi_platform_fedora, multi_platform_rhel, multi_platform_debian, multi_platform_ubuntu, multi_platform_wrlinux, multi_platform_ol
multi_platform_fedora = 24,23
multi_platform_debian = 8
multi_platform_ubuntu = 1604,1404
multi_platform_wrlinux = 8
multi_platform_rhel = 6,7
multi_platform_openstack =
multi_platform_opensuse = 42.1,42.2,42.3
multi_platform_sle = 11,12
multi_platform_ol = 7
scap-security-guide-0.1.39/rhel-osp7/000077500000000000000000000000001327242345500173215ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/CMakeLists.txt000066400000000000000000000004631327242345500220640ustar00rootroot00000000000000# Sometimes our users will try to do: "cd rhel-osp7; cmake ." That needs to error in a nice way.
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!")
endif()
ssg_build_product("rhel-osp7")
scap-security-guide-0.1.39/rhel-osp7/README000066400000000000000000000031201327242345500201750ustar00rootroot00000000000000Directory Structure of scap-security-guide ------------------------------------------ The input directory contains source files that generate SCAP content, such as XCCDF and OVAL. Since a single large XML file is an impractical format for multiple authors to collaborate on editing SCAP content, efforts are made to keep logically related guidance and checking content in individual files. The transforms directory contains resources that enable the files inside the input directory (or output directory) to be combined and reformatted into valid SCAP formats or human-readable formats.
The output directory is used as a storage area for items generated by the files in the inputs directory. It should be empty in the repository, and built on users' individual systems (and rely on its .gitignore file to keep such files out). The output directory contains transitional output (which may only exist in order to be further transformed) as well as final output. The references directory should contain documents which are specified as references from within the SCAP content, or documents that are "seeds," viz. documents whose prose will be translated into SCAP formats, as well as other examples of SCAP content. The utils directory contains helper scripts and other items that are useful to developers but are not essential to producing the project's output. The dist directory contains final outputs, which could be shipped in an RPM for consumption by end-users. Updating the Makefile to copy an item from the outputs directory to the dist directory indicates that an item is considered a final output. scap-security-guide-0.1.39/rhel-osp7/checks/000077500000000000000000000000001327242345500205615ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/checks/oval/000077500000000000000000000000001327242345500215225ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/checks/oval/README000066400000000000000000000025001327242345500223770ustar00rootroot00000000000000OVAL checks here are currently defined in individual files of well-formed XML, each of which contains the elements necessary to conduct the check. Each file consists of one definition and the tests, states, objects and variables upon which it depends. When developing new OVAL content make sure that IDs assigned to new definitions, tests, objects, states, and variables are unique and not replicated in any other OVAL check in this directory. The presence of duplicate IDs will result in a "Duplicate ID" warning being printed when the "make all" command is issued. 
Because each of these XML files is eventually concatenated and reordered to create a valid OVAL document, the presence of duplicate IDs can introduce errors when evaluating the OVAL content. Please note that there may be times when it makes sense to duplicate an object assuming that the object is *exactly* the same across OVAL checks. This warning is meant to discourage the accidental introduction of duplicate IDs. Interrogatory checks (which cannot be automated) may be defined in the OCIL language and stored here. As soon as it supports newer OVAL versions, checks may also be defined in (or replaced by translations of) the SC language and compiled into OVAL using the scc tool. More information is available at: http://oss.tresys.com/projects/scc scap-security-guide-0.1.39/rhel-osp7/checks/oval/cinder_file_perms.xml000066400000000000000000000034671327242345500257270ustar00rootroot00000000000000 Verify /etc/cinder/api-paste.ini Permissions multi_platform_rhel This test makes sure that /etc/cinder/api-paste.ini is permission 640 or stricter. /etc/cinder/api-paste.ini false false false false false false false false false false false false scap-security-guide-0.1.39/rhel-osp7/checks/oval/horizon_csrf_cookie_secure.xml000066400000000000000000000025051327242345500276520ustar00rootroot00000000000000 Is CSRF_COOKIE_SECURE parameter set to True? multi_platform_all Is CSRF_COOKIE_SECURE parameter set to True? /etc/openstack-dashboard/local_settings ^[\s]*(?i)CSRF_COOKIE_SECURE(?-i)[\s]+True[\s]*(?:|(?:#.*))?$ 1 scap-security-guide-0.1.39/rhel-osp7/checks/oval/horizon_disable_password_reveal.xml000066400000000000000000000025741327242345500307070ustar00rootroot00000000000000 Is disable_password_reveal parameter set to True? multi_platform_all Is disable_password_reveal parameter set to True? 
/etc/openstack-dashboard/local_settings ^[\s]*(?i)disable_password_reveal(?-i)[\s]+True[\s]*(?:|(?:#.*))?$ 1 scap-security-guide-0.1.39/rhel-osp7/checks/oval/horizon_file_ownership.xml000066400000000000000000000024071327242345500270340ustar00rootroot00000000000000 Verify group who owns /etc/openstack-dashboard/local_settings file multi_platform_rhel The /etc/openstack-dashboard/local_settings file should be owned by the appropriate group. 0 /etc/openstack-dashboard/local_settings scap-security-guide-0.1.39/rhel-osp7/checks/oval/horizon_file_perms.xml000066400000000000000000000043341327242345500261450ustar00rootroot00000000000000 Verify /etc/openstack-dashboard/local_settings Permissions multi_platform_rhel This test makes sure that /etc/openstack-dashboard/local_settings is permission 640 or stricter. /etc/openstack-dashboard/local_settings 0 0 false false false false false false false false false false false false scap-security-guide-0.1.39/rhel-osp7/checks/oval/horizon_password_autocomplete.xml000066400000000000000000000025421327242345500304420ustar00rootroot00000000000000 Is password_autocomplete parameter set to off? multi_platform_all Is password_autocomplete parameter set to off? /etc/openstack-dashboard/local_settings ^[\s]*(?i)password_autocomplete(?-i)[\s]+off[\s]*(?:|(?:#.*))?$ 1 scap-security-guide-0.1.39/rhel-osp7/checks/oval/horizon_session_cookie_httponly.xml000066400000000000000000000025741327242345500310010ustar00rootroot00000000000000 Is SESSION_COOKIE_HTTPONLY parameter set to True? multi_platform_all Is SESSION_COOKIE_HTTPONLY parameter set to True? /etc/openstack-dashboard/local_settings ^[\s]*(?i)SESSION_COOKIE_HTTPONLY(?-i)[\s]+True[\s]*(?:|(?:#.*))?$ 1 scap-security-guide-0.1.39/rhel-osp7/checks/oval/horizon_session_cookie_secure.xml000066400000000000000000000025461327242345500304050ustar00rootroot00000000000000 Is SESSION_COOKIE_SECURE parameter set to True? multi_platform_all Is SESSION_COOKIE_SECURE parameter set to True? 
/etc/openstack-dashboard/local_settings ^[\s]*(?i)SESSION_COOKIE_SECURE(?-i)[\s]+True[\s]*(?:|(?:#.*))?$ 1 scap-security-guide-0.1.39/rhel-osp7/checks/oval/horizon_use_ssl.xml000066400000000000000000000023141327242345500254710ustar00rootroot00000000000000 Is USE_SSL parameter set to True? multi_platform_all Is USE_SSL parameter set to True? /etc/openstack-dashboard/local_settings ^[\s]*(?i)USE_SSL(?-i)[\s]+True[\s]*(?:|(?:#.*))?$ 1 scap-security-guide-0.1.39/rhel-osp7/checks/oval/installed_OS_is_rhel7.xml000066400000000000000000000050071327242345500264220ustar00rootroot00000000000000 Red Hat Enterprise Linux 7 multi_platform_all The operating system installed on the system is Red Hat Enterprise Linux 7 unix ^7.*$ redhat-release-workstation ^7.*$ redhat-release-server scap-security-guide-0.1.39/rhel-osp7/checks/oval/system_info_architecture_x86.xml000066400000000000000000000024301327242345500300510ustar00rootroot00000000000000 Test for x86 Architecture multi_platform_rhel multi_platform_fedora Generic test for x86 architecture to be used by other tests i686 scap-security-guide-0.1.39/rhel-osp7/checks/oval/system_info_architecture_x86_64.xml000066400000000000000000000024701327242345500303660ustar00rootroot00000000000000 Test for x86_64 Architecture multi_platform_rhel multi_platform_fedora Generic test for x86_64 architecture to be used by other tests x86_64 scap-security-guide-0.1.39/rhel-osp7/cpe/000077500000000000000000000000001327242345500200705ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/cpe/rhel-osp7-cpe-dictionary.xml000066400000000000000000000025071327242345500253460ustar00rootroot00000000000000 Red Hat Enterprise Linux 7 installed_OS_is_rhel7 CentOS 7 installed_OS_is_centos7 Scientific Linux 7 installed_OS_is_sl7 scap-security-guide-0.1.39/rhel-osp7/cpe/rhel7-cpe-dictionary.xml000066400000000000000000000025071327242345500245470ustar00rootroot00000000000000 Red Hat Enterprise Linux 7 installed_OS_is_rhel7 CentOS 7 installed_OS_is_centos7 
Scientific Linux 7 installed_OS_is_sl7 scap-security-guide-0.1.39/rhel-osp7/fixes/000077500000000000000000000000001327242345500204375ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/fixes/bash/000077500000000000000000000000001327242345500213545ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/fixes/bash/cinder_file_ownership.sh000066400000000000000000000003231327242345500262470ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 for file in /etc/cinder/cinder.conf \ /etc/cinder/api-paste.ini \ /etc/cinder/policy.json \ /etc/cinder/rootwrap.conf; do chown root $file chgrp cinder $file done scap-security-guide-0.1.39/rhel-osp7/fixes/bash/cinder_file_perms.sh000066400000000000000000000002641327242345500253630ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 chmod 640 /etc/cinder/cinder.conf chmod 640 /etc/cinder/api-paste.ini chmod 640 /etc/cinder/policy.json chmod 640 /etc/cinder/rootwrap.conf scap-security-guide-0.1.39/rhel-osp7/fixes/bash/cinder_glance_tls.sh000066400000000000000000000001711327242345500253460ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 openstack-config --set /etc/cinder/cinder.conf DEFAULT glance_api_insecure False scap-security-guide-0.1.39/rhel-osp7/fixes/bash/cinder_nova_tls.sh000066400000000000000000000001671327242345500250650ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 openstack-config --set /etc/cinder/cinder.conf DEFAULT nova_api_insecure False scap-security-guide-0.1.39/rhel-osp7/fixes/bash/cinder_osapi_max_request_body.sh000066400000000000000000000002021327242345500277730ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 openstack-config --set /etc/cinder/cinder.conf DEFAULT osapi_max_request_body_size 114688 scap-security-guide-0.1.39/rhel-osp7/fixes/bash/cinder_tls_enabled.sh000066400000000000000000000010351327242345500255070ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 
OLD_IDENTITY_URI=$(openstack-config --get /etc/cinder/cinder.conf keystone_authtoken identity_uri)
# Rewrite only the scheme. The pattern is anchored at the start of the value, so a
# URI that is already https is left alone and no characters are sliced off the end.
NEW_IDENTITY_URI="${OLD_IDENTITY_URI/#http:/https:}"
openstack-config --set /etc/cinder/cinder.conf keystone_authtoken identity_uri "$NEW_IDENTITY_URI"
OLD_AUTH_URI=$(openstack-config --get /etc/cinder/cinder.conf keystone_authtoken auth_uri)
NEW_AUTH_URI="${OLD_AUTH_URI/#http:/https:}"
openstack-config --set /etc/cinder/cinder.conf keystone_authtoken auth_uri "$NEW_AUTH_URI"
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/cinder_using_keystone.sh000066400000000000000000000001661327242345500263050ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
openstack-config --set /etc/cinder/cinder.conf DEFAULT auth_strategy keystone
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/horizon_csrf_cookie_secure.sh000066400000000000000000000002071327242345500273130ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
openstack-config --set /etc/openstack-dashboard/local_settings DEFAULT CSRF_COOKIE_SECURE True
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/horizon_disable_password_reveal.sh000066400000000000000000000002141327242345500303400ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
openstack-config --set /etc/openstack-dashboard/local_settings DEFAULT DISABLE_PASSWORD_REVEAL True
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/horizon_file_ownership.sh000066400000000000000000000002211327242345500264700ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
chown root /etc/openstack-dashboard/local_settings
chgrp horizon /etc/openstack-dashboard/local_settings
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/horizon_file_perms.sh000066400000000000000000000001321327242345500256020ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
chmod 640 /etc/openstack-dashboard/local_settings
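The cinder and horizon file-permission checks above require a mode of 640 or stricter together with root ownership and the service group, and the bash fixes apply `chmod 640`, `chown root` and `chgrp <service>`. The Python below is an added example, not project code, that implements "640 or stricter" the way the OVAL state does (every mode bit, including setuid, setgid and sticky, must be clear unless 640 permits it), names the offending bits in chmod notation, and verifies one file before and after the remediation. The demo uses a temporary stand-in file owned by the current user; on a real host you would pass the service group's gid (for example `grp.getgrnam("horizon").gr_gid`) as `want_gid`.

```python
import os
import stat
import tempfile

# (bit, chmod-style name) in the order the OVAL state lists the mode entities
_MODE_BITS = (
    (stat.S_ISUID, "u+s"), (stat.S_ISGID, "g+s"), (stat.S_ISVTX, "+t"),
    (stat.S_IRUSR, "u+r"), (stat.S_IWUSR, "u+w"), (stat.S_IXUSR, "u+x"),
    (stat.S_IRGRP, "g+r"), (stat.S_IWGRP, "g+w"), (stat.S_IXGRP, "g+x"),
    (stat.S_IROTH, "o+r"), (stat.S_IWOTH, "o+w"), (stat.S_IXOTH, "o+x"),
)


def mode_within(actual_mode, max_mode=0o640):
    """True when actual_mode is max_mode 'or stricter': no bit is set that
    max_mode does not also set. Special bits count, so 4640 fails even
    though its rwx part equals 640."""
    return stat.S_IMODE(actual_mode) & ~max_mode == 0


def excess_bits(actual_mode, max_mode=0o640):
    """List the bits that exceed max_mode in chmod notation, e.g. ['o+r']."""
    excess = stat.S_IMODE(actual_mode) & ~max_mode
    return [name for bit, name in _MODE_BITS if excess & bit]


def check_path(path, max_mode=0o640, want_uid=0, want_gid=None):
    """Return the findings for one file; an empty list means compliant."""
    st = os.stat(path)
    findings = ["mode has " + b for b in excess_bits(st.st_mode, max_mode)]
    if st.st_uid != want_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, want_uid))
    if want_gid is not None and st.st_gid != want_gid:
        findings.append("group gid %d, expected %d" % (st.st_gid, want_gid))
    return findings


def demo():
    """Check a constructed stand-in for local_settings before and after chmod 640."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "local_settings")
        with open(path, "w") as f:
            f.write("# constructed stand-in, not a real /etc/openstack-dashboard/local_settings\n")
        os.chmod(path, 0o644)            # world-readable: the typical finding
        me = os.getuid()
        before = check_path(path, want_uid=me)
        os.chmod(path, 0o640)            # the remediation step from the fix script
        after = check_path(path, want_uid=me)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "compliant")
    print("after: ", after or "compliant")
```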
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/horizon_password_autocomplete.sh000066400000000000000000000002121327242345500300760ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
# The matching check requires password_autocomplete to be "off"; a value of True
# would leave browser autocompletion of the login password enabled.
openstack-config --set /etc/openstack-dashboard/local_settings DEFAULT password_autocomplete off
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/horizon_session_cookie_httponly.sh000066400000000000000000000002141327242345500304320ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
openstack-config --set /etc/openstack-dashboard/local_settings DEFAULT SESSION_COOKIE_HTTPONLY True
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/horizon_session_cookie_secure.sh000066400000000000000000000002121327242345500300350ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
openstack-config --set /etc/openstack-dashboard/local_settings DEFAULT SESSION_COOKIE_SECURE True
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/horizon_use_ssl.sh000066400000000000000000000001741327242345500251370ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
openstack-config --set /etc/openstack-dashboard/local_settings DEFAULT use_ssl True
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/neutron_api_use_ssl.sh000066400000000000000000000001561327242345500257720ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
openstack-config --set /etc/neutron/neutron.conf DEFAULT use_ssl True
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/neutron_file_ownership.sh000066400000000000000000000003311327242345500264740ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
for file in /etc/neutron/neutron.conf \
            /etc/neutron/api-paste.ini \
            /etc/neutron/policy.json \
            /etc/neutron/rootwrap.conf; do
  chown root "$file"
  chgrp neutron "$file"
done
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/neutron_file_perms.sh000066400000000000000000000002711327242345500256070ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
chmod 640 /etc/neutron/neutron.conf
chmod 640 /etc/neutron/api-paste.ini
chmod 640 /etc/neutron/policy.json
chmod 640 /etc/neutron/rootwrap.conf
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/neutron_secure_authentication.sh000066400000000000000000000010411327242345500300450ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
STR_IDENTITY_URI=$(openstack-config --get /etc/neutron/neutron.conf keystone_authtoken identity_uri)
# Rewrite only the scheme: the pattern is anchored at the start, so an https value
# is left unchanged and no trailing characters are dropped from the URI.
NEW_IDENTITY_URI="${STR_IDENTITY_URI/#http:/https:}"
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken identity_uri "$NEW_IDENTITY_URI"
STR_AUTH_URI=$(openstack-config --get /etc/neutron/neutron.conf keystone_authtoken auth_uri)
NEW_AUTH_URI="${STR_AUTH_URI/#http:/https:}"
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_uri "$NEW_AUTH_URI"
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/neutron_use_https.sh000066400000000000000000000010411327242345500254760ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
STR_IDENTITY_URI=$(openstack-config --get /etc/neutron/neutron.conf keystone_authtoken identity_uri)
# Rewrite only the scheme: the pattern is anchored at the start, so an https value
# is left unchanged and no trailing characters are dropped from the URI.
NEW_IDENTITY_URI="${STR_IDENTITY_URI/#http:/https:}"
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken identity_uri "$NEW_IDENTITY_URI"
STR_AUTH_URI=$(openstack-config --get /etc/neutron/neutron.conf keystone_authtoken auth_uri)
NEW_AUTH_URI="${STR_AUTH_URI/#http:/https:}"
openstack-config --set /etc/neutron/neutron.conf keystone_authtoken auth_uri "$NEW_AUTH_URI"
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/neutron_use_keystone.sh000066400000000000000000000001701327242345500261750ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
openstack-config --set /etc/neutron/neutron.conf DEFAULT auth_strategy keystone
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/nova_file_ownership.sh000066400000000000000000000003071327242345500257500ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
for file in /etc/nova/nova.conf \
            /etc/nova/api-paste.ini \
            /etc/nova/policy.json \
            /etc/nova/rootwrap.conf; do
  chown root "$file"
  chgrp nova "$file"
done
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/nova_file_perms.sh000066400000000000000000000002521327242345500250570ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
chmod 640 /etc/nova/nova.conf
chmod 640 /etc/nova/api-paste.ini
chmod 640 /etc/nova/policy.json
chmod 640 /etc/nova/rootwrap.conf
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/nova_secure_authentication.sh000066400000000000000000000010111327242345500273110ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
STR_IDENTITY_URI=$(openstack-config --get /etc/nova/nova.conf keystone_authtoken identity_uri)
# Rewrite only the scheme: the pattern is anchored at the start, so an https value
# is left unchanged and no trailing characters are dropped from the URI.
NEW_IDENTITY_URI="${STR_IDENTITY_URI/#http:/https:}"
openstack-config --set /etc/nova/nova.conf keystone_authtoken identity_uri "$NEW_IDENTITY_URI"
STR_AUTH_URI=$(openstack-config --get /etc/nova/nova.conf keystone_authtoken auth_uri)
NEW_AUTH_URI="${STR_AUTH_URI/#http:/https:}"
openstack-config --set /etc/nova/nova.conf keystone_authtoken auth_uri "$NEW_AUTH_URI"
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/nova_secure_glance.sh000066400000000000000000000002721327242345500255330ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
openstack-config --set /etc/nova/nova.conf DEFAULT glance_api_insecure False
openstack-config --set /etc/nova/nova.conf glance api_insecure False
scap-security-guide-0.1.39/rhel-osp7/fixes/bash/nova_use_keystone.sh000066400000000000000000000001621327242345500254470ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7
openstack-config --set /etc/nova/nova.conf DEFAULT auth_strategy keystone
scap-security-guide-0.1.39/rhel-osp7/guide.xslt000066400000000000000000000037721327242345500213430ustar00rootroot00000000000000 A conditional clause for check statements. A conditional clause for check statements. This is a placeholder.
scap-security-guide-0.1.39/rhel-osp7/overlays/000077500000000000000000000000001327242345500211655ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/overlays/nist_support.xml000066400000000000000000000102751327242345500244650ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/product.yml000066400000000000000000000001461327242345500215250ustar00rootroot00000000000000product: rhel-osp7
benchmark_root: "../shared/guide"
profiles_root: "./profiles"
pkg_system: "rpm"
scap-security-guide-0.1.39/rhel-osp7/profiles/000077500000000000000000000000001327242345500211445ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/profiles/stig-openstack.profile000066400000000000000000000020201327242345500254560ustar00rootroot00000000000000documentation_complete: true

title: 'RHEL OSP STIG'

description: |-
    This profile contains rules for the Red Hat OpenStack Platform 7 services
    (Horizon, Cinder, Keystone, Neutron and Nova): ownership and permissions of
    their configuration files, Keystone as the authentication strategy, TLS for
    the service and identity endpoints, request body size limits, and secure
    cookie and password handling settings for the dashboard.

selections:
    - horizon_file_ownership
    - horizon_file_perms
    - horizon_use_ssl
    - horizon_csrf_cookie_secure
    - horizon_session_cookie_secure
    - horizon_session_cookie_httponly
    - horizon_password_autocomplete
    - horizon_disable_password_reveal
    - cinder_file_ownership
    - cinder_file_perms
    - cinder_using_keystone
    - cinder_tls_enabled
    - cinder_nova_tls
    - cinder_glance_tls
    - cinder_nas_secure_file_permissions
    - cinder_osapi_max_request_body
    - keystone_file_ownership
    - keystone_file_perms
    - keystone_use_ssl
    - keystone_algorithm_hashing
    - keystone_max_request_body_size
    - keystone_disable_admin_token
    - neutron_file_ownership
    - neutron_file_perms
    - neutron_use_keystone
    - neutron_use_https
    - neutron_api_use_ssl
    - nova_file_ownership
    - nova_file_perms
    - nova_use_keystone
    - nova_secure_authentication
    - nova_secure_glance
scap-security-guide-0.1.39/rhel-osp7/templates/000077500000000000000000000000001327242345500213175ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/templates/csv/000077500000000000000000000000001327242345500221125ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/templates/csv/oval_5.11/000077500000000000000000000000001327242345500235175ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/templates/csv/oval_5.11/packages_installed.csv000066400000000000000000000001131327242345500300440ustar00rootroot00000000000000audit chrony cronie firewalld irqbalance ntp psacct postfix rsyslog vsftpd scap-security-guide-0.1.39/rhel-osp7/templates/csv/oval_5.11/packages_removed.csv000066400000000000000000000005171327242345500275360ustar00rootroot00000000000000abrt acpid at autofs avahi bluez certmonger libcgroup libcgroup-tools cups dovecot httpd mdadm dbus dhcp bind nfs-utils ntpdate oddjob iputils kexec-tools kernel-tools rhnsd subscription-manager cyrus-sasl smartmontools samba net-snmp squid qpid-cpp-server quota-nld openssh-server portreserve sysstat tftp-server vsftpd xinetd ypbind scap-security-guide-0.1.39/rhel-osp7/templates/csv/oval_5.11/services_disabled.csv000066400000000000000000000015641327242345500277140ustar00rootroot00000000000000# service_name, package_name, daemon_name (as recognized by chkconfig / systemd. 
To be used when daemon_name differs from service_name) abrtd,abrt, acpid,acpid, atd,at, autofs,autofs, avahi-daemon,avahi, bluetooth,bluez, certmonger,certmonger, cgconfig,libcgroup, cgred,libcgroup-tools, cpupower,kernel-tools, cups,cups, dhcpd,dhcp, dovecot,dovecot, httpd,httpd, kdump,kexec-tools, mdmonitor,mdadm, messagebus,dbus, named,bind, netconsole,, nfs,nfs-utils, nfslock,nfs-utils, ntpdate,ntpdate, oddjobd,oddjob, portreserve,portreserve, rdisc,iputils, rhnsd,rhnsd, rhsmcertd,subscription-manager, rpcgssd,nfs-utils, rpcidmapd,nfs-utils, rpcsvcgssd,nfs-utils, saslauthd,cyrus-sasl, smartd,smartmontools, smb,samba, snmpd,net-snmp, squid,squid, qpidd,qpid-cpp-server, quota_nld,quota-nld, sshd,openssh-server, sysstat,sysstat, tftp,tftp-server, vsftpd,vsftpd, xinetd,xinetd, ypbind,ypbind, scap-security-guide-0.1.39/rhel-osp7/templates/csv/oval_5.11/services_enabled.csv000066400000000000000000000002231327242345500275260ustar00rootroot00000000000000auditd,audit, chronyd,chrony, crond,cronie, firewalld,firewalld, irqbalance,irqbalance, ntpd,ntp, psacct,psacct, postfix,postfix, rsyslog,rsyslog, scap-security-guide-0.1.39/rhel-osp7/templates/oval_5.11_templates/000077500000000000000000000000001327242345500250025ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/templates/oval_5.11_templates/template_OVAL_service_disabled000066400000000000000000000074421327242345500327370ustar00rootroot00000000000000 Service %SERVICENAME% Disabled Red Hat Enterprise Linux 7 The %SERVICENAME% service should be disabled if possible. multi-user.target %SERVICENAME%.service multi-user.target %SERVICENAME%.socket %SERVICENAME%\.(service|socket) ActiveState inactive scap-security-guide-0.1.39/rhel-osp7/templates/oval_5.11_templates/template_OVAL_service_enabled000066400000000000000000000074641327242345500325660ustar00rootroot00000000000000 Service %SERVICENAME% Enabled Red Hat Enterprise Linux 7 The %SERVICENAME% service should be enabled if possible. 
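The services_disabled.csv files for ol7, openSUSE and rhel-osp7 all use the same three-column layout (service_name, package_name, daemon_name, with the daemon column filled only when it differs from the service name), and their template_OVAL_service_disabled files all test the same two things for a unit: that neither `%SERVICENAME%.service` nor `%SERVICENAME%.socket` is pulled in by multi-user.target, and that any unit matching `%SERVICENAME%\.(service|socket)` reports ActiveState inactive. The Python below is an added example, not the project's own template generator: it parses the CSV, fills the `%SERVICENAME%` placeholder, and evaluates the disabled-service logic against a constructed snapshot of systemd state. The rows in SAMPLE_CSV are taken from the CSV files on this page; the systemd state is constructed.

```python
import re

# Constructed sample in the services_disabled.csv layout used on this page.
SAMPLE_CSV = """\
# service_name, package_name, daemon_name
sshd,,
rlogin,,
cgred,libcgroup-tools,
"""

# Trimmed stand-in for template_OVAL_service_disabled; only the placeholder
# substitution is shown here, not a complete OVAL definition.
SAMPLE_TEMPLATE = ("Service %SERVICENAME% Disabled: %SERVICENAME%.service and "
                   "%SERVICENAME%.socket must not be wanted by multi-user.target "
                   "and must be inactive")


def parse_services_csv(text):
    """Parse the CSV into (service, package, daemon) tuples.

    Blank lines and '#' comments are skipped; an empty daemon column falls
    back to the service name, as the header comment describes.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        fields += [""] * (3 - len(fields))
        service, package, daemon = fields[:3]
        rows.append((service, package, daemon or service))
    return rows


def render_template(template, service):
    """Fill the %SERVICENAME% placeholder the page's templates use."""
    return template.replace("%SERVICENAME%", service)


def service_disabled(name, wanted_by_multi_user, active_states):
    """Evaluate the disabled-service check against a constructed snapshot.

    wanted_by_multi_user: set of unit names that multi-user.target pulls in
    active_states: dict of unit name -> systemd ActiveState property

    Fails if <name>.service or <name>.socket is a dependency of
    multi-user.target, or if a unit matching <name>\\.(service|socket) has an
    ActiveState other than inactive. A unit that does not exist passes.
    """
    unit_re = re.compile(r"^" + re.escape(name) + r"\.(service|socket)$")
    if name + ".service" in wanted_by_multi_user or name + ".socket" in wanted_by_multi_user:
        return False
    for unit, state in active_states.items():
        if unit_re.match(unit) and state != "inactive":
            return False
    return True


def evaluate_csv(text, wanted_by_multi_user, active_states):
    """Run service_disabled for every row; returns {daemon: passed}."""
    return {daemon: service_disabled(daemon, wanted_by_multi_user, active_states)
            for _service, _package, daemon in parse_services_csv(text)}


if __name__ == "__main__":
    # Constructed state: sshd enabled and running, rlogin present only as an
    # idle socket unit, cgred not installed at all.
    wanted = {"sshd.service"}
    states = {"sshd.service": "active", "rlogin.socket": "inactive"}
    for daemon, ok in evaluate_csv(SAMPLE_CSV, wanted, states).items():
        print("%-8s %s" % (daemon, "pass" if ok else "fail"))
    print(render_template(SAMPLE_TEMPLATE, "sshd"))
```

The socket unit matters: a service that is not enabled can still be socket-activated on first connection, which is why the template checks both unit types rather than only `<name>.service`.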
multi-user.target %SERVICENAME%.service multi-user.target %SERVICENAME%.socket %SERVICENAME%\.(socket|service) ActiveState active scap-security-guide-0.1.39/rhel-osp7/transforms/000077500000000000000000000000001327242345500215175ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel-osp7/transforms/cci2html.xsl000066400000000000000000000004661327242345500237620ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/transforms/constants.xslt000066400000000000000000000022651327242345500244540ustar00rootroot00000000000000 Red Hat OpenStack Platform 7 RHEL OSP 7 RHEL_OSP_7_STIG osp7 empty RHEL-7-OSP cpe:/o:redhat:enterprise_linux:7,cpe:/o:redhat:enterprise_linux:7::client,cpe:/o:redhat:enterprise_linux:7::computenode scap-security-guide-0.1.39/rhel-osp7/transforms/shorthand2xccdf.xslt000066400000000000000000000005161327242345500255210ustar00rootroot00000000000000 unknown unlinked-rhel-osp7-oval.xml scap-security-guide-0.1.39/rhel-osp7/transforms/table-add-srgitems.xslt000066400000000000000000000010771327242345500261100ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/transforms/table-sortbyref.xslt000066400000000000000000000005551327242345500255440ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/transforms/table-srgmap.xslt000066400000000000000000000011401327242345500250050ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/transforms/table-style.xslt000066400000000000000000000002511327242345500246560ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/transforms/xccdf-apply-overlay-stig.xslt000066400000000000000000000007511327242345500272730ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/transforms/xccdf2csv-stig.py000077500000000000000000000003651327242345500247310ustar00rootroot00000000000000#!/usr/bin/env python2 import sys # always use shared/modules version SHARED_MODULE_PATH = "../../shared/modules" sys.path.insert(0, SHARED_MODULE_PATH) import 
xccdf2csv_stig_module if __name__ == "__main__": xccdf2csv_stig_module.main() scap-security-guide-0.1.39/rhel-osp7/transforms/xccdf2stigformat.xslt000066400000000000000000000006751327242345500257140ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/transforms/xccdf2table-byref.xslt000066400000000000000000000006741327242345500257300ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/transforms/xccdf2table-cce.xslt000066400000000000000000000007331327242345500253470ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/transforms/xccdf2table-profileccirefs.xslt000066400000000000000000000014111327242345500276060ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/transforms/xccdf2table-profilecisrefs.xslt000066400000000000000000000007051327242345500276330ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/transforms/xccdf2table-profilenistrefs.xslt000066400000000000000000000007051327242345500300320ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel-osp7/transforms/xccdf2table-stig.xslt000066400000000000000000000006731327242345500255660ustar00rootroot00000000000000 scap-security-guide-0.1.39/rhel6/000077500000000000000000000000001327242345500165215ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/CMakeLists.txt000066400000000000000000000017151327242345500212650ustar00rootroot00000000000000# Sometimes our users will try to do: "cd rhel6; cmake ." That needs to error in a nice way. 
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!")
endif()

set(PRODUCT "rhel6")
set(DISA_SRG_TYPE "os")

ssg_build_product(${PRODUCT})

ssg_build_html_table_by_ref(${PRODUCT} "nist")
ssg_build_html_table_by_ref(${PRODUCT} "cis")
ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
ssg_build_html_nistrefs_table(${PRODUCT} "common")
ssg_build_html_nistrefs_table(${PRODUCT} "C2S")
ssg_build_html_cce_table(${PRODUCT})
ssg_build_html_srgmap_tables(${PRODUCT} ${DISA_SRG_TYPE})
ssg_build_html_stig_tables(${PRODUCT} "stig-${PRODUCT}-disa")

if (SSG_CENTOS_DERIVATIVES_ENABLED)
    ssg_build_derivative_product(${PRODUCT} "centos" "centos6")
endif()

if (SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED)
    ssg_build_derivative_product(${PRODUCT} "sl" "sl6")
endif()

scap-security-guide-0.1.39/rhel6/README
Directory Structure of scap-security-guide
------------------------------------------

The input directory contains source files that generate SCAP content, such as XCCDF and OVAL. Since a single large XML file is an impractical format for multiple authors to collaborate on editing SCAP content, efforts are made to keep logically related guidance and checking content in individual files.

The transforms directory contains resources that enable the files inside the input directory (or output directory) to be combined and reformatted into valid SCAP formats or human-readable formats.

The output directory is used as a storage area for items generated by the files in the input directory. It should be empty in the repository, and built on users' individual systems (and rely on its .gitignore file to keep such files out). The output directory contains transitional output (which may only exist in order to be further transformed) as well as final output.

The references directory should contain documents which are specified as references from within the SCAP content, or documents that are "seeds," viz. documents whose prose will be translated into SCAP formats, as well as other examples of SCAP content.

The utils directory contains helper scripts and other items that are useful to developers but are not essential to producing the project's output.

The dist directory contains final outputs, which could be shipped in an RPM for consumption by end-users. Updating the Makefile to copy an item from the output directory to the dist directory indicates that an item is considered a final output.

scap-security-guide-0.1.39/rhel6/checks/oval/accounts_password_pam_dcredit.xml
Set Password dcredit Requirements
Red Hat Enterprise Linux 6
The password dcredit should meet minimum requirements
/etc/pam.d/system-auth
^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*dcredit=(-?\d+)(?:[\s]|$)
1
1

scap-security-guide-0.1.39/rhel6/checks/oval/accounts_password_pam_difok.xml
Set Password difok Requirements
Red Hat Enterprise Linux 6
The password difok should meet minimum requirements
/etc/pam.d/system-auth
^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*difok=(\d+)(?:[\s]|$)
1
1

scap-security-guide-0.1.39/rhel6/checks/oval/accounts_password_pam_lcredit.xml
Set Password lcredit Requirements
Red Hat Enterprise Linux 6
The password lcredit should meet minimum requirements
/etc/pam.d/system-auth
^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*lcredit=(-?\d+)(?:[\s]|$)
1
1

scap-security-guide-0.1.39/rhel6/checks/oval/accounts_password_pam_maxrepeat.xml
Set Password maxrepeat Requirements
Red Hat Enterprise Linux 6
The password maxrepeat should meet minimum requirements using pam_pwquality
/etc/pam.d/system-auth
^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*maxrepeat=([0-9]*).*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/accounts_password_pam_minclass.xml
Set Password minclass Requirements
Red Hat Enterprise Linux 6
The password minclass should meet the minimum requirements
/etc/pam.d/system-auth
^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]minclass=(\d+)(?:[\s]|$)
1
1

scap-security-guide-0.1.39/rhel6/checks/oval/accounts_password_pam_minlen.xml
Set Password minlen Requirements
Red Hat Enterprise Linux 6
The password minlen should meet minimum requirements
/etc/pam.d/system-auth
^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*minlen=(-?\d+)(?:[\s]|$)
1
1

scap-security-guide-0.1.39/rhel6/checks/oval/accounts_password_pam_ocredit.xml
Set Password ocredit Requirements
Red Hat Enterprise Linux 6
The password ocredit should meet minimum requirements
/etc/pam.d/system-auth
^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*ocredit=(-?\d+)(?:[\s]|$)
1
1

scap-security-guide-0.1.39/rhel6/checks/oval/accounts_password_pam_retry.xml
Set Password retry Requirements
Red Hat Enterprise Linux 6
The password retry should meet minimum requirements
/etc/pam.d/system-auth
^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*retry=([0-9]*).*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/accounts_password_pam_ucredit.xml
Set Password ucredit Requirements
Red Hat Enterprise Linux 6
The password ucredit should meet minimum requirements
/etc/pam.d/system-auth
^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*ucredit=(-?\d+)(?:[\s]|$)
1
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_chmod.xml
Audit Discretionary Access Control Modification Events - chmod
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+chmod[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+chmod[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_chown.xml
Audit Discretionary Access Control Modification Events - chown
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+chown[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+chown[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_fchmod.xml
Audit Discretionary Access Control Modification Events - fchmod
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fchmod[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fchmod[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_fchmodat.xml
Audit Discretionary Access Control Modification Events - fchmodat
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fchmodat[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fchmodat[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_fchown.xml
Audit Discretionary Access Control Modification Events - fchown
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fchown[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fchown[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_fchownat.xml
Audit Discretionary Access Control Modification Events - fchownat
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fchownat[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fchownat[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_fremovexattr.xml
Audit Discretionary Access Control Modification Events - fremovexattr
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fremovexattr[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fremovexattr[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_fsetxattr.xml
Audit Discretionary Access Control Modification Events - fsetxattr
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+fsetxattr[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+fsetxattr[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_lchown.xml
Audit Discretionary Access Control Modification Events - lchown
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+lchown[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+lchown[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_lremovexattr.xml
Audit Discretionary Access Control Modification Events - lremovexattr
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+lremovexattr[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+lremovexattr[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_lsetxattr.xml
Audit Discretionary Access Control Modification Events - lsetxattr
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+lsetxattr[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+lsetxattr[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_removexattr.xml
Audit Discretionary Access Control Modification Events - removexattr
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+removexattr[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+removexattr[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_dac_modification_setxattr.xml
Audit Discretionary Access Control Modification Events - setxattr
Red Hat Enterprise Linux 6
The changing of file permissions and attributes should be audited.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*-S[\s]+setxattr[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*-S[\s]+setxattr[\s]+)(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=4294967295[\s]+).*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_file_deletion_events.xml
Audit File Deletion Events
Red Hat Enterprise Linux 6
Audit file deletion events.
/etc/audit/audit.rules
^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+rmdir\s+\-S\s+unlink\s+\-S\s+unlinkat\s+\-S\s+rename\s+\-S\s+renameat\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_immutable.xml
Make Audit Configuration Immutable
Red Hat Enterprise Linux 6
Force a reboot to change audit rules is enabled
/etc/audit/audit.rules
^\-e\s+2\s*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_kernel_module_loading.xml
Audit Kernel Module Loading and Unloading
Red Hat Enterprise Linux 6
The audit rules should be configured to log information about kernel module loading and unloading.
/etc/audit/audit.rules
^\-w[\s]+/sbin/insmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$
1
/etc/audit/audit.rules
^\-w[\s]+/sbin/rmmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$
1
/etc/audit/audit.rules
^\-w\s+/sbin/modprobe[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$
1
/etc/audit/audit.rules
^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+init_module\s+\-S\s+delete_module\s+\-k\s+[-\w]+\s*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_login_events.xml
Record Attempts to Alter Login and Logout Events
Red Hat Enterprise Linux 6
Audit rules should be configured to log successful and unsuccessful login and logout events.
/etc/audit/audit.rules
^\-w\s+/var/log/tallylog\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$
1
/etc/audit/audit.rules
^\-w\s+/var/run/faillock/\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$
1
/etc/audit/audit.rules
^\-w\s+/var/log/lastlog\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_mac_modification.xml
Record Events that Modify the System's Mandatory Access Controls
Red Hat Enterprise Linux 6
Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.
/etc/audit/audit.rules
^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_media_export.xml
Audit Information Export To Media
Red Hat Enterprise Linux 6
Audit rules that detect the mounting of filesystems should be enabled.
/etc/audit/audit.rules
^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+mount\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_networkconfig_modification.xml
Record Events that Modify the System's Network Environment
Red Hat Enterprise Linux 6
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
/etc/audit/audit.rules
^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+sethostname\s+\-S\s+setdomainname\s+\-k\s+[-\w]+\s*$
1
/etc/audit/audit.rules
^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$
1
/etc/audit/audit.rules
^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$
1
/etc/audit/audit.rules
^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$
1
/etc/audit/audit.rules
^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_privileged_commands.xml
Ensure auditd Collects Information on the Use of Privileged Commands
Red Hat Enterprise Linux 6
Audit rules about the Information on the Use of Privileged Commands are enabled
\/(?:(?!dev|proc|sys).)+
^.*$
state_setuid_or_setgid_set
true
true
-a always,exit -F path=
-F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
/etc/audit/audit.rules
^[\s]*(-a always,exit -F path=[^\n]+ -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged)[\s]*$
1
state_proper_always_exit_rule_but_for_unprivileged_command
variable_dimension_of_object_system_privileged_commands

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_session_events.xml
Record Attempts to Alter Process and Session Initiation Information
Red Hat Enterprise Linux 6
Audit rules should capture information about session initiation.
/etc/audit/audit.rules
^\-w\s+/var/run/utmp\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$
1
/etc/audit/audit.rules
^\-w\s+/var/log/btmp\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$
1
/etc/audit/audit.rules
^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_sysadmin_actions.xml
Audit System Administrator Actions
Red Hat Enterprise Linux 6
Audit actions taken by system administrators on the system.
/etc/audit/audit.rules
^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+[-\w]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_time_adjtimex.xml
Record Attempts to Alter Time Through Adjtimex
Red Hat Enterprise Linux 6
Record attempts to alter time through adjtimex.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*-S[\s]+adjtimex[\s]+.*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*-S[\s]+adjtimex[\s]+.*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_time_clock_settime.xml
Record Attempts to Alter Time Through Clock_settime
Red Hat Enterprise Linux 6
Record attempts to alter time through clock_settime.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+-S[\s]+clock_settime[\s]+-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+-S[\s]+clock_settime[\s]+-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_time_settimeofday.xml
Record Attempts to Alter Time Through Settimeofday
Red Hat Enterprise Linux 6
Record attempts to alter time through settimeofday.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*-S[\s]+settimeofday[\s]+.*-k[\s]+[\S]+[\s]*$
1
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*-S[\s]+settimeofday[\s]+.*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_time_stime.xml
Record Attempts to Alter Time Through Stime
Red Hat Enterprise Linux 6
Record attempts to alter time through stime. Note that on 64-bit architectures the stime system call is not defined in the audit system calls lookup table.
/etc/audit/audit.rules
^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*-S[\s]+stime[\s]+.*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_time_watch_localtime.xml
Record Attempts to Alter Time Through the Localtime File
Red Hat Enterprise Linux 6
Record attempts to alter time through /etc/localtime
/etc/audit/audit.rules
^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*-k[\s]+[\S]+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_unsuccessful_file_modification.xml
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
Red Hat Enterprise Linux 6
Audit rules about the Unauthorized Access Attempts to Files (unsuccessful) are enabled
/etc/audit/audit.rules
^\-a\s+always,exit\s+\-F\s+arch=b32\s+?\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+open_by_handle_at\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit=\-EACCES\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$
1
/etc/audit/audit.rules
^\-a\s+always,exit\s+\-F\s+arch=b32\s+?\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+open_by_handle_at\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit=\-EPERM\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$
1
/etc/audit/audit.rules
^\-a\s+always,exit\s+\-F\s+arch=b64\s+?\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+open_by_handle_at\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit=\-EACCES\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$
1
/etc/audit/audit.rules
^\-a\s+always,exit\s+\-F\s+arch=b64\s+?\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+open_by_handle_at\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit=\-EPERM\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$
1
scap-security-guide-0.1.39/rhel6/checks/oval/audit_rules_usergroup_modification.xml
Audit User/Group Information
Red Hat Enterprise Linux 6
Audit rules should detect modification to system files that hold information about users and groups.
/etc/audit/audit.rules
^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$
1
/etc/audit/audit.rules
^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$
1
/etc/audit/audit.rules
^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$
1
/etc/audit/audit.rules
^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$
1
/etc/audit/audit.rules
^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+\-k[\s]+\w+[\s]*$
1

scap-security-guide-0.1.39/rhel6/checks/oval/avahi_check_ttl.xml
Check Avahi Responses' TTL Field
Red Hat Enterprise Linux 6
Check that Avahi is ignoring packets unless the TTL field is 255.
/etc/avahi/avahi-daemon.conf
^[\s]*check\-response\-ttl=yes$
1

scap-security-guide-0.1.39/rhel6/checks/oval/avahi_disable_publishing.xml
Disable Avahi Publishing
Red Hat Enterprise Linux 6
Disable Avahi from publishing records.
/etc/avahi/avahi-daemon.conf
^[\s]*disable\-publishing=yes$
1

scap-security-guide-0.1.39/rhel6/checks/oval/avahi_ip_only.xml
Serve Avahi Only via Required Protocol
Red Hat Enterprise Linux 6
Require Avahi to run on IPv4 or IPv6.
/etc/avahi/avahi-daemon.conf
^[\s]*use\-ipv4=yes$
1
/etc/avahi/avahi-daemon.conf
^[\s]*use\-ipv6=yes$
1

scap-security-guide-0.1.39/rhel6/checks/oval/avahi_prevent_port_sharing.xml
Prevent Other Programs from using Avahi's Port
Red Hat Enterprise Linux 6
Ensures that only Avahi is responsible for mDNS traffic coming from the port on the system.
/etc/avahi/avahi-daemon.conf
^[\s]*disallow\-other\-stacks=yes$
1

scap-security-guide-0.1.39/rhel6/checks/oval/avahi_restrict_published_information.xml
Restrict Information Published by Avahi
Red Hat Enterprise Linux 6
Prevent user applications from using Avahi to publish services.
/etc/avahi/avahi-daemon.conf
^[\s]*disable\-user\-service\-publishing=yes$
1
/etc/avahi/avahi-daemon.conf
^[\s]*publish\-addresses=no$
1
/etc/avahi/avahi-daemon.conf
^[\s]*publish\-hinfo=no$
1
/etc/avahi/avahi-daemon.conf
^[\s]*publish\-workstation=no$
1
/etc/avahi/avahi-daemon.conf
^[\s]*publish\-domain=no$
1

scap-security-guide-0.1.39/rhel6/checks/oval/bootloader_audit_argument.xml
Enable Auditing for Processes Which Start Prior to the Audit Daemon
Red Hat Enterprise Linux 6
Look for argument audit=1 in the kernel line in /etc/grub.conf.
/etc/grub.conf
^\s*kernel\s/vmlinuz(.*)$
1
^.*audit=1.*$

scap-security-guide-0.1.39/rhel6/checks/oval/bootloader_nousb_argument.xml
Disable Kernel Support for USB via Bootloader Configuration
Red Hat Enterprise Linux 6
Look for argument "nousb" in the kernel line in /etc/grub.conf
/etc/grub.conf
^\s*kernel\s/vmlinuz(.*)$
1
^.*nousb.*$

scap-security-guide-0.1.39/rhel6/checks/oval/bootloader_password.xml
Set Boot Loader Password
Red Hat Enterprise Linux 6
The grub boot loader should have password protection enabled.
/etc/grub.conf
^[\s]*password[\s]+--encrypted[\s]+.*
1

scap-security-guide-0.1.39/rhel6/checks/oval/dhcp_client_restrict_options.xml
Minimize DHCP Client Configured Options
Red Hat Enterprise Linux 6
Limit the options that the DHCP client requests and applies.
/etc/dhcp/dhclient.*\.conf
^[\s]*(request|require|supersede)[\s]+domain\-name[\s]*.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhclient.*\.conf
^[\s]*(request|require|supersede)[\s]+domain\-name\-servers[\s]*.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhclient.*\.conf
^[\s]*(request|require|supersede)[\s]+nis\-domain[\s]*.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhclient.*\.conf
^[\s]*(request|require|supersede)[\s]+nis\-servers[\s]*.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhclient.*\.conf
^[\s]*(request|require|supersede)[\s]+ntp\-servers[\s]*.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhclient.*\.conf
^[\s]*(request|require|supersede)[\s]+routers[\s]*.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhclient.*\.conf
^[\s]*(request|require|supersede)[\s]+time\-offset[\s]*.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhclient.*\.conf
^[\s]*(request|require|supersede)[\s]+subnet\-mask[\s]*.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhclient.*\.conf
^[\s]*(request|require|supersede)[\s]+broadcast\-address[\s]*.*\;[\s]*(?:|(?:#.*))?$
1

scap-security-guide-0.1.39/rhel6/checks/oval/dhcp_server_configure_logging.xml
Configure DHCP Logging
Red Hat Enterprise Linux 6
Configure rsyslog to record DHCP daemon errors.
/etc/rsyslog.conf
^[\s]*daemon\.\*[\s]+\/var\/log\/daemon\.log$
1

scap-security-guide-0.1.39/rhel6/checks/oval/dhcp_server_deny_bootp.xml
Deny BOOTP Requests
Red Hat Enterprise Linux 6
Prevents the DHCP server from responding to BOOTP requests.
/etc/dhcp/dhcpd.conf
^[\s]*deny[\s]+bootp\;[\s]*(?:|(?:#.*))?$
1

scap-security-guide-0.1.39/rhel6/checks/oval/dhcp_server_deny_decline.xml
Deny Decline Messages
Red Hat Enterprise Linux 6
Prevents the DHCP server from responding to DHCPDECLINE messages.
/etc/dhcp/dhcpd.conf
^[\s]*deny[\s]+declines\;[\s]*(?:|(?:#.*))?$
1

scap-security-guide-0.1.39/rhel6/checks/oval/dhcp_server_disable_ddns.xml
Disable Dynamic DNS
Red Hat Enterprise Linux 6
Prevents the DHCP server from publishing information about its clients using Dynamic DNS.
/etc/dhcp/dhcpd.conf
^[\s]*ddns\-update\-style[\s]+none\;[\s]*(?:|(?:#.*))?$
1

scap-security-guide-0.1.39/rhel6/checks/oval/dhcp_server_minimize_served_info.xml
Minimize Served DHCP Information
Red Hat Enterprise Linux 6
Limits the amount of information that the DHCP server provides to clients.
/etc/dhcp/dhcpd.conf
^[\s]*option[\s]+domain\-name[\s]+.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhcpd.conf
^[\s]*option[\s]+domain\-name\-servers[\s]+.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhcpd.conf
^[\s]*option[\s]+nis\-domain[\s]+.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhcpd.conf
^[\s]*option[\s]+nis\-servers[\s]+.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhcpd.conf
^[\s]*option[\s]+ntp\-servers[\s]+.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhcpd.conf
^[\s]*option[\s]+routers[\s]+.*\;[\s]*(?:|(?:#.*))?$
1
/etc/dhcp/dhcpd.conf
^[\s]*option[\s]+time\-offset[\s]+.*\;[\s]*(?:|(?:#.*))?$
1

scap-security-guide-0.1.39/rhel6/checks/oval/dir_perms_world_writable_system_owned.xml
Find world writable directories not owned by a system account
Red Hat Enterprise Linux 6
All world writable directories should be owned by a system user.
/
state_gid_is_user_and_world_writable
500
true

scap-security-guide-0.1.39/rhel6/checks/oval/disable_ctrlaltdel_reboot.xml
Disable Ctrl-Alt-Del Reboot Activation
Red Hat Enterprise Linux 6
By default, the system will reboot when the Ctrl-Alt-Del key sequence is pressed.
/etc/init/control-alt-delete.override ^[\s]*exec[\s]*/sbin/shutdown[\s]*\-r[\s]*now.*$ 1 /etc/init/control-alt-delete.override scap-security-guide-0.1.39/rhel6/checks/oval/disable_interactive_boot.xml000066400000000000000000000050421327242345500264700ustar00rootroot00000000000000 Disable Interactive Boot Red Hat Enterprise Linux 6 The ability for users to perform interactive startups should be disabled. /etc/sysconfig/init ^[\s]*PROMPT=no[\s]+ 1 /etc/grub.conf ^[\s]*kernel[\s]+.*confirm.*$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/display_login_attempts.xml000066400000000000000000000022161327242345500262230ustar00rootroot00000000000000 Set Last Login/Access Notification Red Hat Enterprise Linux 6 Configure the system to notify users of last login/access using pam_lastlog. /etc/pam.d/system-auth ^\s*session\s+(required|requisite)?\s+pam_lastlog.so[\s\w\d\=]+showfailed 1 scap-security-guide-0.1.39/rhel6/checks/oval/dovecot_disable_plaintext_auth.xml000066400000000000000000000025511327242345500277060ustar00rootroot00000000000000 Disable Plaintext Authentication in Dovecot Red Hat Enterprise Linux 6 Plaintext authentication of mail clients should be disabled. /etc/dovecot/conf.d/10-auth.conf ^[\s]*disable_plaintext_auth[\s]*=[\s]*yes[\s]*$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/dovecot_enable_ssl.xml000066400000000000000000000023341327242345500253000ustar00rootroot00000000000000 Enable SSL in Dovecot Red Hat Enterprise Linux 6 SSL capabilities should be enabled for the mail server. /etc/dovecot/conf.d/10-ssl.conf ^[\s]*ssl[\s]*=[\s]*(yes|required)[\s]*$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/enable_selinux_bootloader.xml000066400000000000000000000023561327242345500266610ustar00rootroot00000000000000 Enable SELinux in /etc/grub.conf Red Hat Enterprise Linux 6 Check if selinux=0 OR enforcing=0 within /etc/grub.conf lines, fail if found. 
/etc/grub.conf ^[\s]*kernel[\s]+.*(selinux|enforcing)=0.*$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/file_group_owner_grub_conf.xml000066400000000000000000000034661327242345500270460ustar00rootroot00000000000000 File grub.conf Owned By root Group Red Hat Enterprise Linux 6 The grub.conf file should be owned by the root group. By default, this file is located at /boot/grub/grub.conf or, for EFI systems, at /boot/efi/EFI/redhat/grub.conf /boot/grub/grub.conf /boot/efi/EFI/redhat/grub.conf 0 scap-security-guide-0.1.39/rhel6/checks/oval/file_permissions_grub_conf.xml000066400000000000000000000026771327242345500270560ustar00rootroot00000000000000 File /boot/grub/grub.conf Permissions Red Hat Enterprise Linux 6 File permissions for /boot/grub/grub.conf should be set to 0600 (or stronger). /boot/grub/grub.conf false false false false false false false scap-security-guide-0.1.39/rhel6/checks/oval/file_permissions_unauthorized_sgid.xml000066400000000000000000000061731327242345500306340ustar00rootroot00000000000000 Find setgid files system packages Red Hat Enterprise Linux 6 All files with setgid should be owned by a base system package / ^.*$ state_file_permissions_unauthorized_sgid state_sgid_whitelist true /bin/cgclassify /bin/cgexec /sbin/netreport /usr/bin/crontab /usr/bin/gnomine /usr/bin/iagno /usr/bin/locate /usr/bin/lockfile /usr/bin/same-gnome /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/bin/write /usr/lib64/vte/gnome-pty-helper /usr/libexec/kde4/kdesud /usr/libexec/utempter/utempter /usr/lib/mailman/cgi-bin/admindb /usr/lib/mailman/cgi-bin/admin /usr/lib/mailman/cgi-bin/confirm /usr/lib/mailman/cgi-bin/create /usr/lib/mailman/cgi-bin/edithtml /usr/lib/mailman/cgi-bin/listinfo /usr/lib/mailman/cgi-bin/options /usr/lib/mailman/cgi-bin/private /usr/lib/mailman/cgi-bin/rmlist /usr/lib/mailman/cgi-bin/roster /usr/lib/mailman/cgi-bin/subscribe /usr/lib/mailman/mail/mailman /usr/lib/vte/gnome-pty-helper /usr/sbin/lockdev /usr/sbin/postdrop 
/usr/sbin/postqueue /usr/sbin/sendmail.sendmail scap-security-guide-0.1.39/rhel6/checks/oval/file_permissions_unauthorized_suid.xml000066400000000000000000000116411327242345500306460ustar00rootroot00000000000000 Find setuid files from system packages Red Hat Enterprise Linux 6 All files with setuid should be owned by a base system package / ^.*$ state_file_permissions_unauthorized_suid state_suid_whitelist true /bin/fusermount /bin/mount /bin/ping6 /bin/ping /bin/su /bin/umount /lib64/dbus-1/dbus-daemon-launch-helper /lib/dbus-1/dbus-daemon-launch-helper /sbin/mount.ecryptfs_private /sbin/mount.nfs /sbin/pam_timestamp_check /sbin/unix_chkpwd /usr/bin/abrt-action-install-debuginfo-to-abrt-cache /usr/bin/at /usr/bin/chage /usr/bin/chfn /usr/bin/chsh /usr/bin/crontab /usr/bin/gpasswd /usr/bin/kgrantpty /usr/bin/kpac_dhcp_helper /usr/bin/ksu /usr/bin/newgrp /usr/bin/newrole /usr/bin/passwd /usr/bin/pkexec /usr/bin/rcp /usr/bin/rlogin /usr/bin/rsh /usr/bin/sperl5.10.1 /usr/bin/staprun /usr/bin/sudoedit /usr/bin/sudo /usr/bin/Xorg /usr/lib64/amanda/calcsize /usr/lib64/amanda/dumper /usr/lib64/amanda/killpgrp /usr/lib64/amanda/planner /usr/lib64/amanda/rundump /usr/lib64/amanda/runtar /usr/lib64/nspluginwrapper/plugin-config /usr/lib/amanda/calcsize /usr/lib/amanda/dumper /usr/lib/amanda/killpgrp /usr/lib/amanda/planner /usr/lib/amanda/rundump /usr/lib/amanda/runtar /usr/libexec/abrt-action-install-debuginfo-to-abrt-cache /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper /usr/libexec/mc/cons.saver /usr/libexec/openssh/ssh-keysign /usr/libexec/polkit-1/polkit-agent-helper-1 /usr/libexec/pt_chown /usr/libexec/pulse/proximity-helper /usr/lib/nspluginwrapper/plugin-config /usr/sbin/amcheck /usr/sbin/seunshare /usr/sbin/suexec /usr/sbin/userhelper /usr/sbin/usernetctl scap-security-guide-0.1.39/rhel6/checks/oval/file_user_owner_grub_conf.xml000066400000000000000000000034451327242345500266650ustar00rootroot00000000000000 File grub.conf Owned By root User Red Hat 
Enterprise Linux 6 The grub.conf file should be owned by the root user. By default, this file is located at /boot/grub/grub.conf or, for EFI systems, at /boot/efi/EFI/redhat/grub.conf /boot/grub/grub.conf /boot/efi/EFI/redhat/grub.conf 0 scap-security-guide-0.1.39/rhel6/checks/oval/ftp_configure_firewall.xml000066400000000000000000000024471327242345500261720ustar00rootroot00000000000000 Configure the Firewall to Protect the FTP Server Red Hat Enterprise Linux 6 Configure the FTP connection tracking module in iptables. /etc/sysconfig/iptables-config ^[\s]*IPTABLES_MODULES=\".*ip_conntrack_ftp.*\"$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/ftp_disable_uploads.xml000066400000000000000000000022421327242345500254470ustar00rootroot00000000000000 Disable FTP Uploads Red Hat Enterprise Linux 6 Disable FTP Uploads. /etc/vsftpd/vsftpd.conf ^[\s]*write_enable=NO$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/ftp_limit_users.xml000066400000000000000000000053661327242345500246660ustar00rootroot00000000000000 Limit Users Allowed to Access FTP Red Hat Enterprise Linux 6 Only authorized users should be able to access FTP. /etc/vsftpd/vsftpd.conf ^[\s]*userlist_enable=YES$ 1 /etc/vsftpd/vsftpd.conf ^[\s]*userlist_file=\/etc\/vsftp\.ftpusers$ 1 /etc/vsftpd/vsftpd.conf ^[\s]*userlist_deny=NO$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/ftp_restrict_to_anon.xml000066400000000000000000000023231327242345500256710ustar00rootroot00000000000000 Restrict Anonymous Users Red Hat Enterprise Linux 6 Disable anonymous access to FTP. /etc/vsftpd/vsftpd.conf ^[\s]*local_enable=NO$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gdm_disable_user_list.xml000066400000000000000000000041061327242345500271440ustar00rootroot00000000000000 Disable the User List Red Hat Enterprise Linux 6 Disable the GUI listing of all known users on the login screen. 
/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/entry[@name='disable_user_list']/@value /etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml /gconf/entry[@name='disable_user_list']/@value true scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gdm_enable_warning_gui_banner.xml000066400000000000000000000052541327242345500306210ustar00rootroot00000000000000 Enable GUI Warning Banner Red Hat Enterprise Linux 6 Enable the GUI warning banner. /var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml /gconf/entry[@name='banner_message_enable']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/entry[@name='banner_message_enable']/@value /etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml /gconf/entry[@name='banner_message_enable']/@value true scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gdm_set_login_banner_text.xml000066400000000000000000000061551327242345500300320ustar00rootroot00000000000000 Set GUI Warning Banner Text Red Hat Enterprise Linux 6 The text to be displayed in the GUI warning banner should be set correctly. /var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml /gconf/entry[@name='banner_message_text']/stringvalue[1]/text() /etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml /gconf/entry[@name='banner_message_text']/stringvalue[1]/text() /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/entry[@name='banner_message_text']/stringvalue[1]/text() scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_disable_automount.xml000066400000000000000000000076561327242345500275410ustar00rootroot00000000000000 Disable GNOME Automounting Red Hat Enterprise Linux 6 The system's default desktop environment, GNOME, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable automount and autorun within GNOME. 
/etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences/%gconf.xml /gconf/entry[@name='media_automount']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/entry[@name='media_automount']/@value false /etc/gconf/gconf.xml.mandatory/apps/nautilus/preferences/%gconf.xml /gconf/entry[@name='media_autorun_never']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/entry[@name='media_autorun_never']/@value true scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_disable_clock_temperature.xml000066400000000000000000000041051327242345500312000ustar00rootroot00000000000000 Disable the GNOME Clock Temperature Feature Red Hat Enterprise Linux 6 The GNOME clock temperature feature should be disabled. /etc/gconf/gconf.xml.mandatory/apps/panel/applets/clock/prefs/%gconf.xml /gconf/entry[@name='show_temperature']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/dir/dir/entry[@name='show_temperature']/@value false scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_disable_clock_weather.xml000066400000000000000000000037641327242345500303140ustar00rootroot00000000000000 Disable the GNOME Clock Weather Feature Red Hat Enterprise Linux 6 The GNOME clock weather feature should be disabled. /etc/gconf/gconf.xml.mandatory/apps/panel/applets/clock/prefs/%gconf.xml /gconf/entry[@name='show_weather']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/dir/dir/entry[@name='show_weather']/@value true scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_disable_ctrlaltdel_reboot.xml000066400000000000000000000036711327242345500312030ustar00rootroot00000000000000 Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME Red Hat Enterprise Linux 6 The Ctrl-Alt-Del reboot key sequence should be set to nothing. 
/etc/gconf/gconf.xml.mandatory/apps/gnome_settings_daemon/keybindings/%gconf.xml /gconf/entry[@name='power']/stringvalue[1][not(text())] /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/entry[@name='power']/stringvalue[1][not(text())] scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_disable_restart_shutdown.xml000066400000000000000000000042661327242345500311170ustar00rootroot00000000000000 Disable the GNOME Login Restart and Shutdown Buttons Red Hat Enterprise Linux 6 Disable GNOME Login restart and shutdown buttons to prevent users from restarting or powering off the system from the login screen. /etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml /gconf/entry[@name='disable_restart_buttons']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/entry[@name='disable_restart_buttons']/@value true scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_disable_thumbnailers.xml000066400000000000000000000045401327242345500301700ustar00rootroot00000000000000 Disable All GNOME Thumbnailers Red Hat Enterprise Linux 6 The system's default desktop environment, GNOME, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. Disable the execution of these thumbnail applications within GNOME. /etc/gconf/gconf.xml.mandatory/desktop/gnome/thumbnailers/%gconf.xml /gconf/entry[@name='disable_all']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/entry[@name='disable_all']/@value true scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_disable_wifi_create.xml000066400000000000000000000037621327242345500277610ustar00rootroot00000000000000 >Disable WIFI Network Connection Creation in GNOME Red Hat Enterprise Linux 6 Disable GNOME's ability to create a wifi connection. 
/etc/gconf/gconf.xml.mandatory/apps/nm-applet/%gconf.xml /gconf/entry[@name='disable-wifi-create']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/entry[@name='disable-wifi-create']/@value true scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_disable_wifi_disconnect.xml000066400000000000000000000041341327242345500306410ustar00rootroot00000000000000 Disable WIFI Network Disconnect Notification in GNOME Red Hat Enterprise Linux 6 Disable GNOME's ability to notify users when disconnecting from a wifi network. /etc/gconf/gconf.xml.mandatory/apps/nm-applet/%gconf.xml /gconf/entry[@name='disable-disconnected-notifications']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/entry[@name='disable-disconnected-notifications']/@value true scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_disable_wifi_notification.xml000066400000000000000000000042551327242345500312020ustar00rootroot00000000000000 Disable WIFI Network Connection Notification in GNOME Red Hat Enterprise Linux 6 Disable GNOME's ability to notify users when connecting to a wifi network. /etc/gconf/gconf.xml.mandatory/apps/nm-applet/%gconf.xml /gconf/entry[@name='disable-connected-notifications']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/entry[@name='disable-connected-notifications']/@value true scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_screen_locking_keybindings.xml000066400000000000000000000043731327242345500313670ustar00rootroot00000000000000 Set GNOME Screen Locking Keybindings Red Hat Enterprise Linux 6 GNOME Screen Locking Keybindings should be configured to lock the screen on entry. 
/etc/gconf/gconf.xml.mandatory/apps/gnome_settings_daemon/keybindings/%gconf.xml /gconf/entry[@name='screen']/stringvalue[1]/text() /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/entry[@name='screen']/stringvalue[1]/text() <Control><Alt>l scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_screensaver_idle_activation_enabled.xml000066400000000000000000000043241327242345500332200ustar00rootroot00000000000000 Implement idle activation of screen saver Red Hat Enterprise Linux 6 Idle activation of the screen saver should be enabled. /etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/%gconf.xml /gconf/entry[@name='idle_activation_enabled']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/entry[@name='idle_activation_enabled']/@value true scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_screensaver_idle_delay.xml000066400000000000000000000045041327242345500305030ustar00rootroot00000000000000 Configure GUI Screen Locking Red Hat Enterprise Linux 6 The allowed period of inactivity before the screensaver is activated. /etc/gconf/gconf.xml.mandatory/desktop/gnome/session/%gconf.xml /gconf/entry[@name='idle_delay']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/entry[@name='idle_delay']/@value scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_screensaver_lock_enabled.xml000066400000000000000000000040511327242345500310070ustar00rootroot00000000000000 Implement idle activation of screen lock Red Hat Enterprise Linux 6 Idle activation of the screen lock should be enabled. 
/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/%gconf.xml /gconf/entry[@name='lock_enabled']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/entry[@name='lock_enabled']/@value true scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_screensaver_max_idle_action.xml000066400000000000000000000042741327242345500315330ustar00rootroot00000000000000 Set GNOME Login Maximum Allowed Inactivity Action Red Hat Enterprise Linux 6 Idle GNOME users should be logged off after a defined period of time. /etc/gconf/gconf.xml.mandatory/desktop/gnome/session/%gconf.xml /gconf/entry[@name='max_idle_action']/stringvalue[1]/text() /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/entry[@name='max_idle_action']/stringvalue[1]/text() forced-logout scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_screensaver_max_idle_time.xml000066400000000000000000000046221327242345500312110ustar00rootroot00000000000000 Set GNOME Login Maximum Allowed Inactivity Red Hat Enterprise Linux 6 The allowed period of inactivity before a user is logged off the system. /etc/gconf/gconf.xml.mandatory/desktop/gnome/session/%gconf.xml /gconf/entry[@name='max_idle_time']/@value /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/dir/entry[@name='max_idle_time']/@value scap-security-guide-0.1.39/rhel6/checks/oval/gconf_gnome_screensaver_mode_blank.xml000066400000000000000000000040531327242345500305020ustar00rootroot00000000000000 Implement blank screen saver Red Hat Enterprise Linux 6 The screen saver should be blank. 
/etc/gconf/gconf.xml.mandatory/apps/gnome-screensaver/%gconf.xml /gconf/entry[@name='mode']/stringvalue[1]/text() /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml /gconf/dir/dir/entry[@name='mode']/stringvalue[1]/text() blank-only scap-security-guide-0.1.39/rhel6/checks/oval/grub_enable_fips_mode.xml000066400000000000000000000032441327242345500257410ustar00rootroot00000000000000 Enable FIPS Mode in GRUB Red Hat Enterprise Linux 6 Look for argument fips=1 in the kernel line in /etc/grub.conf. /etc/grub.conf ^\s*kernel\s/vmlinuz(.*)$ 1 ^.*fips=1.*$ scap-security-guide-0.1.39/rhel6/checks/oval/iptables_sshd_disabled.xml000066400000000000000000000037621327242345500261270ustar00rootroot00000000000000 Disallow inbound firewall access to the SSH Server port. Red Hat Enterprise Linux 6 If inbound SSH access is not needed, the firewall should disallow or reject access to the SSH port (22). /etc/sysconfig/iptables ^-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT$ 1 /etc/sysconfig/ip6tables ^-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT$ 1 kernel_disable_entropy_contribution_for_solid_state_drives.xml000066400000000000000000000066011327242345500355260ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/checks/oval Configure solid-state drives (SSDs) not to contribute to random-number entropy pool Red Hat Enterprise Linux 6 The add_random sysfs variable should be set correctly for each SSD drive on the system. /sys/block/ [^\/]+ /queue/rotational ^0$ 1 /add_random ^1$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/kernel_module_ipv6_option_disabled.xml000066400000000000000000000024661327242345500304640ustar00rootroot00000000000000 Disable IPv6 Kernel Module Functionality via Disable Option Red Hat Enterprise Linux 6 The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack. 
/etc/modprobe.d ^.*\.conf$ ^\s*options\s+ipv6\s+.*disable=1.*$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/ldap_client_start_tls.xml000066400000000000000000000024731327242345500260270ustar00rootroot00000000000000 Configure LDAP to Use TLS for All Transactions Red Hat Enterprise Linux 6 Require the use of TLS for ldap clients. /etc/pam_ldap.conf ^[\s]*ssl[\s]+start_tls[\s]*$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/ldap_client_tls_cacertpath.xml000066400000000000000000000041001327242345500267750ustar00rootroot00000000000000 Configure LDAP CA Certificate Path Red Hat Enterprise Linux 6 Require the use of TLS for ldap clients. /etc/pam_ldap.conf ^[\s]*tls_cacertdir[\s]+/etc/pki/tls/CA$ 1 /etc/pam_ldap.conf ^[\s]*tls_cacertfile[\s]+/etc/pki/tls/CA/.*\.(pem|crt)$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/network_ipv6_default_gateway.xml000066400000000000000000000024501327242345500273270ustar00rootroot00000000000000 Manually Assign IPv6 Router Address Red Hat Enterprise Linux 6 Define default gateways for IPv6 traffic /etc/sysconfig/network-scripts ifcfg-.* ^IPV6_DEFAULTGW=.+$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/network_ipv6_privacy_extensions.xml000066400000000000000000000025531327242345500301220ustar00rootroot00000000000000 Enable Privacy Extensions for IPv6 Red Hat Enterprise Linux 6 Enable privacy extensions for IPv6 /etc/sysconfig/network-scripts ifcfg-.* ^IPV6_PRIVACY=rfc3041$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/network_ipv6_static_address.xml000066400000000000000000000025201327242345500271540ustar00rootroot00000000000000 Manually Assign Global IPv6 Address Red Hat Enterprise Linux 6 Manually configure addresses for IPv6 /etc/sysconfig/network-scripts ifcfg-.* ^IPV6ADDR=.+$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/no_all_squash_exports.xml000066400000000000000000000040761327242345500260670ustar00rootroot00000000000000 Ensure All-Squashing Disabled On All Exports Red Hat Enterprise Linux 6 The all_squash option maps all uids 
and gids to an anonymous user and should be disabled. /etc/exports ^\/.*\((\S+)\)$ 0 ^.*all_squash*$ /etc/exports ^\/.*$ 0 scap-security-guide-0.1.39/rhel6/checks/oval/ntpd_specify_multiple_servers.xml000066400000000000000000000022331327242345500276170ustar00rootroot00000000000000 Specify Multiple Remote ntpd NTP Server for Time Data Red Hat Enterprise Linux 6 Multiple ntpd NTP Servers for time synchronization should be specified. /etc/ntp.conf ^([\s]*server[\s]+.+$){2,}$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/ntpd_specify_remote_server.xml000066400000000000000000000022411327242345500270730ustar00rootroot00000000000000 Specify a Remote ntpd NTP Server for Time Data Red Hat Enterprise Linux 6 A remote ntpd NTP Server for time synchronization should be specified (and dependencies are met) /etc/ntp.conf ^[\s]*server[\s]+.+$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/package_openswan_installed.xml000066400000000000000000000021641327242345500270130ustar00rootroot00000000000000 Package openswan / libreswan Installed Red Hat Enterprise Linux 6 The RPM package openswan / libreswan should be installed. ^(open|libre)swan$ scap-security-guide-0.1.39/rhel6/checks/oval/postfix_network_listening_disabled.xml000066400000000000000000000030501327242345500306120ustar00rootroot00000000000000 Postfix network listening should be disabled Red Hat Enterprise Linux 6 Postfix network listening should be disabled /etc/postfix/main.cf ^[\s]*inet_interfaces[\s]*=[\s]*localhost[\s]*$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/require_singleuser_auth.xml000066400000000000000000000023541327242345500264050ustar00rootroot00000000000000 Require Authentication for Single-User Mode Red Hat Enterprise Linux 6 The requirement for a password to boot into single-user mode should be configured correctly. 
/etc/sysconfig/init ^SINGLE=/sbin/sulogin[\s]* 1 scap-security-guide-0.1.39/rhel6/checks/oval/service_rexec_disabled.xml000066400000000000000000000026651327242345500261320ustar00rootroot00000000000000 Service rexec Disabled Red Hat Enterprise Linux 6 The rexec service should be disabled if possible. /etc/xinetd.d/rexec ^\s*disable\s+=\s+yes\s*$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/service_rlogin_disabled.xml000066400000000000000000000027021327242345500263060ustar00rootroot00000000000000 Service rlogin Disabled Red Hat Enterprise Linux 6 The rlogin service should be disabled if possible. /etc/xinetd.d/rlogin ^\s*disable\s+=\s+yes\s*$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/service_rsh_disabled.xml000066400000000000000000000026331327242345500256130ustar00rootroot00000000000000 Service rsh Disabled Red Hat Enterprise Linux 6 The rsh service should be disabled if possible. /etc/xinetd.d/rsh ^\s*disable\s+=\s+yes\s*$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/service_telnetd_disabled.xml000066400000000000000000000024021327242345500264500ustar00rootroot00000000000000 Disable telnet Service Red Hat Enterprise Linux 6 Disable telnet Service /etc/xinetd.d/telnet ^\s*disable\s+=\s+no\s*$ 1 scap-security-guide-0.1.39/rhel6/checks/oval/set_ip6tables_default_rule.xml000066400000000000000000000035571327242345500267550ustar00rootroot00000000000000 Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain Red Hat Enterprise Linux 6 Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain. 
/etc/sysconfig/ip6tables ^[\s]*:INPUT\sDROP\s\[0:0\] 1 /etc/sysconfig/ip6tables ^[\s]*:INPUT\sACCEPT\s\[0:0\] 1 scap-security-guide-0.1.39/rhel6/checks/oval/set_iptables_default_rule.xml000066400000000000000000000035421327242345500266610ustar00rootroot00000000000000 Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain Red Hat Enterprise Linux 6 Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain. /etc/sysconfig/iptables ^[\s]*:INPUT\sDROP\s\[0:0\] 1 /etc/sysconfig/iptables ^[\s]*:INPUT\sACCEPT\s\[0:0\] 1 scap-security-guide-0.1.39/rhel6/checks/oval/set_iptables_default_rule_forward.xml000066400000000000000000000036121327242345500304030ustar00rootroot00000000000000 Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain Red Hat Enterprise Linux 6 Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain. /etc/sysconfig/iptables ^[\s]*:FORWARD\sDROP\s\[0:0\] 1 /etc/sysconfig/iptables ^[\s]*:FORWARD\sACCEPT\s\[0:0\] 1 scap-security-guide-0.1.39/rhel6/checks/oval/smartcard_auth.xml000066400000000000000000000166541327242345500244610ustar00rootroot00000000000000 Enable Smart Card Login Red Hat Enterprise Linux 6 Enable Smart Card logins /etc/pam_pkcs11/pam_pkcs11.conf ^[\s]*cert_policy=(.*)$ 1 ^.*ocsp_on.*$ \nauth[\s]+required[\s]+pam_env.so \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s] login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid \nauth[\s]+\[success=done[\s]authinfo_unavail=ignore[\s]ignore=ignore[\s]default=die\][\s] pam_pkcs11.so[\s]card_only\n /etc/pam.d/system-auth 1 \nauth[\s]+required[\s]+pam_env.so \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s] login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid \nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s] pam_pkcs11.so[\s]wait_for_card[\s]card_only\n 
/etc/pam.d/system-auth 1 \nauth[\s]+required[\s]+pam_env.so \nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s] pam_pkcs11.so[\s]wait_for_card[\s]card_only\n.* \npassword[\s]+required[\s]+pam_pkcs11.so\n /etc/pam.d/smartcard-auth 1 scap-security-guide-0.1.39/rhel6/checks/oval/xwindows_runlevel_setting.xml000066400000000000000000000020661327242345500270030ustar00rootroot00000000000000 Disable X Windows Startup By Setting Runlevel Red Hat Enterprise Linux 6 Checks /etc/inittab to ensure that default runlevel is set to 3. /etc/inittab ^[\s]*id:3:initdefault:[\s]*$ 1 scap-security-guide-0.1.39/rhel6/cpe/000077500000000000000000000000001327242345500172705ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/cpe/rhel6-cpe-dictionary.xml000066400000000000000000000053731327242345500237520ustar00rootroot00000000000000 Red Hat Enterprise Linux 6 installed_OS_is_rhel6 Red Hat Enterprise Linux 6 Client installed_OS_is_rhel6 Red Hat Enterprise Linux 6 ComputeNode installed_OS_is_rhel6 CentOS 6 installed_OS_is_centos6 Scientific Linux 6 installed_OS_is_sl6 Container installed_env_is_a_container Bare-metal or Virtual Machine installed_env_is_a_machine scap-security-guide-0.1.39/rhel6/fixes/000077500000000000000000000000001327242345500176375ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/fixes/bash/000077500000000000000000000000001327242345500205545ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/fixes/bash/account_disable_post_pw_expiration.sh000066400000000000000000000006131327242345500302440ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 . /usr/share/scap-security-guide/remediation_functions populate var_account_disable_post_pw_expiration grep -q ^INACTIVE /etc/default/useradd && \ sed -i "s/INACTIVE.*/INACTIVE=$var_account_disable_post_pw_expiration/g" /etc/default/useradd if ! [ $? 
-eq 0 ]; then
    echo "INACTIVE=$var_account_disable_post_pw_expiration" >> /etc/default/useradd
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_maximum_age_login_defs.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate var_accounts_maximum_age_login_defs

grep -q ^PASS_MAX_DAYS /etc/login.defs && \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_minimum_age_login_defs.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate var_accounts_minimum_age_login_defs

grep -q ^PASS_MIN_DAYS /etc/login.defs && \
  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_no_uid_except_zero.sh
# platform = Red Hat Enterprise Linux 6
# Lock every account other than root that has UID 0; xargs -r keeps
# "passwd -l" from being run with no argument when there is nothing to lock.
awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs -r passwd -l

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_password_minlen_login_defs.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate var_accounts_password_minlen_login_defs

grep -q ^PASS_MIN_LEN /etc/login.defs && \
  sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN $var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $?
-eq 0 ]; then
    echo "PASS_MIN_LEN $var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_password_pam_dcredit.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate var_password_pam_dcredit

# Replace only the (possibly negative) numeric value so that options that
# follow dcredit= on the same line are kept.
if grep -q "dcredit=" /etc/pam.d/system-auth; then
    sed -i --follow-symlinks "s/\(dcredit *= *\)[-0-9]*/\1$var_password_pam_dcredit/" /etc/pam.d/system-auth
else
    sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ dcredit=$var_password_pam_dcredit/" /etc/pam.d/system-auth
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_password_pam_difok.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate var_password_pam_difok

if grep -q "difok=" /etc/pam.d/system-auth; then
    sed -i --follow-symlinks "s/\(difok *= *\)[0-9]*/\1$var_password_pam_difok/" /etc/pam.d/system-auth
else
    sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ difok=$var_password_pam_difok/" /etc/pam.d/system-auth
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_password_pam_lcredit.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate var_password_pam_lcredit

if grep -q "lcredit=" /etc/pam.d/system-auth; then
    sed -i --follow-symlinks "s/\(lcredit *= *\)[-0-9]*/\1$var_password_pam_lcredit/" /etc/pam.d/system-auth
else
    sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ lcredit=$var_password_pam_lcredit/" /etc/pam.d/system-auth
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_password_pam_maxrepeat.sh
# platform = Red Hat Enterprise Linux 6
.
/usr/share/scap-security-guide/remediation_functions
populate var_password_pam_maxrepeat

# Replace only the numeric value so that options following maxrepeat= on the
# same line survive; ".*" in its place would delete the rest of the line.
if grep -q "maxrepeat=" /etc/pam.d/system-auth; then
    sed -i --follow-symlinks "s/\(maxrepeat *= *\)[0-9]*/\1$var_password_pam_maxrepeat/" /etc/pam.d/system-auth
else
    sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ maxrepeat=$var_password_pam_maxrepeat/" /etc/pam.d/system-auth
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_password_pam_minclass.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate var_password_pam_minclass

grep -q minclass /etc/pam.d/system-auth
if [ $? = "0" ]; then
    # [0-9]* matches whatever value is currently set, including one above
    # the target; a range such as [0-N] would only match single digits <= N
    # and leave a larger current setting in place.
    sed --follow-symlinks -i "/pam_cracklib.so/s/minclass=[0-9]*/minclass=$var_password_pam_minclass/" /etc/pam.d/system-auth
else
    sed --follow-symlinks -i "/pam_cracklib.so/s/pam_cracklib.so /pam_cracklib.so minclass=$var_password_pam_minclass /" /etc/pam.d/system-auth
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_password_pam_minlen.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate var_password_pam_minlen

if grep -q "minlen=" /etc/pam.d/system-auth
then
    sed -i --follow-symlinks "s/\(minlen *= *\)[0-9]*/\1$var_password_pam_minlen/" /etc/pam.d/system-auth
else
    sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ minlen=$var_password_pam_minlen/" /etc/pam.d/system-auth
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_password_pam_ocredit.sh
# platform = Red Hat Enterprise Linux 6
.
/usr/share/scap-security-guide/remediation_functions
populate var_password_pam_ocredit

if grep -q "ocredit=" /etc/pam.d/system-auth; then
    sed -i --follow-symlinks "s/\(ocredit *= *\)[-0-9]*/\1$var_password_pam_ocredit/" /etc/pam.d/system-auth
else
    sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ ocredit=$var_password_pam_ocredit/" /etc/pam.d/system-auth
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_password_pam_ucredit.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate var_password_pam_ucredit

if grep -q "ucredit=" /etc/pam.d/system-auth; then
    sed -i --follow-symlinks "s/\(ucredit *= *\)[-0-9]*/\1$var_password_pam_ucredit/" /etc/pam.d/system-auth
else
    sed -i --follow-symlinks "/pam_cracklib.so/ s/$/ ucredit=$var_password_pam_ucredit/" /etc/pam.d/system-auth
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/accounts_password_warn_age_login_defs.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate var_accounts_password_warn_age_login_defs

grep -q ^PASS_WARN_AGE /etc/login.defs && \
  sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_WARN_AGE $var_accounts_password_warn_age_login_defs" >> /etc/login.defs
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_chmod.sh
# platform = Red Hat Enterprise Linux 6

# Include source function library.
.
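The accounts_* remediations above all follow one pattern: if the key is already present, rewrite its line with sed, otherwise append a new line; the pam_cracklib ones do the same for an `option=value` token on the module line. The shell functions below are an added example and are not SSG code (the SSG helpers live in remediation_functions, which is not shown here). They are my own, take the file path as an argument so they can be exercised on scratch copies, and apply the same set-or-append logic while touching only the token being set, so that other options on the same line, commented-out copies of the key, and the file's ownership and mode are all preserved. The sample login.defs and system-auth contents are constructed.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): idempotent "set or append"
# for the two file shapes the accounts_* remediations edit.
#   /etc/login.defs          ->  KEY<whitespace>VALUE
#   /etc/pam.d/system-auth   ->  module line carrying opt=value tokens
# Every function takes the file path first so it can run on a scratch copy.

# set_login_defs FILE KEY VALUE
# Rewrite the active "KEY value" line (first field exactly KEY, so "#KEY" and
# "KEY_OTHER" are untouched); append the pair if no such line exists.
# Duplicate active lines for KEY collapse into one. The file is rewritten
# through "cat >" so owner, mode and symlink target are preserved.
set_login_defs() {
    sld_tmp=$(mktemp)
    awk -v key="$2" -v val="$3" '
        $1 == key { if (!done) { print key " " val; done = 1 }; next }
        { print }
        END { if (!done) print key " " val }
    ' "$1" >"$sld_tmp" && cat "$sld_tmp" >"$1"
    rm -f "$sld_tmp"
}

# get_login_defs FILE KEY -> value of the last active KEY line, or nothing.
get_login_defs() {
    awk -v key="$2" '$1 == key { v = $2 } END { if (v != "") print v }' "$1"
}

# set_pam_option FILE MODULE OPT VALUE
# On each uncommented line that loads MODULE, replace the OPT=... token or
# append OPT=VALUE. Only that token changes, so "minlen=8 dcredit=-1" becomes
# "minlen=14 dcredit=-1" and dcredit is not lost. (Runs of whitespace on a
# touched line collapse to single spaces; PAM does not care.)
set_pam_option() {
    spo_tmp=$(mktemp)
    awk -v mod="$2" -v opt="$3" -v val="$4" '
        /^[[:space:]]*#/ { print; next }
        {
            hit = 0; set = 0
            for (i = 1; i <= NF; i++) if ($i == mod) hit = 1
            if (hit) {
                for (i = 1; i <= NF; i++)
                    if (index($i, opt "=") == 1) { $i = opt "=" val; set = 1 }
                if (!set) $0 = $0 " " opt "=" val
            }
            print
        }
    ' "$1" >"$spo_tmp" && cat "$spo_tmp" >"$1"
    rm -f "$spo_tmp"
}

# get_pam_option FILE MODULE OPT -> VALUE from the first MODULE line, or nothing.
get_pam_option() {
    awk -v mod="$2" -v opt="$3" '
        /^[[:space:]]*#/ { next }
        {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == mod) hit = 1
            if (!hit) next
            for (i = 1; i <= NF; i++)
                if (index($i, opt "=") == 1) { print substr($i, length(opt) + 2); exit }
        }
    ' "$1"
}

# Constructed scratch copies standing in for /etc/login.defs and
# /etc/pam.d/system-auth; nothing on the real system is touched.
demo_login_defs=$(mktemp)
printf '# PASS_MAX_DAYS 99999\nPASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n' >"$demo_login_defs"
set_login_defs "$demo_login_defs" PASS_MAX_DAYS 60   # replaced; the comment line stays
set_login_defs "$demo_login_defs" PASS_MIN_LEN 14    # absent -> appended
echo "PASS_MAX_DAYS is now $(get_login_defs "$demo_login_defs" PASS_MAX_DAYS)"

demo_system_auth=$(mktemp)
printf '%s\n' '#%PAM-1.0' \
  'password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1' \
  'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok' \
  >"$demo_system_auth"
set_pam_option "$demo_system_auth" pam_cracklib.so minlen 14   # replaced; dcredit=-1 survives
set_pam_option "$demo_system_auth" pam_cracklib.so minclass 4  # absent -> appended
cat "$demo_system_auth"
rm -f "$demo_login_defs" "$demo_system_auth"
```

On RHEL 6 `/etc/pam.d/system-auth` is a symlink to `system-auth-ac`; writing through `cat >` follows the link, which is why the functions avoid `mv` and also why the SSG scripts pass `--follow-symlinks` to sed.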
/usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="chmod" FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_chown.sh000066400000000000000000000012231327242345500301600ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . /usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in ${RULE_ARCHS[@]} do PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="chown" FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_fchmod.sh000066400000000000000000000012131327242345500303010ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . 
/usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="chmod" FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_fchmodat.sh000066400000000000000000000012131327242345500306260ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . /usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="chmod" FULL_RULE="-a always,exit -F arch=$ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_fchown.sh000066400000000000000000000012231327242345500303260ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . 
/usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in ${RULE_ARCHS[@]} do PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="chown" FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_fchownat.sh000066400000000000000000000012231327242345500306530ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . /usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in ${RULE_ARCHS[@]} do PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="chown" FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_fremovexattr.sh000066400000000000000000000012621327242345500315730ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . 
/usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="xattr" FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_fsetxattr.sh000066400000000000000000000012621327242345500310710ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . /usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="xattr" FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_lchown.sh000066400000000000000000000012231327242345500303340ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . 
/usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in ${RULE_ARCHS[@]} do PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="chown" FULL_RULE="-a always,exit -F arch=$ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_lremovexattr.sh000066400000000000000000000012621327242345500316010ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . /usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="xattr" FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_lsetxattr.sh000066400000000000000000000012621327242345500310770ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . 
/usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="xattr" FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_removexattr.sh000066400000000000000000000012621327242345500314250ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . /usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="xattr" FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_dac_modification_setxattr.sh000066400000000000000000000012621327242345500307230ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . 
/usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit .* -F auid>=500 -F auid!=4294967295 -k *" GROUP="xattr" FULL_RULE="-a always,exit -F arch=${ARCH} -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_file_deletion_events.sh000066400000000000000000000013451327242345500277010ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . /usr/share/scap-security-guide/remediation_functions # Perform the remediation for the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in ${RULE_ARCHS[@]} do PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k delete" # Use escaped BRE regex to specify rule group GROUP="\(rmdir\|unlink\|rename\)" FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_immutable.sh000066400000000000000000000011051327242345500254640ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 readonly AUDIT_RULES='/etc/audit/audit.rules' # If '-e .*' setting present in audit.rules already, delete it since the # auditctl(8) manual page instructs it should be the last rule in configuration sed -i '/-e[[:space:]]\+.*/d' $AUDIT_RULES # Append '-e 2' requirement at the end of audit.rules echo '' >> 
$AUDIT_RULES echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_RULES echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_RULES echo '-e 2' >> $AUDIT_RULES scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_kernel_module_loading.sh000066400000000000000000000022501327242345500300310ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . /usr/share/scap-security-guide/remediation_functions # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system # Note: 32-bit kernel modules can't be loaded / unloaded on 64-bit kernel => # it's not required on a 64-bit system to check also for the presence # of 32-bit's equivalent of the corresponding rule. Therefore for # each system it's enought to check presence of system's native rule form. [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S .* -k *" # Use escaped BRE regex to specify rule group GROUP="\(init\|delete\)_module" FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -S delete_module -k modules" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # Then perform the remediations for the watch rules fix_audit_watch_rule "auditctl" "/sbin/insmod" "x" "modules" fix_audit_watch_rule "auditctl" "/sbin/rmmod" "x" "modules" fix_audit_watch_rule "auditctl" "/sbin/modprobe" "x" "modules" scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_login_events.sh000066400000000000000000000005451327242345500262100ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . 
/usr/share/scap-security-guide/remediation_functions

# Perform the remediation
fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins"
fix_audit_watch_rule "auditctl" "/var/run/faillock/" "wa" "logins"
fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins"

scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_mac_modification.sh
# platform = Red Hat Enterprise Linux 6

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation
fix_audit_watch_rule "auditctl" "/etc/selinux/" "wa" "MAC-policy"

scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_media_export.sh
# platform = Red Hat Enterprise Linux 6

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=500 -F auid!=4294967295 -k *"
    GROUP="mount"
    FULL_RULE="-a always,exit -F arch=$ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_networkconfig_modification.sh
# platform = Red Hat Enterprise Linux 6

# Include source function library.
.
/usr/share/scap-security-guide/remediation_functions # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S .* -k *" # Use escaped BRE regex to specify rule group GROUP="set\(host\|domain\)name" FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done # Then perform the remediations for the watch rules fix_audit_watch_rule "auditctl" "/etc/issue" "wa" "audit_rules_networkconfig_modification" fix_audit_watch_rule "auditctl" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification" fix_audit_watch_rule "auditctl" "/etc/hosts" "wa" "audit_rules_networkconfig_modification" fix_audit_watch_rule "auditctl" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification" scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_privileged_commands.sh000066400000000000000000000003431327242345500275230ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . /usr/share/scap-security-guide/remediation_functions # Perform the remediation perform_audit_rules_privileged_commands_remediation "auditctl" "500" scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_session_events.sh000066400000000000000000000005331327242345500265600ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . 
/usr/share/scap-security-guide/remediation_functions

# Perform the remediation
fix_audit_watch_rule "auditctl" "/var/run/utmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/btmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/wtmp" "wa" "session"

scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_sysadmin_actions.sh
# platform = Red Hat Enterprise Linux 6

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation
fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"

scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_time_adjtimex.sh
# platform = Red Hat Enterprise Linux 6

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

rhel6_perform_audit_adjtimex_settimeofday_stime_remediation

scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_time_clock_settime.sh
# platform = Red Hat Enterprise Linux 6

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S clock_settime -F a0=.* \(-F key=\|-k \).*"
    GROUP="clock_settime"
    FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -F a0=0x0 -k time-change"
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_time_settimeofday.sh
# platform = Red Hat Enterprise Linux 6

# Include source function library.
.
/usr/share/scap-security-guide/remediation_functions

rhel6_perform_audit_adjtimex_settimeofday_stime_remediation

scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_time_stime.sh
# platform = Red Hat Enterprise Linux 6

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

rhel6_perform_audit_adjtimex_settimeofday_stime_remediation

scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_time_watch_localtime.sh
# platform = Red Hat Enterprise Linux 6

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation
fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"

scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_unsuccessful_file_modification.sh
# platform = Red Hat Enterprise Linux 6

# Include source function library.
.
/usr/share/scap-security-guide/remediation_functions # Perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do # First fix the -EACCES requirement PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k *" # Use escaped BRE regex to specify rule group GROUP="\(creat\|open\|truncate\)" FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" # Then fix the -EPERM requirement PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k *" # No need to change content of $GROUP variable - it's the same as for -EACCES case above FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/rhel6/fixes/bash/audit_rules_usergroup_modification.sh000066400000000000000000000011401327242345500302640ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Include source function library. . 
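Every audit_rules_* remediation above delegates to fix_audit_syscall_rule or fix_audit_watch_rule, both defined in remediation_functions, which is not part of this listing; audit_rules_immutable.sh additionally keeps `-e 2` as the last line, because auditctl rejects any rule that follows it once immutable mode is set. The functions below are an added example and are not SSG's implementation: a simplified, file-based version of the same behaviour (merge new syscalls into an existing rule for the same architecture and key when the two share a syscall, otherwise append; rewrite or append a watch rule; move `-e 2` to the end). The names and the sample rules file are my own, and nothing is loaded into the running kernel.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): file-based equivalents of the
# fix_audit_syscall_rule / fix_audit_watch_rule idiom used by the audit_rules_*
# remediations. They edit an audit.rules file in place and never call auditctl,
# so they can be exercised on a scratch copy.

# ensure_syscall_rule FILE ARCH KEY "FILTERS" "SYSCALL SYSCALL ..."
# If an uncommented "-a always,exit" rule for the same ARCH and KEY already
# lists at least one of the wanted syscalls (the "syscall group"), rewrite it
# once with the union of its syscalls and the wanted ones, in canonical form
#   -a always,exit -F arch=ARCH -S a -S b ... FILTERS -k KEY
# Otherwise append that canonical rule. Comma-joined "-S a,b" forms are read.
ensure_syscall_rule() {
    esr_tmp=$(mktemp)
    awk -v arch="$2" -v key="$3" -v filters="$4" -v wanted="$5" '
        function add(s) { if (!(s in have)) { have[s] = 1; order[++cnt] = s } }
        function canonical(   line, i) {
            line = "-a always,exit -F arch=" arch
            for (i = 1; i <= cnt; i++) line = line " -S " order[i]
            if (filters != "") line = line " " filters
            return line " -k " key
        }
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) add(w[i]) }
        /^[[:space:]]*#/ || NF == 0 { print; next }
        {
            is_exit = 0; has_arch = 0; has_key = 0; overlap = 0; ncur = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-a" && ($(i+1) == "always,exit" || $(i+1) == "exit,always")) is_exit = 1
                if ($i == "-F" && $(i+1) == "arch=" arch) has_arch = 1
                if (($i == "-k" && $(i+1) == key) || ($i == "-F" && $(i+1) == "key=" key)) has_key = 1
                if ($i == "-S") {
                    m = split($(i+1), parts, ",")
                    for (j = 1; j <= m; j++) { cur[++ncur] = parts[j]; if (parts[j] in have) overlap = 1 }
                }
            }
            if (is_exit && has_arch && has_key && overlap && !merged) {
                for (j = 1; j <= ncur; j++) add(cur[j])
                print canonical(); merged = 1; next
            }
            print
        }
        END { if (!merged) print canonical() }
    ' "$1" >"$esr_tmp" && cat "$esr_tmp" >"$1"
    rm -f "$esr_tmp"
}

# ensure_watch_rule FILE PATH PERMS KEY
# Rewrite the first existing "-w PATH" rule as "-w PATH -p PERMS -k KEY"
# (further duplicates for PATH are dropped); append it if none exists.
ensure_watch_rule() {
    ewr_tmp=$(mktemp)
    awk -v path="$2" -v perms="$3" -v key="$4" '
        function rule() { return "-w " path " -p " perms " -k " key }
        /^[[:space:]]*#/ { print; next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "-w" && $(i+1) == path) { if (!done) { print rule(); done = 1 }; next }
            print
        }
        END { if (!done) print rule() }
    ' "$1" >"$ewr_tmp" && cat "$ewr_tmp" >"$1"
    rm -f "$ewr_tmp"
}

# ensure_immutable FILE -> drop any "-e N" line and append "-e 2" as the last
# line, so that no rule comes after it.
ensure_immutable() {
    ei_tmp=$(mktemp)
    { grep -Ev '^[[:space:]]*-e[[:space:]]' "$1"; printf '%s\n' '-e 2'; } >"$ei_tmp" && cat "$ei_tmp" >"$1"
    rm -f "$ei_tmp"
}

# Constructed scratch audit.rules: one existing chmod rule, one watch with too
# few permissions, and "-e 2" already present (which ends up in the wrong
# place once rules are appended, hence ensure_immutable runs last).
make_sample_rules() {
    msr_f=$(mktemp)
    printf '%s\n' '# constructed sample, not a real /etc/audit/audit.rules' '-D' '-b 8192' \
      '-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod' \
      '-w /etc/group -p w -k audit_rules_usergroup_modification' '-e 2' >"$msr_f"
    echo "$msr_f"
}

rules=$(make_sample_rules)
AUID='-F auid>=500 -F auid!=4294967295'
ensure_syscall_rule "$rules" b64 perm_mod "$AUID" "chmod fchmod fchmodat"         # merged into the chmod line
ensure_syscall_rule "$rules" b64 perm_mod "$AUID" "chown fchown fchownat lchown"  # no shared syscall: new line
ensure_syscall_rule "$rules" b32 perm_mod "$AUID" "chmod fchmod fchmodat"         # other arch: new line
ensure_watch_rule "$rules" /etc/group wa audit_rules_usergroup_modification       # -p w becomes -p wa
ensure_watch_rule "$rules" /etc/passwd wa audit_rules_usergroup_modification      # appended
ensure_immutable "$rules"                                                         # -e 2 moved to the end
cat "$rules"
rm -f "$rules"
```

The merge is keyed on architecture, key and a shared syscall rather than on key alone on purpose: the SSG rules reuse one key (perm_mod) for the chmod, chown and xattr groups, and merging those into a single rule would change the line layout the matching OVAL checks look for, even though the kernel would treat the two forms the same.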
/usr/share/scap-security-guide/remediation_functions

# Perform the remediation
fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification"
fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification"

scap-security-guide-0.1.39/rhel6/fixes/bash/auditd_data_retention_admin_space_left_action.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate var_auditd_admin_space_left_action

grep -q ^admin_space_left_action /etc/audit/auditd.conf && \
  sed -i "s/admin_space_left_action.*/admin_space_left_action = $var_auditd_admin_space_left_action/g" /etc/audit/auditd.conf
if ! [ $? -eq 0 ]; then
    echo "admin_space_left_action = $var_auditd_admin_space_left_action" >> /etc/audit/auditd.conf
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/banner_etc_issue.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate login_banner_text

# There was a regular-expression matching various banners, needs to be expanded
expanded=$(echo "$login_banner_text" | sed 's/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g')
formatted=$(echo "$expanded" | fold -sw 80)

# Overwrite /etc/issue with the wrapped banner text and end it with a newline
cat <<EOF >/etc/issue
$formatted
EOF

printf "\n" >> /etc/issue

scap-security-guide-0.1.39/rhel6/fixes/bash/disable_ctrlaltdel_reboot.sh
# platform = Red Hat Enterprise Linux 6

# If system does not contain control-alt-delete.override,
if [ !
-f /etc/init/control-alt-delete.override ]; then # but does have control-alt-delete.conf file, if [ -f /etc/init/control-alt-delete.conf ]; then # then copy .conf to .override to maintain persistency cp /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.override fi fi sed -i 's,^exec.*$,exec /usr/bin/logger -p authpriv.notice -t init "Ctrl-Alt-Del was pressed and ignored",' /etc/init/control-alt-delete.override scap-security-guide-0.1.39/rhel6/fixes/bash/disable_interactive_boot.sh000066400000000000000000000006561327242345500261420ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Ensure value of PROMPT key in /etc/sysconfig/init is set to 'no' grep -q ^PROMPT /etc/sysconfig/init && \ sed -i "s/PROMPT.*/PROMPT=no/g" /etc/sysconfig/init if ! [ $? -eq 0 ]; then echo "PROMPT=no" >> /etc/sysconfig/init fi # Ensure 'confirm' kernel boot argument is not present in some of # kernel lines in /etc/grub.conf sed -i --follow-symlinks "s/confirm//gI" /etc/grub.conf scap-security-guide-0.1.39/rhel6/fixes/bash/disable_prelink.sh000066400000000000000000000006261327242345500242430ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # # Disable prelinking altogether # if grep -q ^PRELINKING /etc/sysconfig/prelink then sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink else echo -e "\n# Set PRELINKING=no per security requirements" >> /etc/sysconfig/prelink echo "PRELINKING=no" >> /etc/sysconfig/prelink fi # # Undo previous prelink changes to binaries # /usr/sbin/prelink -ua scap-security-guide-0.1.39/rhel6/fixes/bash/disable_users_coredumps.sh000066400000000000000000000001431327242345500260130ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 echo "* hard core 0" >> /etc/security/limits.conf scap-security-guide-0.1.39/rhel6/fixes/bash/display_login_attempts.sh000066400000000000000000000002361327242345500256670ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 sed -i --follow-symlinks 
'/pam_limits.so/a session\t required\t pam_lastlog.so showfailed' /etc/pam.d/system-auth scap-security-guide-0.1.39/rhel6/fixes/bash/enable_selinux_bootloader.sh000066400000000000000000000002361327242345500263200ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 sed -i --follow-symlinks "s/selinux=0//gI" /etc/grub.conf sed -i --follow-symlinks "s/enforcing=0//gI" /etc/grub.conf scap-security-guide-0.1.39/rhel6/fixes/bash/file_group_owner_grub_conf.sh000066400000000000000000000001021327242345500264720ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 chgrp root /etc/grub.conf scap-security-guide-0.1.39/rhel6/fixes/bash/file_permissions_grub_conf.sh000066400000000000000000000001071327242345500265040ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 chmod 600 /boot/grub/grub.conf scap-security-guide-0.1.39/rhel6/fixes/bash/file_user_owner_grub_conf.sh000066400000000000000000000001021327242345500263140ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 chown root /etc/grub.conf scap-security-guide-0.1.39/rhel6/fixes/bash/gconf_gdm_disable_user_list.sh000066400000000000000000000007141327242345500266110ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # platform = Red Hat Enterprise Linux 6 # Install GConf2 package if not installed if ! rpm -q GConf2; then yum -y install GConf2 fi # Disable displaying of all known system users in the GNOME Display Manager's # login screen gconftool-2 --direct \ --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \ --type bool \ --set /apps/gdm/simple-greeter/disable_user_list true scap-security-guide-0.1.39/rhel6/fixes/bash/gconf_gdm_enable_warning_gui_banner.sh000066400000000000000000000006471327242345500302660ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Install GConf2 package if not installed if ! 
rpm -q GConf2; then
    yum -y install GConf2
fi

# Enable displaying of a login warning banner in the GNOME Display Manager's
# login screen
gconftool-2 --direct \
    --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
    --type bool \
    --set /apps/gdm/simple-greeter/banner_message_enable true

scap-security-guide-0.1.39/rhel6/fixes/bash/gconf_gdm_set_login_banner_text.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate login_banner_text

# Install GConf2 package if not installed
if ! rpm -q GConf2; then
    yum -y install GConf2
fi

# Expand the login_banner_text value - there was a regular-expression
# matching various banners, needs to be expanded
banner_expanded=$(echo "$login_banner_text" | sed 's/\[\\s\\n\][*+]/ /g;s/\\//g;')

# Set the text shown by the GNOME Display Manager in the login screen
gconftool-2 --direct \
    --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
    --type string \
    --set /apps/gdm/simple-greeter/banner_message_text "${banner_expanded}"

scap-security-guide-0.1.39/rhel6/fixes/bash/gconf_gnome_screen_locking_keybindings.sh
# platform = Red Hat Enterprise Linux 6

# Install GConf2 package if not installed
if ! rpm -q GConf2; then
    yum -y install GConf2
fi

# Bind Ctrl-Alt-L in the GNOME desktop to activating the screensaver, so users
# can lock the screen on demand (the value is a GConf accelerator string)
gconftool-2 --direct \
    --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \
    --type string \
    --set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l"

scap-security-guide-0.1.39/rhel6/fixes/bash/gconf_gnome_screensaver_idle_activation_enabled.sh
# platform = Red Hat Enterprise Linux 6

# Install GConf2 package if not installed
if !
rpm -q GConf2; then yum -y install GConf2 fi # Set the screensaver activation in the GNOME desktop after a period of inactivity gconftool-2 --direct \ --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true scap-security-guide-0.1.39/rhel6/fixes/bash/gconf_gnome_screensaver_idle_delay.sh000066400000000000000000000010121327242345500301360ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 . /usr/share/scap-security-guide/remediation_functions populate inactivity_timeout_value # Install GConf2 package if not installed if ! rpm -q GConf2; then yum -y install GConf2 fi # Set the idle time-out value for inactivity in the GNOME desktop to meet the # requirement gconftool-2 --direct \ --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \ --type int \ --set /desktop/gnome/session/idle_delay ${inactivity_timeout_value} scap-security-guide-0.1.39/rhel6/fixes/bash/gconf_gnome_screensaver_lock_enabled.sh000066400000000000000000000006431327242345500304560ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Install GConf2 package if not installed if ! rpm -q GConf2; then yum -y install GConf2 fi # Set the screensaver locking activation in the GNOME desktop when the # screensaver is activated gconftool-2 --direct \ --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true scap-security-guide-0.1.39/rhel6/fixes/bash/gconf_gnome_screensaver_mode_blank.sh000066400000000000000000000006031327242345500301430ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Install GConf2 package if not installed if ! 
rpm -q GConf2; then yum -y install GConf2 fi # Set the screensaver mode in the GNOME desktop to a blank screen gconftool-2 --direct \ --config-source "xml:readwrite:/etc/gconf/gconf.xml.mandatory" \ --type string \ --set /apps/gnome-screensaver/mode blank-only scap-security-guide-0.1.39/rhel6/fixes/bash/groupowner_shadow_file.sh000066400000000000000000000000771327242345500256670ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 chgrp root /etc/shadow kernel_disable_entropy_contribution_for_solid_state_drives.sh000066400000000000000000000016021327242345500351660ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/fixes/bash# platform = Red Hat Enterprise Linux 6 # First obtain the list of block devices present on system into array # # Used lsblk options: # -o NAME Display only block device name # -a Display all devices (including empty ones) in the list # -d Don't print device holders or slaves information # -n Suppress printing of introductory heading line in the list SYSTEM_BLOCK_DEVICES=($(/bin/lsblk -o NAME -a -d -n)) # For each SSD block device from that list # (device where /sys/block/DEVICE/queue/rotation == 0) for BLOCK_DEVICE in "${SYSTEM_BLOCK_DEVICES[@]}" do # Verify the block device is SSD if grep -q "0" /sys/block/${BLOCK_DEVICE}/queue/rotational then # If particular SSD is configured to contribute to # random-number entropy pool, disable it if grep -q "1" /sys/block/${BLOCK_DEVICE}/queue/add_random then echo "0" > /sys/block/${BLOCK_DEVICE}/queue/add_random fi fi done scap-security-guide-0.1.39/rhel6/fixes/bash/kernel_module_ipv6_option_disabled.sh000066400000000000000000000020201327242345500301120ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Prevent the IPv6 kernel module (ipv6) from loading the IPv6 networking stack echo "options ipv6 disable=1" > /etc/modprobe.d/ipv6.conf # Since according to: https://access.redhat.com/solutions/72733 # "ipv6 disable=1" options doesn't always disable the IPv6 
networking stack from # loading, instruct also sysctl configuration to disable IPv6 according to: # https://access.redhat.com/solutions/8709#rhel6disable declare -a IPV6_SETTINGS=("net.ipv6.conf.all.disable_ipv6" "net.ipv6.conf.default.disable_ipv6") for setting in ${IPV6_SETTINGS[@]} do # Set runtime =1 for setting /sbin/sysctl -q -n -w "$setting=1" # If setting is present in /etc/sysctl.conf, change value to "1" # else, add "$setting = 1" to /etc/sysctl.conf if grep -q ^"$setting" /etc/sysctl.conf ; then sed -i "s/^$setting.*/$setting = 1/g" /etc/sysctl.conf else echo "" >> /etc/sysctl.conf echo "# Set $setting = 1 per security requirements" >> /etc/sysctl.conf echo "$setting = 1" >> /etc/sysctl.conf fi done scap-security-guide-0.1.39/rhel6/fixes/bash/mount_option_nodev_nonroot_local_partitions.sh000066400000000000000000000061331327242345500322440ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # NOTE: Run-time reconfiguration of partitions' mount options is not possible. # After performing this remediation be sure to also subsequently reboot the # system as soon as possible for the remediation to take the effect! 
# Shortened ID for frequently used character class SP="[:space:]" # Load /etc/fstab's content with LABEL= and UUID= tags expanded to real # device names into FSTAB_REAL_DEVICES array splitting items by newline IFS=$'\n' FSTAB_REAL_DEVICES=($(findmnt --fstab --evaluate --noheadings)) for line in ${FSTAB_REAL_DEVICES[@]} do # For each line: # * squeeze multiple space characters into one, # * split line content info four columns (target, source, fstype, and # mount options) by space delimiter IFS=$' ' read TARGET SOURCE FSTYPE MOUNT_OPTIONS <<< "$(echo $line | tr -s ' ')" # Filter the targets according to the following criteria: # * don't include record for root partition, # * include the target only if it has the form of '/word.*' (not to include # special entries like e.g swap), # * include the target only if its source has the form of '/dev.*' # (to process only local partitions) if [[ ! $TARGET =~ ^\/$ ]] && # Don't include root partition [[ $TARGET =~ ^\/[A-Za-z0-9_] ]] && # Include if target =~ '/word.*' [[ $SOURCE =~ ^\/dev ]] # Include if source =~ '/dev.*' then # Check the mount options column if it doesn't contain 'nodev' keyword yet if ! grep -q "nodev" <<< "$MOUNT_OPTIONS" then # Check if current mount options is empty string ('') meaning # particular /etc/fstab row contain just 'defaults' keyword if [[ ${#MOUNT_OPTIONS} == "0" ]] then # If so, add 'defaults' back and append 'nodev' keyword MOUNT_OPTIONS="defaults,nodev" else # Otherwise append just 'nodev' keyword MOUNT_OPTIONS="$MOUNT_OPTIONS,nodev" fi # Escape possible slash ('/') characters in target for use as sed # expression below TARGET_ESCAPED=${TARGET//$'/'/$'\/'} # This target doesn't contain 'nodev' in mount options yet (and meets # the above filtering criteria). 
Therefore obtain particular /etc/fstab's # row into FSTAB_TARGET_ROW variable separating the mount options field with # hash '#' character FSTAB_TARGET_ROW=$(sed -n "s/\(.*$TARGET_ESCAPED[$SP]\+$FSTYPE[$SP]\+\)\([^$SP]\+\)/\1#\2#/p" /etc/fstab) # Split the retrieved value by the hash '#' delimiter to get the # row's head & tail (i.e. columns other than mount options) which won't # get modified IFS=$'#' read TARGET_HEAD TARGET_OPTS TARGET_TAIL <<< "$FSTAB_TARGET_ROW" # Replace old mount options for particular /etc/fstab's row (for this target # and fstype) with new mount options sed -i "s#${TARGET_HEAD}\(.*\)${TARGET_TAIL}#${TARGET_HEAD}${MOUNT_OPTIONS}${TARGET_TAIL}#" /etc/fstab fi fi done scap-security-guide-0.1.39/rhel6/fixes/bash/network_disable_zeroconf.sh000066400000000000000000000001301327242345500261630ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 echo "NOZEROCONF=yes" >> /etc/sysconfig/network scap-security-guide-0.1.39/rhel6/fixes/bash/network_ipv6_disable_rpc.sh000066400000000000000000000005221327242345500260730ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 # Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC # services for NFSv4 from attempting to start IPv6 network listeners declare -a IPV6_RPC_ENTRIES=("tcp6" "udp6") for rpc_entry in ${IPV6_RPC_ENTRIES[@]} do sed -i "/^$rpc_entry[[:space:]]\+tpi\_.*inet6.*/d" /etc/netconfig done scap-security-guide-0.1.39/rhel6/fixes/bash/require_singleuser_auth.sh000066400000000000000000000003461327242345500260500ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 grep -q ^SINGLE /etc/sysconfig/init && \ sed -i "s/SINGLE.*/SINGLE=\/sbin\/sulogin/g" /etc/sysconfig/init if ! [ $? -eq 0 ]; then echo "SINGLE=/sbin/sulogin" >> /etc/sysconfig/init fi scap-security-guide-0.1.39/rhel6/fixes/bash/smartcard_auth.sh000066400000000000000000000100741327242345500241130ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 . 
/usr/share/scap-security-guide/remediation_functions # Install required packages yum -y install esc yum -y install pam_pkcs11 # Enable pcscd service service_command enable pcscd # Configure the expected /etc/pam.d/system-auth{,-ac} settings directly # # The code below will configure system authentication in the way smart card # logins will be enabled, but also user login(s) via other method to be allowed # # NOTE: In contrast to Red Hat Enterprise Linux 7 version of this remediation # script (based on the testing) it does NOT seem to be possible to use # the 'authconfig' command to perform the remediation for us. Because: # # * calling '/usr/sbin/authconfig --enablesmartcard --update' # does not update all the necessary files, while # # * calling '/usr/sbin/authconfig --enablesmartcard --updateall' # discards the necessary changes on /etc/pam_pkcs11/pam_pkcs11.conf # performed subsequently below # # Therefore we configure /etc/pam.d/system-auth{,-ac} settings directly. # # Define system-auth config location SYSTEM_AUTH_CONF="/etc/pam.d/system-auth" # Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF PAM_ENV_SO="auth.*required.*pam_env.so" # Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF SYSTEM_AUTH_PAM_SUCCEED="\ auth \[success=1 default=ignore\] pam_succeed_if.so service notin \ login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid" # Define 'pam_pkcs11.so' row to be appended past $SYSTEM_AUTH_PAM_SUCCEED # row into SYSTEM_AUTH_CONF file SYSTEM_AUTH_PAM_PKCS11="\ auth \[success=done authinfo_unavail=ignore ignore=ignore default=die\] \ pam_pkcs11.so card_only" # Define smartcard-auth config location SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth" # Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF SMARTCARD_AUTH_SECTION="\ auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only" # Define expected 'pam_permit.so' row in 
$SMARTCARD_AUTH_CONF PAM_PERMIT_SO="account.*required.*pam_permit.so" # Define 'pam_pkcs11.so' password section SMARTCARD_PASSWORD_SECTION="\ password required pam_pkcs11.so" # First Correct the SYSTEM_AUTH_CONF configuration if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF" then # Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SYSTEM_AUTH_PAM_SUCCEED" "$SYSTEM_AUTH_CONF" # Append (expected) pam_pkcs11.so row past the pam_succeed_if.so into SYSTEM_AUTH_CONF file sed -i --follow-symlinks -e '/^'"$SYSTEM_AUTH_PAM_SUCCEED"'/a '"$SYSTEM_AUTH_PAM_PKCS11" "$SYSTEM_AUTH_CONF" fi # Then also correct the SMARTCARD_AUTH_CONF if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF" then # Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF" # Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF" fi # Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below # Define selected constants for later reuse SP="[:space:]" PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf" # Ensure OCSP is turned on in $PAM_PKCS11_CONF # 1) First replace any occurrence of 'none' value of 'cert_policy' key setting with the correct configuration # On Red Hat Enterprise Linux 6 a space isn't required between 'cert_policy' key and value assignment !!! sed -i "s/^[$SP]*cert_policy=none;/ cert_policy=ca, ocsp_on, signature;/g" "$PAM_PKCS11_CONF" # 2) Then append 'ocsp_on' value setting to each 'cert_policy' key in $PAM_PKCS11_CONF configuration line, # which does not contain it yet # On Red Hat Enterprise Linux 6 a space isn't required between 'cert_policy' key and value assignment !!! sed -i "/ocsp_on/! 
s/^[$SP]*cert_policy=\(.*\);/ cert_policy=\1, ocsp_on;/" "$PAM_PKCS11_CONF" scap-security-guide-0.1.39/rhel6/fixes/bash/sshd_do_not_permit_user_env.sh000066400000000000000000000004151327242345500267010ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 grep -q ^PermitUserEnvironment /etc/ssh/sshd_config && \ sed -i "s/PermitUserEnvironment.*/PermitUserEnvironment no/g" /etc/ssh/sshd_config if ! [ $? -eq 0 ]; then echo "PermitUserEnvironment no" >> /etc/ssh/sshd_config fi scap-security-guide-0.1.39/rhel6/fixes/bash/sshd_enable_warning_banner.sh000066400000000000000000000003431327242345500264310ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 grep -q ^Banner /etc/ssh/sshd_config && \ sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config if ! [ $? -eq 0 ]; then echo "Banner /etc/issue" >> /etc/ssh/sshd_config fi scap-security-guide-0.1.39/rhel6/fixes/bash/sshd_set_idle_timeout.sh000066400000000000000000000006121327242345500254660ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 . /usr/share/scap-security-guide/remediation_functions populate sshd_idle_timeout_value grep -q ^ClientAliveInterval /etc/ssh/sshd_config && \ sed -i "s/ClientAliveInterval.*/ClientAliveInterval $sshd_idle_timeout_value/g" /etc/ssh/sshd_config if ! [ $? -eq 0 ]; then echo "ClientAliveInterval $sshd_idle_timeout_value" >> /etc/ssh/sshd_config fi scap-security-guide-0.1.39/rhel6/fixes/bash/sshd_set_keepalive.sh000066400000000000000000000004031327242345500247460ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 grep -q ^ClientAliveCountMax /etc/ssh/sshd_config && \ sed -i "s/ClientAliveCountMax.*/ClientAliveCountMax 0/g" /etc/ssh/sshd_config if ! [ $? 
-eq 0 ]; then
    echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/sshd_use_approved_ciphers.sh
# platform = Red Hat Enterprise Linux 6
grep -q ^Ciphers /etc/ssh/sshd_config && \
  sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc" >> /etc/ssh/sshd_config
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/umask_for_daemons.sh
# platform = Red Hat Enterprise Linux 6
. /usr/share/scap-security-guide/remediation_functions
populate var_umask_for_daemons

grep -q ^umask /etc/init.d/functions && \
  sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
if ! [ $? -eq 0 ]; then
    echo "umask $var_umask_for_daemons" >> /etc/init.d/functions
fi

scap-security-guide-0.1.39/rhel6/fixes/bash/userowner_shadow_file.sh
# platform = Red Hat Enterprise Linux 6
chown root /etc/shadow

scap-security-guide-0.1.39/rhel6/guide.xslt
A conditional clause for check statements. A conditional clause for check statements. This is a placeholder.

scap-security-guide-0.1.39/rhel6/guide/
scap-security-guide-0.1.39/rhel6/guide/guide.benchmark
---
documentation_complete: true

title: Guide to the Secure Configuration of Red Hat Enterprise Linux 6

status: draft

description: |
    This guide presents a catalog of security-relevant
    configuration settings for Red Hat Enterprise Linux 6. It is a rendering of
    content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
    in order to support security automation. The SCAP content is
    available in the scap-security-guide package which is developed at .

    Providing system administrators with such guidance informs them how to securely
    configure systems under their control in a variety of network roles. Policy
    makers and baseline creators can use this catalog of settings, with its
    associated references to higher-level security control catalogs, in order to
    assist them in security baseline creation. This guide is a catalog, not a
    checklist, and satisfaction of every item is not likely to be possible or
    sensible in many operational scenarios. However, the XCCDF format enables
    granular selection and adjustment of settings, and their association with OVAL
    and OCIL content provides an automated checking capability. Transformations of
    this document, and its associated automated checking content, are capable of
    providing baselines that meet a diverse set of policy objectives. Some example
    XCCDF Profiles, which are selections of items that form checklists and can be
    used as baselines, are available with this guide. They can be processed, in an
    automated fashion, with tools that support the Security Content Automation
    Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 6, which provides
    required settings for US Department of Defense systems, is one example of a
    baseline created from this guidance.

notice:
    id: terms_of_use
    description: |
        Do not attempt to implement any of the settings in this guide without first
        testing them in a non-operational environment. The creators of this guidance
        assume no responsibility whatsoever for its use by other parties, and make no
        guarantees, expressed or implied, about its quality, reliability, or any other
        characteristic.

front-matter: |
    The SCAP Security Guide Project
rear-matter: | Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. cpes: - version: 0.9 scap-security-guide-0.1.39/rhel6/guide/services/000077500000000000000000000000001327242345500214415ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/avahi/000077500000000000000000000000001327242345500225315ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/avahi/avahi.group000066400000000000000000000006521327242345500247020ustar00rootroot00000000000000documentation_complete: true title: 'Avahi Server' description: |- The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows a system to automatically identify resources on the network, such as printers or web servers. This capability is also known as mDNSresponder and is a major part of Zeroconf networking. scap-security-guide-0.1.39/rhel6/guide/services/avahi/avahi_configuration/000077500000000000000000000000001327242345500265505ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/avahi/avahi_configuration/avahi_check_ttl.rule000066400000000000000000000014701327242345500325530ustar00rootroot00000000000000documentation_complete: true title: 'Check Avahi Responses'' TTL Field' description: |- To make Avahi ignore packets unless the TTL field is 255, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server] section:
check-response-ttl=yes
rationale: |- This helps to ensure that only mDNS responses from the local network are processed, because the TTL field in a packet is decremented from its initial value of 255 whenever it is routed from one network to another. Although a properly-configured router or firewall should not allow mDNS packets into the local network at all, this option provides another check to ensure they are not permitted. severity: unknown identifiers: cce: 27340-9 references: nist: CM-7 scap-security-guide-0.1.39/rhel6/guide/services/avahi/avahi_configuration/avahi_configuration.group000066400000000000000000000010271327242345500336450ustar00rootroot00000000000000documentation_complete: true title: 'Configure Avahi if Necessary' description: |- If your system requires the Avahi daemon, its configuration can be restricted to improve security. The Avahi daemon configuration file is /etc/avahi/avahi-daemon.conf. The following security recommendations should be applied to this file: See the avahi-daemon.conf(5) man page, or documentation at , for more detailed information about the configuration options. avahi_disable_publishing.rule000066400000000000000000000006721327242345500343660ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/avahi/avahi_configurationdocumentation_complete: true title: 'Disable Avahi Publishing' description: |- To prevent Avahi from publishing its records, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [publish] section:
disable-publishing=yes
rationale: 'This helps ensure that no record will be published by Avahi.' severity: unknown identifiers: cce: 27526-3 references: nist: CM-7 scap-security-guide-0.1.39/rhel6/guide/services/avahi/avahi_configuration/avahi_ip_only.rule000066400000000000000000000007271327242345500322700ustar00rootroot00000000000000documentation_complete: true title: 'Serve Avahi Only via Required Protocol' description: |- If you are using only IPv4, edit /etc/avahi/avahi-daemon.conf and ensure the following line exists in the [server] section:
use-ipv6=no
Similarly, if you are using only IPv6, disable IPv4 sockets with the line:
use-ipv4=no
rationale: "" severity: unknown identifiers: cce: 27590-9 references: nist: CM-7 avahi_prevent_port_sharing.rule000066400000000000000000000010031327242345500347660ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/avahi/avahi_configurationdocumentation_complete: true title: 'Prevent Other Programs from Using Avahi''s Port' description: |- To prevent other mDNS stacks from running, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server] section:
disallow-other-stacks=yes
rationale: |- This helps ensure that only Avahi is responsible for mDNS traffic coming from that port on the system. severity: unknown identifiers: cce: 27308-6 references: nist: CM-7 avahi_restrict_published_information.rule000066400000000000000000000024171327242345500370410ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/avahi/avahi_configurationdocumentation_complete: true title: 'Restrict Information Published by Avahi' description: |- If it is necessary to publish some information to the network, it should not be joined by any extraneous information, or by information supplied by a non-trusted source on the system. Prevent user applications from using Avahi to publish services by adding or correcting the following line in the [publish] section:
disable-user-service-publishing=yes
Implement as many of the following lines as possible, to restrict the information published by Avahi.
publish-addresses=no
    publish-hinfo=no
    publish-workstation=no
    publish-domain=no
Inspect the files in the directory /etc/avahi/services/. Unless there is an operational need to publish information about each of these services, delete the corresponding file. rationale: |- These options prevent publishing attempts from succeeding, and can be applied even if publishing is disabled entirely via disable-publishing. Alternatively, these can be used to restrict the types of published information in the event that some information must be published. severity: unknown identifiers: cce: 27300-3 references: nist: CM-7 scap-security-guide-0.1.39/rhel6/guide/services/avahi/service_avahi-daemon_disabled_group/000077500000000000000000000000001327242345500316455ustar00rootroot00000000000000service_avahi-daemon_disabled.rule000066400000000000000000000011071327242345500403560ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/avahi/service_avahi-daemon_disabled_groupdocumentation_complete: true title: 'Disable Avahi Server Software' description: '' rationale: |- Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted. severity: unknown identifiers: cce: 27087-6 references: disa: 366 nist: CM-7 srg: SRG-OS-999999 stigid: RHEL-06-000246 ocil: '' service_avahi-daemon_disabled_group.group000066400000000000000000000004101327242345500417530ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/avahi/service_avahi-daemon_disabled_groupdocumentation_complete: true title: 'Disable Avahi Server if Possible' description: |- Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Disabling it can reduce the system's vulnerability to such attacks. 
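Added example, not code from the scap-security-guide project: the remediation scripts earlier on this page set flat directives with the `grep -q ^Key file && sed -i "s/Key.*/Key value/g" file; if ! [ $? -eq 0 ]; then echo ... >> file; fi` pattern, and the Avahi rules above require keys inside a named `[server]` or `[publish]` section of /etc/avahi/avahi-daemon.conf, where that pattern (or a bare `echo key=value >>`) would put the key after the last header instead of in the right section. The two helpers below (set_directive/get_directive for sshd_config- or auditd.conf-style files, set_ini_option/get_ini_option for INI files) are my own names and implementation, and the two sample files are constructed for the demonstration, not real system files.

```shell
# Added example (not from the scap-security-guide project). Two idempotent setters:
#   set_directive  - flat "Key value" / "key = value" files (sshd_config, auditd.conf).
#                    Unlike grep ^Key && sed 's/Key.*/.../' || echo >>, the key is
#                    anchored at line start and must end the token, so "#Banner none",
#                    a comment that mentions the key, or the longer key
#                    admin_space_left_action when setting space_left_action are never
#                    rewritten; later active duplicates are commented out.
#   set_ini_option - INI files with [sections] (avahi-daemon.conf): the key is
#                    replaced (or un-commented) inside the requested section, or
#                    inserted before the next header; a missing section is appended.
# Both write back with "cat > file" (not mv) so mode, owner and a symlinked target
# survive, the same reason the scripts above use sed --follow-symlinks.
# Note: awk -v interprets backslash escapes in VALUE.

set_directive() {            # set_directive FILE KEY VALUE [SEP]   (SEP defaults to " ")
    local file="$1" key="$2" value="$3" sep="${4:- }" tmp
    tmp="$(mktemp)" || return 1
    awk -v key="$key" -v val="$value" -v sep="$sep" '
        $0 ~ ("^[[:blank:]]*" key "([[:blank:]=]|$)") {
            if (!done) { print key sep val; done = 1 }   # rewrite the first active line
            else       { print "#" $0 }                  # disable later duplicates
            next
        }
        { print }
        END { if (!done) print key sep val }             # absent: append once
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

get_directive() {            # get_directive FILE KEY  -> value of the active directive
    awk -v key="$2" '$0 ~ ("^[[:blank:]]*" key "([[:blank:]=]|$)") {
        sub(("^[[:blank:]]*" key "[[:blank:]=]*"), ""); print; exit }' "$1"
}

set_ini_option() {           # set_ini_option FILE SECTION KEY VALUE
    local file="$1" section="$2" key="$3" value="$4" tmp
    tmp="$(mktemp)" || return 1
    awk -v section="$section" -v key="$key" -v val="$value" '
        /^[[:blank:]]*\[.*\][[:blank:]]*$/ {                          # a [section] header
            if (in_target && !done) { print key "=" val; done = 1 }  # leaving target: insert
            name = $0; gsub(/^[[:blank:]]*\[|\][[:blank:]]*$/, "", name)
            in_target = (name == section)
            print; next
        }
        in_target && $0 ~ ("^[[:blank:]]*#?[[:blank:]]*" key "[[:blank:]]*=") {
            if (!done) { print key "=" val; done = 1 }   # replace active or commented entry
            next                                          # drop further duplicates
        }
        { print }
        END { if (!done) { if (!in_target) print "[" section "]"; print key "=" val } }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

get_ini_option() {           # get_ini_option FILE SECTION KEY  -> active value (empty if unset)
    awk -v section="$2" -v key="$3" '
        /^[[:blank:]]*\[.*\][[:blank:]]*$/ {
            name = $0; gsub(/^[[:blank:]]*\[|\][[:blank:]]*$/, "", name)
            in_target = (name == section); next
        }
        in_target && $0 ~ ("^[[:blank:]]*" key "[[:blank:]]*=") {
            sub(("^[[:blank:]]*" key "[[:blank:]]*="), ""); print; exit
        }' "$1"
}

# --- constructed demo files (not real system files) ---
ssh_demo="$(mktemp)"; avahi_demo="$(mktemp)"
cat > "$ssh_demo" <<'EOF'
#Banner none
# The Banner directive is set below
Banner /etc/motd
Banner /etc/issue.net
PermitUserEnvironment yes
EOF
cat > "$avahi_demo" <<'EOF'
[server]
use-ipv4=yes
use-ipv6=yes
#check-response-ttl=no

[publish]
#disable-publishing=no
publish-hinfo=yes

[rlimits]
rlimit-nproc=3
EOF

set_directive "$ssh_demo" Banner /etc/issue
set_directive "$ssh_demo" PermitUserEnvironment no
set_directive "$ssh_demo" ClientAliveCountMax 0             # absent -> appended
set_directive "$ssh_demo" Banner /etc/issue                 # rerun: file unchanged
for kv in check-response-ttl=yes disallow-other-stacks=yes use-ipv6=no; do
    set_ini_option "$avahi_demo" server "${kv%=*}" "${kv#*=}"
done
for kv in disable-publishing=yes disable-user-service-publishing=yes \
          publish-hinfo=no publish-workstation=no; do
    set_ini_option "$avahi_demo" publish "${kv%=*}" "${kv#*=}"
done
set_ini_option "$avahi_demo" reflector enable-reflector no   # new section appended at end
```

After the demo runs, `get_directive "$ssh_demo" Banner` prints `/etc/issue` and only one active `Banner` line remains; `get_ini_option "$avahi_demo" publish disable-publishing` prints `yes` while `use-ipv4` in `[server]` is untouched. On a real host, point the helpers at /etc/ssh/sshd_config, /etc/audit/auditd.conf (with SEP `" = "`) or /etc/avahi/avahi-daemon.conf and restart the affected service; the files are only rewritten when awk succeeds, so a failure leaves them as they were.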
scap-security-guide-0.1.39/rhel6/guide/services/base/000077500000000000000000000000001327242345500223535ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/base/base.group000066400000000000000000000007441327242345500243500ustar00rootroot00000000000000documentation_complete: true title: 'Base Services' description: |- This section addresses the base services that are installed on a Red Hat Enterprise Linux 6 default installation which are not covered in other sections. Some of these services listen on the network and should be treated with particular discretion. Other services are local system utilities that may or may not be extraneous. In general, system services should be disabled if not required. scap-security-guide-0.1.39/rhel6/guide/services/base/service_abrtd_disabled.rule000066400000000000000000000016651327242345500277170ustar00rootroot00000000000000documentation_complete: true title: 'Disable Automatic Bug Reporting Tool (abrtd)' description: |- The Automatic Bug Reporting Tool (abrtd) daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. rationale: |- Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local system, as well as sensitive information from within a process's address space or registers. 
severity: unknown identifiers: cce: 27247-6 references: disa: 381 nist: CM-7 srg: SRG-OS-000096 stigid: RHEL-06-000261 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_acpid_disabled.rule000066400000000000000000000013731327242345500276770ustar00rootroot00000000000000documentation_complete: true title: 'Disable Advanced Configuration and Power Interface (acpid)' description: |- The Advanced Configuration and Power Interface Daemon (acpid) dispatches ACPI events (such as power/reset button depressed) to userspace programs. rationale: |- ACPI support is highly desirable for systems in some network roles, such as laptops or desktops. For other systems, such as servers, it may permit accidental or trivially achievable denial of service situations and disabling it is appropriate. severity: unknown identifiers: cce: 27061-1 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_certmonger_disabled.rule000066400000000000000000000014721327242345500307640ustar00rootroot00000000000000documentation_complete: true title: 'Disable Certmonger Service (certmonger)' description: |- Certmonger is a D-Bus based service that attempts to simplify interaction with certifying authorities on networks which use public-key infrastructure. It is often combined with Red Hat's IPA (Identity Policy Audit) security information management solution to aid in the management of certificates. rationale: |- The services provided by certmonger may be essential for systems fulfilling some roles a PKI infrastructure, but its functionality is not necessary for many other use cases. 
severity: unknown identifiers: cce: 27267-4 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_cgconfig_disabled.rule000066400000000000000000000013221327242345500303700ustar00rootroot00000000000000documentation_complete: true title: 'Disable Control Group Config (cgconfig)' description: |- Control groups allow an administrator to allocate system resources (such as CPU, memory, network bandwidth, etc.) among a defined group (or groups) of processes executing on a system. The cgconfig daemon starts at boot and establishes the predefined control groups. rationale: |- Unless control groups are used to manage system resources, running the cgconfig service is not necessary. severity: unknown identifiers: cce: 27250-0 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_cgred_disabled.rule000066400000000000000000000011131327242345500276730ustar00rootroot00000000000000documentation_complete: true title: 'Disable Control Group Rules Engine (cgred)' description: |- The cgred service moves tasks into control groups according to parameters set in the /etc/cgrules.conf configuration file. rationale: |- Unless control groups are used to manage system resources, running the cgred service is not necessary. severity: unknown identifiers: cce: 27252-6 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_cpuspeed_disabled.rule000066400000000000000000000014011327242345500304170ustar00rootroot00000000000000documentation_complete: true title: 'Disable CPU Speed (cpuspeed)' description: |- The cpuspeed service can adjust the clock speed of supported CPUs based upon the current processing load, thereby conserving power and reducing heat. rationale: |- The cpuspeed service is only necessary if adjusting the CPU clock speed provides benefit. 
Traditionally this has included laptops (to enhance battery life), but may also apply to server or desktop environments where conserving power is highly desirable or necessary. severity: unknown identifiers: cce: 26973-8 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_haldaemon_disabled.rule000066400000000000000000000014401327242345500305420ustar00rootroot00000000000000documentation_complete: true title: 'Disable Hardware Abstraction Layer Service (haldaemon)' description: "The Hardware Abstraction Layer Daemon (haldaemon) collects\nand maintains information about the system's hardware configuration. \nThis service is required on a workstation\nrunning a desktop environment, and may be necessary on any system which\ndeals with removable media or devices.\n" rationale: |- The haldaemon provides essential functionality on systems that use removable media or devices, but can be disabled for systems that do not require these. severity: unknown identifiers: cce: 27086-8 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_irqbalance_enabled.rule000066400000000000000000000012021327242345500305320ustar00rootroot00000000000000documentation_complete: true title: 'Enable IRQ Balance (irqbalance)' description: |- The irqbalance service optimizes the balance between power savings and performance through distribution of hardware interrupts across multiple processors. rationale: |- In an environment with multiple processors (now common), the irqbalance service provides potential speedups for handling interrupt requests. 
severity: unknown identifiers: cce: 26990-2 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_kdump_disabled.rule000066400000000000000000000012621327242345500277340ustar00rootroot00000000000000documentation_complete: true title: 'Disable KDump Kernel Crash Analyzer (kdump)' description: |- The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. rationale: |- Unless the system is used for kernel development or testing, there is little need to run the kdump service. severity: unknown identifiers: cce: 26850-8 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_mdmonitor_disabled.rule000066400000000000000000000010441327242345500306220ustar00rootroot00000000000000documentation_complete: true title: 'Disable Software RAID Monitor (mdmonitor)' description: |- The mdmonitor service is used for monitoring a software RAID array; hardware RAID setups do not use this service. rationale: |- If software RAID monitoring is not required, there is no need to run this service. severity: unknown identifiers: cce: 27193-2 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_messagebus_disabled.rule000066400000000000000000000015131327242345500307510ustar00rootroot00000000000000documentation_complete: true title: 'Disable D-Bus IPC Service (messagebus)' description: "D-Bus provides an IPC mechanism used by \na growing list of programs, such as those used for Gnome, Bluetooth, and Avahi.\nDue to these dependencies, disabling D-Bus may not be practical for\nmany systems.\n" rationale: |- If no services which require D-Bus are needed, then it can be disabled. As a broker for IPC between processes of different privilege levels, it could be a target for attack. 
However, disabling D-Bus is likely to be impractical for any system which needs to provide a graphical login session. severity: unknown identifiers: cce: 26913-4 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_netconsole_disabled.rule000066400000000000000000000014101327242345500307600ustar00rootroot00000000000000documentation_complete: true title: 'Disable Network Console (netconsole)' description: |- The netconsole service is responsible for loading the netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. rationale: |- The netconsole service is not necessary unless there is a need to debug kernel panics, which is not common. severity: unknown identifiers: cce: 27254-2 references: disa: 381 nist: CM-7 srg: SRG-OS-000096 stigid: RHEL-06-000289 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_ntpdate_disabled.rule000066400000000000000000000017311327242345500302540ustar00rootroot00000000000000documentation_complete: true title: 'Disable ntpdate Service (ntpdate)' description: |- The ntpdate service sets the local hardware clock by polling NTP servers when the system boots. It synchronizes to the NTP servers listed in /etc/ntp/step-tickers or /etc/ntp.conf and then sets the local hardware clock to the newly synchronized system time. rationale: |- The ntpdate service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated. 
severity: unknown identifiers: cce: 27256-7 references: disa: 382 nist: CM-7 srg: SRG-OS-000096 stigid: RHEL-06-000265 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_oddjobd_disabled.rule000066400000000000000000000016471327242345500302300ustar00rootroot00000000000000documentation_complete: true title: 'Disable Odd Job Daemon (oddjobd)' description: |- The oddjobd service exists to provide an interface and access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with oddjobd occurs through the system message bus (D-Bus). rationale: |- The oddjobd service may provide necessary functionality in some environments, and can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues. severity: unknown identifiers: cce: 27257-5 references: disa: 381 nist: CM-7 srg: SRG-OS-000096 stigid: RHEL-06-000266 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_portreserve_disabled.rule000066400000000000000000000012671327242345500312010ustar00rootroot00000000000000documentation_complete: true title: 'Disable Portreserve (portreserve)' description: |- The portreserve service is a TCP port reservation utility that can be used to prevent portmap from binding to well known TCP ports that are required for other services. rationale: |- The portreserve service provides helpful functionality by preventing conflicting usage of ports in the reserved port range, but it can be disabled if not needed. 
severity: unknown identifiers: cce: 27258-3 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_psacct_enabled.rule000066400000000000000000000014221327242345500277120ustar00rootroot00000000000000documentation_complete: true title: 'Enable Process Accounting (psacct)' description: |- The process accounting service, psacct, works with programs including acct and ac to allow system administrators to view user activity, such as commands issued by users of the system. rationale: |- The psacct service can provide administrators a convenient view into some user activities. However, it should be noted that the auditing system and its audit records provide more authoritative and comprehensive records. severity: unknown identifiers: cce: 27259-1 references: nist: AU-12,CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_qpidd_disabled.rule000066400000000000000000000017321327242345500277170ustar00rootroot00000000000000documentation_complete: true title: 'Disable Apache Qpid (qpidd)' description: |- The qpidd service provides high speed, secure, guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. rationale: "The qpidd service is automatically installed when the \"base\" \npackage selection is selected during installation. The qpidd service listens \nfor network connections, which increases the attack surface of the system. If \nthe system is not intended to receive AMQP traffic, then the qpidd \nservice is not needed and should be disabled or removed." 
severity: unknown identifiers: cce: 26928-2 references: disa: 382 nist: CM-7 srg: SRG-OS-000096 stigid: RHEL-06-000267 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_quota_nld_disabled.rule000066400000000000000000000016661327242345500306120ustar00rootroot00000000000000documentation_complete: true title: 'Disable Quota Netlink (quota_nld)' description: |- The quota_nld service provides notifications to users of disk space quota violations. It listens to the kernel via a netlink socket for disk quota violations and notifies the appropriate user of the violation using D-Bus or by sending a message to the terminal that the user has last accessed. rationale: |- If disk quotas are enforced on the local system, then the quota_nld service likely provides useful functionality and should remain enabled. However, if disk quotas are not used or user notification of disk quota violation is not desired then there is no need to run this service. severity: unknown identifiers: cce: 27260-9 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_rdisc_disabled.rule000066400000000000000000000017321327242345500277220ustar00rootroot00000000000000documentation_complete: true title: 'Disable Network Router Discovery Daemon (rdisc)' description: |- The rdisc service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. rationale: |- General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information. 
severity: unknown identifiers: cce: 27261-7 references: disa: 382 nist: AC-4,CM-7 srg: SRG-OS-000096 stigid: RHEL-06-000268 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_rhnsd_disabled.rule000066400000000000000000000017101327242345500277300ustar00rootroot00000000000000documentation_complete: true title: 'Disable Red Hat Network Service (rhnsd)' description: |- The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. rationale: |- Although systems management and patching are extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server, the rhnsd daemon can remain on. severity: unknown identifiers: cce: 26846-6 references: disa: 382 nist: CM-7 srg: SRG-OS-000096 stigid: RHEL-06-000009 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_rhsmcertd_disabled.rule000066400000000000000000000015311327242345500306060ustar00rootroot00000000000000documentation_complete: true title: 'Disable Red Hat Subscription Manager Daemon (rhsmcertd)' description: |- The Red Hat Subscription Manager daemon (rhsmcertd) periodically checks for changes in the entitlement certificates for a registered system and updates it accordingly. rationale: |- The rhsmcertd service can provide administrators with some additional control over which of their systems are entitled to particular subscriptions. However, for systems that are managed locally or which are not expected to require remote changes to their subscription status, it is unnecessary and can be disabled. 
severity: unknown identifiers: cce: 27262-5 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_saslauthd_disabled.rule000066400000000000000000000017321327242345500306060ustar00rootroot00000000000000documentation_complete: true title: 'Disable Cyrus SASL Authentication Daemon (saslauthd)' description: |- The saslauthd service handles plaintext authentication requests on behalf of the SASL library. The service isolates all code requiring superuser privileges for SASL authentication into a single process, and can also be used to provide proxy authentication services to clients that do not understand SASL based authentication. rationale: |- The saslauthd service provides essential functionality for performing authentication in some directory environments, such as those which use Kerberos and LDAP. For others, however, in which only local files may be consulted, it is not necessary and should be disabled. severity: unknown identifiers: cce: 27263-3 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_smartd_disabled.rule000066400000000000000000000013321327242345500301040ustar00rootroot00000000000000documentation_complete: true title: 'Disable SMART Disk Monitoring Service (smartd)' description: |- SMART (Self-Monitoring, Analysis, and Reporting Technology) is a feature of hard drives that allows them to detect symptoms of disk failure and relay an appropriate warning. rationale: |- SMART can help protect against denial of service due to failing hardware. Nevertheless, if it is not needed or the system's drives are not SMART-capable (such as solid state drives), it can be disabled. 
severity: unknown identifiers: cce: 26853-2 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/base/service_sysstat_disabled.rule000066400000000000000000000014141327242345500303250ustar00rootroot00000000000000documentation_complete: true title: 'Disable System Statistics Reset Service (sysstat)' description: |- The sysstat service resets various I/O and CPU performance statistics to zero in order to begin counting from a fresh state at boot time. rationale: |- By default the sysstat service merely runs a program at boot to reset the statistics, which can be retrieved using programs such as sar and sadc. These may provide useful insight into system operation, but unless used this service can be disabled. severity: unknown identifiers: cce: 27265-8 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/cron_and_at/000077500000000000000000000000001327242345500237105ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/cron_and_at/cron_and_at.group000066400000000000000000000005651327242345500272430ustar00rootroot00000000000000documentation_complete: true title: 'Cron and At Daemons' description: |- The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform necessary maintenance tasks, while at may or may not be required on a given system. Both daemons should be configured defensively. scap-security-guide-0.1.39/rhel6/guide/services/cron_and_at/disable_anacron.rule000066400000000000000000000014071327242345500277070ustar00rootroot00000000000000documentation_complete: true title: 'Disable anacron Service' description: "The cronie-anacron package, which provides anacron\nfunctionality, is installed by default. \n" rationale: |- The anacron service provides cron functionality for systems such as laptops and workstations that may be shut down during the normal times that cron jobs are scheduled to run. 
On systems which do not require this additional functionality, anacron could needlessly increase the possible attack surface for an intruder. severity: unknown identifiers: cce: 27158-5 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/cron_and_at/restrict_at_cron_users/000077500000000000000000000000001327242345500304755ustar00rootroot00000000000000restrict_at_cron_users.group000066400000000000000000000025351327242345500362660ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/cron_and_at/restrict_at_cron_usersdocumentation_complete: true title: 'Restrict at and cron to Authorized Users if Necessary' description: |- The /etc/cron.allow and /etc/at.allow files contain lists of users who are allowed to use cron and at to delay execution of processes. If these files exist and if the corresponding files /etc/cron.deny and /etc/at.deny do not exist, then only users listed in the relevant allow files can run the crontab and at commands to submit jobs to be run at scheduled intervals. On many systems, only the system administrator needs the ability to schedule jobs. Note that even if a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file controls only administrative access to the crontab command for scheduling and modifying cron jobs.

To restrict at and cron to only authorized users:
  • Remove the cron.deny file:
    $ sudo rm /etc/cron.deny
  • Edit /etc/cron.allow, adding one line for each user allowed to use the crontab command to create cron jobs.
  • Remove the at.deny file:
    $ sudo rm /etc/at.deny
  • Edit /etc/at.allow, adding one line for each user allowed to use the at command to create at jobs.
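The script below is an added example and is not part of the SCAP Security Guide or its automated checks. It verifies the end state of the procedure above for both schedulers: the deny file must be gone, the allow file must exist, it must not be group- or world-writable (otherwise any user could add their own name), and every name in it should be a real account. The ROOT prefix, the script name and the sample tree are assumptions made for this example so that it can run against a staging copy; with ROOT unset it inspects the live /etc.

```sh
#!/bin/sh
# Added example, not part of the SCAP Security Guide: audit the at/cron
# access-control files described in the procedure above.  ROOT is an
# assumption of this script: it prefixes every path so the check can be run
# against a staging tree; leave it unset to check the live /etc.

# check_scheduler NAME   (NAME is "cron" or "at")
# Compliant when /etc/NAME.deny is absent and /etc/NAME.allow exists.
# Prints one line per finding and returns 0 only when compliant.
check_scheduler() {
    name="$1"
    allow="${ROOT}/etc/${name}.allow"
    deny="${ROOT}/etc/${name}.deny"
    status=0

    if [ -e "$deny" ]; then
        echo "FAIL: $deny exists; remove it so that $allow alone governs access"
        status=1
    fi

    if [ ! -e "$allow" ]; then
        echo "FAIL: $allow is missing; create it with one authorized user per line"
        status=1
    else
        # Every listed name should be a real account; anything else is a typo
        # or a stale entry that restricts nobody.
        while IFS= read -r user || [ -n "$user" ]; do
            case "$user" in ''|'#'*) continue ;; esac
            getent passwd "$user" >/dev/null 2>&1 \
                || echo "WARN: $allow lists '$user', which is not a known account"
        done < "$allow"
        # The allow list must be writable by root only, otherwise an
        # unprivileged user could simply add their own name.
        case "$(ls -l "$allow" | cut -c6,9)" in
            *w*) echo "FAIL: $allow is group- or world-writable"; status=1 ;;
        esac
    fi

    [ "$status" -eq 0 ] && echo "PASS: $name is restricted to the users listed in $allow"
    return "$status"
}

# Constructed sample tree (not a real system): cron is restricted correctly,
# while at still carries the empty at.deny file that the at package ships.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc"
    printf 'root\n' > "$dir/etc/cron.allow"
    printf 'root\n' > "$dir/etc/at.allow"
    : > "$dir/etc/at.deny"
    chmod 0600 "$dir/etc/cron.allow" "$dir/etc/at.allow"
    echo "$dir"
}

# Usage: ROOT=/staging/copy sh check_cron_at.sh cron at   (omit ROOT for the live system)
if [ "$#" -gt 0 ]; then
    overall=0
    for svc in "$@"; do
        check_scheduler "$svc" || overall=1
    done
    exit "$overall"
fi
```

On the sample tree the cron check passes and the at check fails until at.deny is removed; the same invocation with ROOT unset and the arguments cron at reports on the live system.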
scap-security-guide-0.1.39/rhel6/guide/services/cron_and_at/service_atd_disabled.rule000066400000000000000000000017411327242345500307230ustar00rootroot00000000000000documentation_complete: true title: 'Disable At Service (atd)' description: |- The at and batch commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon atd keeps track of tasks scheduled via at and batch, and executes them at the specified time. rationale: |- The atd service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at or batch is not common. severity: unknown identifiers: cce: 27249-2 references: disa: 381 nist: CM-7 srg: SRG-OS-000096 stigid: RHEL-06-000262 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/cron_and_at/service_crond_enabled.rule000066400000000000000000000012311327242345500310750ustar00rootroot00000000000000documentation_complete: true title: 'Enable cron Service' description: |- The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. rationale: |- Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential. 
severity: medium identifiers: cce: 27070-2 references: nist: CM-7 srg: SRG-OS-999999 stigid: RHEL-06-000224 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/dhcp/000077500000000000000000000000001327242345500223575ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/dhcp.group000066400000000000000000000011261327242345500243530ustar00rootroot00000000000000documentation_complete: true title: DHCP description: "The Dynamic Host Configuration Protocol (DHCP) allows\nsystems to request and obtain an IP address and other configuration\nparameters from a server.\n

\nThis guide recommends configuring networking on clients by manually editing\nthe appropriate files under /etc/sysconfig. Use of DHCP can make client \nsystems vulnerable to compromise by rogue DHCP servers, and should be avoided \nunless necessary. If using DHCP is necessary, however, there are best practices \nthat should be followed to minimize security risk." scap-security-guide-0.1.39/rhel6/guide/services/dhcp/dhcp_client_configuration/000077500000000000000000000000001327242345500275625ustar00rootroot00000000000000dhcp_client_configuration.group000066400000000000000000000007161327242345500357700ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/dhcp_client_configurationdocumentation_complete: true title: 'Configure DHCP Client if Necessary' description: |- If DHCP must be used, then certain configuration changes can minimize the amount of information it receives and applies from the network, and thus the amount of incorrect information a rogue DHCP server could successfully distribute. For more information on configuring dhclient, see the dhclient(8) and dhclient.conf(5) man pages. dhcp_client_restrict_options.rule000066400000000000000000000041341327242345500363440ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/dhcp_client_configurationdocumentation_complete: true title: 'Minimize the DHCP-Configured Options' description: |- Create the file /etc/dhcp/dhclient.conf, and add an appropriate setting for each of the ten configuration settings which can be obtained via DHCP. For each setting, do one of the following:
If the setting should not be configured remotely by the DHCP server, select an appropriate static value, and add the line:
supersede setting value;
If the setting should be configured remotely by the DHCP server, add the lines:
request setting;
    require setting;
For example, suppose the DHCP server should provide only the IP address itself and the subnet mask. Then the entire file should look like:
supersede domain-name "example.com";
    supersede domain-name-servers 192.168.1.2;
    supersede nis-domain "";
    supersede nis-servers "";
    supersede ntp-servers "ntp.example.com";
    supersede routers 192.168.1.1;
    supersede time-offset -18000;
    request subnet-mask;
    require subnet-mask;
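The following check is an added example; it is not part of the SCAP Security Guide and is not how the guide's own OVAL content evaluates this rule. It reads a dhclient.conf and reports, for each of the ten options dhclient applies by default, whether the option is superseded, requested and required, or left without any disposition. Run against the example file above it shows something worth knowing: that file pins eight options, so broadcast-address and host-name are still unaddressed. The script name, the sample files and the values used in the completed variant are assumptions.

```sh
#!/bin/sh
# Added example, not part of the SCAP Security Guide: check a dhclient.conf
# against the rule above.  Each of the ten options dhclient applies by default
# must be either superseded with a static value, or explicitly requested AND
# required; anything else is left to whichever DHCP server answers first.
# The sample files written below are constructed for the demonstration.

DHCLIENT_OPTIONS="subnet-mask broadcast-address time-offset routers domain-name \
domain-name-servers host-name nis-domain nis-servers ntp-servers"

# Drop comments, squeeze whitespace and blank lines so matching does not
# depend on how the file happens to be laid out.
normalize_conf() {
    sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1" \
        | grep -v '^$'
}

# has_stmt FILE KEYWORD OPTION: true if a "KEYWORD ... OPTION" statement exists;
# handles comma-separated lists such as "request subnet-mask, routers;".
has_stmt() {
    normalize_conf "$1" | grep -Eq "^$2 ([a-z0-9-]+, )*$3( |;|,)"
}

# audit_dhclient_conf FILE: one verdict line per option; returns 0 only when
# every option has an explicit disposition.
audit_dhclient_conf() {
    conf="$1"
    rc=0
    for opt in $DHCLIENT_OPTIONS; do
        if has_stmt "$conf" supersede "$opt"; then
            echo "ok   $opt: static value superseded"
        elif has_stmt "$conf" request "$opt"; then
            if has_stmt "$conf" require "$opt"; then
                echo "ok   $opt: requested from DHCP and required"
            else
                echo "WARN $opt: requested but not required; a lease lacking it is still accepted"
            fi
        else
            echo "FAIL $opt: neither superseded nor requested; the rule calls for an explicit choice"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the rule's example file from above.  Note that it pins
# only eight of the ten options; broadcast-address and host-name are not
# addressed at all.
write_example_conf() {
    cat > "$1" <<'EOF'
supersede domain-name "example.com";
supersede domain-name-servers 192.168.1.2;
supersede nis-domain "";
supersede nis-servers "";
supersede ntp-servers "ntp.example.com";
supersede routers 192.168.1.1;
supersede time-offset -18000;
request subnet-mask;
require subnet-mask;
EOF
}

# The same file with the two missing options pinned (the values are
# assumptions, chosen to fit the 192.168.1.0/24 example network).
write_complete_conf() {
    write_example_conf "$1"
    cat >> "$1" <<'EOF'
supersede broadcast-address 192.168.1.255;
supersede host-name "client.example.com";
EOF
}

# Usage: sh check_dhclient.sh /etc/dhcp/dhclient.conf
if [ "$#" -gt 0 ]; then audit_dhclient_conf "$1"; fi
```

Because a request statement replaces dhclient's default request list, an option that is neither superseded nor requested is simply never configured; the check still flags it, since the rule asks for an explicit choice for each of the ten.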
rationale: |- By default, the DHCP client program, dhclient, requests and applies ten configuration options (in addition to the IP address) from the DHCP server: subnet-mask, broadcast-address, time-offset, routers, domain-name, domain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers. Many of the options requested and applied by dhclient may be the same for every system on a network. It is recommended that almost all configuration options be assigned statically, and only options which must vary on a host-by-host basis be assigned via DHCP. This limits the damage which can be done by a rogue DHCP server. If appropriate for your site, it is also possible to supersede the host-name directive in /etc/dhcp/dhclient.conf, establishing a static hostname for the system. However, dhclient does not use the host name option provided by the DHCP server (instead using the value provided by a reverse DNS lookup). severity: unknown scap-security-guide-0.1.39/rhel6/guide/services/dhcp/dhcp_server_configuration/000077500000000000000000000000001327242345500276125ustar00rootroot00000000000000dhcp_server_configuration.group000066400000000000000000000011661327242345500360500ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/dhcp_server_configurationdocumentation_complete: true title: 'Disable DHCP Server' description: |- If the system must act as a DHCP server, the configuration information it serves should be minimized. Also, support for other protocols and DNS-updating schemes should be explicitly disabled unless needed. The configuration file for dhcpd is called /etc/dhcp/dhcpd.conf. The file begins with a number of global configuration options. The remainder of the file is divided into sections, one for each block of addresses offered by dhcpd, each of which contains configuration options specific to that address block. 
dhcp_server_configure_logging.rule000066400000000000000000000011511327242345500364750ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/dhcp_server_configurationdocumentation_complete: true title: 'Configure Logging' description: |- Ensure that the following line exists in /etc/rsyslog.conf:
daemon.*           /var/log/daemon.log
Configure logwatch or other log monitoring tools to summarize error conditions reported by the dhcpd process. rationale: |- By default, dhcpd logs notices to the daemon facility. Sending all daemon messages to a dedicated log file is part of the syslog configuration outlined in the Logging and Auditing section. severity: unknown identifiers: cce: 26898-7 references: nist: AU-12 dhcp_server_deny_bootp.rule000066400000000000000000000010311327242345500351450ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/dhcp_server_configurationdocumentation_complete: true title: 'Deny BOOTP Queries' description: |- Unless your network needs to support older BOOTP clients, disable support for the bootp protocol by adding or correcting the global option:
deny bootp;
rationale: |- The bootp option tells dhcpd to respond to BOOTP queries. If support for this simpler protocol is not needed, it should be disabled to remove attack vectors against the DHCP server. severity: unknown identifiers: cce: 27077-7 references: nist: CM-7 dhcp_server_deny_decline.rule000066400000000000000000000012711327242345500354330ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/dhcp_server_configurationdocumentation_complete: true title: 'Deny Decline Messages' description: |- Edit /etc/dhcp/dhcpd.conf and add or correct the following global option to prevent the DHCP server from responding to DHCPDECLINE messages, if possible:
deny declines;
rationale: |- The DHCPDECLINE message can be sent by a DHCP client to indicate that it does not consider the lease offered by the server to be valid. By issuing many DHCPDECLINE messages, a malicious client can exhaust the DHCP server's pool of IP addresses, causing the DHCP server to forget old address allocations. severity: unknown identifiers: cce: 27106-4 references: nist: CM-7 dhcp_server_disable_ddns.rule000066400000000000000000000016601327242345500354260ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/dhcp_server_configurationdocumentation_complete: true title: 'Do Not Use Dynamic DNS' description: |- To prevent the DHCP server from receiving DNS information from clients, edit /etc/dhcp/dhcpd.conf, and add or correct the following global option:
ddns-update-style none;
rationale: |- The Dynamic DNS protocol is used to remotely update the data served by a DNS server. DHCP servers can use Dynamic DNS to publish information about their clients. This setup carries security risks, and its use is not recommended. If Dynamic DNS must be used despite the risks it poses, it is critical that Dynamic DNS transactions be protected using TSIG or some other cryptographic authentication mechanism. See dhcpd.conf(5) for more information about protecting the DHCP server from passing along malicious DNS data from its clients. severity: unknown identifiers: cce: 27049-6 references: nist: CM-7 dhcp_server_minimize_served_info.rule000066400000000000000000000016121327242345500372140ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/dhcp_server_configurationdocumentation_complete: true title: 'Minimize Served Information' description: |- Edit /etc/dhcp/dhcpd.conf. Examine each address range section within the file, and ensure that the following options are not defined unless there is an operational need to provide this information via DHCP:
option domain-name
    option domain-name-servers
    option nis-domain
    option nis-servers
    option ntp-servers
    option routers
    option time-offset
rationale: |- Because the configuration information provided by the DHCP server could be maliciously provided to clients by a rogue DHCP server, the amount of information provided via DHCP should be minimized. Remove these definitions from the DHCP server configuration to ensure that legitimate clients do not unnecessarily rely on DHCP for this information. severity: unknown references: nist: CM-7 scap-security-guide-0.1.39/rhel6/guide/services/dhcp/disabling_dhcp_client/000077500000000000000000000000001327242345500266475ustar00rootroot00000000000000disabling_dhcp_client.group000066400000000000000000000005301327242345500341340ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/disabling_dhcp_clientdocumentation_complete: true title: 'Disable DHCP Client' description: |- DHCP is the default network configuration method provided by the system installer, and common on many networks. Nevertheless, manual management of IP addresses for systems implies a greater degree of management and accountability for network activity. sysconfig_networking_bootproto_ifcfg.rule000066400000000000000000000026501327242345500372040ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/disabling_dhcp_clientdocumentation_complete: true title: 'Disable DHCP Client' description: |- For each interface on the system (e.g. eth0), edit /etc/sysconfig/network-scripts/ifcfg-interface and make the following changes:
  • Correct the BOOTPROTO line to read:
    BOOTPROTO=none
  • Add or correct the following lines, substituting the appropriate values based on your site's addressing scheme:
    NETMASK=255.255.255.0
        IPADDR=192.168.1.2
        GATEWAY=192.168.1.1
rationale: |- DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances. severity: unknown identifiers: cce: 27021-5 references: disa: 366 nist: CM-7 srg: SRG-OS-999999 stigid: RHEL-06-000292 ocil_clause: 'it does not' ocil: |- To verify that DHCP is not being used, examine the following file for each interface:
# /etc/sysconfig/network-scripts/ifcfg-interface
Look for the following:
BOOTPROTO=none
and the following, substituting the appropriate values based on your site's addressing scheme:
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
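The check for this rule, as an added example that is not part of the SCAP Security Guide content: a small Python audit that parses ifcfg files the way the shell would source them (quoted values, trailing comments, last assignment wins) and applies the three requirements above, BOOTPROTO=none plus IPADDR, NETMASK and GATEWAY. The interface files and addresses are constructed samples, and the directory audited is a temporary one rather than /etc/sysconfig/network-scripts.

```python
"""Audit ifcfg-* files for static addressing (added example, not SSG code).

parse_ifcfg() reads the KEY=VALUE shell-style syntax of
/etc/sysconfig/network-scripts/ifcfg-<interface>; check_static() applies
the rule above: BOOTPROTO must be "none" and IPADDR, NETMASK and GATEWAY
must all be set.  The sample files below are constructed for illustration.
"""
import os
import re
import shutil
import tempfile

_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$')


def parse_ifcfg(text):
    """Return {KEY: value} from ifcfg text; strips quotes, comments and blank lines.
    A later assignment of the same key wins, as it would when the file is sourced.
    (A '#' inside a quoted value is not handled; ifcfg files do not use that.)"""
    settings = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0]
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        settings[key] = value
    return settings


REQUIRED_STATIC = ('IPADDR', 'NETMASK', 'GATEWAY')


def check_static(text):
    """Return a list of findings; an empty list means the interface is statically
    configured as the rule requires.  Note that BOOTPROTO=static, accepted by older
    initscripts, is still reported because the rule asks for "none"."""
    cfg = parse_ifcfg(text)
    findings = []
    proto = cfg.get('BOOTPROTO', '')
    if proto.lower() != 'none':
        findings.append('BOOTPROTO is %r, expected "none"' % proto)
    for key in REQUIRED_STATIC:
        if not cfg.get(key):
            findings.append('%s is not set' % key)
    return findings


def audit_ifcfg_dir(directory):
    """Check every ifcfg-* file except the loopback; returns {filename: findings}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.startswith('ifcfg-') or name == 'ifcfg-lo':
            continue
        with open(os.path.join(directory, name)) as fh:
            results[name] = check_static(fh.read())
    return results


# Constructed sample files (hypothetical interfaces, not taken from a real host).
SAMPLE_STATIC = """\
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1
"""
SAMPLE_DHCP = """\
DEVICE="eth1"
BOOTPROTO="dhcp"   # quoted values are common in files written by installers
ONBOOT=yes
"""
SAMPLE_INCOMPLETE = """\
DEVICE=eth2
BOOTPROTO=none
IPADDR=10.0.0.5
"""


def write_samples():
    """Write the constructed samples into a fresh temporary directory and return it."""
    directory = tempfile.mkdtemp(prefix='ifcfg-audit-')
    for name, body in (('ifcfg-eth0', SAMPLE_STATIC), ('ifcfg-eth1', SAMPLE_DHCP),
                       ('ifcfg-eth2', SAMPLE_INCOMPLETE), ('ifcfg-lo', 'DEVICE=lo\n')):
        with open(os.path.join(directory, name), 'w') as fh:
            fh.write(body)
    return directory


if __name__ == '__main__':
    sample_dir = write_samples()
    try:
        for name, findings in audit_ifcfg_dir(sample_dir).items():
            print(name, 'PASS' if not findings else 'FAIL: ' + '; '.join(findings))
    finally:
        shutil.rmtree(sample_dir)
```

On a real host, call audit_ifcfg_dir('/etc/sysconfig/network-scripts') instead of the sample directory; the loopback file is skipped because it carries no BOOTPROTO requirement.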
scap-security-guide-0.1.39/rhel6/guide/services/dhcp/disabling_dhcp_server/000077500000000000000000000000001327242345500266775ustar00rootroot00000000000000disabling_dhcp_server.group000066400000000000000000000004531327242345500342200ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/disabling_dhcp_serverdocumentation_complete: true title: 'Disable DHCP Server' description: |- The DHCP server dhcpd is not installed or activated by default. If the software was installed and activated, but the system does not need to act as a DHCP server, it should be disabled and removed. scap-security-guide-0.1.39/rhel6/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed.rule000066400000000000000000000010001327242345500336710ustar00rootroot00000000000000documentation_complete: true title: 'Uninstall DHCP Server Package' description: |- If the system does not need to act as a DHCP server, the dhcp package can be uninstalled. rationale: |- Removing the DHCP server ensures that it cannot be easily or accidentally reactivated and disrupt network operation. severity: medium identifiers: cce: 27120-5 references: disa: 366 nist: CM-7 ocil: '' service_dhcpd_disabled.rule000066400000000000000000000011421327242345500341400ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dhcp/disabling_dhcp_serverdocumentation_complete: true title: 'Disable DHCP Service' description: |- The dhcpd service should be disabled on any system that does not need to act as a DHCP server. rationale: |- Unmanaged or unintentionally activated DHCP servers may provide faulty information to clients, interfering with the operation of a legitimate site DHCP server if there is one. 
severity: medium identifiers: cce: 27074-4 references: disa: 366 nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/dns/000077500000000000000000000000001327242345500222255ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/disabling_dns_server/000077500000000000000000000000001327242345500264135ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/disabling_dns_server/disabling_dns_server.group000066400000000000000000000005741327242345500336650ustar00rootroot00000000000000documentation_complete: true title: 'Disable DNS Server' description: |- DNS software should be disabled on any machine which does not need to be a nameserver. Note that the BIND DNS server software is not installed on Red Hat Enterprise Linux 6 by default. The remainder of this section discusses secure configuration of machines which must be nameservers. scap-security-guide-0.1.39/rhel6/guide/services/dns/disabling_dns_server/package_bind_removed.rule000066400000000000000000000007761327242345500334260ustar00rootroot00000000000000documentation_complete: true title: 'Uninstall bind Package' description: |- To remove the bind package, which contains the named service, run the following command:
$ sudo yum erase bind
rationale: |- If there is no need to make DNS server software available, removing it provides a safeguard against its activation. severity: unknown identifiers: cce: 27030-6 references: disa: 366 nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/dns/disabling_dns_server/service_named_disabled.rule000066400000000000000000000006551327242345500337450ustar00rootroot00000000000000documentation_complete: true title: 'Disable DNS Server' description: '' rationale: |- All network services involve some risk of compromise due to implementation flaws and should be disabled if possible. severity: unknown identifiers: cce: 26873-0 references: disa: 366 nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/dns/dns.group000066400000000000000000000004761327242345500240760ustar00rootroot00000000000000documentation_complete: true title: 'DNS Server' description: |- Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS server software, and this server software should be disabled on any system on which it is not needed. scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_isolation/000077500000000000000000000000001327242345500264605ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_isolation/dns_server_chroot/000077500000000000000000000000001327242345500322105ustar00rootroot00000000000000dns_server_chroot.group000066400000000000000000000016231327242345500367410ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_isolation/dns_server_chrootdocumentation_complete: true title: 'Run DNS Software in a chroot Jail' description: |- Install the bind-chroot package:
$ sudo yum install bind-chroot
Place a valid named.conf file inside the chroot jail:
$ sudo cp /etc/named.conf /var/named/chroot/etc/named.conf
$ sudo chown root:root /var/named/chroot/etc/named.conf
$ sudo chmod 644 /var/named/chroot/etc/named.conf
Create and populate an appropriate zone directory within the jail, based on the options directive. If your named.conf includes:
options {
    directory "/path/to/DIRNAME";
    ...
};
then copy that directory and its contents to the same path relative to the jail, since named resolves the directory directive inside the chroot:
$ sudo mkdir -p /var/named/chroot/path/to
$ sudo cp -r /path/to/DIRNAME /var/named/chroot/path/to/DIRNAME
Add or correct the following line within /etc/sysconfig/named:
ROOTDIR=/var/named/chroot
scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_isolation/dns_server_dedicated/000077500000000000000000000000001327242345500326205ustar00rootroot00000000000000dns_server_dedicated.group000066400000000000000000000005011327242345500377530ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_isolation/dns_server_dedicateddocumentation_complete: true title: 'Run DNS Software on Dedicated Servers' description: |- Since DNS is a high-risk service which must frequently be made available to the entire Internet, it is strongly recommended that no other services be offered by machines which act as organizational DNS servers. scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_isolation/dns_server_isolation.group000066400000000000000000000005461327242345500337760ustar00rootroot00000000000000documentation_complete: true title: 'Isolate DNS from Other Services' description: |- This section discusses mechanisms for preventing the DNS server from interfering with other services. This is done both to protect the remainder of the network should a nameserver be compromised, and to make direct attacks on nameservers more difficult. scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_protection/000077500000000000000000000000001327242345500266455ustar00rootroot00000000000000dns_server_authenticate_zone_transfers.rule000066400000000000000000000037701327242345500375200ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_protectiondocumentation_complete: true title: 'Authenticate Zone Transfers' description: |- If it is necessary for a secondary nameserver to receive zone data via zone transfer from the primary server, follow the instructions here. Use dnssec-keygen to create a symmetric key file in the current directory:
$ cd /tmp
$ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com
Kdns.example.com.+NNN+MMMMM
This output is the base name of the files containing the new key, where NNN is the algorithm number (157 for HMAC-MD5) and MMMMM is the key identifier. Read the .key file to find the base64-encoded key string:
$ sudo cat Kdns.example.com.+NNN+MMMMM.key
dns.example.com. IN KEY 512 3 157 base64-key-string
HMAC-MD5 is kept here because it is what the original guidance used; the BIND shipped with Red Hat Enterprise Linux 6 also supports HMAC-SHA256 (-a HMAC-SHA256 here, algorithm hmac-sha256; in named.conf), which should be preferred for new keys. Whichever algorithm is chosen must be named identically on both servers.
Add the directives to /etc/named.conf on the primary server:
key zone-transfer-key {
    algorithm hmac-md5;
    secret "base64-key-string";
};
zone "example.com" IN {
    type master;
    allow-transfer { key zone-transfer-key; };
    ...
};
Add the directives below to /etc/named.conf on the secondary nameserver:
key zone-transfer-key {
    algorithm hmac-md5;
    secret "base64-key-string";
};

server IP-OF-MASTER {
    keys { zone-transfer-key; };
};

zone "example.com" IN {
    type slave;
    masters { IP-OF-MASTER; };
    ...
};
rationale: |- The BIND transaction signature (TSIG) functionality allows primary and secondary nameservers to use a shared secret to verify authorization to perform zone transfers. This method is more secure than using IP-based limiting to restrict nameserver access, since IP addresses can be easily spoofed. However, if you cannot configure TSIG between your servers because, for instance, the secondary nameserver is not under your control and its administrators are unwilling to configure TSIG, you can configure an allow-transfer directive with numerical IP addresses or ACLs as a last resort. severity: unknown identifiers: cce: 27496-9 references: nist: CM-7 dns_server_disable_dynamic_updates.rule000066400000000000000000000017051327242345500365500ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_protectiondocumentation_complete: true title: 'Disable Dynamic Updates' description: |- Is there a mission-critical reason to enable the risky dynamic update functionality? If not, edit /etc/named.conf. For each zone specification, correct the following directive if necessary:
zone "example.com" IN {
    allow-update { none; };
    ...
};
rationale: |- Dynamic updates allow remote servers to add, delete, or modify any entries in your zone file. Therefore, they should be considered highly risky, and disabled unless there is a very good reason for their use. If dynamic updates must be allowed, IP-based ACLs are insufficient protection, since they are easily spoofed. Instead, use TSIG keys (see the previous section for an example), and consider using the update-policy directive to restrict changes to only the precise type of change needed. severity: unknown identifiers: cce: 27105-6 dns_server_disable_zone_transfers.rule000066400000000000000000000016361327242345500364440ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_protectiondocumentation_complete: true title: 'Disable Zone Transfers from the Nameserver' description: |- Is it necessary for a secondary nameserver to receive zone data via zone transfer from the primary server? If not, follow the instructions in this section. If so, see the next section for instructions on protecting zone transfers. Add or correct the following directive within /etc/named.conf:
options {
    allow-transfer { none; };
    ...
};
rationale: |- If both the primary and secondary nameserver are under your control, or if you have only one nameserver, it may be possible to use an external configuration management mechanism to distribute zone updates. In that case, it is not necessary to allow zone transfers within BIND itself, so they should be disabled to avoid the potential for abuse. severity: unknown identifiers: cce: 27528-9 dns_server_partition_with_views/000077500000000000000000000000001327242345500353015ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_protectiondns_server_partition_with_views.group000066400000000000000000000015331327242345500450740ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_protection/dns_server_partition_with_viewsdocumentation_complete: true title: 'Use Views to Partition External and Internal Information' description: |- If it is not possible to run external and internal nameservers on separate physical machines, run BIND9 and simulate this feature using views. Edit /etc/named.conf. Add or correct the following directives (where SUBNET is the numerical IP representation of your organization in the form xxx.xxx.xxx.xxx/xx):
acl internal {
    SUBNET;
    localhost;
};
view "internal-view" {
    match-clients { internal; };
    zone "." IN {
        type hint;
        file "db.cache";
    };
    zone "internal.example.com" IN {
        ...
    };
};

view "external-view" {
    match-clients { any; };
    recursion no;
    zone "example.com" IN {
        ...
    };
};
Views are matched in the order in which they appear in named.conf and the first match wins, so the internal view must be listed before the external one, as above.
dns_server_protection.group000066400000000000000000000004041327242345500342620ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_protectiondocumentation_complete: true title: 'Protect DNS Data from Tampering or Attack' description: |- This section discusses DNS configuration options which make it more difficult for attackers to gain access to private DNS data or to modify DNS data. dns_server_separate_internal_external/000077500000000000000000000000001327242345500364225ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_protectiondns_server_separate_internal_external.group000066400000000000000000000016121327242345500473340ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/dns/dns_server_protection/dns_server_separate_internal_externaldocumentation_complete: true title: 'Run Separate DNS Servers for External and Internal Queries' description: |- Is it possible to run external and internal nameservers on separate machines? If so, follow the configuration guidance in this section. On the external nameserver, edit /etc/named.conf to add or correct the following directives:
options {
    allow-query { any; };
    recursion no;
    ...
};
zone "example.com" IN {
    ...
};
On the internal nameserver, edit /etc/named.conf. Add or correct the following directives, where SUBNET is the numerical IP representation of your organization in the form xxx.xxx.xxx.xxx/xx:
acl internal {
    SUBNET;
    localhost;
};
options {
    allow-query { internal; };
    ...
};
zone "internal.example.com" IN {
    ...
};
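The directives in the five preceding rules (authenticated or disabled zone transfers, allow-update { none; }, recursion no on any scope open to arbitrary clients, and the internal/external split done with views or with separate servers) can be audited together. The following Python script is an added example, not code from the SCAP Security Guide or from BIND: it carries a minimal brace-aware parser for named.conf and three checks over the parsed tree. The two configurations it inspects are constructed samples; example.com, zone-transfer-key, the secret placeholder and 192.168.1.0/24 are illustrative values, and the hardened sample uses hmac-sha256 rather than the hmac-md5 shown above.

```python
"""Audit named.conf for the zone-transfer, dynamic-update and recursion settings
recommended in this section (added example; not SSG or BIND code).

parse_named() is a small brace-aware parser for the named.conf syntax, enough to
walk options, views and zones.  The configurations below are constructed samples.
"""
import re

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text):
    """Remove /* */, // and # comments (quoted strings are assumed not to contain them)."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)


def parse_named(text):
    """Return a list of statements; each is (words, children) where children is a
    nested list for `name { ... };` blocks and None for plain `name value;` lines."""
    tokens = _TOKEN.findall(strip_comments(text))
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != '}':
            words, children = [], None
            while pos < len(tokens) and tokens[pos] not in ('{', '}', ';'):
                words.append(tokens[pos].strip('"'))
                pos += 1
            if pos < len(tokens) and tokens[pos] == '{':
                pos += 1
                children = block()
                if pos < len(tokens) and tokens[pos] == '}':
                    pos += 1
            if pos < len(tokens) and tokens[pos] == ';':
                pos += 1
            if words:
                stmts.append((words, children))
        return stmts

    return block()


def find(stmts, keyword):
    return [s for s in stmts if s[0][0] == keyword]


def acl_entries(stmt):
    """Flatten an address-match list: allow-transfer { key k; }; -> ['key k']."""
    return [' '.join(w) for w, _ in (stmt[1] or [])]


def master_zones(conf):
    """Yield (scope, zone name, zone statements, scope statements) for each master
    zone, whether declared at top level or inside a view."""
    scopes = [('global', conf)] + [(v[0][1], v[1] or []) for v in find(conf, 'view')]
    for scope, stmts in scopes:
        for words, children in find(stmts, 'zone'):
            zone = children or []
            if any(w[1:] == ['master'] for w, _ in find(zone, 'type')):
                yield scope, words[1], zone, stmts


def effective_acl(conf, scope_stmts, zone, keyword):
    """Zone setting, else view setting, else global options; None if set nowhere."""
    options = find(conf, 'options')
    for stmts in (zone, scope_stmts, (options[0][1] or []) if options else []):
        hits = find(stmts, keyword)
        if hits:
            return acl_entries(hits[0])
    return None


def check_zone_transfers(conf):
    """Every master zone must restrict transfers to none or to a TSIG key; an
    address-only restriction is reported as weaker, as the rationale above explains."""
    findings = []
    for scope, name, zone, scope_stmts in master_zones(conf):
        acl = effective_acl(conf, scope_stmts, zone, 'allow-transfer')
        where = 'zone "%s" (%s)' % (name, scope)
        if acl is None or 'any' in acl:
            findings.append(where + ': zone transfers are not restricted')
        elif any(e != 'none' and not e.startswith('key ') for e in acl):
            findings.append(where + ': transfers restricted by address only; use TSIG')
    return findings


def check_dynamic_updates(conf):
    """Every master zone should carry an explicit allow-update { none; }; a
    TSIG-based update-policy, as the rationale suggests, is accepted instead."""
    findings = []
    for scope, name, zone, _ in master_zones(conf):
        where = 'zone "%s" (%s)' % (name, scope)
        hits = find(zone, 'allow-update')
        if hits:
            if acl_entries(hits[0]) != ['none']:
                findings.append(where + ': dynamic updates allowed from ' + ', '.join(acl_entries(hits[0])))
        elif not find(zone, 'update-policy'):
            findings.append(where + ': no explicit allow-update { none; }')
    return findings


def check_recursion(conf):
    """Any scope reachable by arbitrary clients must set recursion no: a view whose
    match-clients is any (BIND's default when absent), or, without views, options
    that allow-query any (again the default).  BIND's default recursion is yes."""
    findings = []
    options = find(conf, 'options')
    opt_stmts = (options[0][1] or []) if options else []

    def recursion_off(stmts, fallback):
        hits = find(stmts, 'recursion') or find(fallback, 'recursion')
        return bool(hits) and hits[0][0][1:] == ['no']

    views = find(conf, 'view')
    for words, children in views:
        stmts = children or []
        mc = find(stmts, 'match-clients')
        if (not mc or 'any' in acl_entries(mc[0])) and not recursion_off(stmts, opt_stmts):
            findings.append('view "%s": matches any client but recursion is not "no"' % words[1])
    if not views:
        aq = find(opt_stmts, 'allow-query')
        if (not aq or 'any' in acl_entries(aq[0])) and not recursion_off(opt_stmts, []):
            findings.append('options: any client may query but recursion is not "no"')
    return findings


def audit_named(text):
    conf = parse_named(text)
    return check_zone_transfers(conf) + check_dynamic_updates(conf) + check_recursion(conf)


# Constructed samples.  WEAK_CONF is a flat single server with the defaults this
# section warns about; HARDENED_CONF applies the directives from the rules above.
WEAK_CONF = """
options {
    directory "/var/named";
    allow-query { any; };
    // no allow-transfer: transfers allowed to anyone
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { 192.168.1.0/24; };   # address-based updates, easily spoofed
};
"""

HARDENED_CONF = """
key zone-transfer-key {
    algorithm hmac-sha256;      /* the text above shows hmac-md5, which is weaker */
    secret "base64-key-string";
};
acl internal { 192.168.1.0/24; localhost; };
options {
    directory "/var/named";
    allow-transfer { none; };
};
view "internal-view" {
    match-clients { internal; };
    recursion yes;
    zone "." IN { type hint; file "db.cache"; };
    zone "internal.example.com" IN {
        type master;
        file "internal.example.com.zone";
        allow-update { none; };
    };
};
view "external-view" {
    match-clients { any; };
    recursion no;
    zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-transfer { key zone-transfer-key; };
        allow-update { none; };
    };
};
"""

if __name__ == '__main__':
    for label, text in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        findings = audit_named(text)
        print('%s: %s' % (label, 'no findings' if not findings else ''))
        for f in findings:
            print('  - ' + f)
```

Run against a real server with audit_named(open('/etc/named.conf').read()); when named runs in the chroot described earlier, the file to read is the copy under /var/named/chroot/etc. The parser ignores include statements, so included files must be audited separately.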
scap-security-guide-0.1.39/rhel6/guide/services/ftp/000077500000000000000000000000001327242345500222325ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/ftp/disabling_vsftpd/000077500000000000000000000000001327242345500255545ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/ftp/disabling_vsftpd/disabling_vsftpd.group000066400000000000000000000002321327242345500321510ustar00rootroot00000000000000documentation_complete: true title: 'Disable vsftpd if Possible' description: |- To minimize attack surface, disable vsftpd if at all possible. scap-security-guide-0.1.39/rhel6/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed.rule000066400000000000000000000005621327242345500331520ustar00rootroot00000000000000documentation_complete: true title: 'Uninstall vsftpd Package' description: '' rationale: |- Removing the vsftpd package decreases the risk of its accidental activation. severity: unknown identifiers: cce: 26687-4 references: disa: 1436 nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled.rule000066400000000000000000000010331327242345500333170ustar00rootroot00000000000000documentation_complete: true title: 'Disable vsftpd Service' description: '' rationale: |- Running FTP server software provides a network-based avenue of attack, and should be disabled if not needed. Furthermore, the FTP protocol is unencrypted and creates a risk of compromising sensitive information. severity: unknown identifiers: cce: 26948-0 references: disa: 1436 nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp.group000066400000000000000000000012041327242345500240760ustar00rootroot00000000000000documentation_complete: true title: 'FTP Server' description: |- FTP is a common method for allowing remote access to files. 
Like telnet, the FTP protocol is unencrypted, which means that passwords and other data transmitted during the session can be captured and that the session is vulnerable to hijacking. Therefore, running the FTP server software is not recommended.

However, there are some FTP server configurations which may be appropriate for some environments, particularly those which allow only read-only anonymous access as a means of downloading data available to the public.

scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_configure_vsftpd/ftp_configure_firewall.rule
documentation_complete: true
title: 'Configure Firewalls to Protect the FTP Server'
description: |-
By default, iptables blocks access to the ports used by the FTP server. Edit the file /etc/sysconfig/iptables-config. Ensure that the space-separated list of modules contains the FTP connection tracking module:
IPTABLES_MODULES="ip_conntrack_ftp"
rationale: |-
These settings configure iptables to allow connections to an FTP server. An ACCEPT rule for the FTP control port (21/tcp) in /etc/sysconfig/iptables admits the initial connection, but on its own it is not enough: FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client and server negotiate an arbitrary port to be used for data transfer. The ip_conntrack_ftp module is used by iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an FTP server to operate on a system which is running a firewall.
severity: unknown

scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_configure_vsftpd/ftp_configure_vsftpd.group
documentation_complete: true
title: 'Use vsftpd to Provide FTP Service if Necessary'
description: |-
The primary vsftpd configuration file is /etc/vsftpd.conf, if that file exists, or /etc/vsftpd/vsftpd.conf if it does not.

scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_configure_vsftpd/ftp_disable_uploads.rule
documentation_complete: true
title: 'Disable FTP Uploads if Possible'
description: |-
Is there a mission-critical reason for users to upload files via FTP? If not, edit the vsftpd configuration file to add or correct the following configuration options:
write_enable=NO
If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions as much as possible. rationale: |- Anonymous FTP can be a convenient way to make files available for universal download. However, it is less common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it is necessary to ensure that files cannot be uploaded and downloaded from the same directory. severity: unknown identifiers: cce: 27117-1 scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_configure_vsftpd/ftp_home_partition.rule000066400000000000000000000010071327242345500332330ustar00rootroot00000000000000documentation_complete: true title: 'Place the FTP Home Directory on its Own Partition' description: |- By default, the anonymous FTP root is the home directory of the FTP user account. The df command can be used to verify that this directory is on its own partition. rationale: |- If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent these users from filling a disk used by other services. severity: unknown identifiers: cce: 27411-8 scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions.rule000066400000000000000000000026021327242345500335650ustar00rootroot00000000000000documentation_complete: true title: 'Enable Logging of All FTP Transactions' description: |- Add or correct the following configuration options within the vsftpd configuration file, located at /etc/vsftpd/vsftpd.conf:
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
rationale: |- To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the FTP server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log. severity: unknown identifiers: cce: 27142-9 references: srg: SRG-OS-000037 stigid: RHEL-06-000339 ocil_clause: 'xferlog_enable is missing, or is not set to yes' ocil: |- Find if logging is applied to the FTP daemon.

Procedures:

If vsftpd is started by xinetd, the following command will indicate the xinetd.d startup file:
$ grep vsftpd /etc/xinetd.d/*
$ grep server_args <xinetd.d startup file>
This will indicate the vsftpd config file used when starting through xinetd. If the server_args line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used.
$ sudo grep xferlog_enable <vsftpd config file>
scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner.rule000066400000000000000000000017241327242345500332250ustar00rootroot00000000000000documentation_complete: true title: 'Create Warning Banners for All FTP Users' description: |- Edit the vsftpd configuration file, which resides at /etc/vsftpd/vsftpd.conf by default. Add or correct the following configuration options:
banner_file=/etc/issue
rationale: 'This setting will cause the system greeting banner to be used for FTP connections as well.' severity: medium identifiers: cce: 27145-2 references: disa: 48 srg: SRG-OS-000023 stigid: RHEL-06-000348 ocil_clause: 'it does not' ocil: |- If FTP services are not installed, this is not applicable.

To verify this configuration, run the following command:
grep "banner_file" /etc/vsftpd/vsftpd.conf
The output should show the value of banner_file is set to /etc/issue, an example of which is shown below:
$ sudo grep "banner_file" /etc/vsftpd/vsftpd.conf
banner_file=/etc/issue
scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_configure_vsftpd/ftp_restrict_users/000077500000000000000000000000001327242345500324035ustar00rootroot00000000000000ftp_limit_users.rule000066400000000000000000000026201327242345500364250ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_configure_vsftpd/ftp_restrict_usersdocumentation_complete: true title: 'Limit Users Allowed FTP Access if Necessary' description: |- If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:
userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO
Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:
USERNAME
If anonymous access is also required, add the anonymous usernames to /etc/vsftp.ftpusers as well.
anonymous
ftp
rationale: 'Historically, the file /etc/ftpusers contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option userlist_deny=NO is set, vsftpd interprets the file named by userlist_file as the set of users who are allowed to log in via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.'
severity: unknown

scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_configure_vsftpd/ftp_restrict_users/ftp_restrict_to_anon.rule
documentation_complete: true
title: 'Restrict Access to Anonymous Users if Possible'
description: |-
Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:
local_enable=NO
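The vsftpd settings recommended in this section (write_enable, xferlog_enable, xferlog_std_format, log_ftp_protocol, banner_file, the userlist_* options and local_enable) can be verified with one audit. The script below is an added example rather than SCAP Security Guide or vsftpd code: its three configurations are constructed, the values assumed for unset options are the defaults documented in vsftpd.conf(5), and /etc/vsftp.ftpusers is simply the file name used in the rule above.

```python
"""Audit a vsftpd configuration against the settings in this section (added
example, not SSG or vsftpd code).  The sample configurations are constructed.
"""
import re

# vsftpd.conf(5): one option per line, written as option=value with no spaces
# around the '=', and lines starting with '#' are comments.
_LINE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_vsftpd_conf(text):
    """Return {option: value}; the last assignment of an option wins."""
    cfg = {}
    for line in text.splitlines():
        if line.startswith('#'):
            continue
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def _is(cfg, key, want, default):
    """Compare a boolean option (case-insensitive YES/NO), applying vsftpd's
    compiled-in default when the option is not set in the file."""
    return cfg.get(key, default).upper() == want


# (check id, description, predicate).  Defaults are the documented vsftpd ones:
# write_enable, xferlog_enable, xferlog_std_format, log_ftp_protocol and
# local_enable all default to NO.
CHECKS = [
    ('write_enable', 'uploads disabled (write_enable=NO)',
     lambda c: _is(c, 'write_enable', 'NO', 'NO')),
    ('xferlog_enable', 'transfer logging on (xferlog_enable=YES)',
     lambda c: _is(c, 'xferlog_enable', 'YES', 'NO')),
    ('xferlog_std_format', 'verbose vsftpd log format (xferlog_std_format=NO)',
     lambda c: _is(c, 'xferlog_std_format', 'NO', 'NO')),
    ('log_ftp_protocol', 'all FTP commands logged (log_ftp_protocol=YES)',
     lambda c: _is(c, 'log_ftp_protocol', 'YES', 'NO')),
    ('banner_file', 'system banner shown (banner_file=/etc/issue)',
     lambda c: c.get('banner_file') == '/etc/issue'),
    ('local_enable', 'password logins disabled where possible (local_enable=NO)',
     lambda c: _is(c, 'local_enable', 'NO', 'NO')),
]


def audit_vsftpd(text):
    """Return the failed checks as (check id, description) in CHECKS order."""
    cfg = parse_vsftpd_conf(text)
    failed = [(cid, desc) for cid, desc, ok in CHECKS if not ok(cfg)]
    # If password logins are needed at all, they must be limited to an allow list:
    # userlist_deny=NO (default YES) turns userlist_file into the permitted set.
    if _is(cfg, 'local_enable', 'YES', 'NO'):
        if not (_is(cfg, 'userlist_enable', 'YES', 'NO')
                and _is(cfg, 'userlist_deny', 'NO', 'YES')
                and cfg.get('userlist_file')):
            failed.append(('userlist', 'local logins not limited to an explicit allow list '
                           '(userlist_enable=YES, userlist_deny=NO, userlist_file=...)'))
    return failed


# Constructed samples: DEFAULT_CONF resembles a freshly installed configuration
# (local logins, uploads and the standard log format on); LOCKED_DOWN_CONF applies
# this section's settings; LEGACY_CONF keeps local logins but limits them by list.
DEFAULT_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
listen=YES
"""
LOCKED_DOWN_CONF = """\
anonymous_enable=YES
local_enable=NO
write_enable=NO
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
banner_file=/etc/issue
listen=YES
"""
LEGACY_CONF = LOCKED_DOWN_CONF.replace('local_enable=NO', 'local_enable=YES') + """\
userlist_enable=YES
userlist_file=/etc/vsftp.ftpusers
userlist_deny=NO
"""

if __name__ == '__main__':
    for label, text in (('default', DEFAULT_CONF), ('locked-down', LOCKED_DOWN_CONF),
                        ('legacy', LEGACY_CONF)):
        failed = audit_vsftpd(text)
        print('%s: %d finding(s)' % (label, len(failed)))
        for cid, desc in failed:
            print('  - %s: %s' % (cid, desc))
```

The local_enable check still fires for the legacy configuration, by design: the section asks for password logins to be disabled first and limited only where that is impossible, so a configuration that keeps them is reported even when the allow list is in place.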
If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure these logins as much as possible. rationale: 'The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access.' severity: unknown identifiers: cce: 27115-5 references: nist: CM-7,AC-3 ftp_restrict_users.group000066400000000000000000000005631327242345500373370ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_configure_vsftpd/ftp_restrict_usersdocumentation_complete: true title: 'Restrict the Set of Users Allowed to Access FTP' description: |- This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an identified need for this access. scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_use_vsftpd/000077500000000000000000000000001327242345500252655ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_use_vsftpd/ftp_use_vsftpd.group000066400000000000000000000002771327242345500314040ustar00rootroot00000000000000documentation_complete: true title: 'Use vsftpd to Provide FTP Service if Necessary' description: |- If your use-case requires FTP service, install and set-up vsftpd to provide it. scap-security-guide-0.1.39/rhel6/guide/services/ftp/ftp_use_vsftpd/package_vsftpd_installed.rule000066400000000000000000000010641327242345500331770ustar00rootroot00000000000000documentation_complete: true title: 'Install vsftpd Package' description: |- If this system must operate as an FTP server, install the vsftpd package via the standard channels.
$ sudo yum install vsftpd
rationale: |- After Red Hat Enterprise Linux 2.1, Red Hat switched from distributing wu-ftpd with Red Hat Enterprise Linux to distributing vsftpd. For security and for consistency with future Red Hat releases, the use of vsftpd is recommended. severity: unknown identifiers: cce: 27187-4 references: nist: CM-7 scap-security-guide-0.1.39/rhel6/guide/services/http/000077500000000000000000000000001327242345500224205ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/disabling_httpd/000077500000000000000000000000001327242345500255575ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/disabling_httpd/disabling_httpd.group000066400000000000000000000003631327242345500317760ustar00rootroot00000000000000documentation_complete: true title: 'Disable Apache if Possible' description: |- If Apache was installed and activated, but the system does not need to act as a web server, then it should be disabled and removed from the system. scap-security-guide-0.1.39/rhel6/guide/services/http/disabling_httpd/package_httpd_removed.rule000066400000000000000000000006131327242345500327670ustar00rootroot00000000000000documentation_complete: true title: 'Uninstall httpd Package' description: '' rationale: |- If there is no need to make the web server software available, removing it provides a safeguard against its activation. severity: unknown identifiers: cce: 27133-8 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/http/disabling_httpd/service_httpd_disabled.rule000066400000000000000000000006321327242345500331430ustar00rootroot00000000000000documentation_complete: true title: 'Disable httpd Service' description: '' rationale: |- Running web server software provides a network-based avenue of attack, and should be disabled if not needed. 
severity: unknown identifiers: cce: 27075-1 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/http/http.group000066400000000000000000000012031327242345500244510ustar00rootroot00000000000000documentation_complete: true title: 'Web Server' description: |- The web server is responsible for providing access to content via the HTTP protocol. Web servers represent a significant security risk because:

  • The HTTP port is commonly probed by malicious sources
  • Web server software is very complex, and includes a long history of vulnerabilities
  • The HTTP protocol is unencrypted and vulnerable to passive monitoring

The system's default web server software is Apache 2 and is provided in the RPM package httpd. scap-security-guide-0.1.39/rhel6/guide/services/http/installing_httpd/000077500000000000000000000000001327242345500257675ustar00rootroot00000000000000httpd_minimal_modules_installed/000077500000000000000000000000001327242345500343305ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/installing_httpdhttpd_minimal_modules_installed.group000066400000000000000000000014231327242345500440260ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/installing_httpd/httpd_minimal_modules_installeddocumentation_complete: true title: 'Confirm Minimal Built-in Modules Installed' description: |- The default httpd installation minimizes the number of modules that are compiled directly into the binary (core prefork http_core mod_so). This minimizes risk by limiting the capabilities allowed by the web server. Query the set of compiled-in modules using the following command:
$ httpd -l
If the number of compiled-in modules is significantly larger than the aforementioned set, this guide recommends re-installing httpd with a reduced configuration.

scap-security-guide-0.1.39/rhel6/guide/services/http/installing_httpd/installing_httpd.group
documentation_complete: true
title: 'Install Apache if Necessary'
description: |-
If httpd was not installed and activated, but the system needs to act as a web server, then it should be installed on the system. Follow these guidelines to install it defensively. The httpd package can be installed with the following command:
$ sudo yum install httpd
This method of installation is recommended over installing the "Web Server" package group during the system installation process. The Web Server package group includes many packages which are likely extraneous, while the command-line method installs only the required httpd package itself. scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/000077500000000000000000000000001327242345500254425ustar00rootroot00000000000000httpd_configure_os_protect_web_server/000077500000000000000000000000001327242345500352335ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpdhttpd_chroot/000077500000000000000000000000001327242345500377345ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_configure_os_protect_web_serverhttpd_chroot.group000066400000000000000000000016661327242345500435240ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_chrootdocumentation_complete: true title: 'Run httpd in a chroot Jail if Practical' description: |- Running httpd inside a chroot jail is designed to isolate the web server process to a small section of the filesystem, limiting the damage if it is compromised. Versions of Apache greater than 2.2.10 (such as the one included with Red Hat Enterprise Linux 6) provide the ChrootDir directive. To run Apache inside a chroot jail in /chroot/apache, add the following line to /etc/httpd/conf/httpd.conf:
ChrootDir /chroot/apache
This necessitates placing all files required by httpd inside /chroot/apache , including httpd's binaries, modules, configuration files, and served web pages. The details of this configuration are beyond the scope of this guide. This may also require additional SELinux configuration. httpd_configure_iptables/000077500000000000000000000000001327242345500423025ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_configure_os_protect_web_serverhttpd_configure_iptables.group000066400000000000000000000005161327242345500504310ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_iptablesdocumentation_complete: true title: 'Configure iptables to Allow Access to the Web Server' description: |- By default, iptables blocks access to the ports used by the web server. httpd_configure_os_protect_web_server.group000066400000000000000000000004301327242345500461560ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_configure_os_protect_web_serverdocumentation_complete: true title: 'Configure Operating System to Protect Web Server' description: |- The following configuration steps should be taken on the system which hosts the web server, in order to provide as safe an environment as possible for the web server. 
httpd_restrict_file_dir_access/000077500000000000000000000000001327242345500434535ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_configure_os_protect_web_serverdir_perms_etc_httpd_conf.rule000066400000000000000000000007431327242345500513770ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_accessdocumentation_complete: true title: 'Set Permissions on the /etc/httpd/conf/ Directory' description: |- Set permissions on the web server configuration directory to 750:
$ sudo chmod 750 /etc/httpd/conf/
rationale: |- Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or alter the server's configuration files. severity: unknown identifiers: cce: 27487-8 dir_perms_var_log_httpd.rule000066400000000000000000000010231327242345500512400ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_accessdocumentation_complete: true title: 'Set Permissions on the /var/log/httpd/ Directory' description: |- Ensure that the permissions on the web server log directory is set to 700:
$ sudo chmod 700 /var/log/httpd/
This is its default setting. rationale: |- Access to the web server's log files may allow an unauthorized user or attacker to access information about the web server or alter the server's log files. severity: unknown identifiers: cce: 27150-2 references: nist: CM-7 file_permissions_httpd_server_conf_files.rule000066400000000000000000000010201327242345500546670ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_accessdocumentation_complete: true title: 'Set Permissions on All Configuration Files Inside /etc/httpd/conf/' description: |- Set permissions on the web server configuration files to 640:
$ sudo chmod 640 /etc/httpd/conf/*
rationale: |- Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files. severity: unknown identifiers: cce: 27316-9 references: nist: CM-7 httpd_restrict_file_dir_access.group000066400000000000000000000002341327242345500527500ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_accessdocumentation_complete: true title: 'Restrict File and Directory Access' description: 'Minimize access to critical httpd files and directories.' scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_configure_php_securely/000077500000000000000000000000001327242345500334105ustar00rootroot00000000000000httpd_configure_php_securely.group000066400000000000000000000022411327242345500423540ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_configure_php_securelydocumentation_complete: true title: 'Configure PHP Securely' description: |- PHP is a widely-used and often misconfigured server-side scripting language. It should be used with caution, but configured appropriately when needed.

Review /etc/php.ini and make the following changes if possible:
# Do not expose PHP error messages to external users
    display_errors = Off

    # Enable safe mode
    safe_mode = On

    # Only allow access to executables in isolated directory
    safe_mode_exec_dir = php-required-executables-path

    # Limit external access to PHP environment
    safe_mode_allowed_env_vars = PHP_

    # Restrict PHP information leakage
    expose_php = Off

    # Log all errors
    log_errors = On

    # Do not register globals for input data
    register_globals = Off

    # Minimize allowable PHP post size
    post_max_size = 1K

    # Ensure PHP redirects appropriately
    cgi.force_redirect = 0

    # Disallow uploading unless necessary
    file_uploads = Off

    # Disallow treatment of file requests as fopen calls
    allow_url_fopen = Off

    # Enable SQL safe mode
    sql.safe_mode = On
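As an added example (not part of the SCAP Security Guide), the following POSIX shell script audits a php.ini against the values listed above: the last active assignment of a key is taken as effective, boolean spellings are compared case-insensitively, and a key that is not set at all is reported. The two php.ini files it writes under a temporary directory are constructed sample input, and safe_mode_exec_dir is only checked for being set because the path is site-specific.

```shell
# Added example, not part of the SCAP Security Guide: audit a php.ini against
# the values listed above. The sample files written below are constructed.

# Expected settings (key=value) from the list above. safe_mode_exec_dir is a
# site-specific path and is only checked for being set.
PHP_EXPECTED='display_errors=Off
safe_mode=On
safe_mode_allowed_env_vars=PHP_
expose_php=Off
log_errors=On
register_globals=Off
post_max_size=1K
cgi.force_redirect=0
file_uploads=Off
allow_url_fopen=Off
sql.safe_mode=On'

php_ini_get() {
    # Print the effective value of key $2 in ini file $1: ';' comments are
    # dropped, the last active assignment wins, surrounding whitespace and
    # double quotes are stripped. Prints nothing when the key is not set.
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            line = $0
            sub(/;.*$/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

php_norm() {
    # Lower-case a value and fold PHP's boolean spellings, so that
    # Off/off/no/false/0 and On/on/yes/true/1 compare equal.
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$v" in
        off|no|false|0) echo off ;;
        on|yes|true|1)  echo on ;;
        *)              echo "$v" ;;
    esac
}

php_ini_check() {
    # Report each setting of $1 that is unset or differs from PHP_EXPECTED.
    # Returns 0 when everything matches, 1 otherwise.
    rc=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(php_ini_get "$1" "$key")
        if [ -z "$have" ]; then
            printf 'MISMATCH %s: not set (expected %s)\n' "$key" "$want"; rc=1
        elif [ "$(php_norm "$have")" != "$(php_norm "$want")" ]; then
            printf 'MISMATCH %s: expected %s, found %s\n' "$key" "$want" "$have"; rc=1
        fi
    done <<EOF
$PHP_EXPECTED
EOF
    if [ -z "$(php_ini_get "$1" safe_mode_exec_dir)" ]; then
        echo 'MISMATCH safe_mode_exec_dir: not set'; rc=1
    fi
    return $rc
}

make_sample_ini() {
    # Write two constructed php.ini files into a temporary directory and print
    # its path: weak.ini deviates from the list above, hardened.ini follows it.
    d=$(mktemp -d) || return 1
    cat >"$d/weak.ini" <<'EOF'
display_errors = On
expose_php = On
log_errors = On
register_globals = Off
post_max_size = 8M
cgi.force_redirect = 1
allow_url_fopen = On   ; trailing comment is ignored
EOF
    cat >"$d/hardened.ini" <<'EOF'
display_errors = Off
safe_mode = On
safe_mode_exec_dir = "/srv/php-bin"
safe_mode_allowed_env_vars = PHP_
expose_php = Off
log_errors = On
register_globals = Off
post_max_size = 1K
cgi.force_redirect = 0
file_uploads = Off
allow_url_fopen = Off
sql.safe_mode = On
EOF
    echo "$d"
}

SAMPLE_DIR=$(make_sample_ini)
php_ini_check "$SAMPLE_DIR/hardened.ini" && echo "hardened.ini: matches"
php_ini_check "$SAMPLE_DIR/weak.ini" || echo "weak.ini: deviations found"
```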
    
# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_directory_restrictions.group
documentation_complete: true

title: 'Directory Restrictions'

description: |-
    The Directory tags in the web server configuration file allow finer-grained access control for a specified directory. All web directories should be configured on a case-by-case basis, allowing access only where needed.

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_limit_available_methods.rule
documentation_complete: true

title: 'Limit Available Methods'

description: |-
    Web server methods are defined in section 9 of RFC 2616 (). If a web server does not require the implementation of all available methods, they should be disabled.

    Note: GET and POST are the most common methods. A majority of the others are limited to the WebDAV protocol.
    <Directory /var/www/html>
    # ...
       # Only allow specific methods (this command is case-sensitive!)
       <LimitExcept GET POST>
          Order allow,deny
       </LimitExcept>
    # ...
    </Directory>

rationale: |-
    Minimizing the number of available methods to the web client reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce: 27581-8

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_critical_directories.rule
documentation_complete: true

title: 'Restrict Other Critical Directories'

description: |-
    All accessible web directories should be configured with similarly restrictive settings. The Options directive should be limited to necessary functionality and the AllowOverride directive should be used only if needed. The Order and Deny access control tags should be used to deny access by default, allowing access only where necessary.

rationale: |-
    Directories accessible from a web client should be configured with the least amount of access possible in order to avoid unauthorized access to restricted content or server information.

severity: unknown

identifiers:
    cce: 27565-1

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_root_directory.rule
documentation_complete: true

title: 'Restrict Root Directory'

description: |-
    The httpd root directory should always have the most restrictive configuration enabled.
    <Directory />
       Options None
       AllowOverride None
       Order allow,deny
    </Directory>

rationale: |-
    The Web Server's root directory content should be protected from unauthorized access by web clients.

severity: unknown

identifiers:
    cce: 27009-0

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_web_directory.rule
documentation_complete: true

title: 'Restrict Web Directory'

description: |-
    The default configuration for the web (/var/www/html) Directory allows directory indexing (Indexes) and the following of symbolic links (FollowSymLinks). Neither of these is recommended.

    The /var/www/html directory hierarchy should not be viewable via the web, and symlinks should only be followed if the owner of the symlink also owns the linked file.

    Ensure that this policy is adhered to by altering the related section of the configuration:
    <Directory "/var/www/html">
    #  ...
       Options SymLinksIfOwnerMatch
    #  ...
    </Directory>

rationale: |-
    Access to the web server's directory hierarchy could allow access to unauthorized files by web clients. Following symbolic links could also allow such access.

severity: unknown

identifiers:
    cce: 27574-3

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_basic_authentication/httpd_basic_authentication.group
documentation_complete: true

title: 'Minimize Modules for HTTP Basic Authentication'

description: |-
    The following modules are necessary if this web server will provide content that will be restricted by a password.

    Authentication can be performed using local plain text password files (authn_file), local DBM password files (authn_dbm) or an LDAP directory. The only module required by the web server depends on your choice of authentication. Comment out the modules you don't need from the following:
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authn_dbm_module modules/mod_authn_dbm.so
    authn_alias allows for authentication based on aliases. authn_anon allows anonymous authentication similar to that of anonymous ftp sites. authz_owner allows authorization based on file ownership. authz_dbm allows for authorization based on group membership if the web server is using DBM authentication.

    If the above functionality is unnecessary, comment out the related module:
    #LoadModule authn_alias_module modules/mod_authn_alias.so
    #LoadModule authn_anon_module modules/mod_authn_anon.so
    #LoadModule authz_owner_module modules/mod_authz_owner.so
    #LoadModule authz_dbm_module modules/mod_authz_dbm.so
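As an added example (not part of the SCAP Security Guide), the following POSIX shell functions list the LoadModule directives that remain active in an httpd.conf, flag the ones outside an allow-list, and report required modules that have been commented out, so the authentication module choice above (keep the backend in use, disable the rest) can be verified before the configuration is tested; the same functions serve the other LoadModule recommendations in this section. The configuration fragment and the allow-list are constructed for this example.

```shell
# Added example, not part of the SCAP Security Guide: audit the LoadModule
# directives that are still active in an httpd.conf. The configuration
# fragment and the allow-list below are constructed for this example.

httpd_active_modules() {
    # Print the module name from every LoadModule directive in $1 that is not
    # commented out, one per line, in file order. A line whose first non-blank
    # character is '#' is inactive and is skipped.
    awk '
        /^[ \t]*LoadModule[ \t]+/ {
            sub(/^[ \t]*LoadModule[ \t]+/, "")
            split($0, f, /[ \t]+/)
            print f[1]
        }' "$1"
}

httpd_unexpected_modules() {
    # Print active modules in $1 that are not in the space-separated
    # allow-list $2; these are the candidates for commenting out.
    httpd_active_modules "$1" | while read -r mod; do
        case " $2 " in
            *" $mod "*) ;;
            *) echo "$mod" ;;
        esac
    done
}

httpd_missing_modules() {
    # Print modules from the space-separated list $2 that are required but not
    # active in $1; directives that depend on them would fail at startup.
    active=" $(httpd_active_modules "$1" | tr '\n' ' ')"
    for mod in $2; do
        case "$active" in
            *" $mod "*) ;;
            *) echo "$mod" ;;
        esac
    done
}

# Allow-list for a server that keeps file-based Basic authentication (the
# choice described above) plus host-based authorization; the other
# authentication and authorization backends from this section should be off.
SAMPLE_ALLOWED='auth_basic_module authn_file_module authz_host_module'

make_sample_conf() {
    # Write a constructed httpd.conf fragment into a temporary directory and
    # print the directory path. Two optional modules were left active on purpose.
    d=$(mktemp -d) || return 1
    cat >"$d/httpd.conf" <<'EOF'
# constructed fragment of /etc/httpd/conf/httpd.conf (not a real system file)
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_alias_module modules/mod_authn_alias.so
  #LoadModule authn_anon_module modules/mod_authn_anon.so
# LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_host_module modules/mod_authz_host.so
EOF
    echo "$d"
}

SAMPLE_DIR=$(make_sample_conf)
echo "Active modules not on the allow-list (comment these out):"
httpd_unexpected_modules "$SAMPLE_DIR/httpd.conf" "$SAMPLE_ALLOWED"
echo "Required modules that are not active:"
httpd_missing_modules "$SAMPLE_DIR/httpd.conf" "$SAMPLE_ALLOWED authz_user_module"
```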

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_cache_support.rule
documentation_complete: true

title: 'Disable Cache Support'

description: |-
    The cache module allows httpd to cache data, optimizing access to frequently accessed content. However, it introduces potential security flaws such as the possibility of circumventing Allow and Deny directives.

    If this functionality is unnecessary, comment out the module:
    #LoadModule cache_module modules/mod_cache.so
    If caching is required, it should not be enabled for any limited-access content.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce: 26859-9

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_cgi_support.rule
documentation_complete: true

title: 'Disable CGI Support'

description: |-
    The cgi module allows HTML to interact with the CGI web programming language.

    If this functionality is unnecessary, comment out the module:
    #LoadModule cgi_module modules/mod_cgi.so
    If the web server requires the use of CGI, enable mod_cgi.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce: 27362-3

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_core_modules.group
documentation_complete: true

title: 'httpd Core Modules'

description: |-
    These modules comprise a basic subset of modules that are likely needed for base httpd functionality; ensure they are not commented out in /etc/httpd/conf/httpd.conf:
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authn_default_module modules/mod_authn_default.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authz_default_module modules/mod_authz_default.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule logio_module modules/mod_logio.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule alias_module modules/mod_alias.so
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_digest_authentication.rule
documentation_complete: true

title: 'Disable HTTP Digest Authentication'

description: |-
    The auth_digest module provides encrypted authentication sessions. If this functionality is unnecessary, comment out the related module:
    #LoadModule auth_digest_module modules/mod_auth_digest.so

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce: 27553-7

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_ldap_support.rule
documentation_complete: true

title: 'Disable LDAP Support'

description: |-
    The ldap module provides HTTP authentication via an LDAP directory. If its functionality is unnecessary, comment out the related modules:
    #LoadModule ldap_module modules/mod_ldap.so
    #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    If LDAP is to be used, SSL encryption should be used as well.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce: 27395-3

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_mime_magic.rule
documentation_complete: true

title: 'Disable MIME Magic'

description: |-
    The mime_magic module provides a second layer of MIME support that in most configurations is likely extraneous. If its functionality is unnecessary, comment out the related module:
    #LoadModule mime_magic_module modules/mod_mime_magic.so

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce: 27541-2

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_minimize_config_files_included/httpd_minimize_config_files_included.group
documentation_complete: true

title: 'Minimize Configuration Files Included'

description: |-
    The Include directive directs httpd to load supplementary configuration files from a provided path. The default configuration loads all files that end in .conf from the /etc/httpd/conf.d directory.

    To restrict excess configuration, the following line should be commented out and replaced with Include directives that only reference required configuration files:
    #Include conf.d/*.conf
    If the above change was made, ensure that SSL encryption remains loaded by explicitly including the corresponding configuration file:
    Include conf.d/ssl.conf
    If PHP is necessary, a similar alteration must be made:
    Include conf.d/php.conf
    Explicitly listing the configuration files to be loaded during web server start-up avoids the possibility of unwanted or malicious configuration files being automatically included as part of the server's running configuration.

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_mod_rewrite.rule
documentation_complete: true

title: 'Disable HTTP mod_rewrite'

description: |-
    The mod_rewrite module is very powerful and can protect against certain classes of web attacks. However, it is also very complex and has a significant history of vulnerabilities itself. If its functionality is unnecessary, comment out the related module:
    #LoadModule rewrite_module modules/mod_rewrite.so

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce: 27570-1

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_optional_components/httpd_optional_components.group
documentation_complete: true

title: 'Minimize Various Optional Components'

description: |-
    The following modules perform very specific tasks, sometimes providing access to just a few additional directives. If such functionality is not required (or if you are not using these directives), comment out the associated module:
    • External filtering (response passed through external program prior to client delivery)
      #LoadModule ext_filter_module modules/mod_ext_filter.so
    • User-specified Cache Control and Expiration
      #LoadModule expires_module modules/mod_expires.so
    • Compression Output Filter (provides content compression prior to client delivery)
      #LoadModule deflate_module modules/mod_deflate.so
    • HTTP Response/Request Header Customization
      #LoadModule headers_module modules/mod_headers.so
    • User activity monitoring via cookies
      #LoadModule usertrack_module modules/mod_usertrack.so
    • Dynamically configured mass virtual hosting
      #LoadModule vhost_alias_module modules/mod_vhost_alias.so
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_proxy_support.rule
documentation_complete: true

title: 'Disable Proxy Support'

description: |-
    The proxy module provides proxying support, allowing httpd to forward requests and serve as a gateway for other servers. If its functionality is unnecessary, comment out the module:
    #LoadModule proxy_module modules/mod_proxy.so
    If proxy support is needed, load mod_proxy and the appropriate proxy protocol handler module (one of mod_proxy_http, mod_proxy_ftp, or mod_proxy_connect). Additionally, make certain that a server is secure before enabling proxying, as open proxy servers are a security risk. mod_proxy_balancer enables load balancing, but requires that mod_status be enabled.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce: 27442-3

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_activity_status.rule
documentation_complete: true

title: 'Disable Server Activity Status'

description: |-
    The status module provides real-time access to statistics on the internal operation of the web server. This may constitute an unnecessary information leak and should be disabled unless necessary. To do so, comment out the related module:
    #LoadModule status_module modules/mod_status.so
    If there is a critical need for this module, ensure that access to the status page is properly restricted to a limited set of hosts in the status handler configuration.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce: 27468-8

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_configuration_display.rule
documentation_complete: true

title: 'Disable Web Server Configuration Display'

description: |-
    The info module creates a web page illustrating the configuration of the web server. This can create an unnecessary information leak and should be disabled. If its functionality is unnecessary, comment out the module:
    #LoadModule info_module modules/mod_info.so
    If there is a critical need for this module, use the Location directive to provide an access control list to restrict access to the information.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce: 27507-3

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_side_includes.rule
documentation_complete: true

title: 'Disable Server Side Includes'

description: |-
    Server Side Includes provide a method of dynamically generating web pages through the insertion of server-side code. However, the technology is also deprecated and introduces significant security concerns. If this functionality is unnecessary, comment out the related module:
    #LoadModule include_module modules/mod_include.so
    If there is a critical need for Server Side Includes, they should be enabled with the option IncludesNoExec to prevent arbitrary code execution. Additionally, user-supplied data should be encoded to prevent cross-site scripting vulnerabilities.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce: 27558-6

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_url_correction.rule
documentation_complete: true

title: 'Disable URL Correction on Misspelled Entries'

description: |-
    The speling module attempts to find a document match by allowing one misspelling in an otherwise failed request. If this functionality is unnecessary, comment out the module:
    #LoadModule speling_module modules/mod_speling.so
    This functionality weakens server security by making site enumeration easier.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce: 27276-5

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_webdav.rule
documentation_complete: true

title: 'Disable WebDAV (Distributed Authoring and Versioning)'

description: |-
    WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. If its functionality is unnecessary, comment out the related modules:
    #LoadModule dav_module modules/mod_dav.so
    #LoadModule dav_fs_module modules/mod_dav_fs.so
    If there is a critical need for WebDAV, extra care should be taken in its configuration. Since DAV access allows remote clients to manipulate server files, any location on the server that is DAV enabled should be protected by access controls.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    c…e: 27329-2

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_minimize_loadable_modules.group
documentation_complete: true

title: 'Minimize Web Server Loadable Modules'

description: |-
    A default installation of httpd includes a plethora of dynamically shared objects (DSO) that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be disabled in the configuration file by removing the corresponding LoadModule directive.

    Note: A DSO only provides additional functionality if associated directives are included in the httpd configuration file. It should also be noted that removing a DSO will produce errors on httpd startup if the configuration file contains directives that apply to that module. Refer to for details on which directives are associated with each DSO.

    Following each DSO removal, the configuration can be tested with the following command to check if everything still works:
    $ sudo service httpd configtest
    The purpose of each of the modules loaded by default will now be addressed one at a time. If none of a module's directives are being used, remove it.

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_security/httpd_deploy_mod_security.group
documentation_complete: true

title: 'Deploy mod_security'

description: |-
    The security module provides an application level firewall for httpd. Following its installation with the base ruleset, specific configuration advice can be found at to design a policy that best matches the security needs of the web applications. Usage of mod_security is highly recommended for some environments, but it should be noted this module does not ship with Red Hat Enterprise Linux itself, and instead is provided via Extra Packages for Enterprise Linux (EPEL). For more information on EPEL please refer to .

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_security/httpd_install_mod_security.rule
documentation_complete: true

title: 'Install mod_security'

description: |-
    Install the security module:
    $ sudo yum install mod_security

rationale: |-
    mod_security provides an additional level of protection for the web server by enabling the administrator to implement content access policies and filters at the application layer.

severity: unknown

identifiers:
    cce: 27525-5

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_deploy_mod_ssl.group
documentation_complete: true

title: 'Deploy mod_ssl'

description: |-
    Because HTTP is a plain text protocol, all traffic is susceptible to passive monitoring. If there is a need for confidentiality, SSL should be configured and enabled to encrypt content.

    Note: mod_nss is a FIPS 140-2 certified alternative to mod_ssl. The modules share a considerable amount of code and should be nearly identical in functionality. If FIPS 140-2 validation is required, then mod_nss should be used. If mod_ssl provides a needed feature or its greater compatibility is required, then mod_ssl should be used.

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_install_mod_ssl.rule
documentation_complete: true

title: 'Install mod_ssl'

description: |-
    Install the mod_ssl module:
    $ sudo yum install mod_ssl

rationale: |-
    mod_ssl provides encryption capabilities for the httpd Web server. Unencrypted content is transmitted in plain text which could be passively monitored and accessed by unauthorized parties.

severity: unknown

identifiers:
    cce: 27403-5

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_modules_improve_security.group
documentation_complete: true

title: 'Use Appropriate Modules to Improve httpd''s Security'

description: |-
    Among the modules available for httpd are several whose use may improve the security of the web server installation. This section recommends and discusses the deployment of security-relevant modules.

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_restrict_info_leakage.group
documentation_complete: true

title: 'Restrict Web Server Information Leakage'

description: |-
    The ServerTokens and ServerSignature directives determine how much information the web server discloses about the configuration of the system.

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_serversignature_off.rule
documentation_complete: true

title: 'Set httpd ServerSignature Directive to Off'

description: |-
    ServerSignature Off restricts httpd from displaying the server version number on error pages.

    Add or correct the following directive in /etc/httpd/conf/httpd.conf:
    ServerSignature Off

rationale: |-
    Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum.

severity: unknown

identifiers:
    cce: 27586-7

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_servertokens_prod.rule
documentation_complete: true

title: 'Set httpd ServerTokens Directive to Prod'

description: |-
    ServerTokens Prod restricts information in page headers, returning only the word "Apache."

    Add or correct the following directive in /etc/httpd/conf/httpd.conf:
    ServerTokens Prod

rationale: |-
    Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum.

severity: unknown

identifiers:
    cce: 27425-8

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/httpd_use_dos_protection_modules/httpd_use_dos_protection_modules.group
documentation_complete: true

title: 'Use Denial-of-Service Protection Modules'

description: |-
    Denial-of-service attacks are difficult to detect and prevent while maintaining acceptable access to authorized users. However, some traffic-shaping modules can be used to address the problem. Well-known DoS protection modules include:
    • mod_cband
    • mod_bwshare
    • mod_limitipconn
    • mod_evasive
    Denial-of-service prevention should be implemented for a web server if such a threat exists. However, specific configuration details are very dependent on the environment and often best left at the discretion of the administrator.

# scap-security-guide-0.1.39/rhel6/guide/services/http/securing_httpd/securing_httpd.group
documentation_complete: true

title: 'Secure Apache Configuration'

description: |-
    The httpd configuration file is /etc/httpd/conf/httpd.conf. Apply the recommendations in the remainder of this section to this file.

# scap-security-guide-0.1.39/rhel6/guide/services/imap/configure_dovecot/configure_dovecot.group
documentation_complete: true

title: 'Configure Dovecot if Necessary'

description: |-
    If the system will operate as an IMAP or POP3 server, the dovecot software should be configured securely by following the recommendations below.

# scap-security-guide-0.1.39/rhel6/guide/services/imap/configure_dovecot/dovecot_allow_imap_access/dovecot_allow_imap_access.group
documentation_complete: true

title: 'Allow IMAP Clients to Access the Server'

description: "The default iptables configuration does not allow inbound \naccess to any services. 
This modification will allow remote hosts to \ninitiate connections to the IMAP daemon, while keeping all other ports \non the server in their default protected state. \n" scap-security-guide-0.1.39/rhel6/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/000077500000000000000000000000001327242345500322565ustar00rootroot00000000000000dovecot_configure_ssl_cert.rule000066400000000000000000000015621327242345500404760ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/imap/configure_dovecot/dovecot_enabling_ssldocumentation_complete: true title: 'Configure Dovecot to Use the SSL Certificate file' description: "This option tells Dovecot where to find the the mail \nserver's SSL Certificate.\n

\nEdit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following \nline (note: the path below is the default path set by the Dovecot installation. If \nyou are using a different path, ensure you reference the appropriate file):\n
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
" rationale: "SSL certificates are used by the client to authenticate the identity\nof the server, as well as to encrypt credentials and message traffic.\nNot using SSL to encrypt mail server traffic could allow unauthorized\naccess to credentials and mail messages since they are sent in plain \ntext over the network." severity: unknown identifiers: cce: 27459-7 dovecot_configure_ssl_key.rule000066400000000000000000000015431327242345500403300ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/imap/configure_dovecot/dovecot_enabling_ssldocumentation_complete: true title: 'Configure Dovecot to Use the SSL Key file' description: "This option tells Dovecot where to find the the mail \nserver's SSL Key.\n

\nEdit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following \nline (note: the path below is the default path set by the Dovecot installation. If \nyou are using a different path, ensure you reference the appropriate file):\n
ssl_key = </etc/pki/dovecot/private/dovecot.pem
" rationale: "SSL certificates are used by the client to authenticate the identity\nof the server, as well as to encrypt credentials and message traffic.\nNot using SSL to encrypt mail server traffic could allow unauthorized\naccess to credentials and mail messages since they are sent in plain \ntext over the network." severity: unknown identifiers: cce: 27633-7 dovecot_disable_plaintext_auth.rule000066400000000000000000000007441327242345500413340ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/imap/configure_dovecot/dovecot_enabling_ssldocumentation_complete: true title: 'Disable Plaintext Authentication' description: "To prevent Dovecot from attempting plaintext \nauthentication of clients, edit /etc/dovecot/conf.d/10-auth.conf and add\nor correct the following line:\n
disable_plaintext_auth = yes
" rationale: "Using plain text authentication to the mail server could allow an \nattacker access to credentials by monitoring network traffic." severity: unknown identifiers: cce: 27144-5 dovecot_enable_ssl.rule000066400000000000000000000012711327242345500367230ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/imap/configure_dovecot/dovecot_enabling_ssldocumentation_complete: true title: 'Enable the SSL flag in /etc/dovecot.conf' description: |- To allow clients to make encrypted connections the ssl flag in Dovecot's configuration file needs to be set to yes.

Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line:
ssl = yes
rationale: "SSL encrypt network traffic between the Dovecot server and its clients \nprotecting user credentials, mail as it is downloaded, and clients may use \nSSL certificates to authenticate the server, preventing another system from \nimpersonating the server." severity: unknown identifiers: cce: 27571-9 dovecot_enabling_ssl.group000066400000000000000000000007651327242345500374500ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/imap/configure_dovecot/dovecot_enabling_ssldocumentation_complete: true title: 'Enable SSL Support' description: "SSL should be used to encrypt network traffic between the \nDovecot server and its clients. Users must authenticate to the Dovecot \nserver in order to read their mail, and passwords should never be \ntransmitted in clear text. In addition, protecting mail as it is \ndownloaded is a privacy measure, and clients may use SSL certificates \nto authenticate the server, preventing another system from impersonating \nthe server." dovecot_support_necessary_protocols/000077500000000000000000000000001327242345500354335ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/imap/configure_dovecotdovecot_support_necessary_protocols.group000066400000000000000000000015511327242345500461320ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/imap/configure_dovecot/dovecot_support_necessary_protocolsdocumentation_complete: true title: 'Support Only the Necessary Protocols' description: "Dovecot supports the IMAP and POP3 protocols, as well as \nSSL-protected versions of those protocols. Configure the Dovecot server \nto support only the protocols needed by your site. Edit /etc/dovecot/dovecot.conf. \nAdd or correct the following lines, replacing PROTOCOL with \nonly the subset of protocols (imap, imaps, \npop3, pop3s) required:\n
protocols = PROTOCOL
\nIf possible, require SSL protection for all transactions. The SSL \nprotocol variants listen on alternate ports (995 instead of 110 for \npop3s, and 993 instead of 143 for imaps), and require SSL-aware clients. \nAn alternate approach is to listen on the standard port and require the \nclient to use the STARTTLS command before authenticating." scap-security-guide-0.1.39/rhel6/guide/services/imap/disabling_dovecot/000077500000000000000000000000001327242345500260465ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/imap/disabling_dovecot/disabling_dovecot.group000066400000000000000000000003071327242345500326030ustar00rootroot00000000000000documentation_complete: true title: 'Disable Dovecot' description: |- If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed. scap-security-guide-0.1.39/rhel6/guide/services/imap/disabling_dovecot/package_dovecot_removed.rule000066400000000000000000000006771327242345500336100ustar00rootroot00000000000000documentation_complete: true title: 'Uninstall dovecot Package' description: |- The dovecot package can be uninstalled with the following command:
$ sudo yum erase dovecot
rationale: |- If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. severity: unknown identifiers: cce: 27039-7 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/imap/disabling_dovecot/service_dovecot_disabled.rule000066400000000000000000000006071327242345500337540ustar00rootroot00000000000000documentation_complete: true title: 'Disable Dovecot Service' description: '' rationale: |- Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed. severity: unknown identifiers: cce: 26922-5 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/imap/imap.group000066400000000000000000000004521327242345500243740ustar00rootroot00000000000000documentation_complete: true title: 'IMAP and POP3 Server' description: |- Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at contains more detailed information about Dovecot configuration. scap-security-guide-0.1.39/rhel6/guide/services/ldap/000077500000000000000000000000001327242345500223615ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/ldap/ldap.group000066400000000000000000000004541327242345500243620ustar00rootroot00000000000000documentation_complete: true title: LDAP description: |- LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Red Hat Enterprise Linux 6 includes software that enables a system to act as both an LDAP client and server. 
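The Dovecot rules above (ssl, ssl_cert, ssl_key, disable_plaintext_auth and protocols) can be audited together; the following POSIX shell script is an added example and is not part of scap-security-guide. It assumes the file layout the rules cite (dovecot.conf, conf.d/10-ssl.conf and conf.d/10-auth.conf under a root directory given as the first argument); the function names, the FAIL message format and the extra check that the private key is not group- or world-readable are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of scap-security-guide: audit a Dovecot
# configuration tree against the rules above. Assumed layout under the
# root passed as $1: dovecot.conf, conf.d/10-ssl.conf, conf.d/10-auth.conf.

# Print the effective value of "key = value" in a Dovecot config file.
# Lines starting with '#' are comments; the last assignment wins.
dovecot_get() {
    # $1 = file, $2 = key; exit status 1 if the key is not set
    [ -r "$1" ] || return 1
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v; found = 1
        }
        END { if (found) { print val; exit 0 } exit 1 }' "$1"
}

# Check a "<path" setting: the value must start with '<' (Dovecot reads the
# file at startup, as ssl_cert/ssl_key require) and the file must exist.
# For the private key, group and other must not be able to read it (this
# example's assumption, not stated by the rule).
dovecot_check_file_setting() {
    # $1 = 10-ssl.conf, $2 = key, $3 = "private" to enforce key permissions
    v=$(dovecot_get "$1" "$2") || v=""
    case $v in
        "<"*) ;;
        *) echo "FAIL: $2 is '${v:-unset}', expected '<path'"; return 1 ;;
    esac
    f=${v#<}
    [ -r "$f" ] || { echo "FAIL: $2 points at missing file $f"; return 1; }
    if [ "$3" = private ]; then
        case $(ls -ld "$f" | cut -c5-10) in
            *r*) echo "FAIL: private key $f is readable by group or other"; return 1 ;;
        esac
    fi
    return 0
}

# Audit the tree; prints one FAIL line per finding and returns 1 if any.
dovecot_audit() {
    # $1 = config root, $2 = space-separated protocols the site permits
    root=$1; allowed=$2; fail=0
    ssl=$root/conf.d/10-ssl.conf
    auth=$root/conf.d/10-auth.conf
    v=$(dovecot_get "$ssl" ssl) || v=""
    [ "$v" = yes ] || { echo "FAIL: ssl is '${v:-unset}', expected yes"; fail=1; }
    v=$(dovecot_get "$auth" disable_plaintext_auth) || v=""
    [ "$v" = yes ] || { echo "FAIL: disable_plaintext_auth is '${v:-unset}', expected yes"; fail=1; }
    dovecot_check_file_setting "$ssl" ssl_cert || fail=1
    dovecot_check_file_setting "$ssl" ssl_key private || fail=1
    # protocols must be set explicitly and contain only permitted entries
    protos=$(dovecot_get "$root/dovecot.conf" protocols) || protos=""
    [ -n "$protos" ] || { echo "FAIL: protocols is unset"; fail=1; }
    for p in $protos; do
        case " $allowed " in
            *" $p "*) ;;
            *) echo "FAIL: protocol '$p' is enabled but not permitted"; fail=1 ;;
        esac
    done
    return $fail
}

# Build a constructed config tree in a temp dir, audit it, clean up.
dovecot_demo() {
    # $1 = good | bad
    d=$(mktemp -d)
    mkdir -p "$d/conf.d" "$d/pki"
    echo "constructed placeholder, not a real certificate" > "$d/pki/dovecot.pem"
    echo "constructed placeholder, not a real key" > "$d/pki/dovecot.key"
    chmod 600 "$d/pki/dovecot.key"
    if [ "$1" = good ]; then
        echo "protocols = imap pop3" > "$d/dovecot.conf"
        printf 'ssl = yes\nssl_cert = <%s\nssl_key = <%s\n' \
            "$d/pki/dovecot.pem" "$d/pki/dovecot.key" > "$d/conf.d/10-ssl.conf"
        echo "disable_plaintext_auth = yes" > "$d/conf.d/10-auth.conf"
    else
        chmod 644 "$d/pki/dovecot.key"                          # key readable by everyone
        echo "protocols = imap pop3 lmtp" > "$d/dovecot.conf"   # lmtp is not permitted
        printf '# ssl = yes\nssl = no\nssl_cert = <%s\nssl_key = <%s\n' \
            "$d/pki/dovecot.pem" "$d/pki/dovecot.key" > "$d/conf.d/10-ssl.conf"
        echo "disable_plaintext_auth = no" > "$d/conf.d/10-auth.conf"
    fi
    if dovecot_audit "$d" "imap pop3"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

for scenario in good bad; do dovecot_demo "$scenario" && echo "$scenario tree: PASS" || echo "$scenario tree: FAIL"; done
```

Run `dovecot_audit /etc/dovecot "imap pop3"` on a real host to list the settings that diverge from the rules; the trailing-comment form of Dovecot settings is not parsed by this simplified reader.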
scap-security-guide-0.1.39/rhel6/guide/services/ldap/openldap_client/000077500000000000000000000000001327242345500255215ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/ldap/openldap_client/ldap_client_start_tls.rule000066400000000000000000000016601327242345500327720ustar00rootroot00000000000000documentation_complete: true title: 'Configure LDAP Client to Use TLS For All Transactions' description: "Configure LDAP to enforce TLS use. First, edit the file \n/etc/pam_ldap.conf, and add or correct the following lines:\n
ssl start_tls
\nThen review the LDAP server and ensure TLS has been configured." rationale: |- The ssl directive specifies whether to use ssl or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. severity: medium identifiers: cce: 26690-8 references: disa: 776,778,1453 nist: CM-7 stigid: RHEL-06-000252 ocil_clause: 'LDAP is not in use, the line is commented out, or not configured correctly' ocil: |- To ensure LDAP is configured to use TLS for all transactions, run the following command:
$ grep start_tls /etc/pam_ldap.conf
The result should contain:
ssl start_tls
scap-security-guide-0.1.39/rhel6/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath.rule000066400000000000000000000024621327242345500337540ustar00rootroot00000000000000documentation_complete: true title: 'Configure Certificate Directives for LDAP Use of TLS' description: "Ensure a copy of a trusted CA certificate has been placed in\nthe file /etc/pki/tls/CA/cacert.pem. Configure LDAP to enforce TLS \nuse and to trust certificates signed by that CA. First, edit the file \n/etc/pam_ldap.conf, and add or correct either of the following lines:\n
tls_cacertdir /etc/pki/tls/CA
\nor\n
tls_cacertfile /etc/pki/tls/CA/cacert.pem
\nThen review the LDAP server and ensure TLS has been configured." rationale: |- The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA. severity: medium identifiers: cce: 27189-0 references: disa: 776,778,1453 nist: CM-7 stigid: RHEL-06-000253 ocil_clause: 'LDAP is not in use, the line is commented out, or not configured correctly' ocil: |- To ensure TLS is configured with trust certificates, run the following command:
$ grep cert /etc/pam_ldap.conf
The result should return either
tls_cacertdir /etc/pki/tls/CA
or
tls_cacertfile /etc/pki/tls/CA/cacert.pem
scap-security-guide-0.1.39/rhel6/guide/services/ldap/openldap_client/openldap_client.group000066400000000000000000000017141327242345500317420ustar00rootroot00000000000000documentation_complete: true title: 'Configure OpenLDAP Clients' description: |- This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate configuration files. Red Hat Enterprise Linux 6 provides an automated configuration tool called authconfig and a graphical wrapper for authconfig called system-config-authentication. However, these tools do not provide as much control over configuration as manual editing of configuration files. The authconfig tools do not allow you to specify locations of SSL certificate files, which is useful when trying to use SSL cleanly across several protocols. Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 6 is available at . scap-security-guide-0.1.39/rhel6/guide/services/ldap/openldap_server/000077500000000000000000000000001327242345500255515ustar00rootroot00000000000000ldap_server_config_certificate_files/000077500000000000000000000000001327242345500350515ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/ldap/openldap_serverldap_server_config_certificate_files.group000066400000000000000000000032421327242345500455070ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/ldap/openldap_server/ldap_server_config_certificate_filesdocumentation_complete: true title: 'Install and Protect LDAP Certificate Files' description: |- Create the PKI directory for LDAP certificates if it does not already exist:
$ sudo mkdir /etc/pki/tls/ldap
    $ sudo chown root:root /etc/pki/tls/ldap
    $ sudo chmod 755 /etc/pki/tls/ldap
Using removable media or some other secure transmission format, install the certificate files onto the LDAP server:
  • /etc/pki/tls/ldap/serverkey.pem: the private key ldapserverkey.pem
  • /etc/pki/tls/ldap/servercert.pem: the certificate file ldapservercert.pem
Verify the ownership and permissions of these files:
$ sudo chown root:ldap /etc/pki/tls/ldap/serverkey.pem
    $ sudo chown root:ldap /etc/pki/tls/ldap/servercert.pem
    $ sudo chmod 640 /etc/pki/tls/ldap/serverkey.pem
    $ sudo chmod 640 /etc/pki/tls/ldap/servercert.pem
Verify that the CA's public certificate file has been installed as /etc/pki/tls/CA/cacert.pem, and has the correct permissions:
$ sudo mkdir /etc/pki/tls/CA
    $ sudo chown root:root /etc/pki/tls/CA/cacert.pem
    $ sudo chmod 644 /etc/pki/tls/CA/cacert.pem
As a result of these steps, the LDAP server will have access to its own private certificate and the key with which that certificate is encrypted, and to the public certificate file belonging to the CA. Note that it would be possible for the key to be protected further, so that processes running as ldap could not read it. If this were done, the LDAP server process would need to be restarted manually whenever the server rebooted. scap-security-guide-0.1.39/rhel6/guide/services/ldap/openldap_server/openldap_server.group000066400000000000000000000006361327242345500320240ustar00rootroot00000000000000documentation_complete: true title: 'Configure OpenLDAP Server' description: |- This section details some security-relevant settings for an OpenLDAP server. Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 6 is available at: . package_openldap-servers_removed.rule000066400000000000000000000023771327242345500350610ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/ldap/openldap_serverdocumentation_complete: true title: 'Uninstall openldap-servers Package' description: |- The openldap-servers package should be removed if not in use. Is this system the OpenLDAP server? If not, remove the package.
$ sudo yum erase openldap-servers
The openldap-servers RPM is not installed by default on Red Hat Enterprise Linux 6 systems. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed. rationale: |- The openldap-servers package is not installed by default on RHEL6 systems. It is needed only by the OpenLDAP server system, not clients which use LDAP for authentication. If the system is not intended for use as an LDAP server, openldap-servers should be removed. severity: unknown identifiers: cce: 26858-1 references: disa: 366 nist: CM-7 srg: SRG-OS-999999 stigid: RHEL-06-000256 ocil_clause: 'it does not' ocil: "To verify the openldap-servers package is not installed, \nrun the following command:\n
$ rpm -q openldap-servers
\nThe output should show the following:\n
package openldap-servers is not installed
" scap-security-guide-0.1.39/rhel6/guide/services/mail/000077500000000000000000000000001327242345500223635ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/mail.group000066400000000000000000000027751327242345500243760ustar00rootroot00000000000000documentation_complete: true title: 'Mail Server Software' description: |- Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not running MTAs unnecessarily, and configure needed MTAs as defensively as possible.

Very few systems at any site should be configured to directly receive email over the network. Users should instead use mail client programs to retrieve email from a central server that supports protocols such as IMAP or POP3. However, it is normal for most systems to be independently capable of sending email, for instance so that cron jobs can report output to an administrator. Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from the local system to a central site MTA (or directly delivered to a local account), but the system still cannot receive mail directly over a network.

The alternatives program in Red Hat Enterprise Linux permits selection of other mail server software (such as Sendmail), but Postfix is the default and is preferred. Postfix was coded with security in mind and can also be more effectively contained by SELinux as its modular design has resulted in separate processes performing specific actions. More information is available on its website, . scap-security-guide-0.1.39/rhel6/guide/services/mail/package_sendmail_removed.rule000066400000000000000000000011261327242345500302440ustar00rootroot00000000000000documentation_complete: true title: 'Uninstall Sendmail Package' description: |- Sendmail is not the default mail transfer agent and is not installed by default. rationale: |- The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. severity: medium identifiers: cce: 27515-6 references: nist: CM-7 srg: SRG-OS-999999 stigid: RHEL-06-000288 ocil: '' scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_client/000077500000000000000000000000001327242345500254155ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_client/postfix_client.group000066400000000000000000000002671327242345500315320ustar00rootroot00000000000000documentation_complete: true title: 'Configure SMTP For Mail Clients' description: |- This section discusses settings for Postfix in a submission-only e-mail configuration. postfix_client_configure_mail_alias.rule000066400000000000000000000017451327242345500355040ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_clientdocumentation_complete: true title: 'Configure System to Forward All Mail For The Root Account' description: |- Set up an alias for root that forwards to a monitored email address:
$ sudo echo "root: " >> /etc/aliases
    $ sudo newaliases
rationale: |- A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address. severity: medium identifiers: cce: 80508-5 references: disa: 366 nist: "" srg: SRG-OS-999999 stigid: RHEL-06-000521 ocil_clause: 'it is not' ocil: |- Find the list of alias maps used by the Postfix mail server:
$ sudo postconf alias_maps
Query the Postfix alias maps for an alias for the root user:
$ sudo postmap -q root hash:/etc/aliases
The output should return an alias. postfix_network_listening_disabled.rule000066400000000000000000000015451327242345500354040ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_clientdocumentation_complete: true title: 'Disable Postfix Network Listening' description: |- Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:
inet_interfaces = localhost
rationale: |- This ensures postfix accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack. severity: medium identifiers: cce: 26780-7 references: disa: 382 nist: CM-7 srg: SRG-OS-000096 stigid: RHEL-06-000249 ocil_clause: 'it does not' ocil: |- Run the following command to ensure postfix accepts mail messages from only the local system:
$ grep inet_interfaces /etc/postfix/main.cf
If properly configured, the output should show only localhost. scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_client/var_postfix_root_mail_alias.var000066400000000000000000000003611327242345500337110ustar00rootroot00000000000000documentation_complete: true title: 'Postfix Root Mail Alias' description: 'Specify an email address (string) for a root mail alias.' type: string operator: equals interactive: false options: default: system.administrator@mail.mil scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/000077500000000000000000000000001327242345500261015ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_configure_ssl_certs/000077500000000000000000000000001327242345500337175ustar00rootroot00000000000000postfix_configure_ssl_certs.group000066400000000000000000000010301327242345500425260ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_configure_ssl_certsdocumentation_complete: true title: 'Configure SSL Certificates for Use with SMTP AUTH' description: |- If SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended. There are also configurations for which it may be desirable to encrypt all mail in transit from one MTA to another, though such configurations are beyond the scope of this guide. In either event, the steps for creating and installing an SSL certificate are independent of the MTA in use, and are described here. 
postfix_install_ssl_cert/000077500000000000000000000000001327242345500407605ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_configure_ssl_certspostfix_install_ssl_cert.group000066400000000000000000000022161327242345500471570ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_configure_ssl_certs/postfix_install_ssl_certdocumentation_complete: true title: 'Ensure Security of Postfix SSL Certificate' description: |- Create the PKI directory for mail certificates, if it does not already exist:
$ sudo mkdir /etc/pki/tls/mail
    $ sudo chown root:root /etc/pki/tls/mail
    $ sudo chmod 755 /etc/pki/tls/mail
Using removable media or some other secure transmission format, install the files generated in the previous step onto the mail server:
/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem
    /etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem
Verify the ownership and permissions of these files:
$ sudo chown root:root /etc/pki/tls/mail/serverkey.pem
    $ sudo chown root:root /etc/pki/tls/mail/servercert.pem
    $ sudo chmod 600 /etc/pki/tls/mail/serverkey.pem
    $ sudo chmod 644 /etc/pki/tls/mail/servercert.pem
Verify that the CA's public certificate file has been installed as /etc/pki/tls/CA/cacert.pem, and has the correct permissions:
$ sudo chown root:root /etc/pki/tls/CA/cacert.pem
    $ sudo chmod 644 /etc/pki/tls/CA/cacert.pem
scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_harden_os.group000066400000000000000000000004371327242345500327010ustar00rootroot00000000000000documentation_complete: true title: 'Configure Operating System to Protect Mail Server' description: |- The guidance in this section is appropriate for any host which is operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or some other software. scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configuration/000077500000000000000000000000001327242345500341125ustar00rootroot00000000000000postfix_server_banner.rule000066400000000000000000000020441327242345500413330ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configurationdocumentation_complete: true title: 'Configure SMTP Greeting Banner' description: |- Edit /etc/postfix/main.cf, and add or correct the following line, substituting some other wording for the banner information if you prefer:
smtpd_banner = $myhostname ESMTP
rationale: |- The default greeting banner discloses that the listening mail process is Postfix. When remote mail senders connect to the MTA on port 25, they are greeted by an initial banner as part of the SMTP dialogue. This banner is necessary, but it frequently gives away too much information, including the MTA software which is in use, and sometimes also its version number. Remote mail senders do not need this information in order to send mail, so the banner should be changed to reveal only the hostname (which is already known and may be useful) and the word ESMTP, to indicate that the modern SMTP protocol variant is supported. severity: medium identifiers: cce: 27508-1 references: nist: 'AC-22, AU-13' postfix_server_configuration.group000066400000000000000000000003651327242345500431260ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configurationdocumentation_complete: true title: 'Configure Postfix if Necessary' description: |- Postfix stores its configuration files in the directory /etc/postfix by default. The primary configuration file is /etc/postfix/main.cf. postfix_server_denial_of_service/000077500000000000000000000000001327242345500426355ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configurationpostfix_server_denial_of_service.group000066400000000000000000000010451327242345500525150ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_denial_of_servicedocumentation_complete: true title: 'Configure Postfix Resource Usage to Limit Denial of Service Attacks' description: |- Edit /etc/postfix/main.cf. Edit the following lines to configure the amount of system resources Postfix can consume:
default_process_limit = 100
    smtpd_client_connection_count_limit = 10
    smtpd_client_connection_rate_limit = 30
    queue_minfree = 20971520
    header_size_limit = 51200
    message_size_limit = 10485760
    smtpd_recipient_limit = 100
The values here are examples. postfix_server_mail_relay/000077500000000000000000000000001327242345500413135ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configurationpostfix_server_mail_relay.group000066400000000000000000000010451327242345500476510ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relaydocumentation_complete: true title: 'Control Mail Relaying' description: |- Postfix's mail relay controls are implemented with the help of the smtpd recipient restrictions option, which controls the restrictions placed on the SMTP dialogue once the sender and recipient envelope addresses are known. The guidance in the following sections should be applied to all systems. If there are systems which must be allowed to relay mail, but which cannot be trusted to relay unconditionally, configure SMTP AUTH with SSL support. postfix_server_mail_relay_require_tls_for_smtp_auth/000077500000000000000000000000001327242345500541435ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relay1a26fec698c5249222af28bf2d78300a97cec800.paxheader00006660000000000000000000000365132724234550020446xustar00rootroot00000000000000245 path=scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relay/postfix_server_mail_relay_require_tls_for_smtp_auth/postfix_server_mail_relay_require_tls_for_smtp_auth.group 1a26fec698c5249222af28bf2d78300a97cec800.data000066400000000000000000000006741327242345500173070ustar00rootroot00000000000000documentation_complete: true title: 'Use TLS for SMTP AUTH' description: |- Postfix provides options to use TLS for certificate-based authentication and encrypted sessions. 
    An encrypted session protects the information that is transmitted with SMTP mail or with SASL
    authentication. To configure Postfix to protect all SMTP AUTH transactions using TLS, see .

# scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relay/postfix_server_mail_relay_set_trusted_networks/postfix_server_mail_relay_set_trusted_networks.group
documentation_complete: true

title: 'Configure Trusted Networks and Hosts'

description: |-
    Edit /etc/postfix/main.cf, and configure the contents of the mynetworks variable in one of the
    following ways:
      • If any system in the subnet containing the MTA may be trusted to relay messages, add or
        correct the following line:
        mynetworks_style = subnet
        This is also the default setting, and is in effect if all mynetworks_style directives are
        commented.
      • If only the MTA host itself is trusted to relay messages, add or correct the following line:
        mynetworks_style = host
      • If the set of systems which can relay is more complicated, manually specify an entry for each
        netblock or IP address which is trusted to relay by setting the mynetworks variable directly:
        mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
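The three mynetworks forms above, together with the permit_mynetworks / reject_unauth_destination ordering described under "Enact SMTP Recipient Restrictions" later in this section, are what actually decide whether a given client may relay. The following Python audit is an added example, not code from the SSG project or from Postfix: it parses a constructed main.cf fragment, derives the effective trusted networks (an explicit mynetworks overrides mynetworks_style; for the style-based forms the host's interface addresses are passed in as an assumed input, since main.cf does not contain them), answers "may this client relay?" for a sample address, and flags a smtpd_recipient_restrictions list whose two key options are missing, reversed or separated.

```python
"""Audit Postfix relay trust from main.cf (added example, not SSG code)."""
import ipaddress

# Constructed sample main.cf fragment; values are illustrative, not taken from the guide.
# The explicit mynetworks line overrides the mynetworks_style line, as it does in Postfix.
SAMPLE_MAIN_CF = """\
# constructed example
mynetworks_style = host
mynetworks = 10.0.0.0/16, 192.168.1.0/24,
    127.0.0.1
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
"""

# Postfix always trusts loopback; it writes IPv6 prefixes as [addr]/len.
LOOPBACK = ("127.0.0.0/8", "[::1]/128")


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the
    previous value (main.cf syntax). A later setting overrides an earlier one."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list values may be separated by commas and/or whitespace."""
    return [t for t in value.replace(",", " ").split() if t]


def trusted_networks(params, interface_cidrs=()):
    """Networks Postfix treats as mynetworks. interface_cidrs ('addr/prefix' strings)
    is the host's own interface information, an assumed input for the style forms."""
    if "mynetworks" in params:
        tokens = split_list(params["mynetworks"])
    else:
        style = params.get("mynetworks_style", "subnet")
        if style not in ("host", "subnet"):
            # 'class' trusts whole classful networks: report it rather than model it.
            raise ValueError("mynetworks_style = %s is too permissive or unknown" % style)
        tokens = list(LOOPBACK)
        for cidr in interface_cidrs:
            iface = ipaddress.ip_interface(cidr)
            tokens.append(str(iface.ip) if style == "host" else str(iface.network))
    return [ipaddress.ip_network(t.replace("[", "").replace("]", ""), strict=False)
            for t in tokens]


def client_may_relay(params, client_ip, interface_cidrs=()):
    """True when client_ip falls inside mynetworks and so may relay without SMTP AUTH."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in trusted_networks(params, interface_cidrs))


def relay_restrictions_findings(params):
    """Check smtpd_recipient_restrictions for the ordering this section requires:
    permit_mynetworks, then reject_unauth_destination, normally adjacent."""
    if "smtpd_recipient_restrictions" not in params:
        return ["smtpd_recipient_restrictions not set; relying on the compiled-in default"]
    r = split_list(params["smtpd_recipient_restrictions"])
    if "reject_unauth_destination" not in r:
        return ["reject_unauth_destination missing: any client may relay to any destination"]
    if "permit_mynetworks" not in r:
        return ["permit_mynetworks missing: trusted networks cannot relay"]
    i, j = r.index("permit_mynetworks"), r.index("reject_unauth_destination")
    if i > j:
        return ["permit_mynetworks listed after reject_unauth_destination: trusted networks are rejected"]
    if i != j - 1:
        return ["options between permit_mynetworks and reject_unauth_destination: "
                + ", ".join(r[i + 1:j]) + " (expected only when SMTP AUTH is in use)"]
    return []


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    for ip in ("10.0.42.7", "203.0.113.5"):
        print(ip, "may relay" if client_may_relay(cfg, ip) else "must authenticate or be rejected")
    print(relay_restrictions_findings(cfg) or ["smtpd_recipient_restrictions order OK"])
```

Run it against a copy of the real main.cf by replacing SAMPLE_MAIN_CF with the file contents; for a mynetworks_style configuration, pass the output of the host's interface listing as interface_cidrs, since that is what Postfix itself consults at startup.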
# scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relay/postfix_server_mail_relay_smtp_auth_for_untrusted_networks/postfix_server_mail_relay_smtp_auth_for_untrusted_networks.group
documentation_complete: true

title: 'Require SMTP AUTH Before Relaying from Untrusted Clients'

description: |-
    SMTP authentication allows remote clients to relay mail safely by requiring them to authenticate
    before submitting mail. Postfix's SMTP AUTH uses an authentication library called SASL, which is
    not part of Postfix itself.
    To enable the use of SASL authentication, see

# scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relay/postfix_server_mail_smtpd_recipient_restrictions/postfix_server_mail_smtpd_recipient_restrictions.group
documentation_complete: true

title: 'Enact SMTP Recipient Restrictions'

description: |-
    To configure Postfix to restrict addresses to which it will send mail, see:
    The full contents of smtpd_recipient_restrictions will vary by site, since this is a common place
    to put spam restrictions and other site-specific options. The permit_mynetworks option allows all
    mail to be relayed from the systems in mynetworks. Then, the reject_unauth_destination option
    denies all mail whose destination address is not local, preventing any other systems from
    relaying. These two options should always appear in this order, and should usually follow one
    another immediately unless SMTP AUTH is used.

# scap-security-guide-0.1.39/rhel6/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relay/postfix_server_mail_smtpd_relay_restrictions/postfix_server_mail_smtpd_relay_restrictions.group
documentation_complete: true

title: 'Enact SMTP Relay Restrictions'

description: |-
    To configure Postfix to restrict addresses to which it will send mail, see:
    The full contents of smtpd_recipient_restrictions will vary by site, since this is a common place
    to put spam restrictions and other site-specific options. The permit_mynetworks option allows all
    mail to be relayed from the systems in mynetworks. Then, the reject_unauth_destination option
    denies all mail whose destination address is not local, preventing any other systems from
    relaying. These two options should always appear in this order, and should usually follow one
    another immediately unless SMTP AUTH is used.

# scap-security-guide-0.1.39/rhel6/guide/services/mail/service_postfix_enabled.rule
documentation_complete: true

title: 'Enable Postfix Service'

description: |-
    The Postfix mail transfer agent is used for local mail delivery within the system. The default
    configuration only listens for connections to the default SMTP port (port 25) on the loopback
    interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery.

rationale: |-
    Local mail delivery is essential to some system maintenance and notification tasks.
severity: unknown

identifiers:
    cce: 26325-1

references:
    srg: SRG-OS-999999
    stigid: RHEL-06-000287

ocil_clause: 'the system is not a cross domain solution and the service is not enabled'

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/disabling_nfs/disabling_netfs/disabling_netfs.group
documentation_complete: true

title: 'Disable netfs if Possible'

description: |-
    To determine if any network filesystems handled by netfs are currently mounted on the system,
    execute the following command:
    $ mount -t nfs,nfs4,smbfs,cifs,ncpfs
    If the command did not return any output then disable netfs.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/disabling_nfs/disabling_netfs/service_netfs_disabled.rule
documentation_complete: true

title: 'Disable Network File Systems (netfs)'

description: |-
    The netfs script manages the boot-time mounting of several types of networked filesystems, of
    which NFS and Samba are the most common. If these filesystem types are not in use, the script can
    be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab
    and against flaws in the netfs script itself.

rationale: ""

severity: unknown

identifiers:
    cce: 27137-9

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs.group
documentation_complete: true

title: 'Disable All NFS Services if Possible'

description: |-
    If there is not a reason for the system to operate as either an NFS client or an NFS server,
    follow all instructions in this section to disable subsystems required by NFS.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/disabling_nfs_services.group
documentation_complete: true

title: 'Disable Services Used Only by NFS'

description: |-
    If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd.

    All of these daemons run with elevated privileges, and many listen for network connections. If
    they are not needed, they should be disabled to improve system security posture.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_nfslock_disabled.rule
documentation_complete: true

title: 'Disable Network File System Lock Service (nfslock)'

description: |-
    The Network File System Lock (nfslock) service starts the required remote procedure call (RPC)
    processes which allow clients to lock files on the server. If the local system is not configured
    to mount NFS filesystems then this service should be disabled.

rationale: ""

severity: unknown

identifiers:
    cce: 27104-9

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled.rule
documentation_complete: true

title: 'Disable RPC Bind service (rpcbind)'

description: |-
    The rpcbind utility is a server that converts RPC program numbers into universal addresses. If RPC
    calls are not made to servers on the local system then this service should be disabled.

rationale: ""

severity: unknown

identifiers:
    cce: CCE-27430-8

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcgssd_disabled.rule
documentation_complete: true

title: 'Disable Secure RPC Client Service (rpcgssd)'

description: |-
    The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most
    often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does
    not require secure RPC then this service should be disabled.
rationale: ""

severity: unknown

identifiers:
    cce: 26864-9

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcidmapd_disabled.rule
documentation_complete: true

title: 'Disable RPC ID Mapping Service (rpcidmapd)'

description: |-
    The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4
    mounts. If NFS is not in use on the local system then this service should be disabled.

rationale: ""

severity: unknown

identifiers:
    cce: 26870-6

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_and_rpc.group
documentation_complete: true

title: 'NFS and RPC'

description: |-
    The Network File System is a popular distributed filesystem for the Unix environment, and is very
    widely deployed. This section discusses the circumstances under which it is possible to disable
    NFS and its dependencies, and then details steps which should be taken to secure NFS's
    configuration. This section is relevant to systems operating as NFS clients, as well as to those
    operating as NFS servers.
# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_client_or_server_not_both/nfs_client_or_server_not_both.group
documentation_complete: true

title: 'Make Each System a Client or a Server, not Both'

description: |-
    If NFS must be used, it should be deployed in the simplest configuration possible to avoid
    maintainability problems which may lead to unnecessary security exposure. Due to the reliability
    and security problems caused by NFS (especially NFSv3 and NFSv2), it is not a good idea for
    systems which act as NFS servers to also mount filesystems via NFS. At the least, crossed mounts
    (the situation in which each of two servers mounts a filesystem from the other) should never be
    used.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_configure_fixed_ports.group
documentation_complete: true

title: 'Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)'

description: |-
    Firewalling should be done at each host and at the border firewalls to protect the NFS daemons
    from remote access, since NFS servers should never be accessible from outside the organization.
    However, by default for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port
    dynamically at service startup time. Dynamic ports cannot be protected by port filtering
    firewalls such as iptables.

    Therefore, restrict each service to always use a given port, so that firewalling can be done
    effectively. Note that, because of the way RPC is implemented, it is not possible to disable the
    RPC Bind service even if ports are assigned statically to all RPC services.

    In NFSv4, the mounting and locking protocols have been incorporated into the protocol, and the
    server listens on the well-known TCP port 2049. As such, NFSv4 does not need to interact with the
    rpcbind, lockd, and rpc.statd daemons, which can and should be disabled in a pure NFSv4
    environment. The rpc.mountd daemon is still required on the NFS server to set up exports, but is
    not involved in any over-the-wire operations.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_lockd_tcp_port.rule
documentation_complete: true

title: 'Configure lockd to use static TCP port'

description: |-
    Configure the lockd daemon to use a static TCP port as opposed to letting the RPC Bind service
    dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
    LOCKD_TCPPORT=lockd-port
    Where lockd-port is a port which is not used by any other service on your network.

rationale: |-
    Restrict service to always use a given port, so that firewalling can be done effectively.

severity: unknown

identifiers:
    cce: 27149-4

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_lockd_udp_port.rule
documentation_complete: true

title: 'Configure lockd to use static UDP port'

description: |-
    Configure the lockd daemon to use a static UDP port as opposed to letting the RPC Bind service
    dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
    LOCKD_UDPPORT=lockd-port
    Where lockd-port is a port which is not used by any other service on your network.

rationale: |-
    Restricting services to always use a given port enables firewalling to be done more effectively.

severity: unknown

identifiers:
    cce: 27063-7

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_mountd_port.rule
documentation_complete: true

title: 'Configure mountd to use static port'

description: |-
    Configure the mountd daemon to use a static port as opposed to letting the RPC Bind service
    dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
    MOUNTD_PORT=mountd-port
    Where mountd-port is a port which is not used by any other service on your network.

rationale: |-
    Restricting services to always use a given port enables firewalling to be done more effectively.

severity: unknown

identifiers:
    cce: 27114-8

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_statd_port.rule
documentation_complete: true

title: 'Configure statd to use static port'

description: |-
    Configure the statd daemon to use a static port as opposed to letting the RPC Bind service
    dynamically assign a port. Edit the file /etc/sysconfig/nfs. Add or correct the following line:
    STATD_PORT=statd-port
    Where statd-port is a port which is not used by any other service on your network.

rationale: |-
    Restricting services to always use a given port enables firewalling to be done more effectively.

severity: unknown

identifiers:
    cce: 26889-6

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configuring_all_machines.group
documentation_complete: true

title: 'Configure All Systems which Use NFS'

description: |-
    The steps in this section are appropriate for all systems which run NFS, whether they operate as
    clients or as servers.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/disabling_nfsd.group
documentation_complete: true

title: 'Disable NFS Server Daemons'

description: |-
    There is no need to run the NFS server daemons nfs and rpcsvcgssd except on a small number of
    properly secured systems designated as NFS servers. Ensure that these daemons are turned off on
    clients.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/nfs_no_anonymous.rule
documentation_complete: true

title: 'Specify UID and GID for Anonymous NFS Connections'

description: |-
    To specify the UID and GID for remote root users, edit the /etc/exports file and add the
    following for each export:
        anonuid=value greater than UID_MAX from /etc/login.defs
        anongid=value greater than GID_MAX from /etc/login.defs
    Note that a value of "-1" is technically acceptable as this will randomize the anonuid and
    anongid values on a Red Hat Enterprise Linux 6 based NFS server. While acceptable from a security
    perspective, a value of -1 may cause interoperability issues, particularly with Red Hat
    Enterprise Linux 7 client systems.

rationale: |-
    Specifying the anonymous UID and GID ensures that the remote root user is mapped to a local
    account which has no permissions on the system.

severity: unknown

identifiers:
    cce: 27414-2

ocil_clause: 'anonuid or anongid are not set to a value greater than UID_MAX (for anonuid) and GID_MAX (for anongid)'

ocil: |-
    Inspect the mounts configured in /etc/exports. Each mount should specify a value greater than
    UID_MAX and GID_MAX as defined in /etc/login.defs.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled.rule
documentation_complete: true

title: 'Disable Network File System (nfs)'

description: |-
    The Network File System (NFS) service allows remote hosts to mount and interact with shared
    filesystems on the local system. If the local system is not designated as an NFS server then this
    service should be disabled.

rationale: 'Unnecessary services should be disabled to decrease the attack surface of the system.'

severity: unknown

identifiers:
    cce: 27199-9

ocil_clause: 'it does not'

ocil: |-
    It is prudent to ensure the nfs service is disabled in system boot, as well as not currently
    running. First, run the following to verify the service is stopped:
    $ service nfs status
    If the service is stopped or disabled, it will return the following:
    rpc.svcgssd is stopped
    rpc.mountd is stopped
    nfsd is stopped
    rpc.rquotad is stopped
    To verify that the nfs service is disabled, run the following command:
    $ chkconfig --list nfs
    If properly configured, the output should look like:
    nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled.rule
documentation_complete: true

title: 'Disable Secure RPC Server Service (rpcsvcgssd)'

description: |-
    The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC
    (most often Kerberos and NFS). The rpcsvcgssd service is the server-side of RPCSEC GSS. If the
    system does not require secure RPC then this service should be disabled.

rationale: 'Unnecessary services should be disabled to decrease the attack surface of the system.'

severity: unknown

identifiers:
    cce: 27122-1

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems.rule
documentation_complete: true

title: 'Mount Remote Filesystems with nodev'

description: ''

rationale: |-
    Legitimate device files should only exist in the /dev directory. NFS mounts should not present
    device files to users.

severity: medium

identifiers:
    cce: 27090-0

references:
    nist: CM-7,MP-2
    srg: SRG-OS-999999
    stigid: RHEL-06-000269

ocil_clause: 'the setting does not show'

ocil: |-
    To verify the nodev option is configured for all NFS mounts, run the following command:
    $ mount | grep nfs
    All NFS mounts should show the nodev setting in parentheses. This is not applicable if NFS is
    not implemented.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems.rule
documentation_complete: true

title: 'Mount Remote Filesystems with nosuid'

description: ''

rationale: |-
    NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
    should be installed to their default location on the local filesystem.

severity: medium

identifiers:
    cce: 26972-0

references:
    srg: SRG-OS-999999
    stigid: RHEL-06-000270

ocil_clause: 'the setting does not show'

ocil: |-
    To verify the nosuid option is configured for all NFS mounts, run the following command:
    $ mount | grep nfs
    All NFS mounts should show the nosuid setting in parentheses. This is not applicable if NFS is
    not implemented.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mounting_remote_filesystems.group
documentation_complete: true

title: 'Mount Remote Filesystems with Restrictive Options'

description: |-
    Edit the file /etc/fstab. For each filesystem whose type (column 3) is nfs or nfs4, add the text
    ,nodev,nosuid to the list of mount options in column 4. If appropriate, also add ,noexec.

    See the section titled "Restrict Partition Mount Options" for a description of the effects of
    these options. In general, execution of files mounted via NFS should be considered risky because
    of the possibility that an adversary could intercept the request and substitute a malicious file.
    Allowing setuid files to be executed from remote servers is particularly risky, both for this
    reason and because it requires the clients to extend root-level trust to the NFS server.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_clients/nfs_configuring_clients.group
documentation_complete: true

title: 'Configure NFS Clients'

description: 'The steps in this section are appropriate for systems which operate as NFS clients.'

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_servers/configure_exports_restrictively/configure_exports_restrictively.group
documentation_complete: true

title: 'Configure the Exports File Restrictively'

description: |-
    Linux's NFS implementation uses the file /etc/exports to control what filesystems and
    directories may be accessed via NFS. (See the exports(5) manpage for more information about the
    format of this file.)

    The syntax of the exports file is not necessarily checked fully on reload, and syntax errors can
    leave your NFS configuration more open than intended. Therefore, exercise caution when modifying
    the file.

    The syntax of each line in /etc/exports is:
    /DIR    host1(opt1,opt2) host2(opt3)
    where /DIR is a directory or filesystem to export, hostN is an IP address, netblock, hostname,
    domain, or netgroup to which to export, and optN is an option.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_servers/export_filesystems_read_only/export_filesystems_read_only.group
documentation_complete: true

title: 'Export Filesystems Read-Only if Possible'

description: |-
    If a filesystem is being exported so that users can view the files in a convenient fashion, but
    there is no need for users to edit those files, exporting the filesystem read-only removes an
    attack vector against the server. The default filesystem export mode is ro, so do not specify rw
    without a good reason.

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_servers/nfs_configuring_servers.group
documentation_complete: true

title: 'Configure NFS Servers'

description: 'The steps in this section are appropriate for systems which operate as NFS servers.'

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_servers/no_all_squash_exports.rule
documentation_complete: true

title: 'Ensure All-Squashing Disabled On All Exports'

description: |-
    The all_squash option maps all uids and gids to an anonymous user. This should be disabled by
    removing any instances of the all_squash option from the file /etc/exports.

rationale: |-
    The all_squash option maps all client requests to a single anonymous uid/gid on the NFS server,
    negating the ability to track file access by user ID.
severity: low

identifiers:
    cce: 80505-1

references:
    disa: 764
    srg: SRG-OS-000104
    stigid: RHEL-06-000515

ocil_clause: 'there is output'

ocil: |-
    To verify all squashing has been disabled, run the following command:
    $ grep all_squash /etc/exports

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports.rule
documentation_complete: true

title: 'Ensure Insecure File Locking is Not Allowed'

description: |-
    By default the NFS server requires secure file-lock requests, which require credentials from the
    client in order to lock a file. Most NFS clients send credentials with file lock requests;
    however, there are a few clients that do not send credentials when requesting a file-lock,
    allowing the client to only be able to lock world-readable files. To get around this, the
    insecure_locks option can be used so these clients can access the desired export. This poses a
    security risk by potentially allowing the client access to data for which it does not have
    authorization. Remove any instances of the insecure_locks option from the file /etc/exports.

rationale: |-
    Allowing insecure file locking could allow for sensitive data to be viewed or edited by an
    unauthorized user.

severity: high

identifiers:
    cce: 27167-6

references:
    disa: 764
    srg: SRG-OS-000104
    stigid: RHEL-06-000309

ocil_clause: 'there is output'

ocil: |-
    To verify insecure file locking has been disabled, run the following command:
    $ grep insecure_locks /etc/exports

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_servers/restrict_nfs_clients_to_privileged_ports.rule
documentation_complete: true

title: 'Restrict NFS Clients to Privile~ged Ports'

description: |-
    By default, the server NFS implementation requires that all client requests be made from ports
    less than 1024. If your organization has control over systems connected to its network, and if
    NFS requests are prohibited at the border firewall, this offers some protection against
    malicious requests from unprivileged users. Therefore, the default should not be changed.

    To ensure that the default has not been changed, ensure no line in /etc/exports contains the
    option insecure.

rationale: |-
    Allowing client requests to be made from ports higher than 1024 could allow an unprivileged user
    to initiate an NFS connection. If the unprivileged user account has been compromised, an attacker
    could gain access to data on the NFS server.

severity: unknown

identifiers:
    cce: 27121-3

# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_servers/use_acl_enforce_auth_restrictions/use_acl_enforce_auth_restrictions.group
documentation_complete: true

title: 'Use Access Lists to Enforce Authorization Restrictions'

description: |-
    When configuring NFS exports, ensure that each export line in /etc/exports contains a list of
    hosts which are allowed to access that export. If no hosts are specified on an export line, then
    that export is available to any remote host which requests it. All lines of the exports file
    should specify the hosts (or subnets, if needed) which are allowed to access the exported
    directory, so that unknown or remote hosts will be denied.

Authorized hosts can be specified in several different formats:
  • Name or alias that is recognized by the resolver
  • Fully qualified domain name
  • IP address
  • IP subnets in the format address/netmask or address/CIDR
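The two rules above (privileged ports, access lists) and the root-squashing rule that follows all reduce to checks on /etc/exports. The following Python audit is an added example written for this edit; it is not scap-security-guide code and not one of the project's OVAL checks, and the exports content it parses is constructed. It applies the exports(5) semantics the rules rely on: a client spec with an empty host part (a bare "(opts)" after the path) or a bare "*" is open to every client, and "secure" and "root_squash" are the defaults that "insecure" and "no_root_squash" override.

```python
import re
import shlex

# A client spec is "host(opt,opt)" or a bare "host"; a bare "(opts)" has an
# empty host part, which exports(5) treats as "every client".
_CLIENT_RE = re.compile(r"^(?P<host>[^(]*)(?:\((?P<opts>[^)]*)\))?$")

# Constructed sample exports file (not taken from any real host).
SAMPLE_EXPORTS = """\
# /srv/projects: restricted; defaults (secure, root_squash) in effect
/srv/projects   10.0.1.0/24(rw,sync,root_squash) build.example.com(ro)
/srv/scratch    *(rw,insecure,no_root_squash)
/srv/legacy     (rw,sync)
/srv/backup     backup.example.com(ro,sync)
"""


def parse_exports(text):
    """Yield (path, [(host, [options]), ...]) for each export line.

    Backslash-newline continuations are joined first and '#' comments
    dropped, as in exports(5); shlex handles a quoted path containing spaces.
    """
    joined = text.replace("\\\n", " ")
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        path, clients = fields[0], []
        for spec in fields[1:]:
            m = _CLIENT_RE.match(spec)
            host = m.group("host") if m else spec
            opts = (m.group("opts") or "") if m else ""
            clients.append((host, [o.strip() for o in opts.split(",") if o.strip()]))
        yield path, clients


def audit_exports(text):
    """Return (path, host, finding) triples for exports that violate the rules."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            findings.append((path, "*", "no host list: export is open to any client"))
        for host, opts in clients:
            if host in ("", "*"):
                findings.append((path, "*", "wildcard host: export is open to any client"))
            if "insecure" in opts:
                findings.append((path, host, "insecure: requests accepted from unprivileged ports"))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash: remote root is mapped to local root"))
    return findings


if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {host}: {finding}")
```

Run against a real file with `audit_exports(open("/etc/exports").read())`; a clean file returns an empty list. The check deliberately reports a missing host list and a bare "*" the same way, since both leave the export reachable from any host that can route to the server.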
# scap-security-guide-0.1.39/rhel6/guide/services/nfs_and_rpc/nfs_configuring_servers/use_root_squashing_all_exports.rule
documentation_complete: true

title: 'Use Root-Squashing on All Exports'

description: |-
    If a filesystem is exported using root squashing, requests from root on the
    client are considered to be unprivileged (mapped to a user such as nobody).
    This provides some mild protection against remote abuse of an NFS server.
    Root squashing is enabled by default, and should not be disabled.

    Ensure that no line in /etc/exports contains the option no_root_squash.

rationale: |-
    If the NFS server allows root access to local file systems from remote
    hosts, this access could be used to compromise the system.

severity: unknown

identifiers:
    cce: 27138-7

# scap-security-guide-0.1.39/rhel6/guide/services/ntp/ntp.group
documentation_complete: true

title: 'Network Time Protocol'

description: |-
    The Network Time Protocol is used to manage the system clock over a
    network. Computer clocks are not very accurate, so time will drift
    unpredictably on unmanaged systems. Central time protocols can be used both
    to ensure that time is consistent among a network of systems, and that
    their time is consistent with the outside world.

    If every system on a network reliably reports the same time, then it is
    much easier to correlate log messages in case of an attack. In addition, a
    number of cryptographic protocols (such as Kerberos) use timestamps to
    prevent certain types of attacks. If your network does not have
    synchronized time, these protocols may be unreliable or even unusable.

    Depending on the specifics of the network, global time accuracy may be
    just as important as local synchronization, or not very important at all.
    If your network is connected to the Internet, using a public timeserver (or
    one provided by your enterprise) provides globally accurate timestamps
    which may be essential in investigating or responding to an attack which
    originated outside of your network.

    A typical network setup involves a small number of internal systems
    operating as NTP servers, and the remainder obtaining time information from
    those internal servers.

    More information on how to configure the NTP server software, including
    configuration of cryptographic authentication for time data, is available
    at .

# scap-security-guide-0.1.39/rhel6/guide/services/ntp/ntpd_specify_multiple_servers.rule
documentation_complete: true

title: 'Specify Additional Remote NTP Servers'

description: |-
    Additional NTP servers can be specified for time synchronization in the
    file /etc/ntp.conf. To do so, add additional lines of the following form,
    substituting the IP address or hostname of a remote NTP server for
    ntpserver:
    server ntpserver

rationale: |-
    Specifying additional NTP servers increases the availability of accurate
    time data, in the event that one of the specified servers becomes
    unavailable. This is typical for a system acting as an NTP server for
    other systems.

severity: unknown

identifiers:
    cce: 26958-9

references:
    nist: AU-8(1)
    pcidss: Req-10.4.3

# scap-security-guide-0.1.39/rhel6/guide/services/ntp/ntpd_specify_remote_server.rule
documentation_complete: true

title: 'Specify a Remote NTP Server'

description: |-
    To specify a remote NTP server for time synchronization, edit the file
    /etc/ntp.conf. Add or correct the following lines, substituting the IP or
    hostname of a remote NTP server for ntpserver:
    server ntpserver
    This instructs the NTP software to contact that remote server to obtain
    time data.

rationale: |-
    Synchronizing with an NTP server makes it possible to collate system logs
    from multiple sources or correlate computer events with real time events.

severity: medium

identifiers:
    cce: 27098-3

references:
    disa: 160
    nist: AU-8(1)
    pcidss: Req-10.4.1,Req-10.4.3
    srg: SRG-OS-000056
    stigid: RHEL-06-000248

ocil_clause: 'this is not the case'

ocil: |-
    To verify that a remote NTP service is configured for time
    synchronization, open the following file:
    /etc/ntp.conf
    In the file, there should be a section similar to the following:
    server ntpserver
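Both NTP rules above come down to counting the time sources in /etc/ntp.conf. The following Python check is an added example written for this edit, not scap-security-guide code; the two ntp.conf samples are constructed. It counts "server", "peer" and "pool" directives but ignores the undisciplined local clock driver (addresses of the form 127.127.t.u) and loopback, since neither is a remote source and neither satisfies either rule.

```python
import ipaddress

# ntp.conf directives that name a time source.
SOURCE_DIRECTIVES = ("server", "peer", "pool")

# Constructed samples (not taken from any real host).
GOOD_NTP_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 127.127.1.0          # undisciplined local clock, fallback only
fudge  127.127.1.0 stratum 10
server ntp1.example.com iburst
server ntp2.example.com iburst
"""

LOCAL_ONLY_NTP_CONF = """\
driftfile /var/lib/ntp/drift
server 127.127.1.0
fudge  127.127.1.0 stratum 10
"""


def _is_local_source(addr):
    """True for the local clock driver (127.127.t.u) and loopback addresses."""
    if addr.startswith("127.127."):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:          # a hostname, not an address literal
        return addr.lower() == "localhost"


def parse_sources(text):
    """Return [(directive, address)] for every remote time source in ntp.conf text."""
    sources = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in SOURCE_DIRECTIVES and len(parts) > 1 and not _is_local_source(parts[1]):
            sources.append((parts[0], parts[1]))
    return sources


def audit_ntp(text):
    """Evaluate ntpd_specify_remote_server (at least one source) and
    ntpd_specify_multiple_servers (at least two sources)."""
    sources = parse_sources(text)
    return {
        "sources": sources,
        "remote_server_configured": len(sources) >= 1,
        "multiple_servers_configured": len(sources) >= 2,
    }


if __name__ == "__main__":
    for name, conf in (("good", GOOD_NTP_CONF), ("local-only", LOCAL_ONLY_NTP_CONF)):
        print(name, audit_ntp(conf))
```

A configuration whose only "server" line is 127.127.1.0 is a common way to satisfy a naive `grep ^server` check while synchronizing with nothing; the local-clock exclusion is what makes this check meaningful.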
# scap-security-guide-0.1.39/rhel6/guide/services/ntp/service_ntpd_enabled.rule
documentation_complete: true

title: 'Enable the NTP Daemon'

description: ''

rationale: |-
    Enabling the ntpd service ensures that the ntpd service will be running and
    that the system will synchronize its time to any servers specified. This is
    important whether the system is configured to be a client (and synchronize
    only its own clock) or it is also acting as an NTP server to other systems.
    Synchronizing time is essential for authentication services such as
    Kerberos, but it is also important for maintaining accurate logs and
    auditing possible security breaches.

    The NTP daemon offers all of the functionality of ntpdate, which is now
    deprecated. Additional information on this is available at .

severity: medium

identifiers:
    cce: 27093-4

references:
    disa: 160
    nist: AU-8(1)
    pcidss: Req-10.4
    srg: SRG-OS-000056
    stigid: RHEL-06-000247

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/inetd_and_xinetd/inetd_and_xinetd.group
documentation_complete: true

title: Xinetd

description: |-
    The xinetd service acts as a dedicated listener for some network services
    (mostly, obsolete ones) and can be used to provide access controls and
    perform some logging. It has been largely obsoleted by other features, and
    it is not installed by default. The older Inetd service is not even
    available as part of Red Hat Enterprise Linux 6.

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed.rule
documentation_complete: true

title: 'Uninstall xinetd Package'

description: |-
    The xinetd package can be uninstalled with the following command:
    $ sudo yum erase xinetd

rationale: |-
    Removing the xinetd package decreases the risk of the xinetd service's
    accidental (or intentional) activation.

severity: unknown

identifiers:
    cce: 27005-8

references:
    disa: 305
    nist: CM-7
    srg: SRG-OS-000096
    stigid: RHEL-06-000204

ocil: |-
    If network services are using the xinetd service, this is not applicable.

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/inetd_and_xinetd/service_xinetd_disabled.rule
documentation_complete: true

title: 'Disable xinetd Service'

description: ''

rationale: |-
    The xinetd service provides a dedicated listener service for some
    programs, which is no longer necessary for commonly-used network services.
    Disabling it ensures that these uncommon services are not running, and also
    prevents attacks against xinetd itself.

severity: medium

identifiers:
    cce: 27046-2

references:
    disa: 305
    nist: CM-7
    srg: SRG-OS-000096
    stigid: RHEL-06-000203

ocil: |-
    If network services are using the xinetd service, this is not applicable.

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/nis/nis.group
documentation_complete: true

title: NIS

description: |-
    The Network Information Service (NIS), also known as 'Yellow Pages' (YP),
    and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other
    modern centralized authentication services. NIS should not be used because
    it suffers from security problems inherent in its design, such as
    inadequate protection of important authentication information.

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/nis/package_ypbind_removed.rule
documentation_complete: true

title: 'Remove NIS Client'

description: |-
    The Network Information Service (NIS), formerly known as Yellow Pages, is a
    client-server directory service protocol used to distribute system
    configuration files. The NIS client (ypbind) was used to bind a system to
    an NIS server and receive the distributed configuration files.

rationale: |-
    The NIS service is inherently insecure: it has been vulnerable to denial
    of service attacks and buffer overflows, and has poor authentication for
    querying NIS maps. NIS has generally been replaced by protocols such as the
    Lightweight Directory Access Protocol (LDAP). It is recommended that the
    service be removed.

severity: unknown

identifiers:
    cce: 27372-2

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/nis/package_ypserv_removed.rule
documentation_complete: true

title: 'Uninstall ypserv Package'

description: |-
    The ypserv package can be uninstalled with the following command:
    $ sudo yum erase ypserv

rationale: |-
    Removing the ypserv package decreases the risk of the accidental (or
    intentional) activation of NIS or NIS+ services.

severity: medium

identifiers:
    cce: 27079-3

references:
    disa: 305,381
    nist: CM-7
    srg: SRG-OS-000095
    stigid: RHEL-06-000220

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/nis/service_ypbind_disabled.rule
documentation_complete: true

title: 'Disable ypbind Service'

description: |-
    The ypbind service, which allows the system to act as a client in a NIS or
    NIS+ domain, should be disabled.

rationale: |-
    Disabling the ypbind service ensures the system is not acting as a client
    in a NIS or NIS+ domain.

severity: medium

identifiers:
    cce: 26894-6

references:
    disa: 305
    nist: CM-7
    srg: SRG-OS-000096
    stigid: RHEL-06-000221

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/obsolete.group
documentation_complete: true

title: 'Obsolete Services'

description: |-
    This section discusses a number of network-visible services which have
    historically caused problems for system security, and for which disabling
    or severely limiting the service has been the best available guidance for
    some time. As a result of this, many of these services are not installed
    as part of Red Hat Enterprise Linux 6 by default.

    Organizations which are running these services should switch to more
    secure equivalents as soon as possible. If it remains absolutely necessary
    to run one of these services for legacy reasons, care should be taken to
    restrict the service as much as possible, for instance by configuring host
    firewall software such as iptables to restrict access to the vulnerable
    service to only those remote hosts which have a known need to use it.

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/r_services/no_rsh_trust_files.rule
documentation_complete: true

title: 'Remove Rsh Trust Files'

description: |-
    The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory)
    list remote hosts and users that are trusted by the local system when
    using the rshd daemon. To remove these files, run the following commands
    to delete them (the second one in every user's home directory):
    $ sudo rm /etc/hosts.equiv
    $ rm ~/.rhosts

rationale: |-
    Trust files are convenient, but when used in conjunction with the
    R-services, they can allow unauthenticated access to a system.

severity: high

identifiers:
    cce: 27270-8

references:
    disa: 1436
    nist: CM-7
    srg: SRG-OS-000248
    stigid: RHEL-06-000019

ocil_clause: 'these files exist'

ocil: |-
    The existence of the file /etc/hosts.equiv or a file named .rhosts inside
    a user home directory indicates the presence of an Rsh trust relationship.

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/r_services/package_rsh-server_removed.rule
documentation_complete: true

title: 'Uninstall rsh-server Package'

description: |-
    The rsh-server package can be uninstalled with the following command:
    $ sudo yum erase rsh-server

rationale: |-
    The rsh-server package provides several obsolete and insecure network
    services. Removing it decreases the risk of those services' accidental (or
    intentional) activation.

severity: high

identifiers:
    cce: 27062-9

references:
    disa: 305,381
    nist: CM-7
    srg: SRG-OS-000095
    stigid: RHEL-06-000213

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/r_services/package_rsh_removed.rule
documentation_complete: true

title: 'Uninstall rsh Package'

description: |-
    The rsh package contains the client commands for the rsh services.

rationale: |-
    These legacy clients contain numerous security exposures and have been
    replaced with the more secure SSH package. Even if the server is removed,
    it is best to ensure the clients are also removed to prevent users from
    inadvertently attempting to use these commands and therefore exposing
    their credentials. Note that removing the rsh package removes the clients
    for rsh, rcp, and rlogin.

severity: unknown

identifiers:
    cce: 27359-9

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/r_services/r_services.group
documentation_complete: true

title: 'Rlogin, Rsh, and Rexec'

description: |-
    The Berkeley r-commands are legacy services which allow cleartext remote
    access and have an insecure trust model.

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/r_services/service_rexec_disabled.rule
documentation_complete: true

title: 'Disable rexec Service'

description: |-
    The rexec service, which is available with the rsh-server package and runs
    as a service through xinetd, should be disabled.

rationale: |-
    The rexec service uses unencrypted network communications, which means
    that data from the login session, including passwords and all other
    information transmitted during the session, can be stolen by eavesdroppers
    on the network.

severity: high

identifiers:
    cce: 27208-8

references:
    disa: 68,1436
    nist: CM-7
    srg: SRG-OS-000033
    stigid: RHEL-06-000216

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/r_services/service_rlogin_disabled.rule
documentation_complete: true

title: 'Disable rlogin Service'

description: |-
    The rlogin service, which is available with the rsh-server package and
    runs as a service through xinetd, should be disabled.

rationale: |-
    The rlogin service uses unencrypted network communications, which means
    that data from the login session, including passwords and all other
    information transmitted during the session, can be stolen by eavesdroppers
    on the network.

severity: high

identifiers:
    cce: 26865-6

references:
    disa: 1436
    nist: CM-7,IA-5(1)(c)
    srg: SRG-OS-000248
    stigid: RHEL-06-000218

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/r_services/service_rsh_disabled.rule
documentation_complete: true

title: 'Disable rsh Service'

description: |-
    The rsh service, which is available with the rsh-server package and runs
    as a service through xinetd, should be disabled.

rationale: |-
    The rsh service uses unencrypted network communications, which means that
    data from the login session, including passwords and all other information
    transmitted during the session, can be stolen by eavesdroppers on the
    network.

severity: high

identifiers:
    cce: 26994-4

references:
    disa: 68,1436
    nist: CM-7,IA-5(1)(c)
    srg: SRG-OS-000033
    stigid: RHEL-06-000214

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/talk/package_talk-server_removed.rule
documentation_complete: true

title: 'Uninstall talk-server Package'

description: ''

rationale: |-
    The talk software presents a security risk as it uses unencrypted
    protocols for communications. Removing the talk-server package decreases
    the risk of the accidental (or intentional) activation of talk services.

severity: medium

identifiers:
    cce: 27427-4

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/talk/package_talk_removed.rule
documentation_complete: true

title: 'Uninstall talk Package'

description: |-
    The talk package contains the client program for the Internet talk
    protocol, which allows the user to chat with other users on different
    systems. Talk is a communication program which copies lines from one
    terminal to the terminal of another user.

rationale: |-
    The talk software presents a security risk as it uses unencrypted
    protocols for communications. Removing the talk package decreases the risk
    of the accidental (or intentional) activation of the talk client program.

severity: unknown

identifiers:
    cce: 27373-0

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/talk/talk.group
documentation_complete: true

title: 'Chat/Messaging Services'

description: |-
    The talk software makes it possible for users to send and receive
    messages across systems through a terminal session.
# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/telnet/package_telnet-server_removed.rule
documentation_complete: true

title: 'Uninstall telnet-server Package'

description: |-
    The telnet-server package can be uninstalled with the following command:
    $ sudo yum erase telnet-server

rationale: |-
    Removing the telnet-server package decreases the risk of the telnet
    service's accidental (or intentional) activation.

severity: high

identifiers:
    cce: 27073-6

references:
    disa: 305,381
    nist: CM-7
    srg: SRG-OS-000095
    stigid: RHEL-06-000206

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/telnet/package_telnet_removed.rule
documentation_complete: true

title: 'Remove telnet Clients'

description: |-
    The telnet client allows users to start connections to other systems via
    the telnet protocol.

rationale: |-
    The telnet protocol is insecure and unencrypted. The use of an unencrypted
    transmission medium could allow an unauthorized user to steal credentials.
    The ssh package provides an encrypted session and stronger security and is
    included in Red Hat Enterprise Linux.

severity: low

identifiers:
    cce: 27428-2

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/telnet/service_telnetd_disabled.rule
documentation_complete: true

title: 'Disable telnet Service'

description: ''

rationale: |-
    The telnet protocol uses unencrypted network communication, which means
    that data from the login session, including passwords and all other
    information transmitted during the session, can be stolen by eavesdroppers
    on the network. The telnet protocol is also subject to man-in-the-middle
    attacks.

severity: high

identifiers:
    cce: 26836-7

references:
    disa: 68,1436,197,877,888
    nist: CM-7,IA-5(1)(c)
    srg: SRG-OS-000129
    stigid: RHEL-06-000211

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/telnet/telnet.group
documentation_complete: true

title: Telnet

description: |-
    The telnet protocol does not provide confidentiality or integrity for
    information transmitted on the network. This includes authentication
    information such as passwords. Organizations which use telnet should be
    actively working to migrate to a more secure protocol.

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/tftp/package_tftp-server_removed.rule
documentation_complete: true

title: 'Uninstall tftp-server Package'

description: ''

rationale: |-
    Removing the tftp-server package decreases the risk of the accidental (or
    intentional) activation of tftp services.

severity: medium

identifiers:
    cce: 26946-4

references:
    disa: 305
    nist: CM-7
    srg: SRG-OS-000095
    stigid: RHEL-06-000222

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/tftp/package_tftp_removed.rule
documentation_complete: true

title: 'Remove tftp'

description: |-
    Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
    typically used to automatically transfer configuration or boot files
    between systems. TFTP does not support authentication and is easily
    abused. The package tftp is a client program that allows for connections
    to a tftp server.

rationale: |-
    It is recommended that TFTP be removed, unless there is a specific need
    for TFTP (such as a boot server). In that case, use extreme caution when
    configuring the services.

severity: unknown

identifiers:
    cce: 27448-0

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/tftp/service_tftp_disabled.rule
documentation_complete: true

title: 'Disable tftp Service'

description: |-
    The tftp service should be disabled.

rationale: |-
    Disabling the tftp service ensures the system is not acting as a TFTP
    server, which does not provide encryption or authentication.

severity: medium

identifiers:
    cce: 27055-3

references:
    disa: 1436
    nist: CM-7
    srg: SRG-OS-000248
    stigid: RHEL-06-000223

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/tftp/tftp.group
documentation_complete: true

title: 'TFTP Server'

description: |-
    TFTP is a lightweight version of the FTP protocol which has traditionally
    been used to configure networking equipment. However, TFTP provides little
    security, and modern versions of networking operating systems frequently
    support configuration via SSH or other more secure protocols. A TFTP
    server should be run only if no more secure method of supporting existing
    equipment can be found.

# scap-security-guide-0.1.39/rhel6/guide/services/obsolete/tftp/tftpd_uses_secure_mode.rule
documentation_complete: true

title: 'Ensure tftp Daemon Uses Secure Mode'

description: |-
    If running the tftp service is necessary, it should be configured to
    change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp
    includes -s as a command line argument, as shown in the following example
    (which is also the default):
    server_args = -s /var/lib/tftpboot

rationale: |-
    Using the -s option causes the TFTP service to only serve files from the
    given directory. Serving files from an intentionally-specified directory
    reduces the risk of sharing files which should remain private.

severity: high

identifiers:
    cce: 27272-4

references:
    disa: 366
    nist: CM-7
    srg: SRG-OS-999999
    stigid: RHEL-06-000338

ocil_clause: 'this flag is missing'

ocil: |-
    If TFTP is not installed, this is not applicable. To determine if TFTP is
    installed, run the following command:
    $ rpm -qa | grep tftp

    Verify tftp is configured with the -s option by running the following
    command:
    grep "server_args" /etc/xinetd.d/tftp
    The output should indicate the server_args variable is configured with
    the -s flag, matching the example below:
    $ grep "server_args" /etc/xinetd.d/tftp
    server_args = -s /var/lib/tftpboot
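The xinetd service file that the check above greps is small enough to parse properly, which also catches "server_args +=" appends and a "disable" attribute that the grep ignores. The following Python check is an added example written for this edit, not scap-security-guide code; the two service files it reads are constructed (the first mirrors the default layout described above, the second is a weakened one). It evaluates both rules of this group together: "disable = yes" for service_tftp_disabled and "-s" in server_args for tftpd_uses_secure_mode. The -s option of in.tftpd is a flag; the served directory is the positional argument that follows it.

```python
import re
import shlex

_ASSIGN_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")

# Constructed service files; the first mirrors the default layout described above.
TFTP_DEFAULT = """\
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /var/lib/tftpboot
        disable                 = yes
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}
"""

TFTP_WEAK = """\
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -c /var/lib/tftpboot   # allow uploads, no chroot
        disable                 = no
}
"""


def parse_xinetd_service(text):
    """Return {attribute: value} for the first 'service name { ... }' block.

    xinetd.conf(5) allows '=', '+=' (append) and '-=' (remove the listed
    tokens); comments start with '#'.
    """
    attrs = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not in_block:
            if line.startswith("service "):
                attrs["service"] = line.split()[1]
                in_block = True
            continue
        if line == "{":
            continue
        if line == "}":
            break
        m = _ASSIGN_RE.match(line)
        if not m:
            continue
        key, op, value = m.groups()
        if op == "=":
            attrs[key] = value
        elif op == "+=":
            attrs[key] = (attrs.get(key, "") + " " + value).strip()
        else:
            drop = set(value.split())
            attrs[key] = " ".join(t for t in attrs.get(key, "").split() if t not in drop)
    return attrs


def audit_tftp(text):
    """Evaluate service_tftp_disabled and tftpd_uses_secure_mode for one service file."""
    attrs = parse_xinetd_service(text)
    args = shlex.split(attrs.get("server_args", ""))
    return {
        "service": attrs.get("service"),
        # xinetd treats a missing 'disable' as 'no', i.e. the service is enabled.
        "disabled": attrs.get("disable", "no").lower() == "yes",
        "secure_mode": "-s" in args or "--secure" in args,
        "server_args": args,
    }


if __name__ == "__main__":
    print(audit_tftp(TFTP_DEFAULT))
    print(audit_tftp(TFTP_WEAK))
```

On a live system call `audit_tftp(open("/etc/xinetd.d/tftp").read())` after confirming the package is installed, as the ocil text above does; a file that sets "disable = yes" passes the first rule regardless of server_args, and the secure-mode result only matters when the service is actually enabled.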
# scap-security-guide-0.1.39/rhel6/guide/services/printing/configure_printing/configure_printing.group
documentation_complete: true

title: 'Configure the CUPS Service if Necessary'

description: |-
    CUPS provides the ability to easily share local printers with other
    systems over the network. It does this by allowing systems to share lists
    of available printers. Additionally, each system that runs the CUPS
    service can potentially act as a print server. Whenever possible, the
    printer sharing and print server capabilities of CUPS should be limited or
    disabled. The following recommendations should demonstrate how to do just
    that.

# scap-security-guide-0.1.39/rhel6/guide/services/printing/configure_printing/cups_disable_browsing.rule
documentation_complete: true

title: 'Disable Printer Browsing Entirely if Possible'

description: |-
    By default, CUPS listens on the network for printer list broadcasts on UDP
    port 631. This functionality is called printer browsing. To disable
    printer browsing entirely, edit the CUPS configuration file, located at
    /etc/cups/cupsd.conf, to include the following:
    Browsing Off

rationale: |-
    The CUPS print service can be configured to broadcast a list of available
    printers to the network. Other systems on the network, also running the
    CUPS print service, can be configured to listen to these broadcasts and
    add and configure these printers for immediate use. By disabling this
    browsing capability, the system will no longer generate or receive such
    broadcasts.

severity: unknown

identifiers:
    cce: 27108-0

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/services/printing/configure_printing/cups_disable_printserver.rule
documentation_complete: true

title: 'Disable Print Server Capabilities'

description: |-
    To prevent remote users from potentially connecting to and using locally
    configured printers, disable the CUPS print server sharing capabilities.
    To do so, limit how the server will listen for print jobs by removing the
    more generic port directive from /etc/cups/cupsd.conf:
    Port 631
    and replacing it with the Listen directive:
    Listen localhost:631
    This will prevent remote users from printing to locally configured
    printers while still allowing local users on the system to print normally.

rationale: |-
    By default, locally configured printers will not be shared over the
    network, but if this functionality has somehow been enabled, these
    recommendations will disable it again. Be sure to disable outgoing printer
    list broadcasts, or remote users will still be able to see the locally
    configured printers, even if they cannot actually print to them. To limit
    print serving to a particular set of users, use the Policy directive.

severity: unknown

identifiers:
    cce: 27107-2

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/services/printing/printing.group
documentation_complete: true

title: 'Print Support'

description: |-
    The Common Unix Printing System (CUPS) service provides both local and
    network printing support. A system running the CUPS service can accept
    print jobs from other systems, process them, and send them to the
    appropriate printer. It also provides an interface for remote
    administration through a web browser. The CUPS service is installed and
    activated by default. The project homepage and more detailed documentation
    are available at .

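The two cupsd.conf rules in this group (Browsing Off, and Listen localhost:631 in place of Port 631) can be checked from one parse of the file. The following Python check is an added example written for this edit, not scap-security-guide or CUPS code; both configuration samples are constructed, the first sharing printers the way the rules warn against and the second being the hardened form they describe. It reads only top-level directives, skipping <Location> and <Policy> sections, and treats any Port directive as a listener on all interfaces, which is why the rule above replaces it with a localhost Listen.

```python
# Constructed cupsd.conf samples; the first shares printers on the network,
# the second is the hardened configuration the two rules describe.
WEAK_CUPSD_CONF = """\
LogLevel warning
Browsing On
BrowseOrder allow,deny
BrowseAllow all
Port 631
Listen /var/run/cups/cups.sock
<Location />
  Order allow,deny
</Location>
"""

HARDENED_CUPSD_CONF = """\
LogLevel warning
Browsing Off
Listen localhost:631
Listen /var/run/cups/cups.sock
<Location />
  Order allow,deny
</Location>
"""

LOCAL_LISTENERS = ("localhost", "127.0.0.1", "::1")


def parse_cupsd(text):
    """Return {directive_lower: [values]} for top-level directives only.

    Directives such as Port and Listen may repeat, hence lists; anything
    inside <Location>, <Policy> or <Limit> sections is skipped.
    """
    directives = {}
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            depth -= 1
            continue
        if line.startswith("<"):
            depth += 1
            continue
        if depth:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(parts[0].lower(), []).append(value)
    return directives


def is_local_listener(spec):
    """Listen values: 'host:port', '[ipv6]:port', '*:port', or a UNIX socket path."""
    if spec.startswith("/"):
        return True                     # domain socket: local by construction
    if spec.startswith("["):
        host = spec.split("]", 1)[0][1:]
    else:
        host = spec.rsplit(":", 1)[0] if ":" in spec else spec
    return host in LOCAL_LISTENERS


def audit_cupsd(text):
    """Evaluate cups_disable_browsing and cups_disable_printserver."""
    d = parse_cupsd(text)
    browsing = [v.lower() for v in d.get("browsing", [])]
    listeners = d.get("listen", [])
    ports = d.get("port", [])
    return {
        # CUPS 1.x defaults Browsing to On, so an absent directive does not
        # pass; if it is repeated, the last occurrence wins.
        "browsing_off": bool(browsing) and browsing[-1] == "off",
        # Port N binds every interface, so any Port directive fails the rule.
        "local_only": not ports and bool(listeners) and all(is_local_listener(l) for l in listeners),
    }


if __name__ == "__main__":
    print("weak:", audit_cupsd(WEAK_CUPSD_CONF))
    print("hardened:", audit_cupsd(HARDENED_CUPSD_CONF))
```

The "local_only" result requires that every Listen value is loopback or a domain socket and that no Port directive remains; a single "Listen *:631" or "Listen 0.0.0.0:631" left behind after the Port line is removed would still expose the print server and is reported as a failure.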
scap-security-guide-0.1.39/rhel6/guide/services/printing/service_cups_disabled.rule
documentation_complete: true
title: 'Disable the CUPS Service'
description: ''
rationale: 'Turn off unneeded services to reduce attack surface.'
severity: unknown
identifiers:
    cce: 26899-5
references:
    nist: CM-7
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/proxy/disabling_squid/disabling_squid.group
documentation_complete: true
title: 'Disable Squid if Possible'
description: |-
    If Squid was installed and activated, but the system does not need to act
    as a proxy server, then it should be disabled and removed.

scap-security-guide-0.1.39/rhel6/guide/services/proxy/disabling_squid/package_squid_removed.rule
documentation_complete: true
title: 'Uninstall squid Package'
description: ''
rationale: |-
    If there is no need to make the proxy server software available,
    removing it provides a safeguard against its activation.
severity: unknown
identifiers:
    cce: 26977-9
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/proxy/disabling_squid/service_squid_disabled.rule
documentation_complete: true
title: 'Disable Squid'
description: ''
rationale: |-
    Running proxy server software provides a network-based avenue of attack,
    and should be removed if not needed.
severity: unknown
identifiers:
    cce: 27146-0
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/proxy/proxy.group
documentation_complete: true
title: 'Proxy Server'
description: |-
    A proxy server is a very desirable target for a potential adversary because
    much (or all) sensitive data for a given infrastructure may flow through it.
    Therefore, if one is required, the system acting as a proxy server should be
    dedicated to that purpose alone and be stored in a physically secure location.
    The system's default proxy server software is Squid, and it is provided in an
    RPM package of the same name.

scap-security-guide-0.1.39/rhel6/guide/services/services.group
documentation_complete: true
title: Services
description: |-
    The best protection against vulnerable software is running less software.
    This section describes how to review the software which installs on a system
    and disable software which is not needed. It then enumerates the software
    packages installed on a default system and provides guidance about which ones
    can be safely disabled.

    provides a convenient minimal install option that essentially installs the
    bare necessities for a functional system. When building systems, it is highly
    recommended to select the minimal packages and then build up the system from
    there.

scap-security-guide-0.1.39/rhel6/guide/services/smb/configuring_samba/configuring_samba.group
documentation_complete: true
title: 'Configure Samba if Necessary'
description: |-
    All settings for the Samba daemon can be found in /etc/samba/smb.conf.
    Settings are divided between a [global] configuration section and a series of
    user created share definition sections meant to describe file or print shares
    on the system. By default, Samba will operate in user mode and allow client
    systems to access local home directories and printers. It is recommended that
    these settings be changed or that additional limitations be set in place.

scap-security-guide-0.1.39/rhel6/guide/services/smb/configuring_samba/mount_option_smb_client_signing.rule
documentation_complete: true
title: 'Require Client SMB Packet Signing, if using mount.cifs'
description: |-
    Require packet signing of clients who mount Samba shares using the mount.cifs
    program (e.g., those who specify shares in /etc/fstab). To do so, ensure
    signing options (either sec=krb5i or sec=ntlmv2i) are used.

    See the mount.cifs(8) man page for more information. A Samba client should
    only communicate with servers who can support SMB packet signing.
rationale: |-
    Packet signing can prevent man-in-the-middle attacks which modify SMB packets
    in transit.
severity: unknown
identifiers:
    cce: 26792-2
references:
    srg: SRG-OS-999999
    stigid: RHEL-06-000273
ocil_clause: 'it does not'
ocil: |-
    To verify that Samba clients using mount.cifs must use packet signing, run
    the following command:
    $ grep sec /etc/fstab
    The output should show either krb5i or ntlmv2i in use.

scap-security-guide-0.1.39/rhel6/guide/services/smb/configuring_samba/package_samba-common_installed.rule
documentation_complete: true
title: 'Install the Samba Common Package'
description: |-
    The samba-common package should be installed.
rationale: 'If the samba-common package is not installed, samba cannot be configured.'
severity: medium
identifiers:
    cce: RHEL6-CCE-TBD
ocil_clause: 'the package is not installed'
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/smb/configuring_samba/require_smb_client_signing.rule
documentation_complete: true
title: 'Require Client SMB Packet Signing, if using smbclient'
description: |-
    To require samba clients running smbclient to use packet signing, add the
    following to the [global] section of the Samba configuration file,
    /etc/samba/smb.conf:
    client signing = mandatory
    Requiring samba clients such as smbclient to use packet signing ensures they
    can only communicate with servers that support packet signing.
rationale: |-
    Packet signing can prevent man-in-the-middle attacks which modify SMB packets
    in transit.
severity: unknown
identifiers:
    cce: 26328-5
references:
    srg: SRG-OS-999999
    stigid: RHEL-06-000272
ocil_clause: 'it is not'
ocil: |-
    To verify that Samba clients running smbclient must use packet signing, run
    the following command:
    $ grep signing /etc/samba/smb.conf
    The output should show:
    client signing = mandatory
scap-security-guide-0.1.39/rhel6/guide/services/smb/configuring_samba/smb_disable_printing/smb_disable_printing.group
documentation_complete: true
title: 'Restrict Printer Sharing'
description: |-
    By default, Samba utilizes the CUPS printing service to enable printer
    sharing with Microsoft Windows workstations. If there are no printers on the
    local system, or if printer sharing with Microsoft Windows is not required,
    disable the printer sharing capability by commenting out the following lines,
    found in /etc/samba/smb.conf:
    [global]
        load printers = yes
        cups options = raw
    [printers]
        comment = All Printers
        path = /usr/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes
    There may be other options present, but these are the only options enabled
    and uncommented by default. Removing the [printers] share should be enough
    for most users. If the Samba printer sharing capability is needed, consider
    disabling the Samba network browsing capability or restricting access to a
    particular set of users or network addresses. Set the valid users parameter
    to a small subset of users or restrict it to a particular group of users with
    the shorthand @. Separate each user or group of users with a space. For
    example, under the [printers] share:
    [printers]
        valid users = user @printerusers
scap-security-guide-0.1.39/rhel6/guide/services/smb/configuring_samba/smb_restrict_file_sharing/smb_restrict_file_sharing.group
documentation_complete: true
title: 'Restrict SMB File Sharing to Configured Networks'
description: |-
    Only users with local user accounts will be able to log in to Samba shares by
    default. Shares can be limited to particular users or network addresses. Use
    the hosts allow and hosts deny directives accordingly, and consider setting
    the valid users directive to a limited subset of users or to a group of
    users. Separate each address, user, or user group with a space as follows for
    a particular share or global:
    [share]
        hosts allow = 192.168.1. 127.0.0.1
        valid users = userone usertwo @usergroup
    It is also possible to limit read and write access to particular users with
    the read list and write list options, though the permissions set by the
    system itself will override these settings. Set the read only attribute for
    each share to ensure that global settings will not accidentally override the
    individual share settings. Then, as with the valid users directive, separate
    each user or group of users with a space:
    [share]
        read only = yes
        write list = userone usertwo @usergroup
scap-security-guide-0.1.39/rhel6/guide/services/smb/configuring_samba/smb_server_disable_root.rule
documentation_complete: true
title: 'Disable Root Access to SMB Shares'
description: |-
    Administrators should not use administrator accounts to access Samba file and
    printer shares. Disable the root user and the wheel administrator group:
    [share]
        invalid users = root @wheel
    If administrator accounts cannot be disabled, ensure that local system
    passwords and Samba service passwords do not match.
rationale: |-
    Typically, administrator access is required when Samba must create user and
    system accounts and shares. Domain member servers and standalone servers may
    not need administrator access at all. If that is the case, add the invalid
    users parameter to [global] instead.
severity: unknown
identifiers:
    cce: 27533-9

scap-security-guide-0.1.39/rhel6/guide/services/smb/disabling_samba/disabling_samba.group
documentation_complete: true
title: 'Disable Samba if Possible'
description: |-
    Even after the Samba server package has been installed, it will remain
    disabled. Do not enable this service unless it is absolutely necessary to
    provide Microsoft Windows file and print sharing functionality.

scap-security-guide-0.1.39/rhel6/guide/services/smb/disabling_samba/package_samba_removed.rule
documentation_complete: true
title: 'Uninstall samba Package'
description: ''
rationale: |-
    If there is no need to mount directories and file systems to Windows systems,
    then this service can be deleted to reduce the potential attack surface.
severity: unknown
identifiers:
    cce: CCE-27102-3
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/smb/disabling_samba/service_smb_disabled.rule
documentation_complete: true
title: 'Disable Samba'
description: ''
rationale: |-
    Running a Samba server provides a network-based avenue of attack, and should
    be disabled if not needed.
severity: unknown
identifiers:
    cce: 27143-7
references:
    disa: 1436
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/smb/smb.group
documentation_complete: true
title: 'Samba (SMB) Microsoft Windows File Sharing Server'
description: |-
    When properly configured, the Samba service allows Linux systems to provide
    file and print sharing to Microsoft Windows systems. There are two software
    packages that provide Samba support. The first, samba-client, provides a
    series of command line tools that enable a client system to access Samba
    shares. The second, simply labeled samba, provides the Samba service. It is
    this second package that allows a Linux system to act as an Active Directory
    server, a domain controller, or as a domain member. Only the samba-client
    package is installed by default.

scap-security-guide-0.1.39/rhel6/guide/services/snmp/disabling_snmp_service/disabling_snmp_service.group
documentation_complete: true
title: 'Disable SNMP Server if Possible'
description: |-
    The system includes an SNMP daemon that allows for its remote monitoring,
    though it is not installed by default. If it was installed and activated but
    is not needed, the software should be disabled and removed.

scap-security-guide-0.1.39/rhel6/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed.rule
documentation_complete: true
title: 'Uninstall net-snmp Package'
description: |-
    The net-snmp package provides the snmpd service.
rationale: |-
    If there is no need to run SNMP server software, removing the package
    provides a safeguard against its activation.
severity: unknown
identifiers:
    cce: 26332-7
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled.rule
documentation_complete: true
title: 'Disable snmpd Service'
description: ''
rationale: |-
    Running SNMP software provides a network-based avenue of attack, and should
    be disabled if not needed.
severity: unknown
identifiers:
    cce: 26906-8
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/snmp/snmp.group
documentation_complete: true
title: 'SNMP Server'
description: |-
    The Simple Network Management Protocol allows administrators to monitor the
    state of network devices, including computers. Older versions of SNMP were
    well-known for weak security, such as plaintext transmission of the community
    string (used for authentication) and usage of easily-guessable choices for
    the community string.

scap-security-guide-0.1.39/rhel6/guide/services/snmp/snmp_configure_server/snmp_configure_server.group
documentation_complete: true
title: 'Configure SNMP Server if Necessary'
description: |-
    If it is necessary to run the snmpd agent on the system, some best practices
    should be followed to minimize the security risk from the installation. The
    multiple security models implemented by SNMP cannot be fully covered here so
    only the following general configuration advice can be offered:
    • use only SNMP version 3 security models and enable the use of
      authentication and encryption
    • write access to the MIB (Management Information Base) should be allowed
      only if necessary
    • all access to the MIB should be restricted following a principle of least
      privilege
    • network access should be limited to the maximum extent possible including
      restricting to expected network addresses both in the configuration files
      and in the system firewall rules
    • ensure SNMP agents send traps only to, and accept SNMP queries only from,
      authorized management stations
    • ensure that permissions on the snmpd.conf configuration file (by default,
      in /etc/snmp) are 640 or more restrictive
    • ensure that any MIB files' permissions are also 640 or more restrictive
scap-security-guide-0.1.39/rhel6/guide/services/snmp/snmp_configure_server/snmpd_not_default_password.rule
documentation_complete: true
title: 'Ensure Default Password Is Not Used'
description: |-
    Edit /etc/snmp/snmpd.conf, remove default community string public.
    Upon doing that, restart the SNMP service:
    $ sudo service snmpd restart
rationale: |-
    Presence of the default SNMP password enables querying of different system
    aspects and could result in unauthorized knowledge of the system.
severity: high
identifiers:
    cce: 27593-3
references:
    srg: SRG-OS-999999
    stigid: RHEL-06-000341
ocil_clause: 'there is output'
ocil: |-
    To ensure the default password is not set, run the following command:
    $ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep public
    There should be no output.

scap-security-guide-0.1.39/rhel6/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol.rule
documentation_complete: true
title: 'Configure SNMP Service to Use Only SNMPv3 or Newer'
description: |-
    Edit /etc/snmp/snmpd.conf, removing any references to rocommunity,
    rwcommunity, or com2sec. Upon doing that, restart the SNMP service:
    $ sudo service snmpd restart
rationale: |-
    Earlier versions of SNMP are considered insecure, as they potentially allow
    unauthorized access to detailed system management information.
severity: medium
identifiers:
    cce: 27365-6
references:
    srg: SRG-OS-999999
    stigid: RHEL-06-000340
ocil_clause: 'there is output'
ocil: |-
    To ensure only SNMPv3 or newer is used, run the following command:
    $ sudo grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"
    There should be no output.

scap-security-guide-0.1.39/rhel6/guide/services/ssh/iptables_sshd_disabled.rule
documentation_complete: true
title: 'Remove SSH Server iptables Firewall exception (Unusual)'
description: |-
    By default, inbound connections to SSH's port are allowed. If the SSH server
    is not being used, this exception should be removed from the firewall
    configuration.

    Edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6
    is in use). In each file, locate and delete the line:
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    This is unusual, as SSH is a common method for encrypted and authenticated
    remote access.
rationale: |-
    If inbound SSH connections are not expected, disallowing access to the SSH
    port will avoid possible exploitation of the port by an attacker.
severity: unknown
identifiers:
    cce: 27060-3

scap-security-guide-0.1.39/rhel6/guide/services/ssh/service_sshd_disabled.rule
documentation_complete: true
title: 'Disable SSH Server If Possible (Unusual)'
description: |-
    The SSH server service, sshd, is commonly needed. However, if it can be
    disabled, do so. This is unusual, as SSH is a common method for encrypted and
    authenticated remote access.
rationale: ""
severity: unknown
identifiers:
    cce: 27054-6

scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh.group
documentation_complete: true
title: 'SSH Server'
description: |-
    The SSH protocol is recommended for remote login and remote file transfer.
    SSH provides confidentiality and integrity for data exchanged between two
    systems, as well as server authentication, through the use of public key
    cryptography. The implementation included with the system is called OpenSSH,
    and more detailed documentation is available from its website, . Its server
    program is called sshd and is provided by the RPM package openssh-server.

scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/disable_host_auth.rule
documentation_complete: true
title: 'Disable Host-Based Authentication'
description: |-
    SSH's cryptographic host-based authentication is more secure than .rhosts
    authentication. However, it is not recommended that hosts unilaterally trust
    one another, even within an organization.

    To disable host-based authentication, add or correct the following line in
    /etc/ssh/sshd_config:
    HostbasedAuthentication no
rationale: |-
    SSH trust relationships mean a compromise on one host can allow an attacker
    to move trivially to other hosts.
severity: medium
identifiers:
    cce: 27091-8
references:
    disa: 765,766
    nist: AC-3
    srg: SRG-OS-000106
    stigid: RHEL-06-000236
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/ssh_server.group
documentation_complete: true
title: 'Configure OpenSSH Server if Necessary'
description: |-
    If the system needs to act as an SSH server, then certain changes should be
    made to the OpenSSH daemon configuration file /etc/ssh/sshd_config. The
    following recommendations can be applied to this file. See the
    sshd_config(5) man page for more detailed information.

scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_allow_only_protocol2.rule
documentation_complete: true
title: 'Allow Only SSH Protocol 2'
description: |-
    Only SSH protocol version 2 connections should be permitted. The default
    setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring
    that the following line appears:
    Protocol 2
rationale: |-
    SSH protocol version 1 suffers from design flaws that result in security
    vulnerabilities and should not be used.
severity: high
identifiers:
    cce: 27072-8
references:
    disa: 776,774,1436
    nist: AC-3(10),IA-5(1)(c)
    srg: SRG-OS-000112
    stigid: RHEL-06-000227
ocil_clause: 'it is not'
ocil: |-
    To check which SSH protocol version is allowed, run the following command:
    $ sudo grep Protocol /etc/ssh/sshd_config
    If configured properly, output should be
    Protocol 2
scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_disable_empty_passwords.rule
documentation_complete: true
title: 'Disable SSH Access via Empty Passwords'
description: |-
    To explicitly disallow remote login from accounts with empty passwords, add
    or correct the following line in /etc/ssh/sshd_config:
    PermitEmptyPasswords no
    Any accounts with empty passwords should be disabled immediately, and PAM
    configuration should prevent users from being able to assign themselves
    empty passwords.
rationale: |-
    Configuring this setting for the SSH daemon provides additional assurance
    that remote login via SSH will require a password, even in the event of
    misconfiguration elsewhere.
severity: high
identifiers:
    cce: 26887-0
references:
    disa: 765,766
    nist: AC-3
    srg: SRG-OS-000106
    stigid: RHEL-06-000239
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_disable_rhosts.rule
documentation_complete: true
title: 'Disable SSH Support for .rhosts Files'
description: |-
    SSH can emulate the behavior of the obsolete rsh command in allowing users
    to enable insecure access to their accounts via .rhosts files.

    To ensure this behavior is disabled, add or correct the following line in
    /etc/ssh/sshd_config:
    IgnoreRhosts yes
rationale: |-
    SSH trust relationships mean a compromise on one host can allow an attacker
    to move trivially to other hosts.
severity: medium
identifiers:
    cce: 27124-7
references:
    disa: 765,766
    nist: AC-3
    srg: SRG-OS-000106
    stigid: RHEL-06-000234
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_disable_root_login.rule
documentation_complete: true
title: 'Disable SSH Root Login'
description: |-
    The root user should never be allowed to login to a system directly over a
    network. To disable root login via SSH, add or correct the following line in
    /etc/ssh/sshd_config:
    PermitRootLogin no
rationale: |-
    Permitting direct root login reduces auditable information about who ran
    privileged commands on the system and also allows direct attack attempts on
    root's password.
severity: medium
identifiers:
    cce: 27100-7
references:
    disa: 770
    nist: AC-3,AC-6(2),IA-2(1)
    srg: SRG-OS-000109
    stigid: RHEL-06-000237
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env.rule
documentation_complete: true
title: 'Do Not Allow SSH Environment Options'
description: |-
    To ensure users are not able to present environment options to the SSH
    daemon, add or correct the following line in /etc/ssh/sshd_config:
    PermitUserEnvironment no
rationale: |-
    SSH environment options potentially allow users to bypass access restriction
    in some configurations.
severity: unknown
identifiers:
    cce: 27201-3
references:
    disa: 1414
    srg: SRG-OS-000242
    stigid: RHEL-06-000241
ocil_clause: 'it is not'
ocil: |-
    To ensure users are not able to present environment options to the SSH
    daemon, run the following command:
    $ sudo grep PermitUserEnvironment /etc/ssh/sshd_config
    If properly configured, output should be:
    PermitUserEnvironment no
scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_enable_warning_banner.rule
documentation_complete: true
title: 'Enable SSH Warning Banner'
description: |-
    To enable the warning banner and ensure it is consistent across the system,
    add or correct the following line in /etc/ssh/sshd_config:
    Banner /etc/issue
    Another section contains information on how to create an appropriate
    system-wide warning banner.
rationale: |-
    The warning message reinforces policy awareness during the login process and
    facilitates possible legal action against attackers. Alternatively, systems
    whose ownership should not be obvious should ensure usage of a banner that
    does not provide easy attribution.
severity: medium
identifiers:
    cce: 27112-2
references:
    disa: 48
    nist: AC-8(a)
    srg: SRG-OS-000023
    stigid: RHEL-06-000240
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_limit_user_access.rule
documentation_complete: true
title: 'Limit Users'' SSH Access'
description: |-
    By default, the SSH configuration allows any user with an account to access
    the system. In order to specify the users that are allowed to login via SSH
    and deny all other users, add or correct the following line in the
    /etc/ssh/sshd_config file:
    DenyUsers USER1 USER2
    Where USER1 and USER2 are valid user names.
rationale: |-
    Specifying which accounts are allowed SSH access into the system reduces the
    possibility of unauthorized access to the system.
severity: unknown
identifiers:
    cce: 27556-0
references:
    disa: ""
    nist: AC-3

scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_print_last_log.rule
documentation_complete: true
title: 'Print Last Log'
description: |-
    When enabled, SSH will display the date and time of the last successful
    account logon. To enable LastLog in SSH, add or correct the following line
    in the /etc/ssh/sshd_config file:
    PrintLastLog yes
rationale: |-
    Providing users feedback on when account accesses last occurred facilitates
    user recognition and reporting of unauthorized account use.
severity: medium
identifiers:
    cce: 80504-4
references:
    disa: 52
    nist: AC-9
    srg: SRG-OS-000025
    stigid: RHEL-06-000507
ocil_clause: 'it is commented out or is not enabled'
ocil: |-
    To check if PrintLastLog is enabled or set correctly, run the following
    command:
    $ sudo grep PrintLastLog /etc/ssh/sshd_config
    If configured properly, output should be
    yes
scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_set_idle_timeout.rule
documentation_complete: true
title: 'Set SSH Idle Timeout Interval'
description: |-
    SSH allows administrators to set an idle timeout interval. After this
    interval has passed, the idle user will be automatically logged out.

    To set an idle timeout interval, edit the following line in
    /etc/ssh/sshd_config as follows:
    ClientAliveInterval 
    The timeout interval is given in seconds. To have a timeout of 15 minutes,
    set interval to 900.

    If a shorter timeout has already been set for the login shell, that value
    will preempt any SSH setting made here. Keep in mind that some processes may
    stop SSH from correctly detecting that the user is idle.
rationale: |-
    Causing idle users to be automatically logged out guards against compromises
    on one system leading trivially to compromises on another.
severity: unknown
identifiers:
    cce: 26919-1
references:
    disa: 879,1133
    nist: AC-2(5),SA-8
    pcidss: Req-8.1.8
    srg: SRG-OS-000163
    stigid: RHEL-06-000230
ocil_clause: 'it is not'
ocil: |-
    Run the following command to see what the timeout interval is:
    $ sudo grep ClientAliveInterval /etc/ssh/sshd_config
    If properly configured, the output should be:
    ClientAliveInterval 900
scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_set_keepalive.rule
documentation_complete: true
title: 'Set SSH Client Alive Count'
description: |-
    To ensure the SSH idle timeout occurs precisely when the
    ClientAliveCountMax is set, edit /etc/ssh/sshd_config as follows:
    ClientAliveCountMax 0
rationale: |-
    This ensures a user login will be terminated as soon as the
    ClientAliveCountMax is reached.
severity: unknown
identifiers:
    cce: 26282-4
references:
    disa: 879,1133
    nist: AC-2(5),SA-8
    srg: SRG-OS-000126
    stigid: RHEL-06-000231
ocil_clause: 'it is not'
ocil: |-
    To ensure the SSH idle timeout will occur when the ClientAliveCountMax is
    set, run the following command:
    $ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
    If properly configured, output should be:
    ClientAliveCountMax 0
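Added example, not part of scap-security-guide: a POSIX sh checker for the sshd_config directives the ssh_server rules above specify (Protocol through ClientAliveCountMax). Unlike the `grep Keyword /etc/ssh/sshd_config` checks in the OCIL text, it reads the value the way sshd does: comment lines skipped, keywords case-insensitive, "Keyword=value" accepted, first occurrence wins. The 1 to 900 second range for ClientAliveInterval and the two sample configurations are this example's own assumptions.

```shell
# Added example, not scap-security-guide code. sshd skips '#' lines, compares
# keywords case-insensitively, accepts "Keyword value" or "Keyword=value" and
# uses the FIRST occurrence of a keyword; `grep Keyword sshd_config` does not.

# effective_value FILE KEYWORD: value sshd uses for KEYWORD in FILE's global
# section (empty if unset); scanning stops at the first conditional Match block.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (tolower(line) ~ /^match[[:space:]]/) exit
            # the keyword ends at the first run of whitespace and/or "="
            if (match(line, /[[:space:]=]+/) == 0) next
            k = tolower(substr(line, 1, RSTART - 1))
            v = substr(line, RSTART + RLENGTH)
            sub(/[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_sshd_config FILE: one "FAIL ..." line per directive whose effective value
# does not satisfy the ssh_server rules above. Accepting 1..900 s for
# ClientAliveInterval is this example's assumption (the rule uses a variable).
check_sshd_config() {
    while IFS='|' read -r keyword expected; do
        actual=$(effective_value "$1" "$keyword")
        case "$keyword" in
            ClientAliveInterval)
                case "$actual" in
                    ''|*[!0-9]*) ok=no ;;               # unset or not a number
                    *) if [ "$actual" -ge 1 ] && [ "$actual" -le 900 ]
                       then ok=yes; else ok=no; fi ;;
                esac ;;
            *) if [ "$actual" = "$expected" ]; then ok=yes; else ok=no; fi ;;
        esac
        [ "$ok" = yes ] || echo "FAIL $keyword: expected '$expected', got '${actual:-<unset>}'"
    done <<EOF
Protocol|2
HostbasedAuthentication|no
IgnoreRhosts|yes
PermitRootLogin|no
PermitEmptyPasswords|no
PermitUserEnvironment|no
Banner|/etc/issue
PrintLastLog|yes
ClientAliveInterval|1-900
ClientAliveCountMax|0
EOF
}

# count_failures FILE: number of FAIL lines (0 means every directive complies)
count_failures() {
    check_sshd_config "$1" | grep -c '^FAIL' || true
}

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Constructed sample: compliant, using spellings sshd accepts but a naive grep
# misses ("=" separator, lower-case keyword) plus a Match block at the end.
good_conf=$tmpdir/sshd_config.good
cat >"$good_conf" <<'EOF'
Protocol=2
hostbasedauthentication no
IgnoreRhosts yes
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Banner /etc/issue
PrintLastLog yes
ClientAliveInterval 900
ClientAliveCountMax 0
Match Address 10.0.0.0/8
    Banner /etc/issue.net
EOF

# Constructed sample: non-compliant in ways `grep Keyword file` reports as fine:
# a commented-out PermitRootLogin above the live one, "protocol 2,1" still
# allowing SSHv1, and a first ClientAliveInterval of 0 that shadows the 900.
bad_conf=$tmpdir/sshd_config.bad
cat >"$bad_conf" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
protocol 2,1
ClientAliveInterval 0
ClientAliveInterval 900
ClientAliveCountMax 0
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PermitUserEnvironment no
Banner /etc/issue
PrintLastLog yes
EOF

check_sshd_config "$bad_conf"    # prints three FAIL lines
echo "findings: good=$(count_failures "$good_conf") bad=$(count_failures "$bad_conf")"
```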
scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_strengthen_firewall/000077500000000000000000000000001327242345500315105ustar00rootroot00000000000000sshd_strengthen_firewall.group000066400000000000000000000015201327242345500375740ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_strengthen_firewalldocumentation_complete: true title: 'Strengthen Firewall Configuration if Possible' description: "If the SSH server is expected to only receive connections from \nthe local network, then strengthen the default firewall rule for the SSH service\nto only accept connections from the appropriate network segment(s).\n

\nDetermine an appropriate network block, netwk, and network mask, mask, \nrepresenting the systems on your network which will be allowed to access this SSH server.\n

\nEdit the files etc/sysconfig/iptables and /etc/sysconfig/ip6tables\n(if IPv6 is in use). In each file, locate the line:\n
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
\nand replace it with:\n
-A INPUT -s netwk/mask -m state --state NEW -p tcp --dport 22 -j ACCEPT
" scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_use_approved_ciphers.rule000066400000000000000000000022271327242345500325470ustar00rootroot00000000000000documentation_complete: true title: 'Use Only Approved Ciphers' description: |- Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved ciphers:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
The man page sshd_config(5) contains a list of supported ciphers. rationale: |- Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. severity: medium identifiers: cce: 26555-3 references: disa: 803,1144,1145,1146 nist: AC-3,AC-17(2),SI-7,IA-5(1)(c),IA-7 srg: SRG-OS-000169 stigid: RHEL-06-000243 ocil_clause: 'that is not the case' ocil: "Only FIPS-approved ciphers should be used. To verify that only FIPS-approved \nciphers are in use, run the following command:\n
$ sudo grep Ciphers /etc/ssh/sshd_config
    The output should contain only those ciphers which are FIPS-approved, namely, the
    AES and 3DES ciphers."

scap-security-guide-0.1.39/rhel6/guide/services/ssh/ssh_server/sshd_use_approved_macs.rule

documentation_complete: true

title: 'Use Only Approved MACs'

description: |-
    Limit the MACs to those hash algorithms which are FIPS-approved.
    The following line in /etc/ssh/sshd_config demonstrates use of FIPS-approved MACs:
    MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
    The man page sshd_config(5) contains a list of supported MACs.

rationale: |-
    Approved algorithms should impart some level of confidence in their implementation.
    These are also required for compliance.

severity: unknown

references:
    disa: 68,1453,803,2449,2450
    nist: AC-17(2),IA-7,SC-13

ocil_clause: 'that is not the case'

ocil: |-
    Only FIPS-approved MACs should be used. To verify that only FIPS-approved MACs
    are in use, run the following command:
    $ sudo grep -i macs /etc/ssh/sshd_config
    The output should contain only those MACs which are FIPS-approved, namely,
    the hmac-sha2-512, hmac-sha2-256, and hmac-sha1 hash functions.

scap-security-guide-0.1.39/rhel6/guide/services/ssh/sshd_idle_timeout_value.var

documentation_complete: true

title: 'SSH session Idle time'

description: 'Specify duration of allowed idle time.'

type: number

operator: equals

interactive: false

options:
    10_minutes: 600
    120_minutes: 7200
    15_minutes: 900
    5_minutes: 300
    60_minutes: 3600
    default: 300

scap-security-guide-0.1.39/rhel6/guide/services/ssh/sshd_required.var

documentation_complete: true

title: 'SSH is required to be installed'

description: |-
    Specify if the policy requires SSH to be installed. Used by SSH rules to determine
    if SSH should be uninstalled or configured.
    A value of 0 means that the policy does not care whether the OpenSSH server is installed.
    If it is installed, the scanner will check its configuration; if it is not installed,
    the check will pass.
    A value of 1 indicates that the OpenSSH server package is not required by the policy.
    A value of 2 indicates that the OpenSSH server package is required by the policy.

type: number

operator: equals

interactive: false

options:
    default: "0"
    no: 1
    yes: 2

scap-security-guide-0.1.39/rhel6/guide/services/sssd/package_sssd_installed.rule

documentation_complete: true

prodtype: rhel6,rhel7

title: 'Install the SSSD Package'

description: |-
    The sssd package should be installed.

rationale: ""

severity: medium

identifiers:
    cce@rhel6: RHEL6-CCE-TBD
    cce@rhel7: 80362-7

references:
    disa: TBD
    disa@rhel6: TBD
    nist: IA-5(10)
    nist@rhel6: IA-5(10)
    srg: TBD
    stigid@rhel7: TBD

ocil_clause: 'the package is not installed'

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/sssd/service_sssd_enabled.rule

documentation_complete: true

prodtype: rhel6,rhel7

title: 'Enable the SSSD Service'

description: |-
    The SSSD service should be enabled.

rationale: ""

severity: medium

identifiers:
    cce@rhel6: RHEL6-CCE-TBD
    cce@rhel7: 80363-5

references:
    disa: TBD
    disa@rhel6: TBD
    nist: IA-5(10)
    nist@rhel6: IA-5(10)
    srg: TBD
    stigid@rhel7: TBD

ocil_clause: 'the service is not enabled'

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/services/sssd/sssd-ldap/sssd-ldap.group

documentation_complete: true

prodtype: rhel7

title: 'System Security Services Daemon (SSSD) - LDAP'

description: |-
    The System Security Services Daemon (SSSD) is a system daemon that provides access
    to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD,
    openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and
    offline support to systems utilizing SSSD. SSSD uses caching to reduce the load on
    authentication servers, to permit offline authentication, and to store extended user data.

    SSSD can support many backends, including LDAP. The sssd-ldap backend allows SSSD to
    fetch identity information from an LDAP server.

scap-security-guide-0.1.39/rhel6/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca.rule

documentation_complete: true

prodtype: rhel7

title: 'Configure SSSD LDAP Backend Client CA Certificate'

description: |-
    Configure SSSD to implement cryptography to protect the integrity of LDAP remote
    access sessions by setting the
    ldap_tls_cacert option in /etc/sssd/sssd.conf to point to the path of the X.509
    certificates used for peer authentication (sssd.conf uses key = value syntax):
    ldap_tls_cacert = /path/to/tls/ca.cert

rationale: |-
    Without cryptographic integrity protections, information can be altered by
    unauthorized users without detection.

    Cryptographic mechanisms used for protecting the integrity of information include,
    for example, signed hash functions using asymmetric cryptography enabling distribution
    of the public key to verify the hash information while maintaining the confidentiality
    of the key used to generate the hash.

severity: medium

identifiers:
    cce: 80516-8

references:
    disa: 1453
    nist: ""
    srg: SRG-OS-000250-GPOS-00093
    stigid: "040200"

ocil_clause: 'the TLS CA cert is not configured'

ocil: |-
    To verify the operating system implements cryptography to protect the integrity of
    remote LDAP access sessions, run the following command:
    $ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf
    The output should return the following with a correctly configured CA cert path:
    ldap_tls_cacert = /path/to/tls/ca.cert

scap-security-guide-0.1.39/rhel6/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir.rule

documentation_complete: true

prodtype: rhel7

title: 'Configure SSSD LDAP Backend Client CA Certificate Location'

description: |-
    Configure SSSD to implement cryptography to protect the integrity of LDAP remote
    access sessions by setting the
    ldap_tls_cacertdir option in /etc/sssd/sssd.conf to point to the directory holding
    the X.509 certificates used for peer authentication (sssd.conf uses key = value syntax):
    ldap_tls_cacertdir = /path/to/tls/cacert

rationale: |-
    Without cryptographic integrity protections, information can be altered by
    unauthorized users without detection.

    Cryptographic mechanisms used for protecting the integrity of information include,
    for example, signed hash functions using asymmetric cryptography enabling distribution
    of the public key to verify the hash information while maintaining the confidentiality
    of the key used to generate the hash.

severity: medium

identifiers:
    cce: 80515-0

references:
    disa: 1453
    nist: ""
    srg: SRG-OS-000250-GPOS-00093
    stigid: "040190"

ocil_clause: 'the TLS CA cert is not configured'

ocil: |-
    To verify the operating system implements cryptography to protect the integrity of
    remote LDAP access sessions, run the following command:
    $ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf
    The output should return the following with a correctly configured CA cert path:
    ldap_tls_cacertdir = /path/to/tls/cacert

scap-security-guide-0.1.39/rhel6/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls.rule

documentation_complete: true

prodtype: rhel7

title: 'Configure SSSD LDAP Backend to Use TLS For All Transactions'

description: |-
    This check verifies that RHEL7 implements cryptography to protect the integrity of
    remote LDAP authentication sessions.

    To determine if LDAP is being used for authentication, use the following command:
    $ sudo grep -i useldapauth /etc/sysconfig/authconfig

    If USELDAPAUTH=yes, then LDAP is being used. To check if LDAP is configured to use TLS,
    use the following command:
    $ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf

rationale: |-
    Without cryptographic integrity protections, information can be altered by unauthorized
    users without detection. The ssl directive specifies whether to use TLS or not. If not
    specified it will default to no. It should be set to start_tls rather than doing LDAP
    over SSL.

severity: medium

identifiers:
    cce@rhel7: 80546-5

references:
    disa: 1453
    nist: AC-17(2),CM-7
    srg: SRG-OS-000250-GPOS-00093
    stigid@rhel7: "040180"

ocil_clause: 'the ''ldap_id_use_start_tls'' option is not set to ''True'''

ocil: |-
    If the system is not using TLS, set the ldap_id_use_start_tls option in
    /etc/sssd/sssd.conf to True.

scap-security-guide-0.1.39/rhel6/guide/services/sssd/sssd.group

documentation_complete: true

prodtype: rhel6,rhel7

title: 'System Security Services Daemon'

description: |-
    The System Security Services Daemon (SSSD) is a system daemon that provides access
    to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD,
    openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and
    offline support to systems utilizing SSSD. SSSD uses caching to reduce the load on
    authentication servers, to permit offline authentication, and to store extended user data.

    For more information, see

scap-security-guide-0.1.39/rhel6/guide/services/sssd/sssd_enable_pam_services.rule

documentation_complete: true

prodtype: rhel7

title: 'Configure PAM in SSSD Services'

description: |-
    SSSD should be configured to run the SSSD pam service. To configure SSSD to provide
    PAM services, add pam to services under the [sssd] section in /etc/sssd/sssd.conf.
    For example:
    [sssd]
        services = sudo, autofs, pam

rationale: |-
    Using an authentication device, such as a CAC or token that is separate from the
    information system, ensures that even if the information system is compromised,
    that compromise will not affect credentials stored on the authentication device.

severity: medium

identifiers:
    cce@rhel7: 80437-7

references:
    disa: 1948,1953,1954
    nist: IA-2(11)
    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162
    stigid@rhel7: "041002"

ocil_clause: 'it does not exist or ''pam'' is not added to the ''services'' option under the ''sssd'' section'

ocil: |-
    To verify that SSSD is configured for PAM services, run the following command:
    $ sudo grep services /etc/sssd/sssd.conf
    If configured properly, output should be similar to
    services = pam

scap-security-guide-0.1.39/rhel6/guide/services/sssd/sssd_memcache_timeout.rule

documentation_complete: true

prodtype: rhel6,rhel7

title: 'Configure SSSD''s Memory Cache to Expire'

description: |-
    SSSD's memory cache should be configured to expire records after 1 day. To configure
    SSSD to expire its memory cache, set memcache_timeout to 86400 under the [nss] section
    in /etc/sssd/sssd.conf. For example:
    [nss]
        memcache_timeout = 86400

rationale: |-
    If cached authentication information is out-of-date, the validity of the
    authentication information may be questionable.

severity: medium

identifiers:
    cce@rhel6: RHEL6-CCE-TBD
    cce@rhel7: 80364-3

references:
    disa: 2007
    disa@rhel6: 2007
    nist: IA-5(13)
    nist@rhel6: IA-5(10)
    srg: SRG-OS-000383-GPOS-00166

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    To verify that SSSD's in-memory cache expires after a day, run the following command:
    $ sudo grep memcache_timeout /etc/sssd/sssd.conf
    If configured properly, output should be
    memcache_timeout = 86400

scap-security-guide-0.1.39/rhel6/guide/services/sssd/sssd_offline_cred_expiration.rule

documentation_complete: true

prodtype: rhel6,rhel7

title: 'Configure SSSD to Expire Offline Credentials'

description: |-
    SSSD should be configured to expire offline credentials after 1 day. To configure
    SSSD to expire offline credentials, set offline_credentials_expiration to 1 under
    the [pam] section in /etc/sssd/sssd.conf. For example:
    [pam]
        offline_credentials_expiration = 1

rationale: |-
    If cached authentication information is out-of-date, the validity of the
    authentication information may be questionable.

severity: medium

identifiers:
    cce@rhel6: RHEL6-CCE-TBD
    cce@rhel7: 80365-0

references:
    disa: 2007
    disa@rhel6: 2007
    nist: IA-5(13)
    nist@rhel6: IA-5(13)
    srg: SRG-OS-000383-GPOS-00166

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    To verify that SSSD expires offline credentials, run the following command:
    $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf
    If configured properly, output should be
    offline_credentials_expiration = 1

scap-security-guide-0.1.39/rhel6/guide/services/sssd/sssd_ssh_known_hosts_timeout.rule

documentation_complete: true

prodtype: rhel6,rhel7

title: 'Configure SSSD to Expire SSH Known Hosts'

description: |-
    SSSD should be configured to expire keys from known SSH hosts after 1 day. To configure
    SSSD to expire known SSH hosts, set ssh_known_hosts_timeout to 86400 under the [ssh]
    section in /etc/sssd/sssd.conf. For example:
    [ssh]
        ssh_known_hosts_timeout = 86400

rationale: |-
    If cached authentication information is out-of-date, the validity of the
    authentication information may be questionable.

severity: medium

identifiers:
    cce@rhel6: RHEL6-CCE-TBD
    cce@rhel7: 80366-8

references:
    disa: 2007
    nist: IA-5(13)
    srg: SRG-OS-000383-GPOS-00166

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    To verify that SSSD expires known SSH host keys, run the following command:
    $ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf
    If configured properly, output should be
    ssh_known_hosts_timeout = 86400
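The grep commands in the SSH cipher/MAC rules and in the SSSD rules above are quick manual checks, but a plain grep also reports commented-out lines and, for sssd.conf, a key that sits in the wrong section. The following is an added example written for this page (it is not code from scap-security-guide or from the OpenSCAP checks) that reads the effective value the way sshd and SSSD resolve it and applies the checks the rules describe. The allow-lists follow the rule text (AES and 3DES ciphers; the hmac-sha2-512, hmac-sha2-256 and hmac-sha1 MACs); the sample configuration files, the [domain/example.com] section name and the CA bundle path are constructed for the demonstration, and sssd.conf is assumed to use its usual key = value syntax.

```shell
#!/bin/sh
# Added example, not part of scap-security-guide. Section- and comment-aware
# readers for sshd_config and sssd.conf, plus the checks the rules above describe.

# Effective value of an sshd_config keyword: comment and blank lines skipped,
# keyword matched case-insensitively, first occurrence wins (as sshd does), and
# reading stops at the first Match block, whose values are conditional.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key    { print $2; exit }
    ' "$1"
}

# Allow-lists taken from the rule text: AES and 3DES ciphers; three HMACs.
fips_cipher_ok() { case "$1" in aes*|3des-cbc) return 0 ;; *) return 1 ;; esac; }
fips_mac_ok()    { case "$1" in hmac-sha2-512|hmac-sha2-256|hmac-sha1) return 0 ;; *) return 1 ;; esac; }

# Apply predicate $2 to every entry of the comma-separated list $1.
# An empty list fails: a missing directive means sshd's own defaults apply.
all_entries() {
    [ -n "$1" ] || return 1
    for _item in $(printf '%s' "$1" | tr ',' ' '); do
        "$2" "$_item" || { echo "not approved: $_item" >&2; return 1; }
    done
}

check_sshd_fips() {
    all_entries "$(sshd_value "$1" Ciphers)" fips_cipher_ok &&
    all_entries "$(sshd_value "$1" MACs)" fips_mac_ok
}

# Value of key $3 in [section] $2 of an INI-style file such as sssd.conf.
# Unlike a plain grep, comments and keys in other sections are ignored.
sssd_value() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/[ \t]/, "", s); insec = (s == want); next }
        insec {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# Cache-expiry settings from the SSSD rules above, plus "pam" present as one
# entry of the services list (not merely as a substring of another entry).
check_sssd_cache() {
    [ "$(sssd_value "$1" nss memcache_timeout)" = 86400 ] &&
    [ "$(sssd_value "$1" pam offline_credentials_expiration)" = 1 ] &&
    [ "$(sssd_value "$1" ssh ssh_known_hosts_timeout)" = 86400 ] &&
    case ",$(sssd_value "$1" sssd services | tr -d ' ')," in *,pam,*) true ;; *) false ;; esac
}

# LDAP backend settings; that they live in [domain/NAME] is an assumption here.
check_sssd_ldap_tls() {
    [ "$(sssd_value "$1" "domain/$2" ldap_id_use_start_tls | tr 'A-Z' 'a-z')" = true ] &&
    [ -n "$(sssd_value "$1" "domain/$2" ldap_tls_cacert)" ]
}

# Constructed samples; the commented-out lines are what a plain grep would still report.
SSHD_GOOD=$(mktemp); SSHD_BAD=$(mktemp); SSSD_GOOD=$(mktemp); SSSD_BAD=$(mktemp)
trap 'rm -f "$SSHD_GOOD" "$SSHD_BAD" "$SSSD_GOOD" "$SSSD_BAD"' EXIT
cat > "$SSHD_GOOD" <<'EOF'
# Ciphers arcfour,aes128-ctr
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
EOF
cat > "$SSHD_BAD" <<'EOF'
Ciphers aes256-ctr,arcfour
MACs hmac-sha2-256,hmac-md5
EOF
cat > "$SSSD_GOOD" <<'EOF'
[sssd]
services = nss, pam, ssh
[nss]
memcache_timeout = 86400
[pam]
offline_credentials_expiration = 1
[ssh]
ssh_known_hosts_timeout = 86400
[domain/example.com]
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
EOF
cat > "$SSSD_BAD" <<'EOF'
[sssd]
services = nss, ssh
# memcache_timeout = 86400
[nss]
memcache_timeout = 300
EOF

for f in "$SSHD_GOOD" "$SSHD_BAD"; do check_sshd_fips "$f" && echo "sshd $f: pass" || echo "sshd $f: FAIL"; done
for f in "$SSSD_GOOD" "$SSSD_BAD"; do check_sssd_cache "$f" && echo "sssd $f: pass" || echo "sssd $f: FAIL"; done
check_sssd_ldap_tls "$SSSD_GOOD" example.com && echo "sssd ldap tls: pass" || echo "sssd ldap tls: FAIL"
```

Run it as-is to see the constructed good and bad files classified; to use it on a real host, point the check functions at /etc/ssh/sshd_config and /etc/sssd/sssd.conf (the latter is root-readable only) and drop the sample section. The first-match rule in sshd_value matters: a compliant Ciphers line placed after a non-compliant one is never used by sshd, and a plain grep would show both without telling you which wins.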
scap-security-guide-0.1.39/rhel6/guide/services/xwindows/disabling_xwindows/disabling_xwindows.group

documentation_complete: true

title: 'Disable X Windows'

description: |-
    Unless there is a mission-critical reason for the system to run a graphical user
    interface, ensure X is not set to start automatically at boot and remove the X Windows
    software packages. There is usually no reason to run X Windows on a dedicated server
    system, as it increases the system's attack surface and consumes system resources.
    Administrators of server systems should instead login via SSH or on the text console.

scap-security-guide-0.1.39/rhel6/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed.rule

documentation_complete: true

title: 'Remove the X Windows Package Group'

description: |-
    Removing all packages which constitute the X Window System ensures users or malicious
    software cannot start X. To do so, run the following command:
    $ sudo yum groupremove "X Window System"

rationale: 'Unnecessary packages should not be installed to decrease the attack surface of the system.'

severity: unknown

identifiers:
    cce: 27198-1

references:
    disa: 366
    srg: SRG-OS-999999
    stigid: RHEL-06-000291

ocil_clause: 'it is not'

ocil: |-
    To ensure the X Windows package group is removed, run the following command:
    $ rpm -qi xorg-x11-server-common
    The output should be:
    package xorg-x11-server-common is not installed

scap-security-guide-0.1.39/rhel6/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_setting.rule

documentation_complete: true

title: 'Disable X Windows Startup By Setting Runlevel'

description: |-
    Setting the system's runlevel to 3 will prevent automatic startup of the X server.
    To do so, ensure the following line in /etc/inittab features a 3 as shown:
    id:3:initdefault:

rationale: 'Unnecessary services should be disabled to decrease the attack surface of the system.'

severity: unknown

identifiers:
    cce: 27119-7

references:
    disa: 366
    nist: AC-3
    srg: SRG-OS-000248
    stigid: RHEL-06-000290

ocil_clause: 'it does not'

ocil: |-
    To verify the default runlevel is 3, run the following command:
    $ grep initdefault /etc/inittab
    The output should show the following:
    id:3:initdefault:

scap-security-guide-0.1.39/rhel6/guide/services/xwindows/xwindows.group

documentation_complete: true

title: 'X Window System'

description: |-
    The X Window System implementation included with the system is called X.org.

scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-banners/accounts-banners.group

documentation_complete: true

title: 'Warning Banners for System Accesses'

description: |-
    Each system should expose as little information about itself as possible.

    System banners, which are typically displayed just before a login prompt, give out
    information about the service or the host's operating system. This might include the
    distribution name and the system kernel version, and the particular version of a network
    service. This information can assist intruders in gaining access to the system as it can
    reveal whether the system is running vulnerable software. Most network services can be
    configured to limit what information is displayed.

    Many organizations implement security policies that require a system banner provide
    notice of the system's ownership, provide warning to unauthorized users, and remind
    authorized users of their consent to monitoring.

scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-banners/banner_etc_issue.rule

documentation_complete: true

title: 'Modify the System Login Banner'

description: "To configure the system login banner:

    Edit /etc/issue. Replace the default text with a message
    compliant with the local site policy or a legal disclaimer.

    The DoD required text is either:

    You are accessing a U.S. Government (USG) Information System (IS) that is
    provided for USG-authorized use only. By using this IS (which includes any
    device attached to this IS), you consent to the following conditions:
    -The USG routinely intercepts and monitors communications on this IS for purposes
    including, but not limited to, penetration testing, COMSEC monitoring, network
    operations and defense, personnel misconduct (PM), law enforcement (LE), and
    counterintelligence (CI) investigations.
    -At any time, the USG may inspect and seize data stored on this IS.
    -Communications using, or data stored on, this IS are not private, are subject
    to routine monitoring, interception, and search, and may be disclosed or used
    for any USG-authorized purpose.
    -This IS includes security measures (e.g., authentication and access controls)
    to protect USG interests -- not for your personal benefit or privacy.
    -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative
    searching or monitoring of the content of privileged communications, or work
    product, related to personal representation or services by attorneys,
    psychotherapists, or clergy, and their assistants. Such communications and work
    product are private and confidential. See User Agreement for details.

    OR:

    Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.
    This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended
    for the communication, transmission, processing, and storage of official U.S. Government or other authorized
    information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper
    functioning of equipment and systems including security devices and systems, to prevent unauthorized use and
    violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of
    a DoD interest computer system should be aware that any information placed in the system is subject to
    monitoring and is not subject to any expectation of privacy.
    If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal
    statutes, this evidence and any other related information, including identification information about the user, may
    be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals
    violations of security regulations or unauthorized use, employees who violate security regulations or make
    unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action.
    Use of this or any other DoD interest computer system constitutes consent to monitoring at all times.

    OR:

    I've read & consent to terms in IS user agreem't."

rationale: |-
    An appropriate warning message reinforces policy awareness during the login process
    and facilitates possible legal action against attackers.

severity: medium

identifiers:
    cce: 26974-6

references:
    disa: 48,1384,1385,1386,1387,1388
    nist: AC-8(a),AC-8(b),AC-8(c)
    srg: SRG-OS-000228
    stigid: RHEL-06-000073

ocil_clause: 'it does not display the required banner'

ocil: |-
    To check if the system login banner is compliant, run the following command:
    $ cat /etc/issue
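The check above prints /etc/issue for a person to compare by eye. The login_banner_text variable later in this section encodes each required text as a pattern with [\s\n]+ between words, so that how the banner is wrapped across lines does not affect the result. The following added example, written for this page rather than taken from scap-security-guide, does the equivalent comparison in shell by collapsing whitespace on both sides before comparing. The two sample banner files are constructed here; the required text in DOD_SHORT is the short DoD banner quoted in the rule.

```shell
#!/bin/sh
# Added example, not part of scap-security-guide. Compares a login banner file
# with the required text while ignoring how the text is wrapped across lines.

# Collapse every run of whitespace (including newlines) to one space, drop
# blank lines, and trim; reads stdin.
normalize_ws() {
    awk 'NF { $1 = $1; out = out (out ? " " : "") $0 } END { print out }'
}

# $1 = banner file, $2 = required text. Succeeds when they match ignoring wrapping.
banner_matches() {
    want=$(printf '%s\n' "$2" | normalize_ws)
    [ "$(normalize_ws < "$1")" = "$want" ]
}

# The short DoD text from the rule above.
DOD_SHORT="I've read & consent to terms in IS user agreem't."

ISSUE_OK=$(mktemp); ISSUE_BAD=$(mktemp)
trap 'rm -f "$ISSUE_OK" "$ISSUE_BAD"' EXIT

# Constructed: the required text, but wrapped onto two lines with extra spacing.
cat > "$ISSUE_OK" <<'EOF'
I've read & consent to terms
    in IS user agreem't.
EOF

# Constructed: a banner that only advertises the kernel release and machine
# type (the agetty escapes \r and \m), which is not the required notice.
cat > "$ISSUE_BAD" <<'EOF'
Kernel \r on an \m
EOF

for f in "$ISSUE_OK" "$ISSUE_BAD"; do
    banner_matches "$f" "$DOD_SHORT" && echo "$f: compliant" || echo "$f: NOT compliant"
done
```

Because the comparison is exact after normalization, a banner that adds or drops a single word fails, which is the behaviour wanted for a legally required text; to accept any of several approved texts, call banner_matches once per text.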
scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_enable_warning_gui_banner.rule

documentation_complete: true

title: 'Enable GUI Warning Banner'

description: |-
    To enable displaying a login warning banner in the GNOME Display Manager's login
    screen, run the following command:
    $ sudo gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type bool \
          --set /apps/gdm/simple-greeter/banner_message_enable true
    To display a banner, this setting must be enabled and then banner text must also be set.

rationale: |-
    An appropriate warning message reinforces policy awareness during the login process
    and facilitates possible legal action against attackers.

severity: medium

identifiers:
    cce: 27195-7

references:
    disa: 48,50
    nist: AC-8(a),AC-8(b),AC-8(c)
    srg: SRG-OS-000024
    stigid: RHEL-06-000324

ocil_clause: 'it is not'

ocil: |-
    To ensure a login warning banner is enabled, run the following:
    $ gconftool-2 -g /apps/gdm/simple-greeter/banner_message_enable
    Search for the banner_message_enable schema. If properly configured, the default
    value should be true.

scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text.rule

documentation_complete: true

title: 'Set GUI Warning Banner Text'

description: |-
    To set the text shown by the GNOME Display Manager in the login screen, run the
    following command:
    $ sudo gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type string \
          --set /apps/gdm/simple-greeter/banner_message_text \
          "Text of the warning banner here"
    When entering a warning banner that spans several lines, remember to begin and end
    the string with ". This command writes directly either to the
    /etc/gconf/gconf.xml.mandatory/%gconf-tree.xml if it exists or to the file
    /etc/gconf/gconf.xml.mandatory/apps/gdm/simple-greeter/%gconf.xml. Either of these
    files can later be edited directly if necessary.

rationale: |-
    An appropriate warning message reinforces policy awareness during the login process
    and facilitates possible legal action against attackers.

severity: medium

identifiers:
    cce: 27017-3

references:
    disa: 48,1384,1385,1386,1387,1388
    nist: AC-8(a),AC-8(b),AC-8(c)
    srg: SRG-OS-000228
    stigid: RHEL-06-000326

ocil_clause: 'it does not'

ocil: |-
    To ensure the login warning banner text is properly set, run the following:
    $ gconftool-2 -g /apps/gdm/simple-greeter/banner_message_text
    If properly configured, the proper banner text will appear within this schema.

scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-banners/gui_login_banner/gui_login_banner.group

documentation_complete: true

title: 'Implement a GUI Warning Banner'

description: |-
    In the default graphical environment, users logging directly into the system are
    greeted with a login screen provided by the GNOME Display Manager (GDM). The warning
    banner should be displayed in this graphical environment for these users. The following
    sections describe how to configure the GDM login banner.

scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-banners/login_banner_text.var

documentation_complete: true

title: 'Login Banner Verbiage'

description: |-
    Enter an appropriate login banner for your organization. Please note that new lines
    must be expressed by the '\n' character and special characters like parentheses and
    quotation marks must be escaped with '\'.
type: string operator: equals interactive: false options: dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+inv
estigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details. dod_short: I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t. dss_odaa_default: "[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times.[\\s\\n]+This[\\s\\n]+is[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+and[\\s\\n]+related[\\s\\n]+equipment[\\s\\n]+are[\\s\\n]+intended[\\s\\n]+for[\\s\\n]+the[\\s\\n]+communication,[\\s\\n]+transmission,[\\s\\n]+processing,[\\s\\n]+and[\\s\\n]+storage[\\s\\n]+of[\\s\\n]+official[\\s\\n]+U.S.[\\s\\n]+Government[\\s\\n]+or[\\s\\n]+other[\\s\\n]+authorized[\\s\\n]+information[\\s\\n]+only.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times[\\s\\n]+to[\\s\\n]+ensure[\\s\\n]+proper[\\s\\n]+functioning[\\s\\n]+of[\\\ 
s\\n]+equipment[\\s\\n]+and[\\s\\n]+systems[\\s\\n]+including[\\s\\n]+security[\\s\\n]+devices[\\s\\n]+and[\\s\\n]+systems,[\\s\\n]+to[\\s\\n]+prevent[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+and[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+statutes[\\s\\n]+and[\\s\\n]+security[\\s\\n]+regulations,[\\s\\n]+to[\\s\\n]+deter[\\s\\n]+criminal[\\s\\n]+activity,[\\s\\n]+and[\\s\\n]+for[\\s\\n]+other[\\s\\n]+similar[\\s\\n]+purposes.[\\s\\n]+Any[\\s\\n]+user[\\s\\n]+of[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+should[\\s\\n]+be[\\s\\n]+aware[\\s\\n]+that[\\s\\n]+any[\\s\\n]+information[\\s\\n]+placed[\\s\\n]+in[\\s\\n]+the[\\s\\n]+system[\\s\\n]+is[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+and[\\s\\n]+is[\\s\\n]+not[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+any[\\s\\n]+expectation[\\s\\n]+of[\\s\\n]+privacy.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\\ 
s\\n]+reveals[\\s\\n]+possible[\\s\\n]+evidence[\\s\\n]+of[\\s\\n]+violation[\\s\\n]+of[\\s\\n]+criminal[\\s\\n]+statutes,[\\s\\n]+this[\\s\\n]+evidence[\\s\\n]+and[\\s\\n]+any[\\s\\n]+other[\\s\\n]+related[\\s\\n]+information,[\\s\\n]+including[\\s\\n]+identification[\\s\\n]+information[\\s\\n]+about[\\s\\n]+the[\\s\\n]+user,[\\s\\n]+may[\\s\\n]+be[\\s\\n]+provided[\\s\\n]+to[\\s\\n]+law[\\s\\n]+enforcement[\\s\\n]+officials.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+reveals[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+unauthorized[\\s\\n]+use,[\\s\\n]+employees[\\s\\n]+who[\\s\\n]+violate[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+make[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+of[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+appropriate[\\s\\n]+disciplinary[\\\ s\\n]+action.[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times." 
    usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personnel[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.

scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/accounts-pam.group

documentation_complete: true

title: 'Protect Accounts by Configuring PAM'

description: |-
    PAM, or Pluggable Authentication Modules, is a system which implements modular
    authentication for Linux programs. PAM provides a flexible and configurable architecture
    for authentication, and it should be configured to minimize exposure to unnecessary risk.
    This section contains guidance on how to accomplish that.

    PAM is implemented as a set of shared objects which are loaded and invoked whenever an
    application wishes to authenticate a user. Typically, the application must be running as
    root in order to take advantage of PAM, because PAM's modules often need to be able to
    access sensitive stores of account information, such as /etc/shadow. Traditional privileged
    network listeners (e.g. sshd) or SUID programs (e.g. sudo) already meet this requirement.
    An SUID root application, userhelper, is provided so that programs which are not SUID or
    privileged themselves can still take advantage of PAM.

    PAM looks in the directory /etc/pam.d for application-specific configuration information.
    For instance, if the program login attempts to authenticate a user, then PAM's libraries
    follow the instructions in the file /etc/pam.d/login to determine what actions should be taken.

    One very important file in /etc/pam.d is /etc/pam.d/system-auth. This file, which is
    included by many other PAM configuration files, defines 'default' system authentication
    measures. Modifying this file is a good way to make far-reaching authentication changes,
    for instance when implementing a centralized authentication service.

scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/display_login_attempts.rule

documentation_complete: true

title: 'Set Last Login/Access Notification'

description: |-
    To configure the system to notify users of last login/access using pam_lastlog, add the
    following line immediately after session required pam_limits.so:
session       required     pam_lastlog.so showfailed
rationale: |- Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. severity: unknown identifiers: cce: 27291-4 references: disa: 366 pcidss: Req-10.2.4 srg: SRG-OS-999999 stigid: RHEL-06-000372 ocil_clause: 'that is not the case' ocil: |- To ensure that last login/access notification is configured correctly, run the following command:
$ grep pam_lastlog.so /etc/pam.d/system-auth
The output should show output showfailed. scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/locking_out_password_attempts/000077500000000000000000000000001327242345500335335ustar00rootroot00000000000000accounts_password_pam_unix_remember.rule000066400000000000000000000030021327242345500436570ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/locking_out_password_attemptsdocumentation_complete: true title: 'Limit Password Reuse' description: |- Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules. In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:
  • for the pam_unix.so case:
    password sufficient pam_unix.so existing_options remember=
  • for the pam_pwhistory.so case:
    password requisite pam_pwhistory.so existing_options remember=
The DoD STIG requirement is 5 passwords. rationale: 'Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.' severity: medium identifiers: cce: 26741-9 references: disa: 200 nist: IA-5(f),IA-5(1)(e) pcidss: Req-8.2.5 srg: SRG-OS-000077 stigid: RHEL-06-000274 ocil_clause: 'it does not' ocil: |- To verify the password reuse setting is compliant, run the following command:
$ grep remember /etc/pam.d/system-auth
The output should show the following at the end of the line:
remember=
# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule
documentation_complete: true

title: 'Set Deny For Failed Password Attempts'

description: |-
    To configure the system to lock out accounts after a number of incorrect
    login attempts using pam_faillock.so, modify the content of both
    /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

      • Add the following line immediately before the pam_unix.so statement in the AUTH section:
        auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
      • Add the following line immediately after the pam_unix.so statement in the AUTH section:
        auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
      • Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
        account required pam_faillock.so

rationale: |-
    Locking out user accounts after a number of incorrect attempts prevents
    direct password guessing attacks.

severity: medium

identifiers:
    cce: 26844-1

references:
    disa: 44
    nist: AC-7(a)
    pcidss: Req-8.1.6
    srg: SRG-OS-000021
    stigid: RHEL-06-000061

ocil_clause: 'that is not the case'

ocil: |-
    To ensure the failed password attempt policy is configured correctly,
    run the following command:
    $ grep pam_faillock /etc/pam.d/system-auth
    The output should show deny=.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule
documentation_complete: true

title: 'Set Interval For Counting Failed Password Attempts'

description: |-
    Utilizing pam_faillock.so, the fail_interval directive configures the
    system to lock out accounts after a number of incorrect login attempts
    within a given interval. Modify the content of both
    /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

      • Add the following line immediately before the pam_unix.so statement in the AUTH section:
        auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
      • Add the following line immediately after the pam_unix.so statement in the AUTH section:
        auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
      • Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
        account required pam_faillock.so

rationale: |-
    Locking out user accounts after a number of incorrect attempts within a
    specific period of time prevents direct password guessing attacks.

severity: medium

identifiers:
    cce: 27215-3

references:
    disa: 1452
    nist: AC-7(a)
    srg: SRG-OS-000249
    stigid: RHEL-06-000357

ocil_clause: 'that is not the case'

ocil: |-
    To ensure the failed password attempt policy is configured correctly,
    run the following command:
    $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
    For each file, the output should show fail_interval=<interval-in-seconds>
    where interval-in-seconds is 900 (15 minutes) or greater. If the
    fail_interval parameter is not set, the default setting of 900 seconds
    is acceptable.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule
documentation_complete: true

title: 'Set Lockout Time For Failed Password Attempts'

description: |-
    To configure the system to lock out accounts after a number of incorrect
    login attempts and require an administrator to unlock the account using
    pam_faillock.so, modify the content of both /etc/pam.d/system-auth and
    /etc/pam.d/password-auth as follows:

      • Add the following line immediately before the pam_unix.so statement in the AUTH section:
        auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
      • Add the following line immediately after the pam_unix.so statement in the AUTH section:
        auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
      • Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
        account required pam_faillock.so

rationale: |-
    Locking out user accounts after a number of incorrect attempts prevents
    direct password guessing attacks. Ensuring that an administrator is
    involved in unlocking locked accounts draws appropriate attention to
    such situations.

severity: medium

identifiers:
    cce: 27110-6

references:
    pcidss: Req-8.1.7
    disa: 47
    nist: AC-7(b)
    srg: SRG-OS-000022
    stigid: RHEL-06-000356

ocil_clause: 'that is not the case'

ocil: |-
    To ensure the failed password attempt policy is configured correctly,
    run the following command:
    $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
    The output should show unlock_time=<some-large-number>; the largest
    acceptable value is 604800 seconds (one week).

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/locking_out_password_attempts/locking_out_password_attempts.group
documentation_complete: true

title: 'Set Lockouts for Failed Password Attempts'

description: |-
    The pam_faillock PAM module provides the capability to lock out user
    accounts after a number of failed login attempts. Its documentation is
    available in /usr/share/doc/pam-VERSION/txts/README.pam_faillock.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality.group
documentation_complete: true

title: 'Set Password Quality Requirements'

description: |-
    The default pam_cracklib PAM module provides strength checking for
    passwords. It performs a number of checks, such as making sure passwords
    are not similar to dictionary words, are of at least a certain length,
    are not the previous password reversed, and are not simply a change of
    case from the previous password. It can also require passwords to be in
    certain character classes.

    The man page pam_cracklib(8) provides information on the capabilities
    and configuration of each.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/accounts_password_pam_dcredit.rule
documentation_complete: true

title: 'Set Password Strength Minimum Digit Characters'

description: |-
    The pam_cracklib module's dcredit parameter controls requirements for
    usage of digits in a password. When set to a negative number, any
    password will be required to contain that many digits. When set to a
    positive number, pam_cracklib will grant +1 additional length credit for
    each digit.
    Add dcredit=-1 after pam_cracklib.so to require use of a digit in
    passwords.

rationale: |-
    Requiring digits makes password guessing attacks more difficult by
    ensuring a larger search space.

severity: unknown

identifiers:
    cce: 26374-9

references:
    disa: 194
    nist: IA-5(b),IA-5(c)
    pcidss: Req-8.2.3
    srg: SRG-OS-000071
    stigid: RHEL-06-000056

ocil_clause: 'dcredit is not found or not set to the required value'

ocil: |-
    To check how many digits are required in a password, run the following
    command:
    $ grep pam_cracklib /etc/pam.d/system-auth
    The dcredit parameter (as a negative number) will indicate how many
    digits are required. The DoD requires at least one digit in a password.
    This would appear as dcredit=-1.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/accounts_password_pam_difok.rule
documentation_complete: true

title: 'Set Password Strength Minimum Different Characters'

description: |-
    The pam_cracklib module's difok parameter controls requirements for
    usage of different characters during a password change. Add difok=
    after pam_cracklib.so to require differing characters when changing
    passwords. The DoD requirement is 4.

rationale: |-
    Requiring a minimum number of different characters during password
    changes ensures that newly changed passwords should not resemble
    previously compromised ones. Note that passwords which are changed on
    compromised systems will still be compromised, however.

severity: unknown

identifiers:
    cce: 26615-5

references:
    disa: 195
    nist: IA-5(b),IA-5(c),IA-5(1)(b)
    srg: SRG-OS-000072
    stigid: RHEL-06-000060

ocil_clause: 'difok is not found or not set to the required value'

ocil: |-
    To check how many characters must differ during a password change, run
    the following command:
    $ grep pam_cracklib /etc/pam.d/system-auth
    The difok parameter will indicate how many characters must differ. The
    DoD requires four characters differ during a password change. This would
    appear as difok=4.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/accounts_password_pam_lcredit.rule
documentation_complete: true

title: 'Set Password Strength Minimum Lowercase Characters'

description: |-
    The pam_cracklib module's lcredit= parameter controls requirements for
    usage of lowercase letters in a password. When set to a negative number,
    any password will be required to contain that many lowercase characters.
    When set to a positive number, pam_cracklib will grant +1 additional
    length credit for each lowercase character. Add lcredit=-1 after
    pam_cracklib.so to require use of a lowercase character in passwords.

rationale: |-
    Requiring a minimum number of lowercase characters makes password
    guessing attacks more difficult by ensuring a larger search space.

severity: unknown

identifiers:
    cce: 26631-2

references:
    disa: 193
    nist: IA-5(b),IA-5(c),IA-5(1)(a)
    pcidss: Req-8.2.3
    srg: SRG-OS-000070
    stigid: RHEL-06-000059

ocil_clause: 'lcredit is not found or not set to the required value'

ocil: |-
    To check how many lowercase characters are required in a password, run
    the following command:
    $ grep pam_cracklib /etc/pam.d/system-auth
    The lcredit parameter (as a negative number) will indicate how many
    lowercase characters are required. The DoD and FISMA require at least
    one lowercase character in a password. This would appear as lcredit=-1.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/accounts_password_pam_maxrepeat.rule
documentation_complete: true

title: 'Set Password to Maximum of Three Consecutive Repeating Characters'

description: |-
    The pam_cracklib module's maxrepeat parameter controls requirements for
    consecutive repeating characters. When set to a positive number, it will
    reject passwords which contain more than that number of consecutive
    characters. Add maxrepeat= after pam_cracklib.so to prevent a run of
    ( + 1) or more identical characters:
    password required pam_cracklib.so maxrepeat=

rationale: 'Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.'

severity: unknown

identifiers:
    cce: 27227-8

references:
    disa: 366
    nist: IA-5(c)
    srg: SRG-OS-999999
    stigid: RHEL-06-000299

ocil_clause: 'maxrepeat is not found or not set to the required value'

ocil: |-
    To check the maximum value for consecutive repeating characters, run the
    following command:
    $ grep pam_cracklib /etc/pam.d/system-auth
    Look for the value of the maxrepeat parameter. The DoD requirement is 3.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/accounts_password_pam_minclass.rule
documentation_complete: true

title: 'Set Password Strength Minimum Different Categories'

description: |-
    The pam_cracklib module's minclass parameter controls requirements for
    usage of different character classes, or types, of character that must
    exist in a password before it is considered valid. For example, setting
    this value to three (3) requires that any password must have characters
    from at least three different categories in order to be approved. The
    default value is zero (0), meaning there are no required classes. There
    are four categories available:
        * Upper-case characters
        * Lower-case characters
        * Digits
        * Special characters (for example, punctuation)

    Add minclass= after the pam_cracklib.so entry in the
    /etc/pam.d/system-auth file in order to require differing categories of
    characters when changing passwords. For example, to require at least
    three character classes in a password, use minclass=3.

rationale: |-
    Requiring a minimum number of character categories makes password
    guessing attacks more difficult by ensuring a larger search space.

severity: unknown

identifiers:
    cce: CCE-27115-5

ocil_clause: 'minclass is not found or not set to the required value'

ocil: |-
    To check how many categories of characters must be used in a password
    during a password change, run the following command:
    $ grep pam_cracklib /etc/pam.d/system-auth
    The minclass parameter will indicate how many character classes must be
    used. If the requirement was for the password to contain characters
    from three different categories, then this would appear as minclass=3.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/accounts_password_pam_minlen.rule
documentation_complete: true

title: 'Set Password Minimum Length'

description: |-
    The pam_cracklib module's minlen parameter controls requirements for
    minimum characters required in a password. Add minlen= after
    pam_cracklib.so to set minimum password length requirements.

rationale: |-
    Password length is one factor of several that helps to determine
    strength and how long it takes to crack a password. Use of more
    characters in a password helps to exponentially increase the time
    and/or resources required to compromise the password.

severity: unknown

identifiers:
    cce: 26615-5

references:
    disa: 205
    nist: IA-5(1)(a)
    pcidss: Req-8.2.3

ocil_clause: 'minlen is not found or not set to the required value (or higher)'

ocil: |-
    To check how many characters are required in a password, run the
    following command:
    $ grep cracklib /etc/pam.d/system-auth
    Your output should contain minlen=

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/accounts_password_pam_ocredit.rule
documentation_complete: true

title: 'Set Password Strength Minimum Special Characters'

description: |-
    The pam_cracklib module's ocredit= parameter controls requirements for
    usage of special (or "other") characters in a password. When set to a
    negative number, any password will be required to contain that many
    special characters. When set to a positive number, pam_cracklib will
    grant +1 additional length credit for each special character. Add
    ocredit= after pam_cracklib.so to require use of a special character in
    passwords.

rationale: |-
    Requiring a minimum number of special characters makes password
    guessing attacks more difficult by ensuring a larger search space.

severity: unknown

identifiers:
    cce: 26409-3

references:
    disa: 1619
    nist: IA-5(b),IA-5(c),IA-5(1)(a)
    srg: SRG-OS-000266
    stigid: RHEL-06-000058

ocil_clause: 'ocredit is not found or not set to the required value'

ocil: |-
    To check how many special characters are required in a password, run
    the following command:
    $ grep pam_cracklib /etc/pam.d/system-auth
    The ocredit parameter (as a negative number) will indicate how many
    special characters are required. The DoD and FISMA require at least one
    special character in a password. This would appear as ocredit=-1.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/accounts_password_pam_retry.rule
documentation_complete: true

title: 'Set Password Retry Prompts Permitted Per-Session'

description: |-
    To configure the number of retry prompts that are permitted per-session:

    Edit the pam_cracklib.so statement in /etc/pam.d/system-auth to show
    retry=, or a lower value if site policy is more restrictive.

    The DoD requirement is a maximum of 3 prompts per session.

rationale: |-
    Setting the password retry prompts that are permitted on a per-session
    basis to a low value requires some software, such as SSH, to
    re-connect. This can slow down and draw additional attention to some
    types of password-guessing attacks. Note that this is different from
    account lockout, which is provided by the pam_faillock module.

severity: unknown

identifiers:
    cce: 27123-9

references:
    disa: 1092
    nist: IA-5(c)

ocil_clause: 'it is not the required value'

ocil: |-
    To check how many retry attempts are permitted on a per-session basis,
    run the following command:
    $ grep pam_cracklib /etc/pam.d/system-auth
    The retry parameter will indicate how many attempts are permitted. The
    DoD required value is less than or equal to 3. This would appear as
    retry=3, or a lower value.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/accounts_password_pam_ucredit.rule
documentation_complete: true

title: 'Set Password Strength Minimum Uppercase Characters'

description: |-
    The pam_cracklib module's ucredit= parameter controls requirements for
    usage of uppercase letters in a password. When set to a negative number,
    any password will be required to contain that many uppercase characters.
    When set to a positive number, pam_cracklib will grant +1 additional
    length credit for each uppercase character. Add ucredit=-1 after
    pam_cracklib.so to require use of an upper case character in passwords.

rationale: |-
    Requiring a minimum number of uppercase characters makes password
    guessing attacks more difficult by ensuring a larger search space.

severity: unknown

identifiers:
    cce: 26601-5

references:
    cui: 3.5.7
    disa: 192
    nist: IA-5(b),IA-5(c),IA-5(1)(a)
    pcidss: Req-8.2.3
    srg: SRG-OS-000069
    stigid: RHEL-06-000057

ocil_clause: 'ucredit is not found or not set to the required value'

ocil: |-
    To check how many uppercase characters are required in a password, run
    the following command:
    $ grep pam_cracklib /etc/pam.d/system-auth
    The ucredit parameter (as a negative number) will indicate how many
    uppercase characters are required. The DoD and FISMA require at least
    one uppercase character in a password. This would appear as ucredit=-1.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/password_quality_pamcracklib.group
documentation_complete: true

title: |-
    Set Password Quality Requirements, if using pam_cracklib

description: |-
    The pam_cracklib PAM module can be configured to meet requirements for a
    variety of policies.

    For example, to configure pam_cracklib to require at least one uppercase
    character, lowercase character, digit, and other (special) character,
    locate the following line in /etc/pam.d/system-auth:
    password requisite pam_cracklib.so try_first_pass retry=3
    and then alter it to read:
    password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4
    If no such line exists, add one as the first line of the password
    section in /etc/pam.d/system-auth. The arguments can be modified to
    ensure compliance with your organization's security policy. Discussion
    of each parameter follows.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/var_accounts_passwords_pam_faillock_deny.var
documentation_complete: true

title: fail_deny

description: 'Number of failed login attempts before account lockout'

type: number

operator: equals

interactive: false

options:
    10: 10
    3: 3
    5: 5
    6: 6
    default: 3

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/var_accounts_passwords_pam_faillock_fail_interval.var
documentation_complete: true

title: fail_interval

description: 'Interval for counting failed login attempts before account lockout'

type: number

operator: equals

interactive: false

options:
    100000000: 100000000
    1800: 1800
    3600: 3600
    86400: 86400
    900: 900
    default: 900

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/var_accounts_passwords_pam_faillock_unlock_time.var
documentation_complete: true

title: fail_unlock_time

description: 'Seconds before automatic unlocking after excessive failed logins'

type: number

operator: equals

interactive: false

options:
    1800: 1800
    3600: 3600
    604800: 604800
    86400: 86400
    900: 900
    default: 604800

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/var_password_pam_dcredit.var
documentation_complete: true

title: dcredit

description: 'Minimum number of digits in password'

type: number

operator: equals

interactive: false

options:
    "0": "0"
    1: -1
    2: -2
    default: -1

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/var_password_pam_difok.var
documentation_complete: true

title: difok

description: |-
    Minimum number of characters not present in old password

type: number

operator: equals

interactive: false

options:
    2: 2
    3: 3
    4: 4
    5: 5
    default: 4

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/var_password_pam_lcredit.var
documentation_complete: true

title: lcredit

description: 'Minimum number of lower case in password'

type: number

operator: equals

interactive: false

options:
    "0": "0"
    1: -1
    2: -2
    default: -1

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/var_password_pam_maxrepeat.var
documentation_complete: true

title: maxrepeat

description: 'Maximum Number of Consecutive Repeating Characters in a Password'

type: number

operator: equals

interactive: false

options:
    1: 1
    2: 2
    3: 3
    default: 3

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/var_password_pam_minclass.var
documentation_complete: true

title: minclass

description: 'Minimum number of categories of characters that must exist in a password'

type: number

operator: equals

interactive: false

options:
    1: 1
    2: 2
    3: 3
    4: 4
    default: 3

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/var_password_pam_minlen.var
documentation_complete: true

title: minlen

description: 'Minimum number of characters in password'

type: number

operator: equals

interactive: false

options:
    10: 10
    12: 12
    14: 14
    15: 15
    6: 6
    7: 7
    8: 8
    default: 14

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/var_password_pam_ocredit.var
documentation_complete: true

title: ocredit

description: |-
    Minimum number of other (special characters) in password

type: number

operator: equals

interactive: false

options:
    "0": "0"
    1: -1
    2: -2
    default: -1

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/var_password_pam_retry.var
documentation_complete: true

title: retry

description: 'Number of retry attempts before erroring out'

type: number

operator: equals

interactive: false

options:
    1: 1
    2: 2
    3: 3
    default: 3

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/var_password_pam_ucredit.var
documentation_complete: true

title: ucredit

description: 'Minimum number of upper case in password'

type: number

operator: equals

interactive: false

options:
    "0": "0"
    1: -1
    2: -2
    default: -1
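The credit and similarity arithmetic the dcredit/ucredit/lcredit/ocredit, minlen, minclass, maxrepeat and difok rules above describe, modelled as an added example (not code from scap-security-guide or pam_cracklib). The policy string is the pam_cracklib line from the group description; the passwords are constructed, and the module's dictionary check and built-in defaults are not modelled.

```python
"""Added example (not scap-security-guide code): a model of the pam_cracklib
checks that the password_quality rules parameterise: dcredit/ucredit/lcredit/
ocredit credit arithmetic against minlen, plus minclass, maxrepeat and difok.
Only explicitly configured options are enforced; pam_cracklib's own defaults
and its dictionary check are not modelled.  Policy strings and passwords are
constructed for the example."""

# Argument string from the pam_cracklib line shown in the group description.
EXAMPLE_POLICY = ("try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 "
                  "ucredit=-1 ocredit=-1 lcredit=-1 difok=4")

# The four character classes pam_cracklib credits, keyed by their option name.
CLASSES = {
    "dcredit": str.isdigit,
    "ucredit": str.isupper,
    "lcredit": str.islower,
    "ocredit": lambda c: not c.isalnum(),
}


def parse_policy(args):
    """'key=value ...' module arguments -> dict; bare flags map to True."""
    policy = {}
    for tok in args.split():
        key, _, val = tok.partition("=")
        policy[key] = int(val) if val.lstrip("-").isdigit() else True
    return policy


def evaluate(new, policy, old=""):
    """Return the names of the checks 'new' fails under policy ([] if accepted).

    old is the previous password, used only for the difok comparison."""
    failed = []
    size = len(new)
    for name, in_class in CLASSES.items():
        credit = policy.get(name, 0)
        count = sum(1 for c in new if in_class(c))
        if credit < 0:
            # Negative credit: a hard minimum of that many characters of the
            # class; no length credit is granted.
            if count < -credit:
                failed.append(name)
        else:
            # Positive credit: each such character adds one to the length
            # counted against minlen, up to the credit value.
            size += min(count, credit)
    if size < policy.get("minlen", 0):
        failed.append("minlen")
    # minclass: number of distinct classes present in the password
    present = sum(1 for in_class in CLASSES.values() if any(in_class(c) for c in new))
    if present < policy.get("minclass", 0):
        failed.append("minclass")
    # maxrepeat: reject a run of more than maxrepeat identical characters
    maxrepeat = policy.get("maxrepeat", 0)
    if maxrepeat > 0:
        run = 1
        for prev, cur in zip(new, new[1:]):
            run = run + 1 if cur == prev else 1
            if run > maxrepeat:
                failed.append("maxrepeat")
                break
    # difok: at least this many characters of the new password must not be
    # present in the old one
    difok = policy.get("difok", 0)
    if old and difok > 0:
        changed = sum(1 for c in new if c not in old)
        if changed < difok:
            failed.append("difok")
    return failed


if __name__ == "__main__":
    policy = parse_policy(EXAMPLE_POLICY)
    for candidate in ("Correct-Horse7Battery", "aaaa1234"):
        print("%-22s -> %s" % (candidate, evaluate(candidate, policy, old="Summer2017!") or "accepted"))
```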
scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/000077500000000000000000000000001327242345500336375ustar00rootroot00000000000000set_password_hashing_algorithm.group000066400000000000000000000003571327242345500431270ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/set_password_hashing_algorithmdocumentation_complete: true title: 'Set Password Hashing Algorithm' description: |- The system's default algorithm for storing password hashes in /etc/shadow is SHA-512. This can be configured in several locations. set_password_hashing_algorithm_libuserconf.rule000066400000000000000000000014471327242345500453360ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/set_password_hashing_algorithmdocumentation_complete: true title: 'Set Password Hashing Algorithm in /etc/libuser.conf' description: |- In /etc/libuser.conf, add or correct the following line in its [defaults] section to ensure the system will use the SHA-512 algorithm for password hashing:
crypt_style = sha512
rationale: 'Using a stronger hashing algorithm makes password cracking attacks more difficult.' severity: medium identifiers: cce: 27229-4 references: disa: 803 nist: IA-5(b),IA-5(c),IA-5(1)(c),IA-7 pcidss: Req-8.2.1 srg: SRG-OS-000120 stigid: RHEL-06-000064 ocil_clause: 'it does not' ocil: |- Inspect /etc/libuser.conf and ensure the following line appears in the [default] section:
crypt_style = sha512
set_password_hashing_algorithm_logindefs.rule000066400000000000000000000013141327242345500447660ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/set_password_hashing_algorithmdocumentation_complete: true title: 'Set Password Hashing Algorithm in /etc/login.defs' description: |- In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
rationale: 'Using a stronger hashing algorithm makes password cracking attacks more difficult.' severity: medium identifiers: cce: 27228-6 references: disa: 803 nist: IA-5(b),IA-5(c),IA-5(1)(c),IA-7 pcidss: Req-8.2.1 srg: SRG-OS-000120 stigid: RHEL-06-000063 ocil_clause: 'it does not' ocil: |- Inspect /etc/login.defs and ensure the following line appears:
ENCRYPT_METHOD SHA512
# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule
documentation_complete: true

title: 'Set Password Hashing Algorithm in /etc/pam.d/system-auth'

description: |-
    In /etc/pam.d/system-auth, the password section of the file
    controls which PAM modules execute during a password change. Set the
    pam_unix.so module in the password section to include the argument
    sha512, as shown below:
        password    sufficient    pam_unix.so sha512 other arguments...
    This will help ensure when local users change their passwords, hashes
    for the new passwords will be generated using the SHA-512 algorithm.
    This is the default.

rationale: 'Using a stronger hashing algorithm makes password cracking attacks more difficult.'

severity: medium

identifiers:
    cce: 26303-8

references:
    disa: 803
    nist: IA-5(b),IA-5(c),IA-5(1)(c),IA-7
    pcidss: Req-8.2.1
    srg: SRG-OS-000120
    stigid: RHEL-06-000062

ocil_clause: 'it does not'

ocil: |-
    Inspect the password section of /etc/pam.d/system-auth and
    ensure that the pam_unix.so module includes the argument
    sha512:
        $ grep sha512 /etc/pam.d/system-auth
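A shell audit of the three hashing locations the rules above describe, added here as an example rather than code from scap-security-guide. It runs over sample configuration files it constructs itself; the sample contents, and the assumption that the last definition of a key in a file is the effective one, are the example's own.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: check libuser.conf,
# login.defs and the PAM password stack for SHA-512, so a reviewer can
# see which of the three locations is out of line. Runs on constructed
# sample files, not on the live system.

# crypt_style from the [defaults] section of a libuser.conf-style file.
# Comment lines and other sections are ignored; the last definition wins.
libuser_crypt_style() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^\[/ { in_defaults = ($0 ~ /^\[defaults\]/); next }
        in_defaults && /^[ \t]*crypt_style[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print val }' "$1"
}

# ENCRYPT_METHOD from a login.defs-style file (last definition wins).
logindefs_encrypt_method() {
    awk '/^[ \t]*#/ { next } $1 == "ENCRYPT_METHOD" { val = $2 } END { print val }' "$1"
}

# Does an uncommented "password" line pass sha512 to pam_unix.so? The
# module is located by scanning fields, because a bracketed control value
# such as "[success=1 default=ignore]" shifts the columns.
pam_unix_has_sha512() {
    awk '
        $1 == "password" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /pam_unix\.so$/)
                    for (j = i + 1; j <= NF; j++)
                        if ($j == "sha512") found = 1
        }
        END { print (found ? "yes" : "no") }' "$1"
}

# One "pass"/"fail" verdict per rule.
check_libuser()    { [ "$(libuser_crypt_style "$1")" = sha512 ] && echo pass || echo fail; }
check_logindefs()  { [ "$(logindefs_encrypt_method "$1")" = SHA512 ] && echo pass || echo fail; }
check_systemauth() { [ "$(pam_unix_has_sha512 "$1")" = yes ] && echo pass || echo fail; }

# Constructed samples: DIR/good/* are compliant; DIR/bad/* each contain the
# string "sha512" somewhere, so a naive grep would wrongly pass them.
write_samples() {
    mkdir -p "$1/good" "$1/bad"
    cat > "$1/good/libuser.conf" <<'EOF'
[defaults]
crypt_style = sha512
EOF
    cat > "$1/bad/libuser.conf" <<'EOF'
# crypt_style = sha512   (commented out)
[defaults]
crypt_style = md5
[userdefaults]
crypt_style = sha512
EOF
    cat > "$1/good/login.defs" <<'EOF'
PASS_MAX_DAYS   60
ENCRYPT_METHOD SHA512
EOF
    cat > "$1/bad/login.defs" <<'EOF'
ENCRYPT_METHOD SHA512
ENCRYPT_METHOD MD5
EOF
    cat > "$1/good/system-auth" <<'EOF'
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
    cat > "$1/bad/system-auth" <<'EOF'
#password   sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    [success=1 default=ignore] pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
}

# Stand-alone run: one line of verdicts per sample set.
tmp=$(mktemp -d)
write_samples "$tmp"
for sample in good bad; do
    echo "$sample: libuser.conf=$(check_libuser "$tmp/$sample/libuser.conf")" \
         "login.defs=$(check_logindefs "$tmp/$sample/login.defs")" \
         "system-auth=$(check_systemauth "$tmp/$sample/system-auth")"
done
rm -rf "$tmp"
```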
# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
documentation_complete: true

title: remember

description: |-
    The last n passwords for each user are saved in
    /etc/security/opasswd in order to force password change history and
    keep the user from alternating between the same password too frequently.

type: number

operator: equals

interactive: false

options:
    "0": "0"
    10: 10
    24: 24
    4: 4
    5: 5
    default: 5

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/accounts-physical.group
documentation_complete: true

title: 'Protect Physical Console Access'

description: |-
    It is impossible to fully protect a system from an attacker with physical
    access, so securing the space in which the system is located should be
    considered a necessary step. However, there are some steps which, if
    taken, make it more difficult for an attacker to quickly or undetectably
    modify a system from its console.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/bootloader/bootloader.group
documentation_complete: true

title: 'Set Boot Loader Password'

description: |-
    During the boot process, the boot loader is responsible for starting the
    execution of the kernel and passing options to it. The boot loader allows
    for the selection of different kernels - possibly on different partitions
    or media.

    The default Red Hat Enterprise Linux boot loader for x86 systems is
    called GRUB. Options it can pass to the kernel include single-user mode,
    which provides root access without any authentication, and the ability
    to disable SELinux. To prevent local users from modifying the boot
    parameters and endangering security, protect the boot loader
    configuration with a password and ensure its configuration file's
    permissions are set properly.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/bootloader/bootloader_password.rule
documentation_complete: true

title: 'Set Boot Loader Password'

description: |-
    The grub boot loader should have password protection enabled to protect
    boot-time settings. To do so, select a password and then generate a hash
    from it by running the following command:
        $ grub-crypt --sha-512
    Enter the password when prompted, then insert the following line into
    /etc/grub.conf immediately after the header comments, using the output
    from grub-crypt as the value of password-hash:
        password --encrypted password-hash
    NOTE: To meet FISMA Moderate, the bootloader password MUST differ from
    the root password.

rationale: |-
    Password protection on the boot loader configuration ensures users with
    physical access cannot trivially alter important bootloader settings.
    These include which kernel to use, and whether to enter single-user mode.

severity: medium

identifiers:
    cce: 26911-8

references:
    disa: 213
    nist: 'IA-2(1),IA-5(e) AC-3'
    srg: SRG-OS-000080
    stigid: RHEL-06-000068

ocil_clause: 'it does not'

ocil: |-
    To verify the boot loader password has been set and encrypted, run the
    following command:
        $ sudo grep password /etc/grub.conf
    The output should show the following:
        password --encrypted password-hash
# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/bootloader/file_group_owner_grub_conf.rule
documentation_complete: true

title: 'Verify /etc/grub.conf Group Ownership'

description: |-
    The file /etc/grub.conf should be group-owned by the root
    group to prevent destruction or modification of the file.

rationale: |-
    The root group is a highly-privileged group. Furthermore, the
    group-owner of this file should not have any access privileges anyway.

severity: medium

identifiers:
    cce: 27022-3

references:
    disa: 225
    nist: AC-6(7)
    pcidss: Req-7.1
    srg: SRG-OS-999999
    stigid: RHEL-06-000066

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/bootloader/file_permissions_grub_conf.rule
documentation_complete: true

title: 'Verify /boot/grub/grub.conf Permissions'

description: |-
    File permissions for /boot/grub/grub.conf should be set to 600,
    which is the default.

rationale: |-
    Proper permissions ensure that only the root user can modify important
    boot parameters.

severity: medium

identifiers:
    cce: 26949-8

references:
    disa: 225
    nist: AC-6(7)
    srg: SRG-OS-999999
    stigid: RHEL-06-000067

ocil_clause: 'it does not'

ocil: |-
    To check the permissions of /etc/grub.conf, run the command:
        $ sudo ls -lL /etc/grub.conf
    If properly configured, the output should indicate the following
    permissions: -rw-------

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/bootloader/file_user_owner_grub_conf.rule
documentation_complete: true

title: 'Verify /etc/grub.conf User Ownership'

description: |-
    The file /etc/grub.conf should be owned by the root user
    to prevent destruction or modification of the file.

rationale: 'Only root should be able to modify important boot parameters.'

severity: medium

identifiers:
    cce: 26995-1

references:
    disa: 225
    nist: AC-6(7)
    pcidss: Req-7.1
    srg: SRG-OS-999999
    stigid: RHEL-06-000065

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule
documentation_complete: true

title: 'Disable Ctrl-Alt-Del Reboot Activation'

description: |-
    By default, the system includes the following line in
    /etc/init/control-alt-delete.conf to reboot the system when the
    Ctrl-Alt-Del key sequence is pressed:
        exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

    To configure the system to log a message instead of rebooting the
    system, alter that line to read as follows:
        exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"

rationale: |-
    A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
    can reboot the system. If accidentally pressed, as could happen in the
    case of a mixed OS environment, this can create the risk of short-term
    loss of availability of systems due to unintentional reboot. In the GNOME
    graphical environment, risk of unintentional reboot from the Ctrl-Alt-Del
    sequence is reduced because the user will be prompted before any action
    is taken. NOTE: When updating the initscripts package on a Red Hat
    Enterprise Linux 6 system, custom changes to
    /etc/init/control-alt-delete.conf may be overwritten. Refer to for
    additional information.

severity: high

identifiers:
    cce: 27567-7

references:
    srg: SRG-OS-999999
    stigid: RHEL-06-000286

ocil_clause: 'the system is configured to run the shutdown command'

ocil: |-
    To ensure the system is configured to log a message instead of rebooting
    the system when Ctrl-Alt-Del is pressed, ensure the following line is in
    /etc/init/control-alt-delete.conf:
        exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/disable_interactive_boot.rule
documentation_complete: true

title: 'Disable Interactive Boot'

description: |-
    To disable the ability for users to perform interactive startups,
    perform both of the following:
      1. Edit the file /etc/sysconfig/init. Add or correct the line:
            PROMPT=no
      2. Inspect the kernel boot arguments (which follow the word kernel)
         in /etc/grub.conf and ensure the confirm argument is not present.
    Both the PROMPT option of the /etc/sysconfig/init file and the
    confirm kernel boot argument of the /etc/grub.conf file allow the
    console user to perform an interactive system startup, in which it is
    possible to select the set of services which are started on boot.

rationale: |-
    Using interactive boot, the console user could disable auditing,
    firewalls, or other services, weakening system security.

severity: medium

identifiers:
    cce: 27043-9

references:
    disa: 213
    nist: SC-2,AC-3
    srg: SRG-OS-000080
    stigid: RHEL-06-000070

ocil_clause: 'it does not'

ocil: |-
    To check whether interactive boot is disabled, run the following
    commands:
      1. $ grep PROMPT /etc/sysconfig/init
         If interactive boot is disabled, the output will show:
            PROMPT=no
      2. $ grep confirm /etc/grub.conf
         If interactive boot is disabled, there should be no output.
# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/require_singleuser_auth.rule
documentation_complete: true

title: 'Require Authentication for Single User Mode'

description: |-
    Single-user mode is intended as a system recovery method, providing a
    single user root access to the system by providing a boot option at
    startup. By default, no authentication is performed if single-user mode
    is selected.

    To require entry of the root password even if the system is started in
    single-user mode, add or correct the following line in the file
    /etc/sysconfig/init:
        SINGLE=/sbin/sulogin

rationale: |-
    This prevents attackers with physical access from trivially bypassing
    security on the machine and gaining root access. Such accesses are
    further prevented by configuring the bootloader password.

severity: medium

identifiers:
    cce: 27040-5

references:
    disa: 213
    nist: IA-2(1),AC-3
    srg: SRG-OS-000080
    stigid: RHEL-06-000069

ocil_clause: 'the output is different'

ocil: |-
    To check if authentication is required for single-user mode, run the
    following command:
        $ grep SINGLE /etc/sysconfig/init
    The output should be the following:
        SINGLE=/sbin/sulogin
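A shell audit of the console-access settings from the boot loader, Ctrl-Alt-Del, interactive boot and single-user rules above, added here as an example and not code from scap-security-guide. It runs over constructed sample files; the placeholder hash and sample contents are assumptions, and ownership and mode of grub.conf are left to ls on the live file and not checked here.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: audit grub.conf, the
# /etc/sysconfig/init settings and the Ctrl-Alt-Del upstart job on
# constructed sample files, not on the live system.

# Is there an uncommented "password --encrypted <hash>" line?
grub_has_password() {
    awk '/^[ \t]*#/ { next }
         $1 == "password" && $2 == "--encrypted" && NF >= 3 { ok = 1 }
         END { print (ok ? "yes" : "no") }' "$1"
}

# Does any uncommented kernel line carry the "confirm" argument?
grub_kernel_has_confirm() {
    awk '/^[ \t]*#/ { next }
         $1 == "kernel" { for (i = 2; i <= NF; i++) if ($i == "confirm") found = 1 }
         END { print (found ? "yes" : "no") }' "$1"
}

# Value of NAME in a shell-style /etc/sysconfig file: the last uncommented
# NAME=value assignment wins; double quotes around the value are dropped.
sysconfig_value() {
    awk -v name="$2" '/^[ \t]*#/ { next }
         index($0, name "=") == 1 { val = substr($0, length(name) + 2); gsub(/"/, "", val) }
         END { print val }' "$1"
}

# Program started by the first uncommented "exec" stanza of an upstart job.
upstart_exec_program() {
    awk '/^[ \t]*#/ { next } $1 == "exec" { print $2; exit }' "$1"
}

# One "pass"/"fail" verdict per rule.
check_bootloader_password() { [ "$(grub_has_password "$1")" = yes ] && echo pass || echo fail; }
check_no_confirm()          { [ "$(grub_kernel_has_confirm "$1")" = no ] && echo pass || echo fail; }
check_prompt()              { [ "$(sysconfig_value "$1" PROMPT)" = no ] && echo pass || echo fail; }
check_single()              { [ "$(sysconfig_value "$1" SINGLE)" = /sbin/sulogin ] && echo pass || echo fail; }
check_ctrlaltdel()          { [ "$(upstart_exec_program "$1")" = /usr/bin/logger ] && echo pass || echo fail; }

# Constructed samples; the hash and kernel version are placeholders.
write_samples() {
    mkdir -p "$1/good" "$1/bad"
    cat > "$1/good/grub.conf" <<'EOF'
# grub.conf generated by anaconda
default=0
password --encrypted $6$PLACEHOLDER_HASH
title Red Hat Enterprise Linux (2.6.32-PLACEHOLDER)
        kernel /vmlinuz-PLACEHOLDER ro root=/dev/mapper/root rhgb quiet
EOF
    cat > "$1/bad/grub.conf" <<'EOF'
#password --encrypted $6$PLACEHOLDER_HASH
title Red Hat Enterprise Linux (2.6.32-PLACEHOLDER)
        kernel /vmlinuz-PLACEHOLDER ro root=/dev/mapper/root confirm rhgb quiet
EOF
    cat > "$1/good/init" <<'EOF'
PROMPT=no
SINGLE=/sbin/sulogin
EOF
    cat > "$1/bad/init" <<'EOF'
PROMPT=no
PROMPT=yes
SINGLE=/sbin/sushell
EOF
    cat > "$1/good/control-alt-delete.conf" <<'EOF'
start on control-alt-delete
exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"
EOF
    cat > "$1/bad/control-alt-delete.conf" <<'EOF'
start on control-alt-delete
exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
EOF
}

# Stand-alone run: one line of verdicts per sample set.
tmp=$(mktemp -d)
write_samples "$tmp"
for sample in good bad; do
    d=$tmp/$sample
    echo "$sample: bootloader_password=$(check_bootloader_password "$d/grub.conf")" \
         "no_confirm=$(check_no_confirm "$d/grub.conf")" \
         "prompt=$(check_prompt "$d/init")" \
         "single=$(check_single "$d/init")" \
         "ctrlaltdel=$(check_ctrlaltdel "$d/control-alt-delete.conf")"
done
rm -rf "$tmp"
```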
# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/console_screen_locking.group
documentation_complete: true

title: 'Configure Console Screen Locking'

description: |-
    A console screen locking mechanism is provided in the
    screen package, which is not installed by default.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule
documentation_complete: true

title: 'Install the screen Package'

description: |-
    To enable console screen locking, install the screen package:
        $ sudo yum install screen
    Instruct users to begin new terminal sessions with the following command:
        $ screen
    The console can now be locked with the following key combination:
        ctrl+a x

rationale: |-
    Installing screen ensures a console locking capability is
    available for users who may need to suspend console logins.

severity: unknown

identifiers:
    cce: 26940-7

references:
    disa: 58
    srg: SRG-OS-000030
    stigid: RHEL-06-000071

ocil_clause: 'the package is not installed'

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/screen_locking/screen_locking.group
documentation_complete: true

title: 'Configure Screen Locking'

description: |-
    When a user must temporarily leave an account logged-in, screen locking
    should be employed to prevent passersby from abusing the account. User
    education and training is particularly important for screen locking to
    be effective, and policies can be implemented to reinforce this.

    Automatic screen locking is only meant as a safeguard for those cases
    where a user forgot to lock the screen.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smart_card_login.group
documentation_complete: true

title: 'Hardware Tokens for Authentication'

description: |-
    The use of hardware tokens such as smart cards for system login provides
    stronger, two-factor authentication than using a username and password.
    In Red Hat Enterprise Linux servers and workstations, hardware token
    login is not enabled by default and must be enabled in the system
    settings.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule
documentation_complete: true

title: 'Enable Smart Card Login'

description: |-
    To enable smart card authentication, consult the documentation at:
    For guidance on enabling SSH to authenticate against a Common Access
    Card (CAC), consult documentation at:

rationale: |-
    Smart card login provides two-factor authentication stronger than that
    provided by a username and password combination. Smart cards leverage
    PKI (public key infrastructure) in order to provide and verify
    credentials.

severity: medium

identifiers:
    cce: 27440-7

references:
    disa: 765,766,767,768,771,772,884
    pcidss: Req-8.3
    srg: SRG-OS-000105
    stigid: RHEL-06-000349

ocil_clause: 'non-exempt accounts are not using CAC authentication'

ocil: |-
    Interview the SA to determine if all accounts not exempted by policy are
    using CAC authentication. For DoD systems, the following systems and
    accounts are exempt from using smart card (CAC) authentication:
      • SIPRNET systems
      • Standalone systems
      • Application accounts
      • Temporary employee accounts, such as students or interns, who
        cannot easily receive a CAC or PIV
      • Operational tactical locations that are not collocated with RAPIDS
        workstations to issue CAC or ALT
      • Test systems, such as those with an Interim Approval to Test (IATT)
        and use a separate VPN, firewall, or security measure preventing
        access to network and system components from outside the
        protection boundary documented in the IATT.

# file: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration.rule
documentation_complete: true

title: 'Set Account Expiration Following Inactivity'

description: |-
    To specify the number of days after a password expires (which
    signifies inactivity) until an account is permanently disabled, add or
    correct the following lines in /etc/default/useradd, substituting
    NUM_DAYS appropriately:
        INACTIVE=
    A value of 35 is recommended.
    If a password is currently on the verge of expiration, then 35 days
    remain until the account is automatically disabled. However, if the
    password will not expire for another 60 days, then 95 days could elapse
    until the account would be automatically disabled. See the
    useradd man page for more information. Determining the inactivity
    timeout must be done with careful consideration of the length of a
    "normal" period of inactivity for users in the particular environment.
    Setting the timeout too low incurs support costs and also has the
    potential to impact availability of the system to legitimate users.

rationale: |-
    Disabling inactive accounts ensures that accounts which may not have
    been responsibly removed are not available to attackers who may have
    compromised their credentials.

severity: unknown

identifiers:
    cce: 27283-1

references:
    disa: 16,17,795
    nist: 'AC-2(2), AC-2(3)'
    pcidss: Req-8.1.4
    srg: SRG-OS-000118
    stigid: RHEL-06-000334

ocil_clause: 'it does not'

ocil: |-
    To verify the INACTIVE setting, run the following command:
        grep "INACTIVE" /etc/default/useradd
    The output should indicate the INACTIVE configuration option is
    set to an appropriate integer as shown in the example below:
        $ sudo grep "INACTIVE" /etc/default/useradd
        INACTIVE=
account_expiration.group000066400000000000000000000020461327242345500401230ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/account_expirationdocumentation_complete: true title: 'Set Account Expiration Parameters' description: |- Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to become usable again. Expiration of accounts after inactivity can be set for all accounts by default and also on a per-account basis, such as for accounts that are known to be temporary. To configure automatic expiration of an account following the expiration of its password (that is, after the password has expired and not been changed), run the following command, substituting NUM_DAYS and USER appropriately:
$ sudo chage -I NUM_DAYS USER
Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the -E option. The file /etc/default/useradd controls default settings for all newly-created accounts created with the system's normal command line utilities. account_temp_expire_date.rule000066400000000000000000000025531327242345500410750ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/account_expirationdocumentation_complete: true title: 'Assign Expiration Date to Temporary Accounts' description: |- In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately:
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the account. rationale: "When temporary and emergency accounts are created, there is a risk they may\nremain in place and active after the need for them no longer exists. Account\nexpiration greatly reduces the risk of accounts being misused or hijacked. \n
" severity: unknown identifiers: cce: 27474-6 references: disa: 16,1682 nist: AC-2(2),AC-2(3) srg: SRG-OS-000121,SRG-OS-000123 stigid: RHEL-06-000297 ocil_clause: 'any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame' ocil: |- For every temporary and emergency account, run the following command to obtain its account aging and expiration information:
$ sudo chage -l USER
Verify each of these accounts has an expiration date set as documented. account_unique_name.rule000066400000000000000000000011331327242345500400560ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/account_expirationdocumentation_complete: true title: 'Ensure All Accounts on the System Have Unique Names' description: 'Change usernames, or delete accounts, so each has a unique name.' rationale: 'Unique usernames allow for accountability on the system.' severity: unknown identifiers: cce: 27609-7 references: disa: 770,804 pcidss: Req-8.1.1 srg: SRG-OS-000121 stigid: RHEL-06-000296 ocil_clause: 'a line is returned' ocil: |- Run the following command to check for duplicate account names:
$ sudo pwck -qr
If there are no duplicate names, no line will be returned. account_use_centralized_automated_auth.rule000066400000000000000000000024371327242345500440240ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/account_expirationdocumentation_complete: true title: 'Use Centralized and Automated Authentication' description: |- Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. This system should integrate with an existing enterprise user management system, such as one based on Identity Management tools such as Active Directory, Kerberos, Directory Server, etc. rationale: |- A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Enterprise environments make user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight. severity: medium identifiers: cce: 80509-3 references: disa: 15 nist: "" srg: SRG-OS-000001 stigid: RHEL-06-000524 ocil_clause: 'the system is not using a centralized authentication mechanism, or it is not automated' ocil: |- Verify that the system is integrated with a centralized authentication mechanism such as as Active Directory, Kerberos, Directory Server, etc. that has automated account mechanisms in place. var_account_disable_post_pw_expiration.var000066400000000000000000000005711327242345500436660ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/account_expirationdocumentation_complete: true title: 'number of days after a password expires until the account is permanently disabled' description: 'The number of days to wait after a password expires, until the account will be permanently disabled.' 
type: number operator: interactive: false options: 180: 180 30: 30 35: 35 40: 40 60: 60 90: 90 default: 35 accounts-restrictions.group000066400000000000000000000012511327242345500346710ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictionsdocumentation_complete: true title: 'Protect Accounts by Restricting Password-Based Login' description: |- Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the /etc/passwd and /etc/shadow files. Password-based login is vulnerable to guessing of weak passwords, and to sniffing and man-in-the-middle attacks against passwords entered over a network or at an insecure console. Therefore, mechanisms for accessing accounts by entering usernames and passwords should be restricted to those which are operationally necessary. scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_expiration/000077500000000000000000000000001327242345500334325ustar00rootroot00000000000000accounts_maximum_age_login_defs.rule000066400000000000000000000022471327242345500426320ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_expirationdocumentation_complete: true title: 'Set Password Maximum Age' description: "To specify password maximum age for new accounts,\nedit the file /etc/login.defs\nand add or correct the following line:\n
PASS_MAX_DAYS 
\nA value of 180 days is sufficient for many environments. \nThe DoD requirement is 60." rationale: |- Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. severity: medium identifiers: cce: 26985-2 references: disa: 180,199 nist: IA-5(f),IA-5(g),IA-5(1)(d) pcidss: Req-8.2.4 srg: SRG-OS-000076 stigid: RHEL-06-000053 ocil_clause: 'it is not set to the required value' ocil: |- To check the maximum password age, run the command:
$ grep PASS_MAX_DAYS /etc/login.defs
The DoD and FISMA requirement is 60. A value of 180 days is sufficient for many environments. accounts_minimum_age_login_defs.rule000066400000000000000000000016611327242345500426270ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_expirationdocumentation_complete: true title: 'Set Password Minimum Age' description: |- To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MIN_DAYS 
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. rationale: |- Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. severity: medium identifiers: cce: 27013-2 references: disa: 198 nist: IA-5(f),IA-5(1)(d) srg: SRG-OS-000075 stigid: RHEL-06-000051 ocil_clause: 'it is not set to the required value' ocil: |- To check the minimum password age, run the command:
$ grep PASS_MIN_DAYS /etc/login.defs
The DoD and FISMA requirement is 1. accounts_password_minlen_login_defs.rule000066400000000000000000000027051327242345500435440ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_expirationdocumentation_complete: true title: 'Set Password Minimum Length in login.defs' description: |- To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following lines:
PASS_MIN_LEN 


As of the DISA Red Hat 6 STIG - Ver 1, Rel 13 (28-OCT-2016), the DoD requirement is now 15. The FISMA requirement is 12. If a program consults /etc/login.defs and also another PAM module (such as pam_cracklib) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements. rationale: |- Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. severity: medium identifiers: cce: 27002-5 references: disa: 205 nist: IA-5(f),IA-5(1)(a) srg: SRG-OS-000078 stigid: RHEL-06-000050 ocil_clause: 'it is not set to the required value' ocil: |- To check the minimum password length, run the command:
$ grep PASS_MIN_LEN /etc/login.defs
The DoD requirement is 15. accounts_password_warn_age_login_defs.rule000066400000000000000000000015131327242345500440410ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_expirationdocumentation_complete: true title: 'Set Password Warning Age' description: |- To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line:
PASS_WARN_AGE 
The DoD requirement is 7. rationale: |- Setting the password warning age enables users to make the change at a practical time. severity: unknown identifiers: cce: 26988-6 references: nist: AC-2(2),IA-5(f) srg: SRG-OS-999999 stigid: RHEL-06-000054 ocil_clause: 'it is not set to the required value' ocil: |- To check the password warning age, run the command:
$ grep PASS_WARN_AGE /etc/login.defs
The DoD requirement is 7. password_expiration.group000066400000000000000000000032621327242345500405400ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_expirationdocumentation_complete: true title: 'Set Password Expiration Parameters' description: |- The file /etc/login.defs controls several password-related settings. Programs such as passwd, su, and login consult /etc/login.defs to determine behavior with regard to password aging, expiration warnings, and length. See the man page login.defs(5) for more information.

Users should be forced to change their passwords, in order to decrease the utility of compromised passwords. However, the need to change passwords often should be balanced against the risk that users will reuse or write down passwords if forced to change them too often. Forcing password changes every 90-360 days, depending on the environment, is recommended. Set the appropriate value as PASS_MAX_DAYS and apply it to existing accounts with the -M flag.

The PASS_MIN_DAYS (-m) setting prevents password changes for 7 days after the first change, to discourage password cycling. If you use this setting, train users to contact an administrator for an emergency password change in case a new password becomes compromised. The PASS_WARN_AGE (-W) setting gives users 7 days of warnings at login time that their passwords are about to expire.

For example, for each existing human user USER, expiration parameters could be adjusted to a 180 day maximum password age, 7 day minimum password age, and 7 day warning period with the following command:
$ sudo chage -M 180 -m 7 -W 7 USER
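A shell check of the four login.defs aging settings the rules above cover (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, PASS_WARN_AGE), added here as an example and not code from scap-security-guide. The limits are passed as arguments so the same function serves the DoD values quoted above or a site's own policy; it runs over constructed sample files, and it assumes, as shadow-utils does, that the last definition of a key in the file is the effective one.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: read the login.defs aging
# settings and report the ones outside the chosen limits, on constructed
# sample files rather than the live /etc/login.defs.

# Value of KEY in a login.defs-style file. Comment lines are skipped and
# the last definition wins, which is how shadow-utils reads the file.
logindefs_value() {
    awk -v key="$2" '/^[ \t]*#/ { next } $1 == key { val = $2 } END { print val }' "$1"
}

# Usage: aging_failures FILE MAX_DAYS MIN_DAYS MIN_LEN WARN_AGE
# Echoes the names of the settings that are unset, not an integer, or
# outside the limit (PASS_MAX_DAYS must be <= MAX_DAYS, the other three
# >= their limit). An empty result means the file satisfies all four.
aging_failures() {
    file=$1; max_days=$2; min_days=$3; min_len=$4; warn_age=$5
    out=""
    for spec in "PASS_MAX_DAYS -le $max_days" "PASS_MIN_DAYS -ge $min_days" \
                "PASS_MIN_LEN -ge $min_len" "PASS_WARN_AGE -ge $warn_age"; do
        set -- $spec                        # key, test operator, limit
        value=$(logindefs_value "$file" "$1")
        case $value in
            ''|*[!0-9]*) out="$out $1" ;;   # unset, or not a plain integer
            *) [ "$value" "$2" "$3" ] || out="$out $1" ;;
        esac
    done
    echo "${out# }"
}

# Constructed samples: "good" meets the DoD values quoted in the rules;
# "bad" hides a commented-out PASS_MAX_DAYS, overrides PASS_MIN_DAYS with a
# later line, and omits PASS_MIN_LEN entirely.
write_samples() {
    mkdir -p "$1/good" "$1/bad"
    cat > "$1/good/login.defs" <<'EOF'
# constructed sample of a compliant login.defs
PASS_MAX_DAYS   60
PASS_MIN_DAYS   1
PASS_MIN_LEN    15
PASS_WARN_AGE   7
ENCRYPT_METHOD SHA512
EOF
    cat > "$1/bad/login.defs" <<'EOF'
#PASS_MAX_DAYS  60
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   1
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
}

# Stand-alone run: DoD limits (60/1/15/7) and the 180-day alternative.
tmp=$(mktemp -d)
write_samples "$tmp"
for sample in good bad; do
    for limits in "60 1 15 7" "180 1 15 7"; do
        echo "$sample with limits $limits: failures=[$(aging_failures "$tmp/$sample/login.defs" $limits)]"
    done
done
rm -rf "$tmp"
```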
# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var
documentation_complete: true

title: 'maximum password age'

description: 'Maximum age of password in days'

type: number

operator:

interactive: false

options:
    120: 120
    180: 180
    60: 60
    90: 90
    default: 60

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_minimum_age_login_defs.var
documentation_complete: true

title: 'minimum password age'

description: 'Minimum age of password in days'

type: number

operator:

interactive: false

options:
    "0": "0"
    1: 1
    2: 2
    5: 5
    7: 7
    default: 7

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
documentation_complete: true

title: 'minimum password length'

description: 'Minimum number of characters in password'

type: number

operator:

interactive: false

options:
    10: 10
    12: 12
    14: 14
    15: 15
    6: 6
    8: 8
    default: 14

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_warn_age_login_defs.var
documentation_complete: true

title: 'warning days before password expires'

description: 'The number of days'' warning given before a password expires.'

type: number

operator:

interactive: false

options:
    "0": "0"
    14: 14
    7: 7
    default: 7

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed.rule
documentation_complete: true

title: 'Verify All Account Password Hashes are Shadowed'

description: |-
    If any password hashes are stored in /etc/passwd (in the second field,
    instead of an x), the cause of this misconfiguration should be
    investigated. The account should have its password reset and the hash
    should be properly stored, or the account should be deleted entirely.

rationale: |-
    The hashes for all user account passwords should be stored in the file
    /etc/shadow and never in /etc/passwd, which is readable by all users.

severity: medium

identifiers:
    cce: 26476-2

references:
    disa: 201
    nist: IA-5(h)
    pcidss: Req-8.2.1
    srg: SRG-OS-999999
    stigid: RHEL-06-000031

ocil_clause: 'any stored hashes are found in /etc/passwd'

ocil: |-
    To check that no password hashes are stored in /etc/passwd, run the
    following command:
    $ awk -F: '($2 != "x") {print}' /etc/passwd
    If it produces any output, then a password hash is stored in /etc/passwd.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same.rule
documentation_complete: true

title: 'All GIDs referenced in /etc/passwd must be defined in /etc/group'

description: 'Add a group to the system for each GID referenced without a corresponding group.'

rationale: 'Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights.'

severity: unknown

identifiers:
    cce: 27379-7

references:
    disa: 366
    pcidss: Req-8.5.a
    srg: SRG-OS-999999
    stigid: RHEL-06-000294

ocil_clause: 'there is output'

ocil: |-
    To ensure all GIDs referenced in /etc/passwd are defined in /etc/group,
    run the following command:
    $ sudo pwck -qr
    There should be no output.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords.rule
documentation_complete: true

title: 'Prevent Log In to Accounts With Empty Password'

description: |-
    If an account is configured for password authentication but does not have
    an assigned password, it may be possible to log onto the account without
    authentication. Remove any instances of the nullok option in
    /etc/pam.d/system-auth to prevent logins with empty passwords.

rationale: |-
    If an account has an empty password, anyone could log in and run commands
    with the privileges of that account. Accounts with empty passwords should
    never be used in operational environments.

severity: high

identifiers:
    cce: 27038-9

references:
    nist: IA-5(b),IA-5(c),IA-5(1)(a)
    pcidss: Req-8.2.3
    srg: SRG-OS-999999
    stigid: RHEL-06-000030

ocil_clause: 'NULL passwords can be used'

ocil: |-
    To verify that null passwords cannot be used, run the following command:
    $ grep nullok /etc/pam.d/system-auth
    If this produces any output, it may be possible to log into accounts with
    empty passwords.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files.rule
documentation_complete: true

title: 'Verify No netrc Files Exist'

description: |-
    The .netrc files contain login information used to auto-login into FTP
    servers and reside in the user's home directory. These files may contain
    unencrypted passwords to remote FTP servers, making them susceptible to
    access by unauthorized users, and should not be used. Any .netrc files
    should be removed.

rationale: |-
    Unencrypted passwords for remote FTP servers may be stored in .netrc
    files. DoD policy requires passwords be encrypted in storage and not used
    in access scripts.

severity: medium

identifiers:
    cce: 27225-2

references:
    disa: 196
    nist: IA-5(h),AC-3
    srg: SRG-OS-000073
    stigid: RHEL-06-000347

ocil_clause: 'any .netrc files exist'

ocil: |-
    To check the system for the existence of any .netrc files, run the
    following command:
    $ sudo find /root /home -xdev -name .netrc
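The /etc/passwd checks in this directory, together with the UID 0 and login-shell checks of the root_logins rules that follow, can be run as one audit script. The script below is an added example, not part of the SCAP Security Guide sources. It operates on a constructed /etc/passwd fragment written to a temporary file; the UID_MIN default of 500 is taken from the rule text, and treating /sbin/nologin and /bin/false as non-interactive shells is an assumption (the rule itself names only /sbin/nologin).

```shell
#!/bin/sh
# Added example (not SSG code): audit an /etc/passwd-format file for the
# findings described by the password_storage and root_logins rules.
# Usage: passwd_findings /etc/passwd [UID_MIN]   (UID_MIN defaults to 500, as on RHEL 6)

# Constructed sample with one finding of each kind. The second field of the
# "legacy" line is a placeholder, not a real password hash.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/bash
legacy:$6$placeholder$hash:499:499:old service:/var/legacy:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash'

# Write the sample to a temporary file and print its path.
sample_passwd_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    echo "$f"
}

# accounts_password_all_shadowed: the second field must be "x" for every account.
unshadowed_accounts() {
    awk -F: '$2 != "x" {print $1}' "$1"
}

# accounts_no_uid_except_zero: only root may have UID 0.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"
}

# no_shelllogin_for_systemaccounts: accounts below UID_MIN (other than root)
# must not have an interactive shell. /sbin/nologin and /bin/false count as
# non-interactive here (assumption).
system_accounts_with_shell() {
    awk -F: -v min="${2:-500}" \
        '$3 < min && $1 != "root" && $7 !~ /\/(nologin|false)$/ {print $1}' "$1"
}

# Run all three checks; print each non-empty result and return 1 if any hit.
passwd_findings() {
    file=$1; uid_min=${2:-500}; rc=0
    for check in unshadowed_accounts extra_uid0_accounts system_accounts_with_shell; do
        hits=$("$check" "$file" "$uid_min")
        if [ -n "$hits" ]; then
            echo "$check: $(echo "$hits" | tr '\n' ' ')"
            rc=1
        fi
    done
    return $rc
}

# Demo against the constructed sample (expected: legacy, toor, and toor+legacy).
demo=$(sample_passwd_file)
passwd_findings "$demo" || true
rm -f "$demo"
```

Each check is a separate function so that a single finding can be scripted on its own; the combined `passwd_findings` exit status makes the script usable from a cron job or a configuration-management check.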
# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/password_storage/password_storage.group
documentation_complete: true

title: |-
    Verify Proper Storage and Existence of Password Hashes

description: |-
    By default, password hashes for local accounts are stored in the second
    field (colon-separated) in /etc/shadow. This file should be readable only
    by processes running with root credentials, preventing users from casually
    accessing others' password hashes and attempting to crack them. However, it
    remains possible to misconfigure the system and store password hashes in
    world-readable files such as /etc/passwd, or to even store passwords
    themselves in plaintext on the system. Using system-provided tools for
    password change/creation should allow administrators to avoid such
    misconfiguration.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero.rule
documentation_complete: true

title: 'Verify Only Root Has UID 0'

description: |-
    If any account other than root has a UID of 0, this misconfiguration
    should be investigated and the accounts other than root should be removed
    or have their UID changed.

rationale: |-
    An account has root authority if it has a UID of 0. Multiple accounts with
    a UID of 0 afford more opportunity for potential intruders to guess a
    password for a privileged account. Proper configuration of sudo is
    recommended to afford multiple system administrators access to root
    privileges in an accountable manner.

severity: medium

identifiers:
    cce: 26971-2

references:
    disa: 366
    nist: AC-6,IA-2(1)
    srg: SRG-OS-999999
    stigid: RHEL-06-000032

ocil_clause: 'any account other than root has a UID of 0'

ocil: |-
    To list all password file entries for accounts with UID 0, run the
    following command:
    $ awk -F: '($3 == 0) {print}' /etc/passwd
    This should print only one line, for the user root.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins.rule
documentation_complete: true

title: 'Direct root Logins Not Allowed'

description: |-
    To further limit access to the root account, administrators can disable
    root logins at the console by editing the /etc/securetty file. This file
    lists all devices the root user is allowed to login to. If the file does
    not exist at all, the root user can login through any communication device
    on the system, whether via the console or via a raw network interface. This
    is dangerous, as a user could then log in as root via Telnet, which sends
    the password in plain text over the network. By default, Red Hat Enterprise
    Linux's /etc/securetty file only allows the root user to login at the
    console physically attached to the machine. To prevent direct root logins,
    remove the contents of this file by typing the following command:
    $ sudo echo > /etc/securetty

rationale: |-
    Disabling direct root logins ensures proper accountability and multifactor
    authentication to privileged accounts. Users will first login, then
    escalate to privileged (root) access via su / sudo. This is required for
    FISMA Low and FISMA Moderate systems.

severity: medium

identifiers:
    cce: 26891-2

references:
    nist: IA-2(1)

ocil_clause: 'the /etc/securetty file is not empty'

ocil: |-
    To ensure root may not directly login to the system over physical
    consoles, run the following command:
    cat /etc/securetty
    If any output is returned, this is a finding.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/root_logins/no_password_auth_for_systemaccounts.rule
documentation_complete: true

title: 'Ensure that System Accounts Are Locked'

description: |-
    Some accounts are not associated with a human user of the system, and
    exist to perform some administrative function. An attacker should not be
    able to log into these accounts.

    System accounts are those user accounts with a user ID less than UID_MIN,
    where the value of the UID_MIN directive is set in the /etc/login.defs
    configuration file. In the default configuration UID_MIN is set to 500,
    so system accounts are those user accounts with a user ID less than 500.
    If any system account SYSACCT (other than root) has an unlocked password,
    disable it with the command:
    $ sudo passwd -l SYSACCT

rationale: |-
    Disabling authentication for default system accounts makes it more
    difficult for attackers to make use of them to compromise a system.

severity: medium

identifiers:
    cce: 80510-1

references:
    disa: 366
    nist: ""
    srg: SRG-OS-999999
    stigid: RHEL-06-000029

ocil_clause: 'it is not'

ocil: |-
    To obtain a listing of all users and the contents of their shadow password
    field, run the command:
    $ sudo awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow
    Identify the system accounts from this listing. These will primarily be
    the accounts with UID numbers less than UID_MIN, other than root. The
    value of the UID_MIN directive is set in the /etc/login.defs configuration
    file. In the default configuration, UID_MIN is set to 500.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/root_logins/no_root_webbrowsing.rule
documentation_complete: true

title: 'Restrict Web Browser Use for Administrative Accounts'

description: |-
    Enforce policy requiring administrative accounts use web browsers only for
    local service administration.

rationale: |-
    If a browser vulnerability is exploited while running with administrative
    privileges, the entire system could be compromised. Specific exceptions
    for local service administration should be documented in site-defined
    policy.

severity: unknown

identifiers:
    cce: 26795-5

ocil_clause: 'this is not the case'

ocil: |-
    Check the root home directory for a .mozilla directory. If one exists,
    ensure browsing is limited to local service administration.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts.rule
documentation_complete: true

title: 'Ensure that System Accounts Do Not Run a Shell Upon Login'

description: |-
    Some accounts are not associated with a human user of the system, and
    exist to perform some administrative function. Should an attacker be able
    to log into these accounts, they should not be granted access to a shell.

    The login shell for each local account is stored in the last field of each
    line in /etc/passwd. System accounts are those user accounts with a user ID
    less than UID_MIN, where the value of the UID_MIN directive is set in the
    /etc/login.defs configuration file. In the default configuration UID_MIN
    is set to 500, so system accounts are those user accounts with a user ID
    less than 500. The user ID is stored in the third field. If any system
    account SYSACCT (other than root) has a login shell, disable it with the
    command:
    $ sudo usermod -s /sbin/nologin SYSACCT

rationale: |-
    Ensuring shells are not given to system accounts upon login makes it more
    difficult for attackers to make use of system accounts.

severity: medium

identifiers:
    cce: 26966-2

references:
    disa: 178
    nist: AC-2

ocil_clause: 'any system account (other than root) has a login shell'

ocil: |-
    To obtain a listing of all users, their UIDs, and their shells, run the
    command:
    $ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
    Identify the system accounts from this listing. These will primarily be
    the accounts with UID numbers less than UID_MIN, other than root. The
    value of the UID_MIN directive is set in the /etc/login.defs configuration
    file. In the default configuration UID_MIN is set to 500.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins.rule
documentation_complete: true

title: 'Restrict Serial Port Root Logins'

description: |-
    To restrict root logins on serial ports, ensure lines of this form do not
    appear in /etc/securetty:
    ttyS0
    ttyS1

rationale: |-
    Preventing direct root login to serial port interfaces helps ensure
    accountability for actions taken on the systems using the root account.

severity: unknown

identifiers:
    cce: 27047-0

references:
    disa: 770
    nist: AC-6(2)
    srg: SRG-OS-000109
    stigid: RHEL-06-000028

ocil_clause: 'root login over serial ports is permitted'

ocil: |-
    To check for serial port entries which permit root login, run the
    following command:
    $ sudo grep '^ttyS[0-9]' /etc/securetty
    If any output is returned, then root login over serial ports is permitted.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/root_logins/root_logins.group
documentation_complete: true

title: 'Restrict Root Logins'

description: |-
    Direct root logins should be allowed only for emergency use. In normal
    situations, the administrator should access the system via a unique
    unprivileged account, and then use su or sudo to execute privileged
    commands. Discouraging administrators from accessing the root account
    directly ensures an audit trail in organizations with multiple
    administrators. Locking down the channels through which root can connect
    directly also reduces opportunities for password-guessing against the root
    account. The login program uses the file /etc/securetty to determine which
    interfaces should allow root logins. The virtual devices /dev/console and
    /dev/tty* represent the system consoles (accessible via the Ctrl-Alt-F1
    through Ctrl-Alt-F6 keyboard sequences on a default installation). The
    default securetty file also contains /dev/vc/*. These are likely to be
    deprecated in most environments, but may be retained for compatibility.
    Root should also be prohibited from connecting via network protocols.
    Other sections of this document include guidance describing how to prevent
    root from logging in via SSH.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/root_logins/root_path_default.rule
documentation_complete: true

title: 'Root Path Must Be Vendor Default'

description: |-
    Assuming root's shell is bash, edit the following files:
    ~/.profile
    ~/.bashrc
    Change any PATH variables to the vendor default for root and remove any
    empty PATH entries or references to relative paths.

rationale: |-
    The root account's executable search path must be the vendor default, and
    must contain only absolute paths.

severity: unknown

identifiers:
    cce: 27125-4

references:
    nist: SA-8

ocil_clause: 'any of these conditions are not met'

ocil: |-
    To view the root user's PATH, run the following command:
    $ sudo env | grep PATH
    If correctly configured, the PATH must: use vendor default settings, have
    no empty entries, and have no entries beginning with a character other than
    a slash (/).

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only.rule
documentation_complete: true

title: 'Restrict Virtual Console Root Logins'

description: |-
    To restrict root logins through the (deprecated) virtual console devices,
    ensure lines of this form do not appear in /etc/securetty:
    vc/1
    vc/2
    vc/3
    vc/4

rationale: |-
    Preventing direct root login to virtual console devices helps ensure
    accountability for actions taken on the system using the root account.

severity: medium

identifiers:
    cce: 26855-7

references:
    disa: 770
    nist: AC-6(2)
    srg: SRG-OS-000109
    stigid: RHEL-06-000027

ocil_clause: 'root login over virtual console devices is permitted'

ocil: |-
    To check for virtual console entries which permit root login, run the
    following command:
    $ sudo grep ^vc/[0-9] /etc/securetty
    If any output is returned, then root logins over virtual console devices
    are permitted.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/accounts-session.group
documentation_complete: true

title: 'Secure Session Configuration Files for Login Accounts'

description: |-
    When a user logs into a Unix account, the system configures the user's
    session by reading a number of files. Many of these files are located in
    the user's home directory, and may have weak permissions as a result of
    user error or misconfiguration. If an attacker can modify or even read
    certain types of account configuration information, they can often gain
    full access to the affected user's account. Therefore, it is important to
    test and correct configuration file permissions for interactive accounts,
    particularly those of privileged users such as root or system
    administrators.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule
documentation_complete: true

title: 'Limit the Number of Concurrent Login Sessions Allowed Per User'

description: |-
    Limiting the number of allowed users and sessions per user can limit risks
    related to Denial of Service attacks. This addresses concurrent sessions
    for a single account and does not address concurrent sessions by a single
    user via multiple accounts. The DoD requirement is 10. To set the number
    of concurrent sessions per user add the following line in
    /etc/security/limits.conf:
    * hard maxlogins 

rationale: |-
    Limiting simultaneous user logins can insulate the system from denial of
    service problems caused by excessive logins. Automated login processes
    operating improperly or maliciously may result in an exceptional number of
    simultaneous login sessions.

severity: unknown

identifiers:
    cce: 27457-1

references:
    disa: 54
    nist: AC-10
    srg: SRG-OS-000027
    stigid: RHEL-06-000319

ocil_clause: 'it is not similar'

ocil: "Run the following command to ensure the maxlogins value is configured for all users\non the system:\n$ grep \"maxlogins\" /etc/security/limits.conf\nYou should receive output similar to the following:\n*\t\thard\tmaxlogins\t"

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/accounts_tmout.rule
documentation_complete: true

title: 'Set Interactive Session Timeout'

description: |-
    Terminating an idle session within a short time period reduces
    the window of opportunity for unauthorized personnel to take control of a
    management session enabled on the console or console port that has been
    left unattended.

rationale: ""

severity: unknown

identifiers:
    cce: 27333-4

ocil_clause: 'value of TMOUT is not greater than or equal to expected setting'

ocil: |-
    Run the following command to ensure the TMOUT value is configured for all
    users on the system:
    $ sudo grep TMOUT /etc/profile

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/file_permissions_home_dirs.rule
documentation_complete: true

title: 'Ensure that User Home Directories are not Group-Writable or World-Readable'

description: |-
    For each human user of the system, view the permissions of the user's home
    directory:
    $ sudo ls -ld /home/USER
    Ensure that the directory is not group-writable and that it is not
    world-readable. If necessary, repair the permissions:
    $ sudo chmod g-w /home/USER
    $ sudo chmod o-rwx /home/USER

rationale: |-
    User home directories contain many configuration files which affect the
    behavior of a user's account. No user should ever have write permission to
    another user's home directory. Group shared directories can be configured
    in sub-directories or elsewhere in the filesystem if they are needed.
    Typically, user home directories should not be world-readable, as it would
    disclose file names to other users. If a subset of users need read access
    to one another's home directories, this can be provided using groups or
    ACLs.

severity: unknown

identifiers:
    cce: 26981-1

references:
    nist: AC-6(7)

ocil_clause: 'the user home directory is group-writable or world-readable'

ocil: |-
    To ensure the user home directory is not group-writable or world-readable,
    run the following:
    $ sudo ls -ld /home/USER

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write.rule
documentation_complete: true

title: 'Ensure that Root''s Path Does Not Include World or Group-Writable Directories'

description: |-
    For each element in root's path, run:
    $ sudo ls -ld DIR
    and ensure that write permissions are disabled for group and other.

rationale: |-
    Such entries increase the risk that root could execute code provided by
    unprivileged users, and potentially malicious code.

severity: unknown

identifiers:
    cce: 26768-2

references:
    disa: 366
    nist: CM-6(b)

ocil_clause: 'group or other write permissions exist'

ocil: |-
    To ensure write permissions are disabled for group and other for each
    element in root's path, run the following command:
    $ sudo ls -ld DIR
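Both root-path rules of this directory (no group- or world-writable directories in root's PATH, and, in the root_path_no_dot rule and group description that follow, no empty, "." or relative elements) can be checked by one script. The script below is an added example, not part of the SCAP Security Guide sources. It takes the PATH value as an argument instead of reading root's environment, so it can be run against any candidate value; the sample PATH values and temporary directories it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SSG code): check a PATH value the way the root_paths
# rules describe. Pass the value explicitly, e.g. path_report "$PATH".

# root_path_no_dot: report elements that resolve to an untrusted directory:
# empty elements and "." (both mean the current directory) and anything that
# does not begin with "/". One line per finding; no output means clean.
path_problems() {
    # printf adds a final newline so a trailing ":" still yields an empty element.
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -z "$dir" ]; then
            echo "empty element (same as .)"
            continue
        fi
        case "$dir" in
            .)   echo "current directory: ." ;;
            /*)  ;;   # absolute path: acceptable for this check
            *)   echo "relative path: $dir" ;;
        esac
    done
}

# accounts_root_path_dirs_no_write: report existing directories in the PATH
# that are group- or world-writable, read from the ls -ldL mode string
# (character 6 is the group write bit, character 9 the other write bit).
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        mode=$(ls -ldL "$dir" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w*) echo "$dir" ;;
        esac
    done
}

# Combined report; returns 1 if either check found something.
path_report() {
    findings=$(path_problems "$1"; writable_path_dirs "$1")
    [ -z "$findings" ] && return 0
    echo "$findings"
    return 1
}

# Demo with a constructed PATH containing each kind of bad element.
path_report '/usr/sbin::/usr/bin:.:lib:/sbin' || true
```

Splitting on ":" with tr rather than with IFS keeps empty elements visible, which is exactly the case the rule warns about; the mode-string test uses only POSIX ls and cut, so it behaves the same on systems without GNU stat or find -perm /mode.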
# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/root_paths/root_path_no_dot.rule
documentation_complete: true

title: 'Ensure that Root''s Path Does Not Include Relative Paths or Null Directories'

description: |-
    Ensure that none of the directories in root's path is equal to a single
    . character, or that it contains any instances that lead to relative path
    traversal, such as .. or beginning a path without the slash (/) character.
    Also ensure that there are no "empty" elements in the path, such as in
    these examples:
    PATH=:/bin
    PATH=/bin:
    PATH=/bin::/sbin
    These empty elements have the same effect as a single . character.

rationale: |-
    Including these entries increases the risk that root could execute code
    from an untrusted location.

severity: unknown

identifiers:
    cce: 26826-8

references:
    disa: 366
    nist: CM-6(b)

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/root_paths/root_paths.group
documentation_complete: true

title: 'Ensure that No Dangerous Directories Exist in Root''s Path'

description: |-
    The active path of the root account can be obtained by starting a new root
    shell and running:
    $ sudo echo $PATH
    This will produce a colon-separated list of directories in the path.

    Certain path elements could be considered dangerous, as they could lead to
    root executing unknown or untrusted programs, which could contain malicious
    code. Since root may sometimes work inside untrusted directories, the .
    character, which represents the current directory, should never be in the
    root path, nor should any directory which can be written to by an
    unprivileged or semi-privileged (system) user.

    It is a good practice for administrators to always execute privileged
    commands by typing the full path to the command.

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc.rule
documentation_complete: true

title: 'Ensure the Default Bash Umask is Set Correctly'

description: |-
    To ensure the default umask for users of the Bash shell is set properly,
    add or correct the umask setting in /etc/bashrc to read as follows:
    umask 

rationale: |-
    The umask value influences the permissions assigned to files when they are
    created. A misconfigured umask value could result in files with excessive
    permissions that can be read or written to by unauthorized users.

severity: unknown

identifiers:
    cce: 26917-5

references:
    disa: 366
    nist: SA-8
    srg: SRG-OS-999999
    stigid: RHEL-06-000342

ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'

ocil: |-
    Verify the umask setting is configured correctly in the /etc/bashrc file by
    running the following command:
    $ grep "umask" /etc/bashrc
    All output must show the value of umask set as shown below:
    $ grep "umask" /etc/bashrc
    umask 
    umask 
# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc.rule
documentation_complete: true

title: 'Ensure the Default C Shell Umask is Set Correctly'

description: |-
    To ensure the default umask for users of the C shell is set properly, add
    or correct the umask setting in /etc/csh.cshrc to read as follows:
    umask 

rationale: |-
    The umask value influences the permissions assigned to files when they are
    created. A misconfigured umask value could result in files with excessive
    permissions that can be read or written to by unauthorized users.

severity: unknown

identifiers:
    cce: 27034-8

references:
    disa: 366
    nist: SA-8
    srg: SRG-OS-999999
    stigid: RHEL-06-000343

ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'

ocil: |-
    Verify the umask setting is configured correctly in the /etc/csh.cshrc file
    by running the following command:
    $ grep "umask" /etc/csh.cshrc
    All output must show the value of umask set as shown below:
    $ grep "umask" /etc/csh.cshrc
    umask 
# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule
documentation_complete: true

title: 'Ensure the Default Umask is Set Correctly in login.defs'

description: |-
    To ensure the default umask controlled by /etc/login.defs is set properly,
    add or correct the UMASK setting in /etc/login.defs to read as follows:
    UMASK 

rationale: |-
    The umask value influences the permissions assigned to files when they are
    created. A misconfigured umask value could result in files with excessive
    permissions that can be read and written to by unauthorized users.

severity: unknown

identifiers:
    cce: 26371-5

references:
    disa: 366
    nist: SA-8
    srg: SRG-OS-999999
    stigid: RHEL-06-000345

ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'

ocil: |-
    Verify the UMASK setting is configured correctly in the /etc/login.defs
    file by running the following command:
    $ grep -i "UMASK" /etc/login.defs
    All output must show the value of umask set as shown below:
    $ grep -i "UMASK" /etc/login.defs
    umask 
# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile.rule
documentation_complete: true

title: 'Ensure the Default Umask is Set Correctly in /etc/profile'

description: |-
    To ensure the default umask controlled by /etc/profile is set properly,
    add or correct the umask setting in /etc/profile to read as follows:
    umask 

rationale: |-
    The umask value influences the permissions assigned to files when they are
    created. A misconfigured umask value could result in files with excessive
    permissions that can be read or written to by unauthorized users.

severity: unknown

identifiers:
    cce: 26669-2

references:
    disa: 366
    nist: SA-8
    srg: SRG-OS-999999
    stigid: RHEL-06-000344

ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'

ocil: |-
    Verify the umask setting is configured correctly in the /etc/profile file
    by running the following command:
    $ grep "umask" /etc/profile
    All output must show the value of umask set as shown below:
    $ grep "umask" /etc/profile
    umask 
# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/user_umask/user_umask.group
documentation_complete: true

title: 'Ensure that Users Have Sensible Umask Values'

description: |-
    The umask setting controls the default permissions for the creation of new
    files. With a default umask setting of 077, files and directories created
    by users will not be readable by any other user on the system. Users who
    wish to make specific files group- or world-readable can accomplish this by
    using the chmod command. Additionally, users can make all their files
    readable to their group by default by setting a umask of 027 in their shell
    configuration files. If default per-user groups exist (that is, if every
    user has a default group whose name is the same as that user's username and
    whose only member is the user), then it may even be safe for users to
    select a umask of 007, making it very easy to intentionally share files
    with groups of which the user is a member.

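The four umask rules above all require every umask line in a shell start-up file (or the UMASK line in /etc/login.defs) to carry the chosen value, and the group description explains why 077, 027 and 007 are the sensible choices. The script below is an added example, not part of the SCAP Security Guide sources: it checks a file for that property bit by bit (every configured value must include all bits of the required mask) instead of by string comparison, so a stricter value than the one selected still passes. The start-up fragment it examines is constructed, modelled on a stock RHEL 6 /etc/bashrc, which sets umask twice; the login.defs fragment is constructed as well, and only octal umask values are understood.

```shell
#!/bin/sh
# Added example (not SSG code): verify that every umask set in a start-up
# file masks at least the bits of a required value. Works for the lowercase
# "umask NNN" lines of /etc/bashrc, /etc/csh.cshrc and /etc/profile and, with
# the keyword "UMASK", for /etc/login.defs. Only octal values are understood.

# Constructed fragment modelled on a stock RHEL 6 /etc/bashrc: it sets a
# permissive umask twice, so a check that stops at the first match is wrong.
SAMPLE_BASHRC='# /etc/bashrc
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002
else
    umask 022
fi'

# Constructed /etc/login.defs fragment.
SAMPLE_LOGIN_DEFS='PASS_MAX_DAYS   60
UID_MIN         500
UMASK           077'

# Write the given content to a temporary file and print its path.
write_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

# Print every value assigned with the given keyword (default "umask"), one per
# line. Comment lines never match because their first word starts with "#".
configured_umasks() {   # $1 = file, $2 = keyword
    keyword=${2:-umask}
    while read -r word value rest; do
        case "$word" in "$keyword") echo "$value" ;; esac
    done < "$1"
}

# Return 0 when every configured value includes all bits of the required
# mask (i.e. is at least as restrictive); return 1 if any value is weaker or
# if the file sets no value at all.
umask_at_least() {   # $1 = file, $2 = keyword, $3 = required umask, e.g. 027
    required=$((0$3))     # leading 0 makes the shell parse it as octal
    found=0
    for value in $(configured_umasks "$1" "$2"); do
        found=1
        [ $((0$value & required)) -eq "$required" ] || return 1
    done
    [ "$found" -eq 1 ]
}

# Demo against the constructed fragments.
b=$(write_sample "$SAMPLE_BASHRC")
l=$(write_sample "$SAMPLE_LOGIN_DEFS")
echo "bashrc umask values: $(configured_umasks "$b" | tr '\n' ' ')"
umask_at_least "$b" umask 027 && echo "bashrc: OK" || echo "bashrc: a umask weaker than 027 is set"
umask_at_least "$l" UMASK 027 && echo "login.defs: OK" || echo "login.defs: UMASK weaker than 027"
rm -f "$b" "$l"
```

A plain `grep umask /etc/bashrc` as in the rules' ocil text still has to be read by a person; the bitwise test lets the same requirement be evaluated automatically and also accepts 077 where 027 was required, which a literal string match would reject.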
# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/user_umask/var_accounts_user_umask.var
documentation_complete: true

title: 'Sensible umask'

description: 'Enter default user umask'

type: string

operator: equals

interactive: false

options:
    "007": "007"
    "022": "022"
    "027": "027"
    "077": "077"
    default: "027"

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/var_accounts_max_concurrent_login_sessions.var
documentation_complete: true

title: 'Maximum concurrent login sessions'

description: 'Maximum number of concurrent sessions by a user'

type: number

operator: equals

interactive: false

options:
    1: 1
    10: 10
    15: 15
    20: 20
    3: 3
    5: 5
    default: 1

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts-session/var_accounts_tmout.var
documentation_complete: true

title: 'Account Inactivity Timeout (minutes)'

description: |-
    In an interactive shell, the value is interpreted as the number of seconds
    to wait for input after issuing the primary prompt. Bash terminates after
    waiting for that number of seconds if input does not arrive.

type: number

operator: equals

interactive: false

options:
    10_min: 600
    15_min: 900
    5_min: 300
    default: 600

# File: scap-security-guide-0.1.39/rhel6/guide/system/accounts/accounts.group
documentation_complete: true

title: 'Account and Access Control'

description: |-
    In traditional Unix security, if an attacker gains shell access to a
    certain login account, they can perform any action or access any file to
    which that account has access.
    Therefore, making it more difficult for unauthorized people to gain shell access
    to accounts, particularly to privileged accounts, is a necessary part of securing
    a system. This section introduces mechanisms for restricting access to accounts
    under .

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_dac_actions.group

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls'

description: "At a minimum, the audit system should collect file permission \nchanges for all users and root. Note that the \"-F arch=b32\" lines should be \npresent even on a 64 bit system. These commands identify system calls for \nauditing. Even if the system is 64 bit it can still execute 32 bit system \ncalls. Additionally, these rules can be configured in a number of ways while \nstill achieving the desired effect. An example of this is that the \"-S\" calls \ncould be split up and placed on separate lines, however, this is less efficient.\nAdd the following to /etc/audit/audit.rules:\n
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod\n    -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod\n    -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
\n\ If your system is 64 bit then these lines should be duplicated and the \narch=b32 replaced with arch=b64 as follows:\n
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod\n    -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod\n    -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
"

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - chmod'

description: |-
    At a minimum the audit system should collect file permission changes for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S chmod  -F auid>=500 -F auid!=4294967295 -k perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 26280-8

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000184

ocil_clause: 'the system is not configured to audit permission changes'

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - chown'

description: |-
    At a minimum the audit system should collect file permission changes for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 27173-4

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000185

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - fchmod'

description: |-
    At a minimum the audit system should collect file permission changes for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 27174-2

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000186

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - fchmodat'

description: |-
    At a minimum the audit system should collect file permission changes for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 27175-9

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000187

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - fchown'

description: |-
    At a minimum the audit system should collect file permission changes for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 27177-5

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000188

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - fchownat'

description: |-
    At a minimum the audit system should collect file permission changes for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 27178-3

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000189

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - fremovexattr'

description: |-
    At a minimum the audit system should collect file permission changes for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 27179-1

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000190

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - fsetxattr'

description: |-
    At a minimum the audit system should collect file permission changes for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 27180-9

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000191

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - lchown'

description: "At a minimum the audit system should collect file \npermission changes for all users and root. Add the following to\n/etc/audit/audit.rules:\n
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
\nIf the system is 64 bit then also add the following:\n
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
"

rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 27181-7

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000192

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - lremovexattr'

description: |-
    At a minimum the audit system should collect file permission changes for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 27182-5

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000193

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - lsetxattr'

description: |-
    At a minimum the audit system should collect file permission changes for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 27183-3

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000194

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - removexattr'

description: |-
    At a minimum the audit system should collect file permission changes for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 27184-1

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000195

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Discretionary Access Controls - setxattr'

description: |-
    At a minimum the audit system should collect file permission changes for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
If the system is 64 bit then also add the following:
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting to
    gain access to information that would otherwise be disallowed. Auditing DAC
    modifications can facilitate the identification of patterns of abuse among
    both authorized and unauthorized users.

severity: unknown

identifiers:
    cce: 27185-8

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-000064
    stigid: RHEL-06-000196

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_rules_file_deletion_events.rule

documentation_complete: true

title: 'Ensure auditd Collects File Deletion Events by User'

description: |-
    At a minimum the audit system should collect file deletion events for all users
    and root. Add the following to /etc/audit/audit.rules, setting ARCH to either
    b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
rationale: |-
    Auditing file deletions will create an audit trail for files that are removed
    from the system. The audit trail could aid in system troubleshooting, as well
    as detecting malicious processes that attempt to delete log files to conceal
    their presence.

severity: unknown

identifiers:
    cce: 26651-0

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.2.2,Req-10.2.5.b
    srg: SRG-OS-000064
    stigid: RHEL-06-000200

ocil: |-

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_rules_immutable.rule

documentation_complete: true

title: 'Make the auditd Configuration Immutable'

description: |-
    Add the following to /etc/audit/audit.rules in order to make the configuration
    immutable:
-e 2
    With this setting, a reboot will be required to change any audit rules.

rationale: |-
    Making the audit configuration immutable prevents accidental as well as
    malicious modification of the audit rules, although it may be problematic if
    legitimate changes are needed during system operation.

severity: unknown

identifiers:
    cce: 26612-2

references:
    nist: AC-6,AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5
    pcidss: Req-10.5.2

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_rules_kernel_module_loading.rule

documentation_complete: true

title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading'

description: |-
    Add the following to /etc/audit/audit.rules in order to capture kernel module
    loading and unloading events, setting ARCH to either b32 or b64 as appropriate
    for your system:
-w /sbin/insmod -p x -k modules
    -w /sbin/rmmod -p x -k modules
    -w /sbin/modprobe -p x -k modules
    -a always,exit -F arch=ARCH -S init_module -S delete_module -k modules
rationale: |-
    The addition/removal of kernel modules can be used to alter the behavior of
    the kernel and potentially introduce malicious code into kernel space. It is
    important to have an audit trail of modules that have been introduced into
    the kernel.

severity: unknown

identifiers:
    cce: 26611-4

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.2.7
    srg: SRG-OS-000064
    stigid: RHEL-06-000202

ocil: |-

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_rules_login_events.rule

documentation_complete: true

title: 'Record Attempts to Alter Login and Logout Events'

description: |-
    The audit system already collects login info for all users and root. To watch
    for attempted manual edits of files involved in storing login events, add the
    following to /etc/audit/audit.rules:
-w /var/log/tallylog -p wa -k logins
    -w /var/run/faillock/ -p wa -k logins
    -w /var/log/lastlog -p wa -k logins
rationale: |-
    Manual editing of these files may indicate nefarious activity, such as an
    attacker attempting to remove evidence of an intrusion.

severity: unknown

identifiers:
    cce: 26691-6

references:
    nist: AC-3(10),AU-1(b),AU-12(a),AU-12(c),IR-5

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Mandatory Access Controls'

description: |-
    Add the following to /etc/audit/audit.rules:
-w /etc/selinux/ -p wa -k MAC-policy
rationale: |-
    The system's mandatory access policy (SELinux) should not be arbitrarily
    changed by anything other than administrator action. All changes to MAC
    policy should be audited.

severity: unknown

identifiers:
    cce: 26657-7

references:
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-999999
    stigid: RHEL-06-000183

ocil_clause: 'the system is not configured to audit attempts to change the MAC policy'

ocil: |-
    To determine if the system is configured to audit changes to its SELinux
    configuration files, run the following command:
$ sudo auditctl -l | grep "dir=/etc/selinux"
    If the system is configured to watch for changes to its SELinux configuration,
    a line should be returned (including perm=wa indicating permissions that are
    watched).

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_rules_media_export.rule

documentation_complete: true

title: 'Ensure auditd Collects Information on Exporting to Media (successful)'

description: |-
    At a minimum the audit system should collect media exportation events for all
    users and root. Add the following to /etc/audit/audit.rules, setting ARCH to
    either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
rationale: |-
    The unauthorized exportation of data to external media could result in an
    information leak where classified information, Privacy Act information, and
    intellectual property could be lost. An audit trail should be created each
    time a filesystem is mounted to help identify and guard against information
    loss.

severity: unknown

identifiers:
    cce: 26573-6

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.2.7
    srg: SRG-OS-000064
    stigid: RHEL-06-000199

ocil_clause: 'there is no output'

ocil: |-
    To verify that auditing is configured for all media exportation events, run
    the following command:
$ sudo auditctl -l | grep syscall | grep mount
scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification.rule

documentation_complete: true

title: 'Record Events that Modify the System''s Network Environment'

description: |-
    Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64
    as appropriate for your system:
# audit_rules_networkconfig_modification
    -a always,exit -F arch=ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
    -w /etc/issue -p wa -k audit_rules_networkconfig_modification
    -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
    -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
    -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
rationale: |-
    The network environment should not be modified by anything other than
    administrator action. Any change to network parameters should be audited.

severity: unknown

identifiers:
    cce: 26648-6

references:
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.5.5
    srg: SRG-OS-999999
    stigid: RHEL-06-000182

ocil_clause: 'the system is not configured to audit changes of the network configuration'

ocil: |-
    To determine if the system is configured to audit changes to its network
    configuration, run the following command:
auditctl -l | egrep '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'
    If the system is configured to watch for network configuration changes, a line
    should be returned for each file specified (and perm=wa should be indicated for
    each).

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_rules_privileged_commands.rule

documentation_complete: true

title: 'Ensure auditd Collects Information on the Use of Privileged Commands'

description: |-
    At a minimum the audit system should collect the execution of privileged
    commands for all users and root. To find the relevant setuid / setgid
    programs, run the following command for each local partition PART:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
Then, for each setuid / setgid program on the system, add a line of the following form to /etc/audit/audit.rules, where SETUID_PROG_PATH is the full path to each setuid / setgid program in the list:
-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
rationale: |-
    Privileged programs are subject to escalation-of-privilege attacks, which
    attempt to subvert their normal role of providing some necessary but limited
    capability. As such, motivation exists to monitor these programs for unusual
    activity.

severity: unknown

identifiers:
    cce: 26457-2

references:
    disa: 40
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AC-6(9),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.2.2
    srg: SRG-OS-000020
    stigid: RHEL-06-000198

ocil_clause: 'that is not the case'

ocil: |-
    To verify that auditing of privileged command use is configured, run the
    following command for each local partition PART to find relevant setuid /
    setgid programs:
$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
Run the following command to verify entries in the audit rules for all programs found with the previous command:
$ sudo grep path /etc/audit/audit.rules
    It should be the case that all relevant setuid / setgid programs have a line
    in the audit rules.

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_rules_session_events.rule

documentation_complete: true

title: 'Record Attempts to Alter Process and Session Initiation Information'

description: |-
    The audit system already collects process information for all users and root.
    To watch for attempted manual edits of files involved in storing such process
    information, add the following to /etc/audit/audit.rules:
-w /var/run/utmp -p wa -k session
    -w /var/log/btmp -p wa -k session
    -w /var/log/wtmp -p wa -k session
rationale: |-
    Manual editing of these files may indicate nefarious activity, such as an
    attacker attempting to remove evidence of an intrusion.

severity: unknown

identifiers:
    cce: 26610-6

references:
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.2.3

scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule

documentation_complete: true

title: 'Ensure auditd Collects System Administrator Actions'

description: |-
    At a minimum the audit system should collect administrator actions for all
    users and root. Add the following to /etc/audit/audit.rules:
-w /etc/sudoers -p wa -k actions
rationale: |-
    The actions taken by system administrators should be audited to keep a record
    of what was executed on the system, as well as for accountability purposes.

severity: unknown

identifiers:
    cce: 26662-7

references:
    disa: 126
    nist: AC-2(7)(b),AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.2.2,Req-10.2.5.b
    srg: SRG-OS-000064
    stigid: RHEL-06-000201

ocil_clause: 'there is no output'

ocil: |-
    To verify that auditing is configured for system administrator actions, run
    the following command:
$ sudo auditctl -l | grep "watch=/etc/sudoers"
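The privileged-commands rule above gives a three-step manual procedure: find setuid/setgid programs with `find`, write one `-F path=... -F perm=x` rule per program, then confirm with `grep path /etc/audit/audit.rules` that each has one. The following Python script is an added example, not SSG code, that automates the same steps against a constructed directory tree (the file names `suid_tool`, `suid_other`, `sgid_tool` and `plain_tool` are made up) and lists the programs that still lack a rule.

```python
"""Generate and verify per-program audit rules for setuid/setgid programs.

Added example, not SSG code.  Mirrors the guide's procedure: scan one
filesystem like `find PART -xdev -type f -perm -4000 -o -type f -perm -2000`,
then compare the hits with the '-F path=' rules already in audit.rules.
"""
import os
import shlex
import stat
import tempfile

# Rule form given on this page; SETUID_PROG_PATH is filled in per program.
RULE_TEMPLATE = ("-a always,exit -F path={path} -F perm=x "
                 "-F auid>=500 -F auid!=4294967295 -k privileged")


def find_privileged_programs(root):
    """Regular files under root with setuid or setgid set, staying on root's filesystem."""
    root_dev = os.lstat(root).st_dev
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # like find -xdev: do not descend into other mounted filesystems
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(full)
    return sorted(found)


def audited_paths(rules_text):
    """Programs already covered by an execution rule ('-F path=...' with '-F perm=x')."""
    covered = set()
    for line in rules_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) < 2 or tokens[0] != "-a":
            continue
        filters = {tokens[i + 1] for i in range(2, len(tokens) - 1, 2) if tokens[i] == "-F"}
        paths = [f[len("path="):] for f in filters if f.startswith("path=")]
        if paths and "perm=x" in filters:
            covered.add(paths[0])
    return covered


def missing_programs(root, rules_text):
    """Setuid/setgid programs under root that have no execution rule yet."""
    have = audited_paths(rules_text)
    return [p for p in find_privileged_programs(root) if p not in have]


def build_demo_tree(base):
    """Create a constructed bin/ directory: two setuid, one setgid and one plain file."""
    bindir = os.path.join(base, "bin")
    os.makedirs(bindir)
    for name, mode in (("suid_tool", 0o4755), ("suid_other", 0o4755),
                       ("sgid_tool", 0o2755), ("plain_tool", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)   # owners may set these bits on their own files
    return bindir


def demo():
    """Scan the constructed tree; return basenames of programs still lacking a rule."""
    with tempfile.TemporaryDirectory() as base:
        bindir = build_demo_tree(base)
        # the existing audit.rules already covers suid_tool, nothing else
        existing = RULE_TEMPLATE.format(path=os.path.join(bindir, "suid_tool")) + "\n"
        return [os.path.basename(p) for p in missing_programs(base, existing)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        for prog in missing_programs(base, ""):
            print(RULE_TEMPLATE.format(path=prog))
```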
scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_rules_unsuccessful_file_modification.rule

documentation_complete: true

title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)'

description: |-
    At a minimum the audit system should collect unauthorized file accesses for all
    users and root. Add the following to /etc/audit/audit.rules:
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
    -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
If the system is 64 bit then also add the following:
    -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
    -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
rationale: |-
    Unsuccessful attempts to access files could be an indicator of malicious
    activity on a system. Auditing these events could serve as evidence of
    potential system compromise.

severity: unknown

identifiers:
    cce: 26712-0

references:
    disa: 126
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.2.4,Req-10.2.1
    srg: SRG-OS-000064
    stigid: RHEL-06-000197

ocil_clause: '32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM'

ocil: |-
    To verify that the audit system collects unauthorized file accesses, run the
    following commands:
$ sudo grep EACCES /etc/audit/audit.rules
$ sudo grep EPERM /etc/audit/audit.rules
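The two grep commands above only confirm that some rule mentions EACCES or EPERM. The following Python script is an added example, not SSG code: it parses audit.rules text and reports, per architecture, which syscalls required by the DAC-modification, file-deletion, media-export and unauthorized-access rules above are still not covered with the guide's auid filters and key. The requirement table is taken from those rules; the audit.rules sample it checks is constructed.

```python
"""Coverage check for the syscall audit rules this page prescribes.

Added example, not SSG code.  Parses audit.rules text and reports, per
architecture, which required syscalls are not yet audited with the filters
and key the guide uses.  Rules that split the -S list over several lines (the
equivalent but less efficient form the DAC group text mentions) are merged.
"""
import shlex
from collections import namedtuple

Rule = namedtuple("Rule", "arch syscalls filters key")
Requirement = namedtuple("Requirement", "label key syscalls filters")

# Filters the guide puts on every user-triggered rule: real users (UID >= 500
# on RHEL 6) whose login UID is set (4294967295 is the unset value).
AUID = frozenset({"auid>=500", "auid!=4294967295"})
PERM_MOD = {"chmod", "fchmod", "fchmodat", "chown", "fchown", "fchownat", "lchown",
            "setxattr", "lsetxattr", "fsetxattr", "removexattr", "lremovexattr",
            "fremovexattr"}
ACCESS = {"creat", "open", "openat", "open_by_handle_at", "truncate", "ftruncate"}

# One entry per rule on this page; the access key needs one rule per errno.
REQUIREMENTS = [
    Requirement("perm_mod", "perm_mod", PERM_MOD, AUID),
    Requirement("access_eacces", "access", ACCESS, AUID | {"exit=-EACCES"}),
    Requirement("access_eperm", "access", ACCESS, AUID | {"exit=-EPERM"}),
    Requirement("delete", "delete", {"rmdir", "unlink", "unlinkat", "rename", "renameat"}, AUID),
    Requirement("export", "export", {"mount"}, AUID),
]


def parse_syscall_rule(line):
    """Return a Rule for an '-a always,exit ...' line, None for any other line."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] != "-a" or set(tokens[1].split(",")) != {"always", "exit"}:
        return None
    arch, syscalls, filters, key = None, set(), set(), None
    for flag, value in zip(tokens[2::2], tokens[3::2]):
        if flag == "-S":
            syscalls.update(value.split(","))   # auditctl also accepts -S a,b,c
        elif flag == "-F" and value.startswith("arch="):
            arch = value[len("arch="):]
        elif flag == "-F":
            filters.add(value)
        elif flag == "-k":
            key = value
    return Rule(arch, frozenset(syscalls), frozenset(filters), key)


def check_rules(text):
    """Map (requirement label, arch) to the sorted syscalls not covered there.

    Both b32 and b64 are always required: a 64-bit kernel still executes
    32-bit system calls, which is why the guide keeps the arch=b32 lines.
    A rule only counts if it carries every filter the requirement demands.
    """
    rules = [r for r in map(parse_syscall_rule, text.splitlines()) if r]
    findings = {}
    for req in REQUIREMENTS:
        for arch in ("b32", "b64"):
            covered = set()
            for rule in rules:
                if rule.key == req.key and rule.arch == arch and req.filters <= rule.filters:
                    covered |= rule.syscalls
            missing = sorted(req.syscalls - covered)
            if missing:
                findings[(req.label, arch)] = missing
    return findings


# Constructed sample audit.rules (not from a real host): the guide's b32 lines,
# the b64 chmod family split one syscall per line, and two typical mistakes.
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
# mistake 1: fchmodat was forgotten when the b64 lines were split up
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
# mistake 2: the b64 EPERM rule lacks the auid filters, so it does not satisfy the guide
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -k access
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k actions
-e 2
"""

if __name__ == "__main__":
    for (label, arch), missing in sorted(check_rules(SAMPLE_RULES).items()):
        print("%-14s %s not covered: %s" % (label, arch, ", ".join(missing)))
```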
scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule

documentation_complete: true

title: 'Record Events that Modify User/Group Information'

description: |-
    Add the following to /etc/audit/audit.rules, in order to capture events that
    modify account changes:
# audit_rules_usergroup_modification
    -w /etc/group -p wa -k audit_rules_usergroup_modification
    -w /etc/passwd -p wa -k audit_rules_usergroup_modification
    -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
    -w /etc/shadow -p wa -k audit_rules_usergroup_modification
    -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
rationale: |- In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. severity: unknown identifiers: cce: 26664-3 references: disa: 18,1403,1404,1405,1684,1683,1685,1686 nist: AC-2(4),AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 pcidss: Req-10.2.5 srg: SRG-OS-000004,SRG-OS-000239,SRG-OS-000240,SRG-OS-000241 stigid: RHEL-06-000174 ocil_clause: 'the system is not configured to audit account changes' ocil: |- To determine if the system is configured to audit account changes, run the following command:
auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'
If the system is configured to watch for account changes, lines should be returned for each file specified (and with perm=wa for each). scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_time_rules/000077500000000000000000000000001327242345500330315ustar00rootroot00000000000000audit_rules_time_adjtimex.rule000066400000000000000000000026551327242345500410760ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_time_rulesdocumentation_complete: true title: 'Record attempts to alter time through adjtimex' description: "On a 32-bit system, add the following to /etc/audit/audit.rules:\n
# audit_time_rules\n-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
\nOn a 64-bit system, add the following to /etc/audit/audit.rules:\n
# audit_time_rules\n-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
\nThe -k option allows for the specification of a key in string form that can \nbe used for better reporting capability through ausearch and aureport.\nMultiple system calls can be defined on the same line to save space if \ndesired, but is not required. See an example of multiple combined syscalls:\n
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
" rationale: "Arbitrary changes to the system time can be used to obfuscate \nnefarious activities in log files, as well as to confuse network services that \nare highly dependent upon an accurate system time (such as sshd). All changes \nto the system time should be audited." severity: unknown identifiers: cce: 26242-8 references: disa: 1487,169 nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 pcidss: Req-10.4.2.b srg: SRG-OS-000062 stigid: RHEL-06-000165 ocil_clause: 'the system is not configured to audit time changes' ocil: '' audit_rules_time_clock_settime.rule000066400000000000000000000027111327242345500421070ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_time_rulesdocumentation_complete: true title: 'Record Attempts to Alter Time Through clock_settime' description: "On a 32-bit system, add the following to /etc/audit/audit.rules:\n
# time-change\n-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
\nOn a 64-bit system, add the following to /etc/audit/audit.rules:\n
# time-change\n-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
\nThe -k option allows for the specification of a key in string form that can \nbe used for better reporting capability through ausearch and aureport.\nMultiple system calls can be defined on the same line to save space if \ndesired, but is not required. See an example of multiple combined syscalls:\n
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
" rationale: "Arbitrary changes to the system time can be used to obfuscate \nnefarious activities in log files, as well as to confuse network services that \nare highly dependent upon an accurate system time (such as sshd). All changes \nto the system time should be audited." severity: unknown identifiers: cce: 27170-0 references: disa: 1487,169 nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 pcidss: Req-10.4.2.b srg: SRG-OS-000062 stigid: RHEL-06-000171 ocil_clause: 'the system is not configured to audit time changes' ocil: '' audit_rules_time_settimeofday.rule000066400000000000000000000026751327242345500417700ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_time_rulesdocumentation_complete: true title: 'Record attempts to alter time through settimeofday' description: "On a 32-bit system, add the following to /etc/audit/audit.rules:\n
# audit_time_rules\n-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
\nOn a 64-bit system, add the following to /etc/audit/audit.rules:\n
# audit_time_rules\n-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
\nThe -k option allows for the specification of a key in string form that can \nbe used for better reporting capability through ausearch and aureport.\nMultiple system calls can be defined on the same line to save space if \ndesired, but is not required. See an example of multiple combined syscalls:\n
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
" rationale: "Arbitrary changes to the system time can be used to obfuscate \nnefarious activities in log files, as well as to confuse network services that \nare highly dependent upon an accurate system time (such as sshd). All changes \nto the system time should be audited." severity: unknown identifiers: cce: 27203-9 references: disa: 1487,169 nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 pcidss: Req-10.4.2.b srg: SRG-OS-000062 stigid: RHEL-06-000167 ocil_clause: 'the system is not configured to audit time changes' ocil: '' audit_rules_time_stime.rule000066400000000000000000000032721327242345500404060ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_time_rulesdocumentation_complete: true title: 'Record Attempts to Alter Time Through stime' description: |- Add the following line to /etc/audit/audit.rules for both 32-bit and 64-bit systems:
# audit_time_rules
    -a always,exit -F arch=b32 -S stime -k audit_time_rules
Since the 64-bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64-bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32-bit and 64-bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
rationale: |- Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited. severity: unknown identifiers: cce: 27169-2 references: disa: 1487,169 nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 pcidss: Req-10.4.2.b srg: SRG-OS-000062 stigid: RHEL-06-000169 ocil_clause: 'the system is not configured to audit time changes' ocil: |- If the system is 64-bit only, this is not applicable.
# scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule
documentation_complete: true

title: 'Record Attempts to Alter the localtime File'

description: |-
    Add the following to /etc/audit/audit.rules:
    -w /etc/localtime -p wa -k audit_time_rules
    The -k option allows for the specification of a key in string form that can
    be used for better reporting capability through ausearch and aureport and
    should always be used.

rationale: |-
    Arbitrary changes to the system time can be used to obfuscate nefarious
    activities in log files, as well as to confuse network services that are
    highly dependent upon an accurate system time (such as sshd). All changes
    to the system time should be audited.

severity: unknown

identifiers:
    cce: 27172-6

references:
    disa: 1487,169
    nist: AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.4.2.b
    srg: SRG-OS-000062
    stigid: RHEL-06-000173

ocil_clause: 'the system is not configured to audit time changes'

ocil: |-
    To determine if the system is configured to audit attempts to alter time via
    the /etc/localtime file, run the following command:
    $ sudo auditctl -l | grep "watch=/etc/localtime"
    If the system is configured to audit this activity, it will return a line.

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_time_rules.group
documentation_complete: true

title: 'Records Events that Modify Date and Time Information'

description: |-
    Arbitrary changes to the system time can be used to obfuscate nefarious
    activities in log files, as well as to confuse network services that are
    highly dependent upon an accurate system time. All changes to the system
    time should be audited.

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/auditd_configure_rules.group
documentation_complete: true

title: 'Configure auditd Rules for Comprehensive Auditing'

description: |-
    The auditd program can perform comprehensive monitoring of system activity.
    This section describes recommended configuration settings for comprehensive
    auditing, but a full description of the auditing system's capabilities is
    beyond the scope of this guide. The mailing list linux-audit@redhat.com
    exists to facilitate community discussion of the auditing system.

    The audit subsystem supports extensive collection of events, including:
      • Tracing of arbitrary system calls (identified by name or number) on entry or exit.
      • Filtering by PID, UID, call success, system call argument (with some limitations), etc.
      • Monitoring of specific files for modifications to the file's contents or metadata.

    Auditing rules at startup are controlled by the file /etc/audit/audit.rules.
    Add rules to it to meet the auditing requirements for your organization.
    Each line in /etc/audit/audit.rules represents a series of arguments that
    can be passed to auditctl and can be individually tested during runtime.
    See documentation in /usr/share/doc/audit-VERSION and in the related man
    pages for more details.

    If copying any example audit rulesets from /usr/share/doc/audit-VERSION, be
    sure to comment out the lines containing arch= which are not appropriate
    for your system's architecture. Then review and understand the following
    rules, ensuring rules are activated as needed for the appropriate
    architecture.

    After reviewing all the rules, reading the following sections, and editing
    as needed, the new rules can be activated as follows:
    $ sudo service auditd restart
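As an added example (not part of scap-security-guide), the following POSIX shell script checks a given audit.rules file for the rules described in this section: the unsuccessful file-access rules for each architecture, the user/group file watches, and the time-change rules. The rules file it writes is constructed for the demonstration; on a real host the argument would be /etc/audit/audit.rules.

```shell
#!/bin/sh
# Added example, not part of scap-security-guide: verify that an audit.rules
# file carries the rules described in this section. The sample rules file is
# constructed here; on a real host the argument would be /etc/audit/audit.rules.

# Files that must carry a "-w PATH -p wa" watch (user/group files and localtime).
REQUIRED_WATCHES='/etc/group /etc/passwd /etc/gshadow /etc/shadow /etc/security/opasswd /etc/localtime'

# Active (non-comment, non-blank) rule lines of FILE.
active_rules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# has_watch FILE PATH: 0 if PATH is watched with -p wa, else 1.
has_watch() {
    active_rules "$1" | grep -E -- "-w[[:space:]]+$2[[:space:]]" | grep -Eq -- '-p[[:space:]]+wa'
}

# has_syscall_rule FILE ARCH SYSCALL [EXTRA]: 0 if an "-a always,exit" rule for
# ARCH lists SYSCALL (either "-S a -S b" or "-S a,b" form) and also matches the
# optional EXTRA regex (e.g. "exit=-EACCES"), else 1.
has_syscall_rule() {
    active_rules "$1" |
    grep -E -- '-a[[:space:]]+(always,exit|exit,always)' |
    grep -E -- "-F[[:space:]]+arch=$2([[:space:]]|$)" |
    grep -E -- "-S[[:space:]]+([^[:space:]]*,)?$3(,|[[:space:]]|$)" |
    grep -Eq -- "${4:-}"
}

# check_audit_rules FILE IS_64BIT: print one line per missing rule; 0 if none.
check_audit_rules() {
    file=$1; missing=0
    archs=b32; [ "$2" = yes ] && archs='b32 b64'
    for p in $REQUIRED_WATCHES; do
        has_watch "$file" "$p" || { echo "missing watch: -w $p -p wa"; missing=$((missing + 1)); }
    done
    for a in $archs; do
        # Unsuccessful file access: every syscall, for both EACCES and EPERM.
        for s in creat open openat open_by_handle_at truncate ftruncate; do
            for e in EACCES EPERM; do
                has_syscall_rule "$file" "$a" "$s" "exit=-$e" ||
                    { echo "missing: arch=$a -S $s -F exit=-$e"; missing=$((missing + 1)); }
            done
        done
        for s in adjtimex settimeofday; do
            has_syscall_rule "$file" "$a" "$s" ||
                { echo "missing: arch=$a -S $s"; missing=$((missing + 1)); }
        done
        has_syscall_rule "$file" "$a" clock_settime 'a0=0x0' ||
            { echo "missing: arch=$a -S clock_settime -F a0=0x0"; missing=$((missing + 1)); }
    done
    # stime has no b64 entry in the audit lookup table, so the b32 rule covers both.
    has_syscall_rule "$file" b32 stime ||
        { echo "missing: arch=b32 -S stime"; missing=$((missing + 1)); }
    [ "$missing" -eq 0 ]
}

# Constructed 64-bit sample assembled from the rules shown in this section.
write_sample_rules() {
    cat > "$1" <<'EOF'
# audit_rules_usergroup_modification
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
# access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
# audit_time_rules
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-w /etc/localtime -p wa -k audit_time_rules
EOF
}

sample=$(mktemp)
write_sample_rules "$sample"
if check_audit_rules "$sample" yes; then
    echo "all required rules present"
fi
rm -f "$sample"
```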
# scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit.rule
documentation_complete: true

title: 'System Audit Logs Must Have Mode 0750 or Less Permissive'

description: |-
    If log_group in /etc/audit/auditd.conf is set to a group other than the
    root group account, change the mode of the audit log directory with the
    following command:
    $ sudo chmod 0750 /var/log/audit

    Otherwise, change the mode of the audit log directory with the following
    command:
    $ sudo chmod 0700 /var/log/audit

rationale: 'If users can write to audit logs, audit trails can be modified or destroyed.'

severity: unknown

identifiers:
    cce: 80502-8

references:
    disa: 164
    nist: AC-6,AU-1(b),AU-9,IR-5
    srg: SRG-OS-000059
    stigid: RHEL-06-000385

ocil_clause: 'any are more permissive'

ocil: |-
    Run the following command to check the mode of the system audit logs:
    $ sudo ls -ld /var/log/audit
    Audit log directories must be mode 0700 or less permissive.

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule
documentation_complete: true

title: 'System Audit Logs Must Be Owned By Root'

description: ''

rationale: |-
    Failure to give ownership of the audit log files to root allows the
    designated owner, and unauthorized users, potential access to sensitive
    information.

severity: unknown

identifiers:
    cce: 27244-3

references:
    disa: 166
    nist: AC-6,AU-1(b),AU-9,IR-5
    pcidss: Req-10.5.1
    srg: SRG-OS-000057
    stigid: RHEL-06-000384

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule
documentation_complete: true

title: 'System Audit Logs Must Have Mode 0640 or Less Permissive'

description: |-
    If log_group in /etc/audit/auditd.conf is set to a group other than the
    root group account, change the mode of the audit log files with the
    following command:
    $ sudo chmod 0640 audit_file

    Otherwise, change the mode of the audit log files with the following
    command:
    $ sudo chmod 0600 audit_file

rationale: 'If users can write to audit logs, audit trails can be modified or destroyed.'

severity: unknown

identifiers:
    cce: 27243-5

references:
    disa: 166
    nist: AC-6,AU-1(b),AU-9,IR-5
    pcidss: Req-10.5
    srg: SRG-OS-000058
    stigid: RHEL-06-000383

ocil_clause: 'any are more permissive'

ocil: |-
    Run the following command to check the mode of the system audit logs:
    $ sudo ls -l /var/log/audit
    Audit logs must be mode 0640 or less permissive.

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/auditing.group
documentation_complete: true

title: 'System Accounting with auditd'

description: |-
    The audit service provides substantial capabilities for recording system
    activities. By default, the service audits SELinux AVC denials and certain
    types of security-relevant events such as system logins, account
    modifications, and authentication events performed by programs such as
    sudo. Under its default configuration, auditd has modest disk space
    requirements, and should not noticeably impact system performance.

    Government networks often have substantial auditing requirements and auditd
    can be configured to meet these requirements. Examining some example audit
    records demonstrates how the Linux audit system satisfies common
    requirements. The following example from the Fedora Documentation shows the
    substantial amount of information captured in two typical "raw" audit
    messages, followed by a breakdown of the most important fields. In this
    example the message is SELinux-related and reports an AVC denial (and the
    associated system call) that occurred when the Apache HTTP Server attempted
    to access the /var/www/html/file1 file (labeled with the samba_share_t
    type):

    type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for pid=2465 comm="httpd"
    path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0
    tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

    type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13
    a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
    gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
    exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

      • msg=audit(1226874073.147:96)
        • The number in parentheses is the unformatted time stamp (Epoch time)
          for the event, which can be converted to standard time by using the
          date command.
      • { getattr }
        • The item in braces indicates the permission that was denied. getattr
          indicates the source process was trying to read the target file's
          status information. This occurs before reading files. This action is
          denied due to the file being accessed having the wrong label. Commonly
          seen permissions include getattr, read, and write.
      • comm="httpd"
        • The executable that launched the process. The full path of the
          executable is found in the exe= section of the system call (SYSCALL)
          message, which in this case, is exe="/usr/sbin/httpd".
      • path="/var/www/html/file1"
        • The path to the object (target) the process attempted to access.
      • scontext="unconfined_u:system_r:httpd_t:s0"
        • The SELinux context of the process that attempted the denied action.
          In this case, it is the SELinux context of the Apache HTTP Server,
          which is running in the httpd_t domain.
      • tcontext="unconfined_u:object_r:samba_share_t:s0"
        • The SELinux context of the object (target) the process attempted to
          access. In this case, it is the SELinux context of file1. Note: the
          samba_share_t type is not accessible to processes running in the
          httpd_t domain.
      • From the system call (SYSCALL) message, two items are of interest:
        • success=no: indicates whether the denial (AVC) was enforced or not.
          success=no indicates the system call was not successful (SELinux
          denied access). success=yes indicates the system call was successful;
          this can be seen for permissive domains or unconfined domains, such
          as initrc_t and kernel_t.
        • exe="/usr/sbin/httpd": the full path to the executable that launched
          the process, which in this case, is exe="/usr/sbin/httpd".
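To make the field breakdown above concrete, here is an added POSIX shell example (not from scap-security-guide or the Fedora Documentation) that extracts those fields from a constructed copy of the two records and joins the AVC record with the SYSCALL record sharing its event id. Real audit records are one line each, so the sample stores them that way.

```shell
#!/bin/sh
# Added example, not part of scap-security-guide: pull the fields discussed
# above out of an AVC record and the SYSCALL record that shares its event id.
# The two records are a constructed copy of the example, one line each as
# auditd writes them.

# audit_field RECORD KEY: print the value of KEY=VALUE in RECORD, without
# surrounding quotes; prints nothing if KEY is absent.
audit_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# avc_permission RECORD: the permission(s) listed in braces, e.g. "getattr".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# event_id RECORD: the "EPOCH.MS:SERIAL" part of msg=audit(...).
event_id() {
    id=$(audit_field "$1" msg)
    id=${id#"audit("}
    printf '%s\n' "${id%"):"}"
}

# event_time EVENT_ID: the epoch seconds rendered with date (GNU -d, BSD -r).
event_time() {
    secs=${1%%.*}
    date -u -d "@$secs" 2>/dev/null || date -u -r "$secs"
}

# summarize_avc FILE: join the first AVC record with its SYSCALL record and
# print the fields the breakdown above walks through, one per line.
summarize_avc() {
    avc=$(grep '^type=AVC ' "$1" | head -n 1)
    id=$(event_id "$avc")
    sc=$(grep -F "type=SYSCALL msg=audit($id):" "$1" | head -n 1)
    printf 'event=%s\n' "$id"
    printf 'denied=%s\n' "$(avc_permission "$avc")"
    for k in pid comm path scontext tcontext tclass; do
        printf '%s=%s\n' "$k" "$(audit_field "$avc" "$k")"
    done
    for k in syscall success exit auid uid exe; do
        printf '%s=%s\n' "$k" "$(audit_field "$sc" "$k")"
    done
}

# Constructed sample: the two records from the example, one per line.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
EOF
}

log=$(mktemp)
write_sample_log "$log"
summarize_avc "$log"
echo "time=$(event_time "$(event_id "$(head -n 1 "$log")")")"
rm -f "$log"
```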
" scap-security-guide-0.1.39/rhel6/guide/system/auditing/bootloader_audit_argument.rule000066400000000000000000000022741327242345500310660ustar00rootroot00000000000000documentation_complete: true title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon' description: |- To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the kernel line in /etc/grub.conf, in the manner below:
kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
rationale: |- Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. severity: low identifiers: cce: 26785-6 references: disa: 169 nist: AC-17(1),AU-14(1),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-10,IR-5 pcidss: Req-10.3 srg: SRG-OS-000062 stigid: RHEL-06-000525 ocil_clause: 'auditing is not enabled at boot time' ocil: |- Inspect the kernel boot arguments (which follow the word kernel) in /etc/grub.conf. If they include audit=1, then auditing is enabled at boot time. scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/000077500000000000000000000000001327242345500313415ustar00rootroot00000000000000auditd_audispd_syslog_plugin_activated.rule000066400000000000000000000021361327242345500421420ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true title: 'Configure auditd to use audispd''s syslog plugin' description: |- To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audisp/plugins.d/syslog.conf to yes. Restart the auditd service:
$ sudo service auditd restart
rationale: |- The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server severity: low identifiers: cce: 26933-2 references: disa: 136 nist: AU-1(b),AU-3(2),IR-5 pcidss: Req-10.5.3 srg: SRG-OS-000043 stigid: RHEL-06-000509 ocil_clause: 'it is not' ocil: |- To verify the audispd's syslog plugin is active, run the following command:
$ sudo grep active /etc/audisp/plugins.d/syslog.conf
If the plugin is active, the output will show yes. auditd_data_disk_error_action.rule000066400000000000000000000027571327242345500402110ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true title: 'Configure auditd Disk Error Action on Disk Error' description: |- The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
disk_error_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page. rationale: |- Taking appropriate action in case of disk errors will minimize the possibility of losing audit records. severity: medium identifiers: cce: 80501-0 references: disa: 140 nist: AU-1(b),AU-4,AU-5(b),IR-5 srg: SRG-OS-999999 stigid: RHEL-06-000511 ocil_clause: 'the system is not configured to switch to single-user mode for corrective action' ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either log to syslog, switch to single-user mode, execute a script, or halt when the disk errors:
disk_error_action single
auditd_data_disk_full_action.rule000066400000000000000000000031021327242345500400030ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true title: 'Configure auditd Disk Full Action when Disk Space Is Full' description: |- The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page. rationale: |- Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. severity: medium identifiers: cce: 80500-2 references: disa: 140 nist: AU-1(b),AU-4,AU-5(b),IR-5 srg: SRG-OS-000047 stigid: RHEL-06-000510 ocil_clause: 'the system is not configured to switch to single-user mode for corrective action' ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either log to syslog, switch to single-user mode, execute a script, or halt when the disk is out of space:
disk_full_action single
auditd_data_retention_action_mail_acct.rule000066400000000000000000000021241327242345500420350ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true title: 'Configure auditd mail_acct Action on Low Disk Space' description: |- The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:
action_mail_acct = 
rationale: |- Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. severity: medium identifiers: cce: 27241-9 references: disa: 139,144 nist: AU-1(b),AU-4,AU-5(a),IR-5 pcidss: Req-10.7.a srg: SRG-OS-000046 stigid: RHEL-06-000313 ocil_clause: 'auditd is not configured to send emails per identified actions' ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator:
action_mail_acct = root
auditd_data_retention_admin_space_left_action.rule000066400000000000000000000031411327242345500433760ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true title: 'Configure auditd admin_space_left Action on Low Disk Space' description: "The auditd service can be configured to take an action\nwhen disk space is running low but prior to running out of space completely. \nEdit the file /etc/audit/auditd.conf. Add or modify the following line,\nsubstituting ACTION appropriately:\n
admin_space_left_action = ACTION
\nSet this value to single to cause the system to switch to single-user\nmode for corrective action. Acceptable values also include suspend and\nhalt. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values for ACTION are described in the\nauditd.conf man page." rationale: |- Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. severity: medium identifiers: cce: 27239-3 references: disa: 140,1343 nist: AU-1(b),AU-4,AU-5(b),IR-5 pcidss: Req-10.7 srg: SRG-OS-999999 stigid: RHEL-06-000163 ocil_clause: 'the system is not configured to switch to single-user mode for corrective action' ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either suspend, switch to single-user mode, or halt when disk space has run low:
admin_space_left_action single
auditd_data_retention_flush.rule000066400000000000000000000021301327242345500377020ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true title: 'Configure auditd flush priority' description: "The auditd service can be configured to \nsynchronously write audit event data to disk. Add or correct the following \nline in /etc/audit/auditd.conf to ensure that audit event data is \nfully synchronized with the log files on the disk:\n
flush = 
" rationale: "Audit data should be synchronously written to disk to ensure \nlog integrity. These parameters assure that all audit event data is fully \nsynchronized with the log files on the disk." severity: unknown references: disa: 1576 nist: AU-9,AU-12(1) ocil_clause: 'auditd is not configured to synchronously write audit event data to disk' ocil: "Inspect /etc/audit/auditd.conf and locate the following line to\ndetermine if the system is configured to synchronize audit event data \nwith the log files on the disk:\n$ sudo grep flush /etc/audit/auditd.conf\n
flush = DATA
\nAcceptable values are DATA, and SYNC. The setting is \ncase-insensitive." auditd_data_retention_max_log_file.rule000066400000000000000000000024121327242345500412110ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true title: 'Configure auditd Max Log File Size' description: |- Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data. rationale: |- The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. severity: medium identifiers: cce: 27550-3 references: nist: AU-1(b),AU-11,IR-5 pcidss: Req-10.7 srg: SRG-OS-999999 stigid: RHEL-06-000160 ocil_clause: 'the system audit data threshold has not been properly configured' ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine how much data the system will retain in each audit log file: $ sudo grep max_log_file /etc/audit/auditd.conf
max_log_file = 6
auditd_data_retention_max_log_file_action.rule000066400000000000000000000033171327242345500425530ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true title: 'Configure auditd max_log_file_action Upon Reaching Maximum Log Size' description: |- The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • suspend
  • rotate
  • keep_logs
    Set the ACTION to rotate to ensure log rotation occurs. This is the
    default. The setting is case-insensitive.

rationale: |-
    Automatically rotating logs (by setting this to rotate) minimizes the
    chances of the system unexpectedly running out of disk space by being
    overwhelmed with log data. However, for systems that must never discard
    log data, or which use external processes to transfer it and reclaim
    space, keep_logs can be employed.

severity: medium

identifiers:
    cce: 27237-7

references:
    nist: AU-1(b),AU-4,AU-11,IR-5
    pcidss: Req-10.7
    srg: SRG-OS-999999
    stigid: RHEL-06-000161

ocil_clause: 'the system has not been properly configured to rotate audit logs'

ocil: |-
    Inspect /etc/audit/auditd.conf and locate the following line to
    determine if the system is configured to rotate logs when they reach
    their maximum size:
    $ sudo grep max_log_file_action /etc/audit/auditd.conf
    max_log_file_action = rotate

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs.rule
documentation_complete: true

title: 'Configure auditd Number of Logs Retained'

description: |-
    Determine how many log files auditd should retain when it rotates logs.
    Edit the file /etc/audit/auditd.conf. Add or modify the following line,
    substituting NUMLOGS with the desired number of logs:
    num_logs = NUMLOGS
    Set the value to 5 for general-purpose systems. Note that values less
    than 2 result in no log rotation.

rationale: |-
    The total storage for audit log files must be large enough to retain
    log information over the period required. This is a function of the
    maximum log file size and the number of logs retained.

severity: medium

identifiers:
    cce: 27522-2

references:
    nist: AU-1(b),AU-11,IR-5
    pcidss: Req-10.7
    srg: SRG-OS-999999
    stigid: RHEL-06-000159

ocil_clause: 'the system log file retention has not been properly configured'

ocil: |-
    Inspect /etc/audit/auditd.conf and locate the following line to
    determine how many logs the system is configured to retain after
    rotation:
    $ sudo grep num_logs /etc/audit/auditd.conf
    num_logs = 5

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left.rule
documentation_complete: true

title: 'Configure auditd space_left on Low Disk Space'

description: |-
    The auditd service can be configured to take an action when disk space
    is running low but prior to running out of space completely. Edit the
    file /etc/audit/auditd.conf. Add or modify the following line,
    substituting SIZE_in_MB appropriately:
    space_left = SIZE_in_MB
    Set this value to the size in megabytes at which the system should
    notify the administrator of low disk space.

rationale: |-
    Notifying administrators of an impending disk space problem may allow
    them to take corrective action prior to any disruption.

severity: medium

identifiers:
    cce: 80507-7

references:
    disa: 143
    nist: AU-1(b),AU-4,AU-5(b),IR-5
    pcidss: Req-10.7
    srg: SRG-OS-000048
    stigid: RHEL-06-000311

ocil_clause: 'the system is not configured with a specific size in MB at which to notify administrators of an issue'

ocil: |-
    Inspect /etc/audit/auditd.conf and locate the following line to
    determine if the system is configured correctly:
    $ sudo grep -w space_left /etc/audit/auditd.conf
    space_left = SIZE_in_MB

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action.rule
documentation_complete: true

title: 'Configure auditd space_left Action on Low Disk Space'

description: |-
    The auditd service can be configured to take an action when disk space
    starts to run low. Edit the file /etc/audit/auditd.conf. Modify the
    following line, substituting ACTION appropriately:
    space_left_action = ACTION
    Possible values for ACTION are described in the auditd.conf man page.
    These include:
      • ignore
      • syslog
      • email
      • exec
      • suspend
      • single
      • halt
    Set this to email, as it is more likely to get prompt attention than
    the shipped default. Acceptable values also include suspend, single,
    and halt.

rationale: |-
    Notifying administrators of an impending disk space problem may allow
    them to take corrective action prior to any disruption.

severity: medium

identifiers:
    cce: 27238-5

references:
    disa: 140,143
    nist: AU-1(b),AU-4,AU-5(b),IR-5
    pcidss: Req-10.7
    srg: SRG-OS-000045
    stigid: RHEL-06-000005

ocil_clause: 'the system is not configured to send an email to the system administrator when disk space is starting to run low'

ocil: |-
    Inspect /etc/audit/auditd.conf and locate the following line to
    determine if the system is configured to email the administrator when
    disk space is starting to run low:
    $ sudo grep space_left_action /etc/audit/auditd.conf
    space_left_action = email
    Acceptable values are email, suspend, single, and halt.

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/configure_auditd_data_retention.group
documentation_complete: true

title: 'Configure auditd Data Retention'

description: |-
    The audit system writes data to /var/log/audit/audit.log. By default,
    auditd rotates 5 logs by size (6MB), retaining a maximum of 30MB of
    data in total, and refuses to write entries when the disk is too full.
    This minimizes the risk of audit data filling its partition and
    impacting other services. This also minimizes the risk of the audit
    daemon temporarily disabling the system if it cannot write audit logs
    (which it can be configured to do). For a busy system or a system
    which is thoroughly auditing system activity, the default settings for
    data retention may be insufficient. The log file size needed will
    depend heavily on what types of events are being audited. First
    configure auditing to log all the events of interest. Then monitor the
    log size manually for a while to determine what file size will allow
    you to keep the required data for the correct time period.

    Using a dedicated partition for /var/log/audit prevents the auditd
    logs from disrupting system functionality if they fill, and, more
    importantly, prevents other activity in /var from filling the
    partition and stopping the audit trail. (The audit logs are
    size-limited and therefore unlikely to grow without bound unless
    configured to do so.) Some machines may have requirements that no
    actions occur which cannot be audited. If this is the case, then
    auditd can be configured to halt the machine if it runs out of space.
    Note: Since older logs are rotated, configuring auditd this way does
    not prevent older logs from being rotated away before they can be
    viewed. If your system is configured to halt when logging cannot be
    performed, make sure this can never happen under normal circumstances!
    Ensure that /var/log/audit is on its own partition, and that this
    partition is larger than the maximum amount of data auditd will
    retain normally.

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/var_auditd_action_mail_acct.var
documentation_complete: true

title: 'Account for auditd to send email when actions occur'

description: 'The setting for action_mail_acct in /etc/audit/auditd.conf'

type: string

operator:

interactive: false

options:
    admin: admin
    default: root
    root: root

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var
documentation_complete: true

title: 'Action for auditd to take when disk space runs dangerously low'

description: 'The setting for admin_space_left_action in /etc/audit/auditd.conf'

type: string

operator:

interactive: false

options:
    default: single
    email: email
    exec: exec
    halt: halt
    ignore: ignore
    single: single
    suspend: suspend
    syslog: syslog

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/var_auditd_disk_error_action.var
documentation_complete: true

title: 'Action for auditd to take on a disk error'

description: 'The setting for disk_error_action in /etc/audit/auditd.conf'

type: string

operator:

interactive: false

options:
    default: single
    email: email
    exec: exec
    halt: halt
    single: single
    syslog: syslog

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/var_auditd_disk_full_action.var
documentation_complete: true

title: 'Action for auditd to take when the disk is full'

description: 'The setting for disk_full_action in /etc/audit/auditd.conf'

type: string

operator:

interactive: false

options:
    default: single
    email: email
    exec: exec
    halt: halt
    single: single
    syslog: syslog

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
documentation_complete: true

title: 'Auditd priority for flushing data to disk'

description: 'The setting for flush in /etc/audit/auditd.conf'

type: string

operator:

interactive: false

options:
    data: data
    default: data
    incremental: incremental
    none: none
    sync: sync

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/var_auditd_max_log_file.var
documentation_complete: true

title: 'Maximum audit log file size for auditd'

description: 'The setting for max_log_file (MB) in /etc/audit/auditd.conf'

type: number

operator:

interactive: false

options:
    1: 1
    10: 10
    20: 20
    5: 5
    6: 6
    default: 6

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/var_auditd_max_log_file_action.var
documentation_complete: true

title: 'Action for auditd to take when log files reach their maximum size'

description: 'The setting for max_log_file_action in /etc/audit/auditd.conf'

type: string

operator:

interactive: false

options:
    default: rotate
    ignore: ignore
    keep_logs: keep_logs
    rotate: rotate
    suspend: suspend
    syslog: syslog

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/var_auditd_num_logs.var
documentation_complete: true

title: 'Number of log files for auditd to retain'

description: 'The setting for num_logs in /etc/audit/auditd.conf'

type: number

operator:

interactive: false

options:
    "0": "0"
    1: 1
    2: 2
    3: 3
    4: 4
    5: 5
    default: 5

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
documentation_complete: true

title: 'Size remaining in disk space before prompting space_left_action'

description: 'The setting for space_left (MB) in /etc/audit/auditd.conf'

type: number

operator:

interactive: false

options:
    1000MB: 1000
    100MB: 100
    250MB: 250
    500MB: 500
    750MB: 750
    default: 100

# scap-security-guide-0.1.39/rhel6/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var
documentation_complete: true

title: 'Action for auditd to take when disk space just starts to run low'

description: 'The setting for space_left_action in /etc/audit/auditd.conf'

type: string

operator:

interactive: false

options:
    default: email
    email: email
    exec: exec
    halt: halt
    ignore: ignore
    single: single
    suspend: suspend
    syslog: syslog
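The retention rules in this group (max_log_file_action, num_logs, space_left, space_left_action) can be checked together. The script below is an added example written for this page, not OVAL or remediation content from scap-security-guide. It takes the path of an auditd.conf and applies the guide's recommended values: rotate (or keep_logs), at least 5 logs, a numeric space_left, and an attention-getting space_left_action. The thresholds are the guide's, not auditd's built-in defaults, and the two embedded configs are constructed samples so the script runs without root.

```sh
#!/bin/sh
# Added example for this page; not part of scap-security-guide.
# Checks the auditd data-retention settings discussed above against the
# values the guide recommends. Pass a path to check a real auditd.conf;
# with no argument it runs against the constructed samples below.

# auditd_get FILE KEY -> prints KEY's value in lowercase (auditd treats both
# keys and values case-insensitively); prints nothing if KEY is absent.
# The regex requires "=" right after KEY, so space_left does not match
# space_left_action, and ^ keeps admin_space_left from matching space_left.
auditd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# auditd_retained_mb FILE -> max_log_file * num_logs: the disk the rotated
# audit logs can occupy, which /var/log/audit must be sized to exceed.
auditd_retained_mb() {
    local size logs
    size=$(auditd_get "$1" max_log_file)
    logs=$(auditd_get "$1" num_logs)
    echo $(( ${size:-0} * ${logs:-0} ))
}

# auditd_check_retention FILE -> one finding per line; returns 0 when all
# four settings match the guide, 1 otherwise. A missing key is a finding.
auditd_check_retention() {
    local conf=$1 rc=0 v
    v=$(auditd_get "$conf" max_log_file_action)
    case "$v" in
        rotate|keep_logs) ;;
        *) echo "max_log_file_action='${v:-unset}': expected rotate (or keep_logs)"; rc=1 ;;
    esac
    v=$(auditd_get "$conf" num_logs)
    case "$v" in
        ''|*[!0-9]*) echo "num_logs='${v:-unset}': expected an integer"; rc=1 ;;
        *) if [ "$v" -lt 2 ]; then
               echo "num_logs=$v: values below 2 disable rotation"; rc=1
           elif [ "$v" -lt 5 ]; then
               echo "num_logs=$v: below the recommended 5"; rc=1
           fi ;;
    esac
    v=$(auditd_get "$conf" space_left)
    case "$v" in
        ''|*[!0-9]*) echo "space_left='${v:-unset}': expected a size in MB"; rc=1 ;;
    esac
    v=$(auditd_get "$conf" space_left_action)
    case "$v" in
        email|suspend|single|halt) ;;
        *) echo "space_left_action='${v:-unset}': expected email, suspend, single or halt"; rc=1 ;;
    esac
    return $rc
}

# auditd_sample_conf good|weak -> writes a constructed (not shipped)
# auditd.conf fragment to stdout; "weak" has one problem per check.
auditd_sample_conf() {
    if [ "$1" = good ]; then
        printf 'max_log_file = 6\nnum_logs = 5\nmax_log_file_action = ROTATE\n'
        printf 'space_left = 100\nspace_left_action = EMAIL\n'
    else
        printf 'max_log_file = 6\nnum_logs = 1\nmax_log_file_action = IGNORE\n'
        printf '# space_left deliberately unset\nspace_left_action = syslog\n'
    fi
}

main() {
    local kind tmp
    if [ $# -gt 0 ]; then
        if auditd_check_retention "$1"; then echo "$1: retention settings OK"; fi
        return 0
    fi
    for kind in good weak; do
        tmp=$(mktemp)
        auditd_sample_conf "$kind" > "$tmp"
        echo "== $kind sample: $(auditd_retained_mb "$tmp") MB retained by rotation"
        if auditd_check_retention "$tmp"; then echo "no findings"; fi
        rm -f "$tmp"
    done
}

main "$@"
```

Run it as `sh auditd_retention_check.sh /etc/audit/auditd.conf` on a real host; compare the reported retained size with the free space on the /var/log/audit partition, since the group text above requires the partition to exceed it.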
# scap-security-guide-0.1.39/rhel6/guide/system/auditing/service_auditd_enabled.rule
documentation_complete: true

title: 'Enable auditd Service'

description: |-
    The auditd service is an essential userspace component of the Linux
    Auditing System, as it is responsible for writing audit records to
    disk.

rationale: |-
    Ensuring the auditd service is active ensures audit records generated
    by the kernel can be written to disk, or that appropriate actions will
    be taken if other obstacles exist.

severity: medium

identifiers:
    cce: 27058-7

references:
    disa: 347,157,172,880,1353,1462,1487,1115,1454,067,158,831,1190,1312,1263,130,120,1589
    nist: AC-17(1),AU-1(b),AU-10,AU-12(a),AU-12(c),IR-5
    pcidss: Req-10
    srg: SRG-OS-000255,SRG-OS-000032,SRG-OS-000037
    stigid: RHEL-06-000145

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/entropy/entropy.group
documentation_complete: true

title: 'Protect Random-Number Entropy Pool'

description: |-
    Because their execution times are inherently unpredictable, the I/O
    operations of the Linux kernel block layer have traditionally been
    treated as a reliable contributor to the kernel's random-number
    entropy pool. This changed with the introduction of solid-state
    storage devices (SSDs).

# scap-security-guide-0.1.39/rhel6/guide/system/entropy/kernel_disable_entropy_contribution_for_solid_state_drives.rule
documentation_complete: true

title: 'Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool'

description: |-
    For each solid-state drive on the system, run:
    # echo 0 > /sys/block/DRIVE/queue/add_random
    Values written to sysfs do not survive a reboot, so the change must be
    reapplied at boot.
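Applying the rule to every SSD rather than one DRIVE at a time, as an added example written for this page (not the project's own remediation): it treats a device as an SSD when the kernel reports `queue/rotational` as 0, a heuristic the rule text does not state, and it takes the sysfs root as a parameter (my addition) so the logic can be exercised against a constructed directory tree without root. The fake tree built by `make_fake_sysfs` stands in for /sys/block and describes no real hardware.

```sh
#!/bin/sh
# Added example for this page; not part of scap-security-guide.
# Applies "echo 0 > /sys/block/DRIVE/queue/add_random" to every device the
# kernel reports as non-rotational. ROOT defaults to /sys/block and is a
# parameter only so the functions can be run against a constructed tree.

# ssd_devices [ROOT] -> names of block devices whose queue/rotational is 0.
# Devices without a readable queue/rotational are skipped.
ssd_devices() {
    local root=${1:-/sys/block} dev
    for dev in "$root"/*; do
        [ -r "$dev/queue/rotational" ] || continue
        if [ "$(cat "$dev/queue/rotational")" = 0 ]; then
            echo "${dev##*/}"
        fi
    done
}

# disable_ssd_entropy [ROOT] -> writes add_random=0 for each SSD; returns 1
# if any write failed (writing the real sysfs attribute requires root).
disable_ssd_entropy() {
    local root=${1:-/sys/block} dev rc=0
    for dev in $(ssd_devices "$root"); do
        if echo 0 > "$root/$dev/queue/add_random" 2>/dev/null; then
            echo "$dev: add_random=0"
        else
            echo "$dev: cannot write add_random (run as root)" >&2
            rc=1
        fi
    done
    return $rc
}

# verify_ssd_entropy [ROOT] -> returns 0 only if every SSD has add_random=0;
# prints the devices that still feed the entropy pool.
verify_ssd_entropy() {
    local root=${1:-/sys/block} dev rc=0
    for dev in $(ssd_devices "$root"); do
        if [ "$(cat "$root/$dev/queue/add_random")" != 0 ]; then
            echo "$dev: add_random is still enabled"
            rc=1
        fi
    done
    return $rc
}

# make_fake_sysfs DIR -> constructed stand-in for /sys/block (no real
# devices): sda is a spinning disk; sdb and nvme0n1 are SSDs, and all three
# start with add_random=1, i.e. still contributing to the pool.
make_fake_sysfs() {
    local root=$1 spec dev rot
    for spec in sda:1 sdb:0 nvme0n1:0; do
        dev=${spec%%:*}; rot=${spec##*:}
        mkdir -p "$root/$dev/queue"
        echo "$rot" > "$root/$dev/queue/rotational"
        echo 1 > "$root/$dev/queue/add_random"
    done
}

main() {
    local root=$1 fake=0
    if [ -z "$root" ]; then
        root=$(mktemp -d); fake=1; make_fake_sysfs "$root"
        echo "demo against constructed tree $root"
    fi
    echo "SSDs: $(ssd_devices "$root" | tr '\n' ' ')"
    disable_ssd_entropy "$root"
    if verify_ssd_entropy "$root"; then echo "all SSDs excluded from the entropy pool"; fi
    [ "$fake" = 1 ] && rm -rf "$root"
    return 0
}

main "$@"
```

On a real host run it as root with no argument replaced by `/sys/block` (the default). Because the attribute resets at boot, a persistent form of the same logic is a udev rule such as `ACTION=="add|change", SUBSYSTEM=="block", ATTR{queue/rotational}=="0", ATTR{queue/add_random}="0"`; that rule is a suggestion here, not something the page prescribes.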
rationale: |-
    In contrast to traditional electromechanical magnetic disks, which
    contain spinning platters and movable read/write heads, solid-state
    storage devices (SSDs) have no moving mechanical components. Their I/O
    completion times are therefore far more predictable, and so contribute
    little genuine randomness.

severity: medium

# scap-security-guide-0.1.39/rhel6/guide/system/logging/configure_logwatch_on_logserver/configure_logwatch_on_logserver.group
documentation_complete: true

title: 'Configure Logwatch on the Central Log Server'

description: 'Is this machine the central log server? If so, edit the file /etc/logwatch/conf/logwatch.conf as shown below.'

# scap-security-guide-0.1.39/rhel6/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_hostlimit.rule
documentation_complete: true

title: 'Configure Logwatch HostLimit Line'

description: |-
    On a central logserver, you want Logwatch to summarize all syslog
    entries, including those which did not originate on the logserver
    itself. The HostLimit setting tells Logwatch to report on all hosts,
    not just the one on which it is running.
    HostLimit = no

rationale: ""

severity: unknown

identifiers:
    cce: 27197-3

# scap-security-guide-0.1.39/rhel6/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_splithosts.rule
documentation_complete: true

title: 'Configure Logwatch SplitHosts Line'

description: |-
    If SplitHosts is set, Logwatch will separate entries by hostname. This
    makes the report longer but significantly more usable. If it is not
    set, then Logwatch will not report which host generated a given log
    entry, and that information is almost always necessary.
    SplitHosts = yes

rationale: ""

severity: unknown

identifiers:
    cce: 27069-4

# scap-security-guide-0.1.39/rhel6/guide/system/logging/disable_logwatch_for_logserver.rule
documentation_complete: true

title: 'Disable Logwatch on Clients if a Logserver Exists'

description: |-
    Does your site have a central logserver which has been configured to
    report on logs received from all systems? If so:
    $ sudo rm /etc/cron.daily/0logwatch
    If no logserver exists, it will be necessary for each machine to run
    Logwatch individually. Using a central logserver provides the security
    and reliability benefits discussed earlier, and also makes monitoring
    logs easier and less time-intensive for administrators.

rationale: ""

severity: unknown

identifiers:
    cce: 27162-7

# scap-security-guide-0.1.39/rhel6/guide/system/logging/ensure_rsyslog_log_file_configuration/ensure_rsyslog_log_file_configuration.group
documentation_complete: true

title: 'Ensure Proper Configuration of Log Files'

description: |-
    The file /etc/rsyslog.conf controls where log messages are written.
    These are controlled by lines called rules, which consist of a
    selector and an action. These rules are often customized depending on
    the role of the system, the requirements of the environment, and
    whatever may enable the administrator to most effectively make use of
    log data. The default rules in Red Hat Enterprise Linux 6 are:
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    authpriv.*                                              /var/log/secure
    mail.*                                                  -/var/log/maillog
    cron.*                                                  /var/log/cron
    *.emerg                                                 *
    uucp,news.crit                                          /var/log/spooler
    local7.*                                                /var/log/boot.log
    See the man page rsyslog.conf(5) for more information. Note that the
    rsyslog daemon can be configured to use a timestamp format that some
    log processing programs may not understand. If this occurs, edit the
    file /etc/rsyslog.conf and add or edit the following line:
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# scap-security-guide-0.1.39/rhel6/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var
documentation_complete: true

title: 'Group who owns log files'

description: |-
    Specify the group owner of all logfiles specified in /etc/rsyslog.conf.

type: string

operator: equals

interactive: false

options:
    root: root

# scap-security-guide-0.1.39/rhel6/guide/system/logging/ensure_rsyslog_log_file_configuration/file_owner_logfiles_value.var
documentation_complete: true

title: 'User who owns log files'

description: |-
    Specify the user owner of all logfiles specified in /etc/rsyslog.conf.

type: string

operator: equals

interactive: false

options:
    root: root

# scap-security-guide-0.1.39/rhel6/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership.rule
documentation_complete: true

title: 'Ensure Log Files Are Owned By Appropriate Group'

description: |-
    The group-owner of all log files written by rsyslog should be root.
    These log files are determined by the second part of each Rule line in
    /etc/rsyslog.conf and typically all appear in /var/log. For each log
    file LOGFILE referenced in /etc/rsyslog.conf, run the following
    command to inspect the file's group owner:
    $ ls -l LOGFILE
    If the group-owner is not root, run the following command to correct
    this:
    $ sudo chgrp root LOGFILE

rationale: |-
    The log files generated by rsyslog contain valuable information
    regarding system configuration, user authentication, and other such
    information. Log files should be protected from unauthorized access.

severity: medium

identifiers:
    cce: 26821-9

references:
    disa: 1314
    nist: AC-6,SI-11
    pcidss: Req-10.5.1,Req-10.5.2
    srg: SRG-OS-000206
    stigid: RHEL-06-000134

ocil_clause: 'the group-owner is not root'

ocil: |-
    The group-owner of all log files written by rsyslog should be root.
    These log files are determined by the second part of each Rule line in
    /etc/rsyslog.conf and typically all appear in /var/log. To see the
    group-owner of a given log file, run the following command:
    $ ls -l LOGFILE

# scap-security-guide-0.1.39/rhel6/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership.rule
documentation_complete: true

title: 'Ensure Log Files Are Owned By Appropriate User'

description: |-
    The owner of all log files written by rsyslog should be root. These
    log files are determined by the second part of each Rule line in
    /etc/rsyslog.conf and typically all appear in /var/log. For each log
    file LOGFILE referenced in /etc/rsyslog.conf, run the following
    command to inspect the file's owner:
    $ ls -l LOGFILE
    If the owner is not root, run the following command to correct this:
    $ sudo chown root LOGFILE

rationale: |-
    The log files generated by rsyslog contain valuable information
    regarding system configuration, user authentication, and other such
    information. Log files should be protected from unauthorized access.

severity: medium

identifiers:
    cce: 26812-8

references:
    disa: 1314
    nist: AC-6,SI-11
    pcidss: Req-10.5.1,Req-10.5.2
    srg: SRG-OS-000206
    stigid: RHEL-06-000133

ocil_clause: 'the owner is not root'

ocil: |-
    The owner of all log files written by rsyslog should be root. These
    log files are determined by the second part of each Rule line in
    /etc/rsyslog.conf and typically all appear in /var/log. To see the
    owner of a given log file, run the following command:
    $ ls -l LOGFILE

# scap-security-guide-0.1.39/rhel6/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions.rule
documentation_complete: true

title: 'Ensure System Log Files Have Correct Permissions'

description: |-
    The file permissions for all log files written by rsyslog should be
    set to 600, or more restrictive. These log files are determined by the
    second part of each Rule line in /etc/rsyslog.conf and typically all
    appear in /var/log. For each log file LOGFILE referenced in
    /etc/rsyslog.conf, run the following command to inspect the file's
    permissions:
    $ ls -l LOGFILE
    If the permissions are not 600 or more restrictive, run the following
    command to correct this:
    $ sudo chmod 0600 LOGFILE
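The three ownership and permission rules above, together with the group description's point that the targets are the second field of each rule line, can be checked in one pass. What follows is an added example for this page, not the project's OVAL or remediation content: it parses the legacy `selector action` rule format shown above, skipping `$` directives and non-file actions such as `*`, `@host` and `:omrelp:host`, then checks each target's owner, group and mode. Exp ected owner and group are parameters (the guide requires root:root; the embedded demo uses the current user so it runs unprivileged), the sample rsyslog.conf is constructed, and the newer `action(...)` syntax is not handled.

```sh
#!/bin/sh
# Added example for this page; not part of scap-security-guide.
# Lists the log files an rsyslog.conf writes to and checks each against
# the three rules above: owner, group, and mode 0600 or tighter.

# rsyslog_logfiles CONF -> the file target of every rule line, one per
# line. Comments, blank lines and $directives are skipped, as are actions
# that are not files ("*", "@host", "@@host", ":omrelp:host", "~").
# A leading "-" (which only disables sync) is stripped.
rsyslog_logfiles() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*[$]/ || NF < 2 { next }
        {
            t = $NF
            sub(/^-/, "", t)
            if (substr(t, 1, 1) == "/") print t
        }' "$1" | sort -u
}

# logfile_check PATH OWNER GROUP -> one finding per line; returns 1 if the
# file is not OWNER:GROUP or has any mode bit outside 0600 (group/other
# access, or setuid/setgid/sticky). A missing file is reported but is not
# a finding: rsyslog creates it on first write.
logfile_check() {
    local f=$1 owner=$2 group=$3 rc=0 st u g mode
    if [ ! -e "$f" ]; then
        echo "$f: not present yet"
        return 0
    fi
    st=$(stat -c '%U %G %a' "$f") || return 1
    set -- $st
    u=$1; g=$2; mode=$3
    [ "$u" = "$owner" ] || { echo "$f: owner $u, expected $owner"; rc=1; }
    [ "$g" = "$group" ] || { echo "$f: group $g, expected $group"; rc=1; }
    # 0$mode reads the octal string as a number; any bit outside 0600 fails
    if [ $(( 0$mode & ~0600 )) -ne 0 ]; then
        echo "$f: mode $mode, expected 0600 or more restrictive"; rc=1
    fi
    return $rc
}

# logfile_fix PATH OWNER GROUP -> the remediation from the rules above
logfile_fix() {
    chown "$2:$3" "$1" && chmod 0600 "$1"
}

# rsyslog_logfiles_check CONF [OWNER] [GROUP] -> runs logfile_check on
# every target; OWNER/GROUP default to root as the guide requires.
rsyslog_logfiles_check() {
    local conf=$1 owner=${2:-root} group=${3:-root} rc=0 f
    for f in $(rsyslog_logfiles "$conf"); do    # log paths contain no spaces
        logfile_check "$f" "$owner" "$group" || rc=1
    done
    return $rc
}

# make_sample_rsyslog DIR -> constructed rsyslog.conf (not the shipped one)
# whose file targets live under DIR, plus those files with mixed modes.
make_sample_rsyslog() {
    local d=$1
    printf '# constructed sample\n$ModLoad imuxsock\n' > "$d/rsyslog.conf"
    printf '*.info;mail.none;authpriv.none;cron.none %s/messages\n' "$d" >> "$d/rsyslog.conf"
    printf 'authpriv.* %s/secure\nmail.* -%s/maillog\n' "$d" "$d" >> "$d/rsyslog.conf"
    printf '*.emerg *\n*.* @@loghost.example.com\n' >> "$d/rsyslog.conf"
    : > "$d/messages"; chmod 600 "$d/messages"
    : > "$d/secure";   chmod 644 "$d/secure"
    : > "$d/maillog";  chmod 664 "$d/maillog"
}

main() {
    local d f me mygrp
    if [ $# -gt 0 ]; then
        rsyslog_logfiles_check "$1" && echo "$1: all log files OK"
        return 0
    fi
    d=$(mktemp -d); me=$(id -un); mygrp=$(id -gn)
    make_sample_rsyslog "$d"
    echo "targets:"; rsyslog_logfiles "$d/rsyslog.conf"
    rsyslog_logfiles_check "$d/rsyslog.conf" "$me" "$mygrp" || echo "-- fixing"
    for f in $(rsyslog_logfiles "$d/rsyslog.conf"); do logfile_fix "$f" "$me" "$mygrp"; done
    rsyslog_logfiles_check "$d/rsyslog.conf" "$me" "$mygrp" && echo "all log files OK"
    rm -rf "$d"
}

main "$@"
```

Against a real host run `sudo sh rsyslog_logfile_check.sh /etc/rsyslog.conf`; files such as /var/log/boot.log that the permissions rule notes are created by other programs will show up as findings and may need to be excluded by policy.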
" rationale: |- Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value. severity: medium identifiers: cce: 27190-8 references: disa: 1314 nist: SI-11 pcidss: Req-10.5.1,Req-10.5.2 srg: SRG-OS-000206 stigid: RHEL-06-000135 ocil_clause: 'the permissions are not correct' ocil: "The file permissions for all log files written by rsyslog \nshould be set to 600, or more restrictive.\nThese log files are determined by the second part of each Rule line in\n/etc/rsyslog.conf and typically all appear in /var/log.\nTo see the permissions of a given log file, run the following command:\n
$ ls -l LOGFILE
\nThe permissions should be 600, or more restrictive. Some log files referenced\nin /etc/rsyslog.conf may be created by other programs and may require \nexclusion from consideration, such as /var/log/boot.log." scap-security-guide-0.1.39/rhel6/guide/system/logging/log_rotation/000077500000000000000000000000001327242345500252705ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/logging/log_rotation/ensure_logrotate_activated.rule000066400000000000000000000021401327242345500335630ustar00rootroot00000000000000documentation_complete: true title: 'Ensure Logrotate Runs Periodically' description: "The logrotate utility allows for the automatic rotation of \nlog files. The frequency of rotation is specified in /etc/logrotate.conf, \nwhich triggers a cron task. To configure logrotate to run daily, add or correct \nthe following line in /etc/logrotate.conf:\n
# rotate log files frequency\ndaily
" rationale: |- Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full. severity: unknown identifiers: cce: 27014-0 references: disa: 366 nist: AU-9 pcidss: Req-10.7 srg: SRG-OS-999999 stigid: RHEL-06-000138 ocil_clause: 'logrotate is not configured to run daily' ocil: "To determine the status and frequency of logrotate, run the following command:\n
$ sudo grep logrotate /var/log/cron*
\nIf logrotate is configured properly, output should include references to \n/etc/cron.daily." scap-security-guide-0.1.39/rhel6/guide/system/logging/log_rotation/log_rotation.group000066400000000000000000000024311327242345500310460ustar00rootroot00000000000000documentation_complete: true title: 'Ensure All Logs are Rotated by logrotate' description: |- Edit the file /etc/logrotate.d/syslog. Find the first line, which should look like this (wrapped for clarity):
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
      /var/log/boot.log /var/log/cron {
Edit this line so that it contains a one-space-separated listing of each log file referenced in /etc/rsyslog.conf.

    All logs in use on a system must be rotated regularly, or the log
    files will consume disk space over time, eventually interfering with
    system operation. The file /etc/logrotate.d/syslog is the
    configuration file used by the logrotate program to maintain all log
    files written by syslog. By default, it rotates logs weekly and stores
    four archival copies of each log. These settings can be modified by
    editing /etc/logrotate.conf, but the defaults are sufficient for
    purposes of this guide.

    Note that logrotate is run nightly by the cron job
    /etc/cron.daily/logrotate. If particularly active logs need to be
    rotated more often than once a day, some other mechanism must be used.

# scap-security-guide-0.1.39/rhel6/guide/system/logging/logging.group
documentation_complete: true

title: 'Configure Syslog'

description: |-
    The syslog service has been the default Unix logging mechanism for
    many years. It has a number of downsides, including inconsistent log
    format, lack of authentication for received messages, and lack of
    authentication, encryption, or reliable transport for messages sent
    over a network. However, due to its long history, syslog is a de facto
    standard which is supported by almost all Unix applications.

    In Red Hat Enterprise Linux 6, rsyslog has replaced sysklogd as the
    syslog daemon of choice, and it includes some additional security
    features such as reliable, connection-oriented (i.e. TCP) transmission
    of logs, the option to log to database formats, and the encryption of
    log data en route to a central logging server. This section discusses
    how to configure rsyslog for best effect, and how to use tools
    provided with the system to maintain and monitor logs.

# scap-security-guide-0.1.39/rhel6/guide/system/logging/package_rsyslog_installed.rule
documentation_complete: true

title: 'Ensure rsyslog is Installed'

description: |-
    Rsyslog is installed by default.

rationale: |-
    The rsyslog package provides the rsyslog daemon, which provides system
    logging services.

severity: medium

identifiers:
    cce: 26809-4

references:
    disa: 1311,1312
    nist: AU-9(2)

ocil_clause: 'the package is not installed'

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp.rule
documentation_complete: true

title: 'Enable rsyslog to Accept Messages via UDP, if Acting As Log Server'

description: |-
    The rsyslog daemon should not accept remote messages unless the system
    acts as a log server. If the system needs to act as a central log
    server, add the following lines to /etc/rsyslog.conf to enable
    reception of messages over UDP:
    $ModLoad imudp
    $UDPServerRun 514

rationale: |-
    Many devices, such as switches, routers, and other Unix-like systems,
    may only support the traditional syslog transmission over UDP. If the
    system must act as a log server, this enables it to receive their
    messages as well.

severity: unknown

identifiers:
    cce: 27236-9

references:
    nist: AU-9

# scap-security-guide-0.1.39/rhel6/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accepting_remote_messages.group
documentation_complete: true

title: 'Configure rsyslogd to Accept Remote Messages If Acting as a Log Server'

description: |-
    By default, rsyslog does not listen over the network for log messages.
    If needed, modules can be enabled to allow the rsyslog daemon to
    receive messages from other systems and for the system thus to act as
    a log server. If the machine is not a log server, then lines
    concerning these modules should remain commented out.

# scap-security-guide-0.1.39/rhel6/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_listen_tcp.rule
documentation_complete: true

title: 'Enable rsyslog to Accept Messages via TCP, if Acting As Log Server'

description: |-
    The rsyslog daemon should not accept remote messages unless the system
    acts as a log server. If the system needs to act as a central log
    server, add the following lines to /etc/rsyslog.conf to enable
    reception of messages over TCP:
    $ModLoad imtcp
    $InputTCPServerRun 514

rationale: |-
    If the system needs to act as a log server, this ensures that it can
    receive messages over a reliable TCP connection.

severity: unknown

identifiers:
    cce: 27235-1

references:
    nist: AU-9

# scap-security-guide-0.1.39/rhel6/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten.rule
documentation_complete: true

title: 'Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server'

description: |-
    The rsyslog daemon should not accept remote messages unless the system
    acts as a log server. To ensure that it is not listening on the
    network, ensure the following lines are not present (other than
    commented out) in /etc/rsyslog.conf:
    $ModLoad imtcp
    $InputTCPServerRun port
    $ModLoad imudp
    $UDPServerRun port
    $ModLoad imrelp
    $InputRELPServerRun port

rationale: |-
    Any process which receives messages from the network incurs some risk
    of receiving malicious messages. This risk can be eliminated for
    rsyslog by configuring it not to listen on the network.

severity: unknown

identifiers:
    cce: 26803-7

references:
    nist: AU-9(2),AC-4

# scap-security-guide-0.1.39/rhel6/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost.rule
documentation_complete: true

title: 'Ensure Logs Sent To Remote Host'

description: |-
    To configure rsyslog to send logs to a remote log server, open
    /etc/rsyslog.conf and read and understand the last section of the
    file, which describes the multiple directives necessary to activate
    remote logging. Along with these other directives, the system can be
    configured to forward its logs to a particular log server by adding or
    correcting one of the following lines, substituting
    loghost.example.com appropriately. The choice of protocol depends on
    the environment of the system; although TCP and RELP provide more
    reliable message delivery, they may not be supported in all
    environments.
    To use UDP for log message delivery:
    *.* @loghost.example.com

    To use TCP for log message delivery:
    *.* @@loghost.example.com

    To use RELP for log message delivery:
    *.* :omrelp:loghost.example.com

rationale: |-
    A log server (loghost) receives syslog messages from one or more
    systems. This data can be used as an additional log source in the
    event a system is compromised and its local logs are suspect.
    Forwarding log messages to a remote loghost also provides system
    administrators with a centralized place to view the status of multiple
    hosts within the enterprise.

severity: unknown

identifiers:
    cce: 26801-1

references:
    disa: '1348, 136'
    nist: AU-3(2),AU-9
    srg: SRG-OS-000215,SRG-OS-000043
    stigid: RHEL-06-000136

ocil_clause: 'none of these are present'

ocil: |-
    To ensure logs are sent to a remote host, examine the file
    /etc/rsyslog.conf. If using UDP, a line similar to the following
    should be present:
    *.* @loghost.example.com
    If using TCP, a line similar to the following should be present:
    *.* @@loghost.example.com
    If using RELP, a line similar to the following should be present:
    *.* :omrelp:loghost.example.com
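The nolisten rule and the remote loghost rule are two halves of one role decision, so an added example for this page (not the project's checks) parses a rsyslog.conf for both: active listener directives (the imtcp/imudp/imrelp lines the nolisten rule says must be absent) and forwarding actions (`@host`, `@@host`, `:omrelp:host`). `rsyslog_role_check` then applies the client or log-server expectation. The two configs are constructed samples, the legacy directive names are compared case-insensitively as rsyslog treats them, and the newer `input(...)`/`action(...)` syntax is not parsed.

```sh
#!/bin/sh
# Added example for this page; not part of scap-security-guide.
# Reads an rsyslog.conf and reports which network inputs are active and
# where logs are forwarded, then checks that against the host's role.

# rsyslog_listeners CONF -> active (uncommented) listener directives, one
# per line, e.g. "$ModLoad imtcp" / "$InputTCPServerRun 514".
rsyslog_listeners() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            d = tolower($1); m = tolower($2)
            if (d == "$modload" && (m == "imtcp" || m == "imudp" || m == "imrelp"))
                print $1, $2
            else if (d == "$inputtcpserverrun" || d == "$udpserverrun" || d == "$inputrelpserverrun")
                print $1, $2
        }' "$1"
}

# rsyslog_forward_targets CONF -> "PROTO HOST[:PORT]" for each forwarding
# action: @host is udp, @@host is tcp, :omrelp:host is relp. Options such
# as "@@(o)host" are stripped.
rsyslog_forward_targets() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*[$]/ || NF < 2 { next }
        {
            a = $NF
            if (substr(a, 1, 2) == "@@")            { proto = "tcp";  a = substr(a, 3) }
            else if (substr(a, 1, 1) == "@")        { proto = "udp";  a = substr(a, 2) }
            else if (substr(a, 1, 8) == ":omrelp:") { proto = "relp"; a = substr(a, 9) }
            else next
            sub(/^\([^)]*\)/, "", a)
            print proto, a
        }' "$1"
}

# rsyslog_role_check CONF client|server -> findings on stdout; returns 0
# when the config fits the role. A client must forward somewhere and must
# not listen; a server must listen. UDP-only forwarding is noted, not
# failed, because the rule text accepts it where nothing else is supported.
rsyslog_role_check() {
    local conf=$1 role=$2 rc=0 nlisten nfwd
    nlisten=$(rsyslog_listeners "$conf" | wc -l)
    nfwd=$(rsyslog_forward_targets "$conf" | wc -l)
    case "$role" in
        client)
            if [ "$nlisten" -gt 0 ]; then
                echo "listener directives active on a host that is not a log server:"
                rsyslog_listeners "$conf" | sed 's/^/    /'
                rc=1
            fi
            if [ "$nfwd" -eq 0 ]; then
                echo "no remote loghost configured (@host, @@host or :omrelp:host)"
                rc=1
            elif ! rsyslog_forward_targets "$conf" | grep -qv '^udp '; then
                echo "note: logs are forwarded over UDP only; delivery is not guaranteed"
            fi ;;
        server)
            if [ "$nlisten" -eq 0 ]; then
                echo "log server has no active imtcp/imudp/imrelp input"
                rc=1
            fi ;;
        *) echo "role must be client or server" >&2; return 2 ;;
    esac
    return $rc
}

# sample_rsyslog_conf client|server -> constructed configs (not shipped
# files): the client keeps the listener lines commented out and forwards
# over TCP; the server enables UDP and TCP inputs on port 514.
sample_rsyslog_conf() {
    if [ "$1" = client ]; then
        printf '$ModLoad imuxsock\n#$ModLoad imtcp\n#$InputTCPServerRun 514\n'
        printf '*.info;mail.none;authpriv.none;cron.none /var/log/messages\n'
        printf '*.* @@loghost.example.com:514\n'
    else
        printf '$ModLoad imudp\n$UDPServerRun 514\n$ModLoad imtcp\n$InputTCPServerRun 514\n'
        printf '*.* /var/log/messages\n'
    fi
}

main() {
    local role tmp
    if [ $# -gt 0 ]; then
        rsyslog_role_check "$1" "${2:-client}" && echo "$1: fits role ${2:-client}"
        return 0
    fi
    for role in client server; do
        tmp=$(mktemp); sample_rsyslog_conf "$role" > "$tmp"
        echo "== $role sample"
        echo "listeners: $(rsyslog_listeners "$tmp" | tr '\n' ';')"
        echo "forwards:  $(rsyslog_forward_targets "$tmp" | tr '\n' ';')"
        rsyslog_role_check "$tmp" "$role" && echo "fits role $role"
        rm -f "$tmp"
    done
}

main "$@"
```

Run as `sh rsyslog_role_check.sh /etc/rsyslog.conf client` on ordinary hosts and with `server` on the loghost; a host that passes neither check is the misconfiguration both rules warn about.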
rsyslog_remote_loghost_address.var000066400000000000000000000003671327242345500366520ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/logging/rsyslog_sending_messagesdocumentation_complete: true title: 'Remote Log Server' description: 'Specify an URI or IP address of a remote host where the log messages will be sent and stored.' type: string operator: equals interactive: false options: default: NULL rsyslog_sending_messages.group000066400000000000000000000024311327242345500357670ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/logging/rsyslog_sending_messagesdocumentation_complete: true title: 'Rsyslog Logs Sent To Remote Host' description: |- If system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised the root account on a machine may delete the log entries which indicate that the system was attacked before they are seen by an administrator.

However, it is recommended that logs be stored on the local host in addition to being sent to the loghost, especially if rsyslog has been configured to use the UDP protocol to send messages over a network. UDP does not guarantee reliable delivery, and moderately busy sites will lose log messages occasionally, especially in periods of high traffic which may be the result of an attack. In addition, remote rsyslog messages are not authenticated in any way by default, so it is easy for an attacker to introduce spurious messages to the central log server. Also, some problems cause loss of network connectivity, which will prevent the sending of messages to the central server. For all of these reasons, it is better to store log messages both centrally and on each host, so that they can be correlated if necessary.

scap-security-guide-0.1.39/rhel6/guide/system/logging/service_rsyslog_enabled.rule
documentation_complete: true
title: 'Enable rsyslog Service'
description: |-
The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 6.
rationale: |-
The rsyslog service must be running in order to provide logging services, which are essential to system administration.
severity: medium
identifiers:
    cce: 26807-8
references:
    disa: 1557,1312,1311
    nist: AU-12
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipsec/network-ipsec.group
documentation_complete: true
title: 'IPSec Support'
description: |-
Support for Internet Protocol Security (IPsec) is provided in Red Hat Enterprise Linux 6 by the openswan and libreswan packages.

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipsec/package_openswan_installed.rule
documentation_complete: true
title: 'Install openswan or libreswan Package'
description: |-
The openswan and libreswan packages provide an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks.
rationale: |-
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
severity: unknown
identifiers:
    cce: 27626-1
references:
    disa: 1130,1131
    nist: 'AC-17, MA-4, SC-8'
    pcidss: Req-4.1
    srg: SRG-OS-000160
    stigid: RHEL-06-000321
ocil_clause: 'the package is not installed'
ocil: |-

If the system does not communicate over untrusted networks, this is not applicable.

scap-security-guide-0.1.39/rhel6/guide/system/network/network-iptables/iptables_activation/iptables_activation.group
documentation_complete: true
title: 'Inspect and Activate Default Rules'
description: |-
View the currently-enforced iptables rules by running the command:
$ sudo iptables -nL --line-numbers
The command is analogous for ip6tables.

If the firewall does not appear to be active (i.e., no rules appear), activate it and ensure that it starts at boot by issuing the following commands (and analogously for ip6tables):
$ sudo service iptables restart
The default iptables rules are:
Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
1    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source       destination
1    REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source       destination
The ip6tables default rules are essentially the same.

scap-security-guide-0.1.39/rhel6/guide/system/network/network-iptables/iptables_activation/service_ip6tables_enabled.rule
documentation_complete: true
title: 'Verify ip6tables Enabled if Using IPv6'
description: ''
rationale: |-
The ip6tables service provides the system's host-based firewalling capability for IPv6 and ICMPv6.
severity: medium
identifiers:
    cce: 27006-6
references:
    disa: 32,66,1115,1118,1092,1117,1098,1100,1097,1414
    nist: AC-4,CA-3(c),CM-7
    srg: SRG-OS-000152,SRG-OS-000145,SRG-OS-000146
    stigid: RHEL-06-000103
ocil: |-
If IPv6 is disabled, this is not applicable.

scap-security-guide-0.1.39/rhel6/guide/system/network/network-iptables/iptables_activation/service_iptables_enabled.rule
documentation_complete: true
title: 'Verify iptables Enabled'
description: ''
rationale: |-
The iptables service provides the system's host-based firewalling capability for IPv4 and ICMP.
severity: medium
identifiers:
    cce: 27018-1
references:
    disa: 32,66,1115,1118,1092,1117,1098,1100,1097,1414
    nist: AC-4,CA-3(c),CM-7
    srg: SRG-OS-000146,SRG-OS-000152,SRG-OS-000145
    stigid: RHEL-06-000117
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/network/network-iptables/iptables_activation/set_ip6tables_default_rule.rule
documentation_complete: true
title: 'Set Default ip6tables Policy for Incoming Packets'
description: |-
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/ip6tables:
:INPUT DROP [0:0]
If changes were required, reload the ip6tables rules:
$ sudo service ip6tables reload
rationale: |-
In ip6tables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
severity: medium
identifiers:
    cce: 27317-7
references:
    disa: 66
    nist: CM-7
    srg: SRG-OS-000231
    stigid: RHEL-06-000523
ocil_clause: 'the default policy for the INPUT chain is not set to DROP'
ocil: |-
If IPv6 is disabled, this is not applicable.

Inspect the file /etc/sysconfig/ip6tables to determine the default policy for the INPUT chain. It should be set to DROP:
$ sudo grep ":INPUT" /etc/sysconfig/ip6tables
scap-security-guide-0.1.39/rhel6/guide/system/network/network-iptables/network-iptables.group
documentation_complete: true
title: 'iptables and ip6tables'
description: |-
A host-based firewall called netfilter is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program iptables, and the entire capability is frequently referred to by this name. An analogous program called ip6tables handles filtering for IPv6.

Unlike TCP Wrappers, which depends on the network server program to support and respect the rules written, netfilter filtering occurs at the kernel level, before a program can even process the data from the network packet. As such, any program on the system is affected by the rules written.

This section provides basic information about strengthening the iptables and ip6tables configurations included with the system. For more complete information that may allow the construction of a sophisticated ruleset tailored to your environment, please consult the references at the end of this section.

scap-security-guide-0.1.39/rhel6/guide/system/network/network-iptables/ruleset_modifications/iptables_icmp_disabled/iptables_icmp_disabled.group
documentation_complete: true
title: 'Restrict ICMP Message Types'
description: |-
In /etc/sysconfig/iptables, the accepted ICMP message types can be restricted. To accept only ICMP echo reply, destination unreachable, and time exceeded messages, remove the line:
-A INPUT -p icmp --icmp-type any -j ACCEPT
and insert the lines:
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
To allow the system to respond to pings, also insert the following line:
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
Ping responses can also be limited to certain networks or hosts by using the -s option in the previous rule. Because IPv6 depends so heavily on ICMPv6, it is preferable to deny the ICMPv6 packets you know you don't need (e.g. ping requests) in /etc/sysconfig/ip6tables, while letting everything else through:
-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
If you are going to statically configure the system's address, it should ignore Router Advertisements which could add another IPv6 address to the interface or alter important network settings:
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
Restricting ICMPv6 message types in /etc/sysconfig/ip6tables is not recommended because the operation of IPv6 depends heavily on ICMPv6. Thus, great care must be taken if any other ICMPv6 types are blocked.

scap-security-guide-0.1.39/rhel6/guide/system/network/network-iptables/ruleset_modifications/iptables_log_and_drop_suspicious/iptables_log_and_drop_suspicious.group
documentation_complete: true
title: 'Log and Drop Packets with Suspicious Source Addresses'
description: |-
Packets with non-routable source addresses should be rejected, as they may indicate spoofing. Because the modified policy will reject non-matching packets, you only need to add these rules if you are interested in also logging these spoofing or suspicious attempts before they are dropped. If you do choose to log various suspicious traffic, add identical rules with a target of DROP after each LOG. To log and then drop these IPv4 packets, insert the following rules in /etc/sysconfig/iptables (excepting any that are intentionally used):
-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
    -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
    -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
    -A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
    -A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
    -A INPUT -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
Similarly, you might wish to log packets containing some IPv6 reserved addresses if they are not expected on your network:
-A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: "
    -A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
    -A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
    -A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
    -A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
    -A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
    -A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
    -A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
If you are not expecting to see site-local multicast or auto-tunneled traffic, you can log those:
-A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: "
    -A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: "
If you wish to block multicasts to all link-local nodes (e.g. if you are not using router auto-configuration and do not plan to have any services that multicast to the entire local network), you can block the link-local all-nodes multicast address (before accepting incoming ICMPv6):
-A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: "
However, if you're going to allow IPv4 compatible IPv6 addresses (of the form ::0.0.0.0/96), you should then consider logging the non-routable IPv4-compatible addresses:
-A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: "
    -A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: "
    -A INPUT -s ::224.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: "
    -A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: "
If you are not expecting to see any IPv4 (or IPv4-compatible) traffic on your network, consider logging it before it gets dropped:
-A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: "
    -A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: "
The following rule will log all traffic originating from a site-local address, which is deprecated address space:
-A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: "
scap-security-guide-0.1.39/rhel6/guide/system/network/network-iptables/ruleset_modifications/ruleset_modifications.group
documentation_complete: true
title: 'Strengthen the Default Ruleset'
description: |-
The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in the configuration files iptables and ip6tables in the directory /etc/sysconfig. Many of the lines in these files are similar to the command line arguments that would be provided to the programs /sbin/iptables or /sbin/ip6tables - but some are quite different.

The following recommendations describe how to strengthen the default ruleset configuration file. An alternative to editing this configuration file is to create a shell script that makes calls to the iptables program to load in rules, and then invokes service iptables save to write those loaded rules to /etc/sysconfig/iptables.

The following alterations can be made directly to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Instructions apply to both unless otherwise noted. Language and address conventions for regular iptables are used throughout this section; configuration for ip6tables will be either analogous or explicitly covered.

scap-security-guide-0.1.39/rhel6/guide/system/network/network-iptables/ruleset_modifications/set_iptables_default_rule.rule
documentation_complete: true
title: 'Set Default iptables Policy for Incoming Packets'
description: |-
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/iptables:
:INPUT DROP [0:0]
rationale: |-
In iptables the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
severity: medium
identifiers:
    cce: 26444-0
references:
    disa: 66,1109,1154,1414
    nist: CM-7
    srg: SRG-OS-000231
    stigid: RHEL-06-000120
ocil_clause: 'the default policy for the INPUT chain is not set to DROP'
ocil: |-
Inspect the file /etc/sysconfig/iptables to determine the default policy for the INPUT chain. It should be set to DROP:
$ sudo grep ":INPUT" /etc/sysconfig/iptables
scap-security-guide-0.1.39/rhel6/guide/system/network/network-iptables/ruleset_modifications/set_iptables_default_rule_forward.rule
documentation_complete: true
title: 'Set Default iptables Policy for Forwarded Packets'
description: |-
To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in /etc/sysconfig/iptables:
:FORWARD DROP [0:0]
rationale: |-
In iptables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
severity: medium
identifiers:
    cce: 27186-6
references:
    disa: 1109
    nist: CM-7
    srg: SRG-OS-000147
    stigid: RHEL-06-000320
ocil_clause: 'the default policy for the FORWARD chain is not set to DROP'
ocil: |-
Run the following command to ensure the default FORWARD policy is DROP:
grep ":FORWARD" /etc/sysconfig/iptables
The output should be similar to the following:
$ sudo grep ":FORWARD" /etc/sysconfig/iptables
    :FORWARD DROP [0:0]
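The manual checks in the OCIL text above (grep for the policy lines and the ICMP and LOG rules) can be scripted. The following POSIX shell script is an added example, not code from scap-security-guide: it audits a file in /etc/sysconfig/iptables format for the DROP default policies, the restricted ICMP types, and the LOG/DROP pairing this section describes, using two constructed sample rulesets.

```shell
#!/bin/sh
# Added audit helper, not part of scap-security-guide: checks a ruleset file in
# /etc/sysconfig/iptables format for the changes this section describes (DROP
# policies, restricted ICMP types, LOG rules paired with DROP). Samples are constructed.

# Default policy of a built-in chain, read from its ":CHAIN POLICY [pkts:bytes]" line.
chain_policy() {
    sed -n "s/^:$2 \([A-Z]*\) \[[0-9]*:[0-9]*\][[:space:]]*$/\1/p" "$1" | head -n 1
}

# True if the catch-all ICMP accept rule the guide says to remove is still present.
icmp_accepts_any() {
    grep -Eq '^-A INPUT -p icmp --icmp-type any -j ACCEPT' "$1"
}

# True if the named ICMP type is explicitly accepted on the INPUT chain.
icmp_type_accepted() {
    grep -Eq "^-A INPUT -p icmp --icmp-type $2 -j ACCEPT" "$1"
}

# The guide pairs each "-s/-d <net> -j LOG" rule with an identical DROP rule.
# Prints the address matches that have no DROP; exit status 1 if any were found.
unpaired_log_rules() {
    awk '
        /^-A INPUT -[sd] [^ ]+ -j LOG/  { logged[$3 " " $4] = 1 }
        /^-A INPUT -[sd] [^ ]+ -j DROP/ { dropped[$3 " " $4] = 1 }
        END {
            bad = 0
            for (n in logged) if (!(n in dropped)) { print n; bad = 1 }
            exit bad
        }' "$1"
}

# Prints one line per finding; the return value is the number of findings.
audit_iptables() {
    f=$1; findings=0
    for chain in INPUT FORWARD; do
        [ "$(chain_policy "$f" "$chain")" = DROP ] ||
            { echo "$chain default policy is not DROP"; findings=$((findings + 1)); }
    done
    if icmp_accepts_any "$f"; then
        echo "all ICMP types are accepted"; findings=$((findings + 1))
    fi
    for t in echo-reply destination-unreachable time-exceeded; do
        icmp_type_accepted "$f" "$t" ||
            { echo "ICMP $t is not accepted"; findings=$((findings + 1)); }
    done
    unpaired_log_rules "$f" >/dev/null ||
        { echo "LOG rule without a matching DROP rule"; findings=$((findings + 1)); }
    return $findings
}

# Constructed sample: a default-style RHEL 6 ruleset before hardening
# (plus one LOG rule that was added without its DROP). Prints the file name.
write_default_sample() {
    out=$(mktemp); cat >"$out" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
    echo "$out"
}

# Constructed sample: the same ruleset after applying this section's changes.
write_hardened_sample() {
    out=$(mktemp); cat >"$out" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
-A INPUT -d 127.0.0.0/8 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
    echo "$out"
}

# Demo on the samples; on a real host run: audit_iptables /etc/sysconfig/iptables
hardened=$(write_hardened_sample); weak=$(write_default_sample)
audit_iptables "$hardened" && echo "hardened sample: no findings"
audit_iptables "$weak" || echo "default sample: $? finding(s)"
rm -f "$hardened" "$weak"
```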
scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/configuring_ipv6.group
documentation_complete: true
title: 'Configure IPv6 Settings if Necessary'
description: |-
A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from the network. From a security perspective, manually configuring important configuration information is preferable to accepting it from the network in an unauthenticated fashion.

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/disabling_ipv6_autoconfig.group
documentation_complete: true
title: 'Disable Automatic Configuration'
description: |-
Disable the system's acceptance of router advertisements and redirects by adding or correcting the following line in /etc/sysconfig/network (note that this does not disable sending router solicitations):
IPV6_AUTOCONF=no
scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysconfig_network_IPV6_AUTOCONF_value.var
documentation_complete: true
title: IPV6_AUTOCONF
description: |-
Toggle global IPv6 auto-configuration (only if global forwarding is disabled)
type: string
operator: equals
interactive: false
options:
    default: no
    disabled: no
    enabled: yes

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_ra.rule
documentation_complete: true
title: 'Configure Accepting IPv6 Router Advertisements'
description: ''
rationale: 'An illicit router advertisement message could result in a man-in-the-middle attack.'
severity: unknown
identifiers:
    cce: RHEL6-CCE-TBD
references:
    cis: 4.4.1.1
    nist: CM-7
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_ra_value.var
documentation_complete: true
title: net.ipv6.conf.all.accept_ra
description: 'Accept all router advertisements?'
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_redirects.rule
documentation_complete: true
title: 'Configure Accepting IPv6 Redirects By Default'
description: ''
rationale: 'An illicit ICMP redirect message could result in a man-in-the-middle attack.'
severity: medium
identifiers:
    cce: RHEL6-CCE-TBD
references:
    cis: 4.4.1.2
    disa: 1551
    nist: CM-7
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_redirects_value.var
documentation_complete: true
title: net.ipv6.conf.all.accept_redirects
description: 'Toggle ICMP Redirect Acceptance'
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_source_route.rule
documentation_complete: true
title: 'Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces'
description: ''
rationale: |-
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
severity: medium
identifiers:
    cce: RHEL6-CCE-TBD
references:
    disa: 366
    nist: AC-4
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_accept_source_route_value.var
documentation_complete: true
title: net.ipv6.conf.all.accept_source_route
description: |-
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_forwarding.rule
documentation_complete: true
title: 'Disable Kernel Parameter for IPv6 Forwarding'
description: ''
rationale: |-
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
severity: medium
identifiers:
    cce: RHEL6-CCE-TBD
references:
    cis: 4.1.1
    disa: 366
    nist: CM-7,SC-5
ocil: |-
The ability to forward packets is only appropriate for routers.
scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_forwarding_value.var
documentation_complete: true
title: net.ipv6.conf.all.forwarding
description: 'Toggle IPv6 Forwarding'
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_ra.rule
documentation_complete: true
title: 'Configure Accepting IPv6 Router Advertisements'
description: ''
rationale: 'An illicit router advertisement message could result in a man-in-the-middle attack.'
severity: unknown
identifiers:
    cce: 27164-3
references:
    cis: 4.4.1.1
    nist: CM-7
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_ra_value.var
documentation_complete: true
title: net.ipv6.conf.default.accept_ra
description: 'Accept default router advertisements by default?'
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_redirects.rule
documentation_complete: true
title: 'Configure Accepting IPv6 Redirects By Default'
description: ''
rationale: 'An illicit ICMP redirect message could result in a man-in-the-middle attack.'
severity: medium
identifiers:
    cce: 27166-8
references:
    cis: 4.4.1.2
    disa: 1551
    nist: CM-7
    srg: SRG-OS-999999
    stigid: RHEL-06-000099
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_redirects_value.var
documentation_complete: true
title: net.ipv6.conf.default.accept_redirects
description: 'Toggle ICMP Redirect Acceptance By Default'
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_source_route.rule
documentation_complete: true
title: 'Configure Kernel Parameter for Accepting Source-Routed Packets for Interfaces By Default'
description: ''
rationale: |-
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
severity: medium
identifiers:
    cce: RHEL6-CCE-TBD
references:
    disa: 366
    nist: AC-4
ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_source_route_value.var
documentation_complete: true
title: net.ipv6.conf.default.accept_source_route
description: |-
Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_default_gateway.rule
documentation_complete: true
title: 'Manually Assign IPv6 Router Address'
description: |-
Edit the file /etc/sysconfig/network-scripts/ifcfg-interface, and add or correct the following line (substituting your gateway IP as appropriate):
IPV6_DEFAULTGW=2001:0DB8::0001
Router addresses should be manually set and not accepted via any auto-configuration or router advertisement.
rationale: ""
severity: unknown
identifiers:
    cce: 27234-4
references:
    nist: CM-6(b)

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_limit_requests/network_ipv6_limit_requests.group
documentation_complete: true
title: 'Limit Network-Transmitted Configuration if Using Static IPv6 Addresses'
description: |-
To limit the configuration information requested from other systems and accepted from the network on a system that uses statically-configured IPv6 addresses, add the following lines to /etc/sysctl.conf:
net.ipv6.conf.default.router_solicitations = 0
    net.ipv6.conf.default.accept_ra_rtr_pref = 0
    net.ipv6.conf.default.accept_ra_pinfo = 0
    net.ipv6.conf.default.accept_ra_defrtr = 0
    net.ipv6.conf.default.autoconf = 0
    net.ipv6.conf.default.dad_transmits = 0
    net.ipv6.conf.default.max_addresses = 1
The router_solicitations setting determines how many router solicitations are sent when bringing up the interface. If addresses are statically assigned, there is no need to send any solicitations.

The accept_ra_pinfo setting controls whether the system will accept prefix info from the router.

The accept_ra_defrtr setting controls whether the system will accept Hop Limit settings from a router advertisement. Setting it to 0 prevents a router from changing your default IPv6 Hop Limit for outgoing packets.

The autoconf setting controls whether router advertisements can cause the system to assign a global unicast address to an interface.

The dad_transmits setting determines how many neighbor solicitations to send out per address (global and link-local) when bringing up an interface to ensure the desired address is unique on the network.

The max_addresses setting determines how many global unicast IPv6 addresses can be assigned to each interface. The default is 16, but it should be set to exactly the number of statically configured global addresses required.

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions.rule
documentation_complete: true
title: 'Use Privacy Extensions for Address'
description: |-
To introduce randomness into the automatic generation of IPv6 addresses, add or correct the following line in /etc/sysconfig/network-scripts/ifcfg-interface:
IPV6_PRIVACY=rfc3041
Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. Ethernet) address, and so it becomes possible to track a piece of hardware over its lifetime using its traffic. If it is important for a system's IP address to not trivially reveal its hardware address, this setting should be applied.
rationale: ""
severity: unknown
identifiers:
    cce: 27154-4
references:
    nist: CM-6(b)

scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_static_address.rule
documentation_complete: true
title: 'Manually Assign Global IPv6 Address'
description: |-
To manually assign an IP address for an interface, edit the file /etc/sysconfig/network-scripts/ifcfg-interface. Add or correct the following line (substituting the correct IPv6 address):
IPV6ADDR=2001:0DB8::ABCD/64
Manually assigning an IP address is preferable to accepting one from routers or from the network otherwise. The example address here is an IPv6 address reserved for documentation purposes, as defined by RFC3849. rationale: "" severity: unknown identifiers: cce: 27233-6 references: nist: CM-6(b) scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/disabling_ipv6/000077500000000000000000000000001327242345500301065ustar00rootroot00000000000000disabling_ipv6.group000066400000000000000000000006461327242345500340130ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/disabling_ipv6documentation_complete: true title: 'Disable Support for IPv6 Unless Needed' description: |- Despite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 address is assigned. The only way to effectively prevent execution of the IPv6 networking stack is to instruct the system not to activate the IPv6 kernel module. kernel_module_ipv6_option_disabled.rule000066400000000000000000000030611327242345500377300ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/disabling_ipv6documentation_complete: true title: 'Disable IPv6 Networking Support Automatic Loading' description: |- To prevent the IPv6 kernel module (ipv6) from binding to the IPv6 networking stack, add the following line to /etc/modprobe.d/disabled.conf (or another file in /etc/modprobe.d):
    options ipv6 disable=1
    This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol.

rationale: |-
    Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.

severity: medium

identifiers:
    cce: 27153-6

references:
    disa: 1551
    nist: CM-7
    srg: SRG-OS-999999
    stigid: RHEL-06-000098

ocil_clause: 'the ipv6 kernel module is not disabled'

ocil: |-
    If the system uses IPv6, this is not applicable.

    If the system is configured to disable the ipv6 kernel module, it will contain a line of the form:
    options ipv6 disable=1
    Such lines may be inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf. This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps it inactive. Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
    $ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d
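The grep in the OCIL text above also matches commented-out lines and unrelated mentions of ipv6 (for example an alias line). As an added example that is not part of scap-security-guide, this POSIX shell function applies the stricter check of whether an active `options ipv6 disable=1` line exists in the given modprobe paths; the directory it is run against is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from scap-security-guide. Checks whether the ipv6 kernel
# module is disabled by an active (uncommented) "options ipv6 disable=1" line
# in any of the given modprobe paths; the sample directory below is constructed.

# ipv6_module_disabled PATH...
# PATH is a modprobe.d-style directory or a single file such as /etc/modprobe.conf.
# Prints each matching "file:line" and returns 0 if at least one active line sets
# disable=1 for ipv6, 1 otherwise. Unlike a plain "grep -r ipv6", a commented-out
# "# options ipv6 disable=1" or an "alias net-pf-10 ipv6" line does not count.
ipv6_module_disabled() {
    matches=$(grep -rE \
        '^[[:space:]]*options[[:space:]]+ipv6[[:space:]]+(.*[[:space:]])?disable=1([[:space:]]|$)' \
        "$@" 2>/dev/null) || return 1
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
    return 0
}

# make_sample_modprobe_dir
# Creates a temporary directory holding two constructed modprobe.d trees and
# prints its path: "enabled" only mentions ipv6, "disabled" really disables it.
make_sample_modprobe_dir() {
    base=$(mktemp -d) || return 1
    mkdir "$base/enabled" "$base/disabled"
    printf '# options ipv6 disable=1\nalias net-pf-10 ipv6\n' > "$base/enabled/ipv6.conf"
    printf 'blacklist usb-storage\n' > "$base/disabled/blacklist.conf"
    printf '  options ipv6 disable=1\n' > "$base/disabled/disabled.conf"
    printf '%s\n' "$base"
}

# Demo run: one tree passes the check, the other fails it.
sample=$(make_sample_modprobe_dir)
for tree in enabled disabled; do
    if ipv6_module_disabled "$sample/$tree"; then
        echo "$tree: ipv6 module disabled"
    else
        echo "$tree: ipv6 module NOT disabled"
    fi
done
rm -rf "$sample"
```

On a real host the call is `ipv6_module_disabled /etc/modprobe.conf /etc/modprobe.d`, which mirrors the OCIL command's arguments.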
# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_interfaces.rule
documentation_complete: true

title: 'Disable Interface Usage of IPv6'

description: |-
    To disable interface usage of IPv6, add or correct the following lines in /etc/sysconfig/network:
    NETWORKING_IPV6=no
    IPV6INIT=no

rationale: ""

severity: unknown

identifiers:
    cce: 27161-9

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc.rule
documentation_complete: true

title: 'Disable Support for RPC IPv6'

description: |-
    RPC services for NFSv4 try to load transport modules for udp6 and tcp6 by default, even if IPv6 has been disabled in /etc/modprobe.d. To prevent RPC services such as rpc.mountd from attempting to start IPv6 network listeners, remove or comment out the following two lines in /etc/netconfig:
    udp6       tpi_clts      v     inet6    udp     -       -
    tcp6       tpi_cots_ord  v     inet6    tcp     -       -

rationale: ""

severity: unknown

identifiers:
    cce: 27232-8

references:
    nist: CM-7

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-ipv6/network-ipv6.group
documentation_complete: true

title: IPv6

description: |-
    The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important feature is its support for automatic configuration of many network settings.

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network-kernel.group
documentation_complete: true

title: 'Kernel Parameters Which Affect Networking'

description: |-
    The sysctl utility is used to set parameters which affect the operation of the Linux kernel. Kernel parameters which affect networking and have security implications are described here.

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/network_host_and_router_parameters.group
documentation_complete: true

title: 'Network Related Kernel Runtime Parameters for Hosts and Routers'

description: |-
    Certain kernel parameters should be set for systems which are acting as either hosts or routers to improve the system's ability to defend against certain types of IPv4 protocol attacks.
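For the 'Disable Support for RPC IPv6' rule above, here is an added example, not part of scap-security-guide, of applying the "comment out" remediation in an idempotent way: a POSIX shell function that prefixes `#` to the udp6 and tcp6 entries of a netconfig(5)-style file and leaves every other transport and any already-commented line alone. The file it edits is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from scap-security-guide. Comments out the udp6 and tcp6
# transport entries of a netconfig(5)-style file so that RPC services such as
# rpc.mountd do not try to open IPv6 listeners; the sample file is constructed.

# disable_netconfig_ipv6 FILE
# Prefixes "#" to every active line whose first field is udp6 or tcp6, leaving
# other transports and already-commented lines untouched, and rewrites FILE
# through a temp file. Prints the number of lines changed (0 on a second run).
disable_netconfig_ipv6() {
    file="$1"
    pattern='^[[:space:]]*(udp6|tcp6)[[:space:]]'
    changed=$(grep -cE "$pattern" "$file") || changed=0
    if [ "$changed" -gt 0 ]; then
        tmp="$file.tmp.$$"
        # "&" in the replacement is the matched text, so the line keeps its layout
        sed -E "s/$pattern/#&/" "$file" > "$tmp" && mv "$tmp" "$file"
    fi
    printf '%s\n' "$changed"
}

# write_sample_netconfig FILE
# Writes a constructed file modelled on the layout of /etc/netconfig.
write_sample_netconfig() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/netconfig
udp        tpi_clts      v     inet     udp     -       -
tcp        tpi_cots_ord  v     inet     tcp     -       -
udp6       tpi_clts      v     inet6    udp     -       -
tcp6       tpi_cots_ord  v     inet6    tcp     -       -
rawip      tpi_raw       -     inet      -      -       -
local      tpi_cots_ord  -     loopback  -      -       -
unix       tpi_cots_ord  -     loopback  -      -       -
EOF
}

# Demo run: the first call changes two lines, the second changes none.
sample=$(mktemp)
write_sample_netconfig "$sample"
echo "first run changed $(disable_netconfig_ipv6 "$sample") line(s)"
echo "second run changed $(disable_netconfig_ipv6 "$sample") line(s)"
cat "$sample"
rm -f "$sample"
```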
# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects.rule
documentation_complete: true

title: 'Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces'

description: ''

rationale: |-
    Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.

severity: medium

identifiers:
    cce: 27027-2

references:
    disa: 1503,1551
    nist: CM-7,SC-5
    srg: SRG-OS-999999
    stigid: RHEL-06-000084

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects_value.var
documentation_complete: true

title: net.ipv4.conf.all.accept_redirects

description: 'Disable ICMP Redirect Acceptance'

type: number

operator: equals

interactive: false

options:
    default: "0"
    disabled: "0"
    enabled: 1

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route.rule
documentation_complete: true

title: 'Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces'

description: ''

rationale: |-
    Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

severity: medium

identifiers:
    cce: 27037-1

references:
    disa: 1551
    nist: CM-7,SC-5
    srg: SRG-OS-999999
    stigid: RHEL-06-000083

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route_value.var
documentation_complete: true

title: net.ipv4.conf.all.accept_source_route

description: |-
    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.

type: number

operator: equals

interactive: false

options:
    default: "0"
    disabled: "0"
    enabled: 1

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians.rule
documentation_complete: true

title: 'Configure Kernel Parameter to Log Martian Packets'

description: ''

rationale: |-
    The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

severity: unknown

identifiers:
    cce: 27066-0

references:
    disa: 126
    nist: AC-3(10),CM-7,SC-5(3)
    srg: SRG-OS-999999
    stigid: RHEL-06-000088

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians_value.var
documentation_complete: true

title: net.ipv4.conf.all.log_martians

description: |-
    Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets

type: number

operator: equals

interactive: false

options:
    default: "0"
    disabled: "0"
    enabled: 1

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter.rule
documentation_complete: true

title: 'Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces'

description: ''

rationale: |-
    Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

severity: medium

identifiers:
    cce: 26979-5

references:
    disa: 1551
    nist: AC-4,SC-5,SC-7
    srg: SRG-OS-999999
    stigid: RHEL-06-000096

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
documentation_complete: true

title: net.ipv4.conf.all.rp_filter

description: |-
    Enable to enforce sanity checking, also called ingress filtering or egress filtering.
    The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense when considered in light of the physical interface on which it arrived.

type: number

operator: equals

interactive: false

options:
    default: 1
    disabled: "0"
    enabled: 1

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects.rule
documentation_complete: true

title: 'Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces'

description: ''

rationale: |-
    Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

severity: medium

identifiers:
    cce: 26854-0

references:
    disa: 1503,1551
    nist: AC-4,CM-7,SC-5
    srg: SRG-OS-999999
    stigid: RHEL-06-000086

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects_value.var
documentation_complete: true

title: net.ipv4.conf.all.secure_redirects

description: |-
    Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table.

type: number

operator: equals

interactive: false

options:
    default: 1
    disabled: "0"
    enabled: 1

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects.rule
documentation_complete: true

title: 'Configure Kernel Parameter for Accepting ICMP Redirects By Default'

description: ''

rationale: |-
    This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
severity: unknown

identifiers:
    cce: 27015-7

references:
    disa: 1551
    nist: AC-4,CM-7,SC-5,SC-7
    srg: SRG-OS-999999
    stigid: RHEL-06-000091

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects_value.var
documentation_complete: true

title: net.ipv4.conf.default.accept_redirects

description: 'Disable ICMP Redirect Acceptance?'

type: number

operator: equals

interactive: false

options:
    default: "0"
    disabled: "0"
    enabled: 1

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route.rule
documentation_complete: true

title: 'Configure Kernel Parameter for Accepting Source-Routed Packets By Default'

description: ''

rationale: |-
    Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.

severity: medium

identifiers:
    cce: 26983-7

references:
    disa: 1551
    nist: AC-4,CM-7,SC-5,SC-7
    srg: SRG-OS-999999
    stigid: RHEL-06-000089

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route_value.var
documentation_complete: true

title: net.ipv4.conf.default.accept_source_route

description: 'Disable IP source routing?'

type: number

operator: equals

interactive: false

options:
    default: "0"
    disabled: "0"
    enabled: 1

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter.rule
documentation_complete: true

title: 'Configure Kernel Parameter to Use Reverse Path Filtering by Default'

description: ''

rationale: |-
    Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.

severity: medium

identifiers:
    cce: 26915-9

references:
    nist: AC-4,SC-5,SC-7
    srg: SRG-OS-999999
    stigid: RHEL-06-000097

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter_value.var
documentation_complete: true

title: net.ipv4.conf.default.rp_filter

description: 'Enables source route verification'

type: number

operator: equals

interactive: false

options:
    default: 1
    disabled: "0"
    enabled: 1

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects.rule
documentation_complete: true

title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default'

description: ''

rationale: |-
    Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

severity: medium

identifiers:
    cce: 26831-8

references:
    disa: 1551
    nist: AC-4,CM-7,SC-5,SC-7
    srg: SRG-OS-999999
    stigid: RHEL-06-000090

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects_value.var
documentation_complete: true

title: net.ipv4.conf.default.secure_redirects

description: |-
    Log packets with impossible addresses to kernel log?

type: number

operator: equals

interactive: false

options:
    default: 1
    disabled: "0"
    enabled: 1

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.rule
documentation_complete: true

title: 'Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests'

description: ''

rationale: |-
    Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
severity: unknown

identifiers:
    cce: 26883-9

references:
    disa: 1551
    nist: CM-7,SC-5
    srg: SRG-OS-999999
    stigid: RHEL-06-000092

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value.var
documentation_complete: true

title: net.ipv4.icmp_echo_ignore_broadcasts

description: |-
    Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast

type: number

operator: equals

interactive: false

options:
    default: 1
    disabled: "0"
    enabled: 1

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.rule
documentation_complete: true

title: 'Configure Kernel Parameter to Ignore Bogus ICMP Error Responses'

description: ''

rationale: |-
    Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

severity: unknown

identifiers:
    cce: 26993-6

references:
    nist: CM-7,SC-5
    srg: SRG-OS-999999
    stigid: RHEL-06-000093

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value.var
documentation_complete: true

title: net.ipv4.icmp_ignore_bogus_error_responses

description: 'Enable to prevent unnecessary logging'

type: number

operator: equals

interactive: false

options:
    default: 1
    disabled: "0"
    enabled: 1

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies.rule
documentation_complete: true

title: 'Configure Kernel Parameter to Use TCP Syncookies'

description: ''

rationale: |-
    A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

severity: medium

identifiers:
    cce: 27053-8

references:
    disa: '1092, 1095'
    nist: AC-4,SC-5(2),SC-5(3)
    srg: SRG-OS-000142
    stigid: RHEL-06-000095

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies_value.var
documentation_complete: true

title: net.ipv4.tcp_syncookies

description: |-
    Enable to turn on TCP SYN Cookie Protection

type: number

operator: equals

interactive: false

options:
    default: 1
    disabled: "0"
    enabled: 1

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_parameters/network_host_parameters.group
documentation_complete: true

title: 'Network Parameters for Hosts Only'

description: |-
    If the system is not going to be used as a router, then setting certain kernel parameters ensures that the host will not perform routing of network traffic.

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects.rule
documentation_complete: true

title: 'Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces'

description: ''

rationale: |-
    Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

severity: medium

identifiers:
    cce: 27004-1

references:
    disa: 1551
    nist: CM-7,SC-5(1)
    srg: SRG-OS-999999
    stigid: RHEL-06-000081

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects.rule
documentation_complete: true

title: 'Disable Kernel Parameter for Sending ICMP Redirects by Default'

description: ''

rationale: |-
    Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.

severity: medium

identifiers:
    cce: 27001-7

references:
    disa: 1551
    nist: AC-4,CM-7,SC-5,SC-7
    srg: SRG-OS-999999
    stigid: RHEL-06-000080

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward.rule
documentation_complete: true

title: 'Disable Kernel Parameter for IP Forwarding'

description: ''

rationale: |-
    IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.

severity: medium

identifiers:
    cce: 26866-4

references:
    disa: 366
    nist: 'CM-7, SC-5'
    srg: SRG-OS-999999
    stigid: RHEL-06-000082

ocil: |-
    The ability to forward packets is only appropriate for routers.
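The sysctl rules in the two groups above give only their rationale. As an added example that is not part of scap-security-guide, this POSIX shell audit reads a sysctl.conf-style file and reports every host-and-router or host-only parameter whose last active assignment differs from the value the rule rationale calls for. It assumes, as on RHEL 6, that the persistent settings live in /etc/sysctl.conf (the rule text above does not name the file), and the expected values are taken from the rationales, not from the .var defaults; the file it audits is constructed.

```shell
#!/bin/sh
# Added example, not from scap-security-guide. Audits a sysctl.conf-style file
# against the values the rule rationales above call for. Assumes, as on RHEL 6,
# that persistent settings live in /etc/sysctl.conf; the sample file is constructed.

# Parameter and expected value, one pair per line, following each rule's rationale
# (not the .var defaults). Keys are in dotted form; "/" separators are not handled.
EXPECTED_SYSCTLS='
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.default.secure_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.ip_forward 0
'

# sysctl_conf_value FILE KEY
# Prints the value of the last active "KEY = value" line (sysctl -p applies lines
# in order, so a later line overrides an earlier one); comments introduced by
# "#" or ";" are stripped first. Prints nothing if KEY is never set.
sysctl_conf_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the key are literal
    sed -n -e 's/[[:space:]]*[#;].*$//' \
        -e "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        "$1" | tail -n 1
}

# audit_sysctl_conf FILE
# Prints one line per parameter that is unset or differs from EXPECTED_SYSCTLS
# and returns 1 in that case; prints nothing and returns 0 when FILE complies.
audit_sysctl_conf() {
    report=$(printf '%s\n' "$EXPECTED_SYSCTLS" | while read -r key want; do
        [ -n "$key" ] || continue
        have=$(sysctl_conf_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: have "%s", want %s\n' "$key" "${have:-<unset>}" "$want"
        fi
    done)
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# write_sample_sysctl_conf FILE
# Writes a constructed sysctl.conf: compliant except that default.send_redirects
# is only present as a comment and a later line re-enables ip_forward.
write_sample_sysctl_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host configuration
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
# net.ipv4.conf.default.send_redirects = 0   ; commented out, so it is unset
net.ipv4.ip_forward = 1   # later line wins: this host would route packets
EOF
}

# Demo run: reports the missing parameter and the re-enabled ip_forward.
sample=$(mktemp)
write_sample_sysctl_conf "$sample"
if audit_sysctl_conf "$sample"; then
    echo "$sample: compliant"
else
    echo "$sample: NOT compliant"
fi
rm -f "$sample"
```

The audit reads the file only; whether the running kernel agrees is a separate check (`sysctl -n KEY`), since /etc/sysctl.conf is applied at boot or by `sysctl -p`.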
# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-uncommon/kernel_module_dccp_disabled.rule
documentation_complete: true

title: 'Disable DCCP Support'

description: |-
    The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony.

rationale: |-
    Disabling DCCP protects the system against exploitation of any flaws in its implementation.

severity: medium

identifiers:
    cce: 26448-1

references:
    disa: 382
    nist: CM-7
    srg: SRG-OS-000096
    stigid: RHEL-06-000124

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-uncommon/kernel_module_rds_disabled.rule
documentation_complete: true

title: 'Disable RDS Support'

description: |-
    The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster.

rationale: |-
    Disabling RDS protects the system against exploitation of any flaws in its implementation.

severity: unknown

identifiers:
    cce: 26239-4

references:
    disa: 382
    nist: CM-7
    srg: SRG-OS-000096
    stigid: RHEL-06-000126

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-uncommon/kernel_module_sctp_disabled.rule
documentation_complete: true

title: 'Disable SCTP Support'

description: |-
    The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection.

rationale: |-
    Disabling SCTP protects the system against exploitation of any flaws in its implementation.

severity: medium

identifiers:
    cce: 26410-1

references:
    disa: 382
    nist: CM-7
    srg: SRG-OS-000096
    stigid: RHEL-06-000125

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-uncommon/kernel_module_tipc_disabled.rule
documentation_complete: true

title: 'Disable TIPC Support'

description: |-
    The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster.

rationale: |-
    Disabling TIPC protects the system against exploitation of any flaws in its implementation.

severity: medium

identifiers:
    cce: 26696-5

references:
    disa: 382
    nist: CM-7
    srg: SRG-OS-000096
    stigid: RHEL-06-000127

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-uncommon/network-uncommon.group
documentation_complete: true

title: 'Uncommon Network Protocols'

description: |-
    The system includes support for several network protocols which are not commonly used. Although security vulnerabilities in kernel networking code are not frequently discovered, the consequences can be dramatic. Ensuring uncommon network protocols are disabled reduces the system's risk to attacks targeted at its implementation of those protocols.

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-wireless/network-wireless.group
documentation_complete: true

title: 'Wireless Networking'

description: |-
    Wireless networking, such as 802.11 (WiFi) and Bluetooth, can present a security risk to sensitive or classified systems and networks. Wireless networking hardware is much more likely to be included in laptop or portable systems than in desktops or servers.

    Removal of hardware provides the greatest assurance that the wireless capability remains disabled. Acquisition policies often include provisions to prevent the purchase of equipment that will be used in sensitive spaces and includes wireless capabilities. If it is impractical to remove the wireless hardware, and policy permits the device to enter sensitive spaces as long as wireless is disabled, efforts should instead focus on disabling wireless capability via software.
    install bluetooth /bin/true

rationale: |-
    If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.

severity: medium

identifiers:
    cce: 26763-3

references:
    disa: 85,1551
    nist: AC-18(a),AC-18(d),AC-18(3),CM-7
    srg: SRG-OS-000034
    stigid: RHEL-06-000315

ocil: ''

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-wireless/wireless_software/service_bluetooth_disabled.rule
documentation_complete: true

title: 'Disable Bluetooth Service'

description: |-
    $ sudo service bluetooth stop

rationale: |-
    Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.

severity: medium

identifiers:
    cce: 27081-9

references:
    disa: 85,1551
    nist: AC-18(a),AC-18(d),AC-18(3),CM-7
    srg: SRG-OS-000034
    stigid: RHEL-06-000331

ocil_clause: 'the service is configured to run'

ocil: |-
    To check that the bluetooth service is disabled in system boot configuration, run the following command:
    # chkconfig bluetooth --list
    Output should indicate the bluetooth service has either not been installed or has been disabled at all runlevels, as shown in the example below:
    # chkconfig bluetooth --list
    bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-wireless/wireless_software/wireless_disable_in_bios.rule
documentation_complete: true

title: 'Disable WiFi or Bluetooth in BIOS'

description: |-
    Some systems that include built-in wireless support offer the ability to disable the device through the BIOS. This is system-specific; consult your hardware manual or explore the BIOS setup during boot.

rationale: |-
    Disabling wireless support in the BIOS prevents easy activation of the wireless interface, generally requiring administrators to reboot the system first.

severity: unknown

identifiers:
    cce: 26878-9

references:
    disa: 85
    nist: AC-18(a),AC-18(d),AC-18(3),CM-7

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces.rule
documentation_complete: true

title: 'Deactivate Wireless Network Interfaces'

description: |-
    Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

    First, identify the interfaces available with the command:
    $ ifconfig -a
    Additionally, the following command may be used to determine whether wireless support is included for a particular interface, though this may not always be a clear indicator:
    $ iwconfig
    After identifying any wireless interfaces (which may have names like wlan0, ath0, wifi0, em1 or eth0), deactivate the interface with the command:
    $ sudo ifdown interface
    These changes will only last until the next reboot. To disable the interface for future boots, remove the appropriate interface file from /etc/sysconfig/network-scripts:
    $ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface

rationale: |-
    The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.

severity: medium

identifiers:
    cce: 27057-9

references:
    disa: 85,2418
    nist: AC-18(a),AC-18(d),AC-18(3),CM-7
    srg: ""
    stigid: RHEL-06-000293

ocil_clause: 'it is not'

ocil: |-
    To verify that wireless interfaces have been disabled, run the following command:
    $ ifconfig -a
    The output should not contain any wireless interface.

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network-wireless/wireless_software/wireless_software.group
documentation_complete: true

title: 'Disable Wireless Through Software Configuration'

description: |-
    If it is impossible to remove the wireless hardware from the device in question, disable as much of it as possible through software. The following methods can disable software support for wireless networking, but note that these methods do not prevent malicious software or careless users from re-activating the devices.

# file: scap-security-guide-0.1.39/rhel6/guide/system/network/network.group
documentation_complete: true

title: 'Network Configuration and Firewalls'

description: |-
    Most machines must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking which must be made when configuring a system.

This section also discusses firewalls, network access controls, and other network security frameworks, which allow system-level rules to be written that can limit an attackers' ability to connect to your system. These rules can specify that network traffic should be allowed or denied from certain IP addresses, hosts, and networks. The rules can also specify which of the system's network services are available to particular hosts or networks. scap-security-guide-0.1.39/rhel6/guide/system/network/network_disable_unused_interfaces/000077500000000000000000000000001327242345500315755ustar00rootroot00000000000000network_disable_unused_interfaces.group000066400000000000000000000013751327242345500415440ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/network/network_disable_unused_interfacesdocumentation_complete: true title: 'Disable Unused Interfaces' description: "Network interfaces expand the attack surface of the \nsystem. Unused interfaces are not monitored or controlled, and \nshould be disabled.\n

\nIf the system does not require network communications but still\nneeds to use the loopback interface, remove all files of the form\nifcfg-interface except for ifcfg-lo from\n/etc/sysconfig/network-scripts:\n
$ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface
\nIf the system is a standalone machine with no need for network access or even\ncommunication over the loopback device, then disable this service.\n" scap-security-guide-0.1.39/rhel6/guide/system/network/network_disable_zeroconf.rule000066400000000000000000000016141327242345500306070ustar00rootroot00000000000000documentation_complete: true title: 'Disable Zeroconf Networking' description: |- Zeroconf networking allows the system to assign itself an IP address and engage in IP communication without a statically-assigned address or even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0 subnet, add or correct the following line in /etc/sysconfig/network:
NOZEROCONF=yes
rationale: |- Zeroconf addresses are in the network 169.254.0.0. The networking scripts add entries to the system's routing table for these addresses. Zeroconf address assignment commonly occurs when the system is configured to use DHCP but fails to receive an address assignment from the DHCP server. severity: unknown identifiers: cce: 27151-0 references: nist: CM-7 scap-security-guide-0.1.39/rhel6/guide/system/network/network_sniffer_disabled.rule000066400000000000000000000011611327242345500305570ustar00rootroot00000000000000documentation_complete: true title: 'Ensure System is Not Acting as a Network Sniffer' description: |- The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
rationale: |- If any results are returned, then a sniffing process (such as tcpdump or Wireshark) is likely to be using the interface and this should be investigated. severity: unknown identifiers: cce: 27152-8 references: nist: CM-7,MA-3 scap-security-guide-0.1.39/rhel6/guide/system/network/network_ssl/000077500000000000000000000000001327242345500252055ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/network/network_ssl/network_ssl.group000066400000000000000000000015441327242345500306410ustar00rootroot00000000000000documentation_complete: true title: 'Transport Layer Security Support' description: |- Support for Transport Layer Security (TLS), and its predecessor, the Secure Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the OpenSSL software (RPM package openssl). TLS provides encrypted and authenticated network communications, and many network services include support for it. TLS or SSL can be leveraged to avoid any plaintext transmission of sensitive data.
For information on how to use OpenSSL, see . Information on FIPS validation of OpenSSL is available at and . scap-security-guide-0.1.39/rhel6/guide/system/permissions/000077500000000000000000000000001327242345500235155ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/000077500000000000000000000000001327242345500246175ustar00rootroot00000000000000dir_perms_world_writable_sticky_bits.rule000066400000000000000000000033521327242345500351270ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/filesdocumentation_complete: true title: 'Verify that All World-Writable Directories Have Sticky Bits Set' description: |- When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
rationale: "Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.\n

\nThe only authorized public directories are those temporary directories supplied with the system, \nor those designed to be temporary file repositories. The setting is normally reserved for directories \nused by the system, by users for temporary file storage (such as /tmp), and for directories \nrequiring global read/write access." severity: unknown identifiers: cce: 26840-9 references: nist: AC-6 srg: SRG-OS-999999 stigid: RHEL-06-000336 ocil_clause: 'any world-writable directories are missing the sticky bit' ocil: |- To find world-writable directories that lack the sticky bit, run the following command:
$ sudo find / -xdev -type d -perm -002 \! -perm -1000
dir_perms_world_writable_system_owned.rule000066400000000000000000000022271327242345500353200ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/filesdocumentation_complete: true title: 'Ensure All World-Writable Directories Are Owned by a System Account' description: |- All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. rationale: |- Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. severity: unknown identifiers: cce: 26642-9 references: nist: AC-6 srg: SRG-OS-999999 stigid: RHEL-06-000337 ocil_clause: 'there is output' ocil: |- The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition PART:
$ sudo find PART -xdev -type d -perm -0002 -uid +499 -print
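The two world-writable directory checks above (missing sticky bit; not owned by a system account) can be combined into one audit, with the sticky-bit remediation alongside. This is an added example, not text or code from the SCAP Security Guide. It assumes GNU find as shipped with RHEL 6 and takes the starting directory and the system-account UID threshold as arguments (the guide's assumption for RHEL 6 is that system accounts have UIDs below 500, so the threshold would be 499) so that it can be exercised on a scratch directory without root.

```shell
# Added example (not from the SCAP Security Guide): audit world-writable
# directories on one filesystem and apply the sticky-bit remediation.
# $1 = directory to start from (e.g. / or a local partition mount point)
# $2 = highest UID that still counts as a system account (499 on RHEL 6)

# World-writable directories under $1 (same filesystem only) that lack the
# sticky bit.  "-perm -002" tests the other-write bit regardless of the
# remaining mode bits; "\! -perm -1000" excludes directories that already
# carry the sticky bit.  Output is sorted so callers get a stable list.
ww_dirs_without_sticky() {
    find "$1" -xdev -type d -perm -002 \! -perm -1000 -print 2>/dev/null | sort
}

# World-writable directories under $1 whose owner UID is greater than $2,
# i.e. directories owned by an ordinary user rather than a system account.
ww_dirs_not_system_owned() {
    find "$1" -xdev -type d -perm -002 -uid "+$2" -print 2>/dev/null | sort
}

# Remediation for the first check: set the sticky bit on every directory
# it would report.  "-exec ... {} +" passes the paths straight to chmod, so
# odd characters in directory names cannot be misinterpreted by a shell loop.
set_sticky_on_ww_dirs() {
    find "$1" -xdev -type d -perm -002 \! -perm -1000 -exec chmod +t {} +
}

# Usage on a live system (needs root for a full scan):
#   ww_dirs_without_sticky /        # should print nothing
#   ww_dirs_not_system_owned / 499  # investigate anything printed
#   set_sticky_on_ww_dirs /         # fix the first finding
```

Run the two listing functions first and review the output; a directory that is world-writable for no reason is better fixed with `chmod o-w` than by adding the sticky bit, as the rule text above notes.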
file_permissions_unauthorized_sgid.rule000066400000000000000000000017031327242345500346130ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/filesdocumentation_complete: true title: 'Ensure All SGID Executables Are Authorized' description: |- The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is to determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. rationale: |- Executable files with the SGID permission run with the privileges of the group that owns the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system. severity: unknown identifiers: cce: 26769-0 references: nist: AC-6(1) ocil_clause: 'there is output' ocil: |- To find SGID files, run the following command:
$ sudo find / -xdev -type f -perm -2000
file_permissions_unauthorized_suid.rule000066400000000000000000000016421327242345500346330ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/filesdocumentation_complete: true title: 'Ensure All SUID Executables Are Authorized' description: |- The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SUID files is to determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. rationale: |- Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system. severity: unknown identifiers: cce: 26497-8 references: nist: AC-6(1) ocil_clause: 'there is output' ocil: |- To find SUID files, run the following command:
$ sudo find / -xdev -type f -perm -4000
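The SUID and SGID rules above define "unauthorized" as "not installed as part of an RPM package", but their checks only list the files that carry the bit. The following added example (not code from the SCAP Security Guide) closes that gap: it lists setuid and setgid files under a directory tree and reports the ones that `rpm -qf` does not attribute to any installed package. It assumes `rpm` is present; the `PKG_QUERY` variable is this example's own convention for substituting another ownership query, for instance when exercising the functions on a scratch directory.

```shell
# Added example (not from the SCAP Security Guide): find setuid/setgid files
# that no installed RPM package claims.  Assumes the rpm tool; PKG_QUERY is a
# convention of this example so another "does a package own this path?"
# command can be substituted (it must exit 0 when the file is packaged).
PKG_QUERY="${PKG_QUERY:-rpm -qf}"

# Print every regular file under $1 with the SUID (4000) or SGID (2000) bit
# set, one per line.  -xdev keeps the search on one filesystem, as the
# guide's own checks do; run once per local partition for full coverage.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print the setid files under $1 that the package query does not recognise.
# Anything printed here is an "unpackaged" setid file whose origin must be
# investigated before it is trusted (or removed).
find_unpackaged_setid() {
    list_setid_files "$1" | while IFS= read -r f; do
        $PKG_QUERY "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
}

# Usage on a live RHEL 6 system (needs root to read every directory):
#   find_unpackaged_setid /
# Empty output means every setid file on the root filesystem is packaged.
```

A packaged file is not automatically authorized either: `rpm -Vf FILE` verifies the package that owns FILE and flags entries whose mode (`M`), user (`U`) or group (`G`) differ from what the package installed, which is how a setid bit added after installation shows up.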
file_permissions_unauthorized_world_writable.rule000066400000000000000000000022051327242345500367030ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/filesdocumentation_complete: true title: 'Ensure No World-Writable Files Exist' description: |- It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as sysfs or procfs. rationale: |- Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files. severity: medium identifiers: cce: 26910-0 references: nist: AC-6 srg: SRG-OS-999999 stigid: RHEL-06-000282 ocil_clause: 'there is output' ocil: |- To find world-writable files, run the following command:
$ sudo find / -xdev -type f -perm -002
scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/file_permissions_ungroupowned.rule000066400000000000000000000021661327242345500337030ustar00rootroot00000000000000documentation_complete: true title: 'Ensure All Files Are Owned by a Group' description: |- If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. rationale: |- Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. severity: unknown identifiers: cce: 26872-2 references: disa: 224 nist: AC-6 ocil_clause: 'there is output' ocil: |- The following command will discover and print any files on local partitions which do not belong to a valid group. Run it once for each local partition PART:
$ sudo find PART -xdev -nogroup -print
scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/files.group000066400000000000000000000006131327242345500267770ustar00rootroot00000000000000documentation_complete: true title: |- Verify Permissions on Important Files and Directories description: |- Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen. scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/no_files_unowned_by_user.rule000066400000000000000000000022121327242345500325720ustar00rootroot00000000000000documentation_complete: true title: 'Ensure All Files Are Owned by a User' description: |- If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. rationale: |- Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. severity: unknown identifiers: cce: 27032-2 references: disa: 224 nist: AC-6 ocil_clause: 'files exist that are not owned by a valid user' ocil: |- The following command will discover and print any files on local partitions which do not belong to a valid user. Run it once for each local partition PART:
$ sudo find PART -xdev -nouser -print
scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_files/000077500000000000000000000000001327242345500341655ustar00rootroot00000000000000file_groupowner_etc_group.rule000066400000000000000000000010771327242345500422610ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify Group Who Owns group File' description: '' rationale: |- The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. severity: medium identifiers: cce: 26930-8 references: disa: 225 nist: AC-6 pcidss: Req-8.7.c srg: SRG-OS-999999 stigid: RHEL-06-000043 ocil: '' file_groupowner_etc_gshadow.rule000066400000000000000000000010071327242345500425520ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify Group Who Owns gshadow File' description: '' rationale: |- The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. severity: medium identifiers: cce: 26975-3 references: disa: 225 nist: AC-6 srg: SRG-OS-999999 stigid: RHEL-06-000037 ocil: '' file_groupowner_etc_passwd.rule000066400000000000000000000011011327242345500424120ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify Group Who Owns passwd File' description: '' rationale: |- The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. 
severity: medium identifiers: cce: 26856-5 references: disa: 225 nist: AC-6 pcidss: Req-8.7.c srg: SRG-OS-999999 stigid: RHEL-06-000040 ocil: '' file_owner_etc_group.rule000066400000000000000000000010461327242345500412000ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify User Who Owns group File' description: '' rationale: |- The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. severity: medium identifiers: cce: 26822-7 references: nist: AC-6 pcidss: Req-8.7.c srg: SRG-OS-999999 stigid: RHEL-06-000042 ocil: '' file_owner_etc_gshadow.rule000066400000000000000000000007741327242345500415070ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify User Who Owns gshadow File' description: '' rationale: |- The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. severity: medium identifiers: cce: 27026-4 references: disa: 366 nist: AC-6 srg: SRG-OS-999999 stigid: RHEL-06-000036 ocil: '' file_owner_etc_passwd.rule000066400000000000000000000010661327242345500413470ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify User Who Owns passwd File' description: '' rationale: |- The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security. 
severity: medium identifiers: cce: 26953-0 references: disa: 225 nist: AC-6 pcidss: Req-8.7.c srg: SRG-OS-999999 stigid: RHEL-06-000039 ocil: '' file_permissions_etc_group.rule000066400000000000000000000010721327242345500424200ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify Permissions on group File' description: '' rationale: |- The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security. severity: medium identifiers: cce: 26954-8 references: disa: 225 nist: AC-6 pcidss: Req-8.7.c srg: SRG-OS-999999 stigid: RHEL-06-000044 ocil: '' file_permissions_etc_gshadow.rule000066400000000000000000000010031327242345500427120ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify Permissions on gshadow File' description: '' rationale: |- The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security. severity: medium identifiers: cce: 26951-4 references: disa: 225 nist: AC-6 srg: SRG-OS-999999 stigid: RHEL-06-000038 ocil: '' file_permissions_etc_passwd.rule000066400000000000000000000012501327242345500425630ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify Permissions on passwd File' description: '' rationale: |- If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security. 
severity: medium identifiers: cce: 26868-0 references: disa: 225 nist: AC-6 pcidss: Req-8.7.c srg: SRG-OS-999999 stigid: RHEL-06-000041 ocil: '' file_permissions_etc_shadow.rule000066400000000000000000000013521327242345500425520ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify Permissions on shadow File' description: '' rationale: |- The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. severity: medium identifiers: cce: 26992-8 references: disa: 225 nist: AC-6 pcidss: Req-8.7.c srg: SRG-OS-999999 stigid: RHEL-06-000035 ocil: '' groupowner_shadow_file.rule000066400000000000000000000010211327242345500415440ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify Group Who Owns shadow File' description: '' rationale: |- The /etc/shadow file stores password hashes. Protection of this file is critical for system security. severity: medium identifiers: cce: 26967-0 references: disa: 225 nist: AC-6 pcidss: Req-8.7.c srg: SRG-OS-999999 stigid: RHEL-06-000034 ocil: '' permissions_important_account_files.group000066400000000000000000000010641327242345500445330ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify Permissions on Files with Local Account Information and Credentials' description: |- The default restrictive permissions for files which act as important security databases such as passwd, shadow, group, and gshadow files must be maintained. 
Many utilities need read access to the passwd file in order to function properly, but read access to the shadow file allows malicious attacks against system passwords, and should never be enabled. userowner_shadow_file.rule000066400000000000000000000013431327242345500413750ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_important_account_filesdocumentation_complete: true title: 'Verify User Who Owns shadow File' description: '' rationale: |- The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture. severity: medium identifiers: cce: 26947-2 references: disa: 225 nist: AC-6 pcidss: Req-8.7.c srg: SRG-OS-999999 stigid: RHEL-06-000033 ocil: '' scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_within_important_dirs/000077500000000000000000000000001327242345500336725ustar00rootroot00000000000000file_ownership_binary_dirs.rule000066400000000000000000000026111327242345500421060ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_within_important_dirsdocumentation_complete: true title: 'Verify that System Executables Have Root Ownership' description: |- System executables are stored in the following directories by default:
/bin
    /sbin
    /usr/bin
    /usr/libexec
    /usr/local/bin
    /usr/local/sbin
    /usr/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE
rationale: |- System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. severity: medium identifiers: cce: 27623-8 references: disa: 1499 nist: AC-6 srg: SRG-OS-000259 stigid: RHEL-06-000048 ocil_clause: 'any system executables are found to not be owned by root' ocil: |- System executables are stored in the following directories by default:
/bin
    /sbin
    /usr/bin
    /usr/libexec
    /usr/local/bin
    /usr/local/sbin
    /usr/sbin
To find system executables that are not owned by root, run the following command for each directory DIR which contains system executables:
$ sudo find DIR/ \! -user root
file_ownership_library_dirs.rule000066400000000000000000000026741327242345500422770ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_within_important_dirsdocumentation_complete: true title: 'Verify that Shared Library Files Have Root Ownership' description: |- System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
    /lib64
    /usr/lib
    /usr/lib64
    
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE
rationale: |- Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. severity: medium identifiers: cce: 27424-1 references: disa: 1499 nist: AC-6 srg: SRG-OS-000259 stigid: RHEL-06-000046 ocil_clause: 'any of these files are not owned by root' ocil: "Shared libraries are stored in the following directories:\n
/lib\n/lib64\n/usr/lib\n/usr/lib64\n
\nFor each of these directories, run the following command to find files not \nowned by root:\n
$ sudo find -L $DIR \\! -user root
" file_permissions_binary_dirs.rule000066400000000000000000000026421327242345500424470ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_within_important_dirsdocumentation_complete: true title: 'Verify that System Executables Have Restrictive Permissions' description: |- System executables are stored in the following directories by default:
/bin
    /sbin
    /usr/bin
    /usr/libexec
    /usr/local/bin
    /usr/local/sbin
    /usr/sbin
All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
rationale: |- System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. severity: medium identifiers: cce: 27289-8 references: disa: 1499 nist: AC-6 srg: SRG-OS-000259 stigid: RHEL-06-000047 ocil_clause: 'any system executables are found to be group or world writable' ocil: |- System executables are stored in the following directories by default:
/bin
    /sbin
    /usr/bin
    /usr/libexec
    /usr/local/bin
    /usr/local/sbin
    /usr/sbin
To find system executables that are group-writable or world-writable, run the following command for each directory DIR which contains system executables:
$ sudo find -L DIR -perm /022 -type f
file_permissions_library_dirs.rule000066400000000000000000000030261327242345500426240ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_within_important_dirsdocumentation_complete: true title: 'Verify that Shared Library Files Have Restrictive Permissions' description: |- System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
    /lib64
    /usr/lib
    /usr/lib64
    
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
rationale: |- Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. severity: medium identifiers: cce: 27381-3 references: disa: 1499 nist: AC-6 srg: SRG-OS-000259 stigid: RHEL-06-000045 ocil_clause: 'any of these files are group-writable or world-writable' ocil: |- Shared libraries are stored in the following directories:
/lib
    /lib64
    /usr/lib
    /usr/lib64
    
To find shared libraries that are group-writable or world-writable, run the following command for each directory DIR which contains shared libraries:
$ sudo find -L DIR -perm /022 -type f
permissions_within_important_dirs.group000066400000000000000000000007201327242345500437430ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/files/permissions_within_important_dirsdocumentation_complete: true title: 'Verify File Permissions Within Some Important Directories' description: |- Some directories contain files whose confidentiality or integrity is notably important and may also be susceptible to misconfiguration over time, particularly if unpackaged software is installed. As such, an argument exists to verify that files' permissions within these directories remain configured correctly and restrictively. scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/000077500000000000000000000000001327242345500253555ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/bios_assign_password.rule000066400000000000000000000014501327242345500324700ustar00rootroot00000000000000documentation_complete: true title: 'Assign Password to Prevent Changes to Boot Firmware Configuration' description: "Assign a password to the system boot firmware (historically called BIOS on PC \nsystems) to require a password for any configuration changes." rationale: |- Assigning a password to the system boot firmware prevents anyone with physical access from configuring the system to boot from local media and circumvent the operating system's access controls. For systems in physically secure locations, such as a data center or Sensitive Compartmented Information Facility (SCIF), this risk must be weighed against the risk of administrative personnel being unable to conduct recovery operations in a timely fashion. 
severity: unknown identifiers: cce: 27131-2 scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/bios_disable_usb_boot.rule000066400000000000000000000010731327242345500325620ustar00rootroot00000000000000documentation_complete: true title: 'Disable Booting from USB Devices in Boot Firmware' description: |- Configure the system boot firmware (historically called BIOS on PC systems) to disallow booting from USB drives. rationale: |- Booting a system from a USB device would allow an attacker to circumvent any security measures provided by the operating system. Attackers could mount partitions and modify the configuration of the OS. severity: unknown identifiers: cce: 26923-3 references: disa: 1250 nist: AC-19(a),AC-19(d),AC-19(e) scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/bootloader_nousb_argument.rule000066400000000000000000000017031327242345500335110ustar00rootroot00000000000000documentation_complete: true title: 'Disable Kernel Support for USB via Bootloader Configuration' description: "All USB support can be disabled by adding the nousb\nargument to the kernel's boot loader configuration. To do so, \nappend \"nousb\" to the kernel line in /etc/grub.conf as shown:\n
    kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb

    WARNING: Disabling all kernel support for USB will cause problems for
    systems with USB-based keyboards, mice, or printers. This configuration is
    infeasible for systems which require USB devices, which is common.

rationale: |-
    Disabling the USB subsystem within the Linux kernel at system boot will
    protect against potentially malicious USB devices, although it is only
    practical in specialized systems.

severity: unknown

identifiers:
    cce: 27011-6

references:
    disa: 1250
    nist: AC-19(a),AC-19(d),AC-19(e)

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/kernel_module_cramfs_disabled.rule

documentation_complete: true

title: 'Disable Mounting of cramfs'

description: |-
    This effectively prevents usage of this uncommon filesystem.

rationale: |-
    Linux kernel modules which implement filesystems that are not needed by the
    local system should be disabled.

severity: unknown

identifiers:
    cce: 26340-0

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/kernel_module_freevxfs_disabled.rule

documentation_complete: true

title: 'Disable Mounting of freevxfs'

description: |-
    This effectively prevents usage of this uncommon filesystem.

rationale: |-
    Linux kernel modules which implement filesystems that are not needed by the
    local system should be disabled.

severity: unknown

identifiers:
    cce: 26544-7

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/kernel_module_hfs_disabled.rule

documentation_complete: true

title: 'Disable Mounting of hfs'

description: |-
    This effectively prevents usage of this uncommon filesystem.

rationale: |-
    Linux kernel modules which implement filesystems that are not needed by the
    local system should be disabled.

severity: unknown

identifiers:
    cce: 26800-3

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/kernel_module_hfsplus_disabled.rule

documentation_complete: true

title: 'Disable Mounting of hfsplus'

description: |-
    This effectively prevents usage of this uncommon filesystem.

rationale: |-
    Linux kernel modules which implement filesystems that are not needed by the
    local system should be disabled.

severity: unknown

identifiers:
    cce: 26361-6

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/kernel_module_jffs2_disabled.rule

documentation_complete: true

title: 'Disable Mounting of jffs2'

description: |-
    This effectively prevents usage of this uncommon filesystem.

rationale: |-
    Linux kernel modules which implement filesystems that are not needed by the
    local system should be disabled.

severity: unknown

identifiers:
    cce: 26670-0

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/kernel_module_squashfs_disabled.rule

documentation_complete: true

title: 'Disable Mounting of squashfs'

description: |-
    This effectively prevents usage of this uncommon filesystem.

rationale: |-
    Linux kernel modules which implement filesystems that are not needed by the
    local system should be disabled.

severity: unknown

identifiers:
    cce: 26404-4

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/kernel_module_udf_disabled.rule

documentation_complete: true

title: 'Disable Mounting of udf'

description: |-
    This effectively prevents usage of this uncommon filesystem.

rationale: |-
    Linux kernel modules which implement filesystems that are not needed by the
    local system should be disabled.

severity: unknown

identifiers:
    cce: 26677-5

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/kernel_module_usb-storage_disabled.rule

documentation_complete: true

title: 'Disable Modprobe Loading of USB Storage Driver'

description: |-
    To prevent USB storage devices from being used, configure the kernel module loading system
    to prevent automatic loading of the USB storage driver.

    This will prevent the modprobe program from loading the usb-storage
    module, but will not prevent an administrator (or another program) from using the
    insmod program to load the module manually.

rationale: |-
    USB storage devices such as thumb drives can be used to introduce
    malicious software.

severity: unknown

identifiers:
    cce: 27016-5

references:
    disa: 1250,85
    nist: AC-19(a),AC-19(d),AC-19(e)
    srg: SRG-OS-000273
    stigid: RHEL-06-000503

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/mounting.group

documentation_complete: true

title: |-
    Restrict Dynamic Mounting and Unmounting of Filesystems

description: |-
    Linux includes a number of facilities for the automated addition and removal of
    filesystems on a running system. These facilities may be necessary in many
    environments, but this capability also carries some risk -- whether direct risk from
    allowing users to introduce arbitrary filesystems, or risk that software flaws in
    the automated mount facility itself could allow an attacker to compromise the system.

    This command can be used to list the types of filesystems that are
    available to the currently executing kernel:
    $ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
    If these filesystems are not required then they can be explicitly disabled
    in a configuration file in /etc/modprobe.d.

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/mounting/service_autofs_disabled.rule

documentation_complete: true

title: 'Disable the Automounter'

description: |-
    The autofs daemon mounts and unmounts filesystems, such as user
    home directories shared via NFS, on demand. In addition, autofs can be used to handle
    removable media, and the default configuration provides the cdrom device as
    /misc/cd. However, this method of providing access to removable media is not
    common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is
    required, it may be possible to configure filesystem mounts statically by editing
    /etc/fstab rather than relying on the automounter.

rationale: |-
    Disabling the automounter permits the administrator to
    statically control filesystem mounting through /etc/fstab.

severity: low

identifiers:
    cce: 26976-1

references:
    disa: 366
    nist: AC-19(a),AC-19(d),AC-19(e)
    srg: SRG-OS-999999
    stigid: RHEL-06-000526

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/mount_option_dev_shm_nodev.rule

documentation_complete: true

title: 'Add nodev Option to /dev/shm'

description: |-
    The nodev mount option can be used to prevent creation
    of device files in /dev/shm.
    Legitimate character and block devices should not exist
    within temporary directories like /dev/shm.

rationale: |-
    The only legitimate location for device files is the /dev directory
    located on the root partition. The only exception to this is chroot jails.

severity: unknown

identifiers:
    cce: 26778-1

references:
    nist: 'CM-7, MP-2'

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/mount_option_dev_shm_noexec.rule

documentation_complete: true

title: 'Add noexec Option to /dev/shm'

description: |-
    The noexec mount option can be used to prevent binaries
    from being executed out of /dev/shm.
    It can be dangerous to allow the execution of binaries
    from world-writable temporary storage directories such as /dev/shm.

rationale: |-
    Allowing users to execute binaries from world-writable directories
    such as /dev/shm can expose the system to potential compromise.
severity: unknown

identifiers:
    cce: 26622-1

references:
    nist: 'CM-7, MP-2'

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/mount_option_dev_shm_nosuid.rule

documentation_complete: true

title: 'Add nosuid Option to /dev/shm'

description: |-
    The nosuid mount option can be used to prevent execution
    of setuid programs in /dev/shm. The SUID and SGID permissions
    should not be required in these world-writable directories.

rationale: |-
    The presence of SUID and SGID executables should be tightly controlled. Users
    should not be able to execute SUID or SGID binaries from temporary storage partitions.

severity: unknown

identifiers:
    cce: 26486-1

references:
    nist: 'CM-7, MP-2'

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions.rule

documentation_complete: true

title: 'Add nodev Option to Non-Root Local Partitions'

description: |-
    The nodev mount option prevents files from being
    interpreted as character or block devices.
    Legitimate character and block devices should exist only in
    the /dev directory on the root partition or within chroot
    jails built for system services.

rationale: |-
    The nodev mount option prevents files from being interpreted as
    character or block devices. The only legitimate location for device files is
    the /dev directory located on the root partition. The only exception to this
    is chroot jails, for which it is not advised to set nodev on these filesystems.

severity: unknown

identifiers:
    cce: 27045-4

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/mount_option_nodev_removable_partitions.rule

documentation_complete: true

title: 'Add nodev Option to Removable Media Partitions'

description: |-
    The nodev mount option prevents files from being
    interpreted as character or block devices.
    Legitimate character and block devices should exist only in
    the /dev directory on the root partition or within chroot
    jails built for system services.

rationale: |-
    The only legitimate location for device files is the /dev directory
    located on the root partition. An exception to this is chroot jails, and it is
    not advised to set nodev on partitions which contain their root filesystems.

severity: unknown

identifiers:
    cce: 26860-7

references:
    nist: AC-19(a),AC-19(d),AC-19(e),CM-7,MP-2

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/mount_option_noexec_removable_partitions.rule

documentation_complete: true

title: 'Add noexec Option to Removable Media Partitions'

description: |-
    The noexec mount option prevents the direct
    execution of binaries on the mounted filesystem.
    Preventing the direct execution of binaries from removable media (such as a USB
    key) provides a defense against malicious software that may be present on such
    untrusted media.

rationale: |-
    Allowing users to execute binaries from removable media such as USB keys exposes
    the system to potential compromise.

severity: unknown

identifiers:
    cce: 27196-5

references:
    disa: 87
    nist: AC-19(a),AC-19(d),AC-19(e),CM-7,MP-2
    srg: SRG-OS-000035
    stigid: RHEL-06-000271

ocil_clause: 'removable media partitions are present'

ocil: |-
    To verify that binaries cannot be directly executed from removable media, run the following command:
    $ grep -v noexec /etc/fstab
    The resulting output will show partitions which do not have the noexec flag.
    Verify all partitions in the output are not removable media.

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions.rule

documentation_complete: true

title: 'Add nosuid Option to Removable Media Partitions'

description: |-
    The nosuid mount option prevents set-user-identifier (SUID)
    and set-group-identifier (SGID) permissions from taking effect. These permissions
    allow users to execute binaries with the same permissions as the owner and group
    of the file respectively. Users should not be allowed to introduce SUID and SGID
    files into the system via partitions mounted from removable media.

rationale: |-
    The presence of SUID and SGID executables should be tightly controlled. Allowing
    users to introduce SUID or SGID binaries from partitions mounted off of removable
    media would allow them to introduce their own highly-privileged programs.

severity: unknown

identifiers:
    cce: 27056-1

references:
    nist: AC-19(a),AC-19(d),AC-19(e),CM-7,MP-2

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/mount_option_tmp_nodev.rule

documentation_complete: true

title: 'Add nodev Option to /tmp'

description: |-
    The nodev mount option can be used to prevent device files from
    being created in /tmp.
    Legitimate character and block devices should not exist
    within temporary directories like /tmp.

rationale: |-
    The only legitimate location for device files is the /dev directory
    located on the root partition. The only exception to this is chroot jails.

severity: unknown

identifiers:
    cce: 26499-4

references:
    nist: 'CM-7, MP-2'

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/mount_option_tmp_noexec.rule

documentation_complete: true

title: 'Add noexec Option to /tmp'

description: |-
    The noexec mount option can be used to prevent binaries
    from being executed out of /tmp.

rationale: |-
    Allowing users to execute binaries from world-writable directories
    such as /tmp should never be necessary in normal operation and
    can expose the system to potential compromise.

severity: unknown

identifiers:
    cce: 26720-3

references:
    disa: 381
    nist: CM-7,MP-2
    srg: SRG-OS-999999
    stigid: RHEL-06-000528

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/mount_option_tmp_nosuid.rule

documentation_complete: true

title: 'Add nosuid Option to /tmp'

description: |-
    The nosuid mount option can be used to prevent execution
    of setuid programs in /tmp. The SUID and SGID permissions
    should not be required in these world-writable directories.

rationale: |-
    The presence of SUID and SGID executables should be tightly controlled. Users
    should not be able to execute SUID or SGID binaries from temporary storage partitions.

severity: unknown

identifiers:
    cce: 26762-5

references:
    nist: 'CM-7, MP-2'

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/mount_option_var_tmp_bind.rule

documentation_complete: true

title: 'Bind Mount /var/tmp To /tmp'

description: |-
    The /var/tmp directory is a world-writable directory.
    Bind-mount it to /tmp in order to consolidate temporary storage into
    one location protected by the same techniques as /tmp. To do so, edit
    /etc/fstab and add the following line:
    /tmp     /var/tmp     none     rw,nodev,noexec,nosuid,bind     0 0
    See the mount(8) man page for further explanation of bind mounting.

rationale: |-
    Having multiple locations for temporary storage is not required. Unless
    absolutely necessary to meet requirements, the storage location /var/tmp should
    be bind mounted to /tmp and thus share the same protections.

severity: unknown

identifiers:
    cce: 26582-7

references:
    nist: CM-7

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/partitions.group

documentation_complete: true

title: 'Restrict Partition Mount Options'

description: |-
    System partitions can be mounted with certain options that limit what files
    on those partitions can do. These options are set in the /etc/fstab
    configuration file, and can be used to make certain types of malicious
    behavior more difficult.

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/partitions/var_removable_partition.var

documentation_complete: true

title: 'Removable Partition'

description: |-
    This value is used by the checks mount_option_nodev_removable_partitions,
    mount_option_noexec_removable_partitions, and mount_option_nosuid_removable_partitions
    to ensure that the correct mount options are set on partitions mounted from
    removable media such as CD-ROMs, USB keys, and floppy drives.
    This value should be modified to reflect any removable partitions that are
    required on the local system.

type: string

operator: equals

interactive: false

options:
    dev_cdrom: /dev/cdrom

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/permissions.group

documentation_complete: true

title: 'File Permissions and Masks'

description: |-
    Traditional Unix security relies heavily on file and
    directory permissions to prevent unauthorized users from reading or
    modifying files to which they should not have access.

    Several of the commands in this section search filesystems
    for files or directories with certain characteristics, and are
    intended to be run on every local partition on a given system.
    When the variable PART appears in one of the commands below,
    it means that the command is intended to be run repeatedly, with the
    name of each local partition substituted for PART in turn.

    The following command prints a list of all xfs partitions on the local
    system, which is the default filesystem for Red Hat Enterprise Linux
    7 installations:
    $ mount -t xfs | awk '{print $3}'
    For any systems that use a different
    local filesystem type, modify this command as appropriate.

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/coredumps/coredumps.group

documentation_complete: true

title: 'Disable Core Dumps'

description: |-
    A core dump file is the memory image of an executable program when it was
    terminated by the operating system due to errant behavior. In most cases,
    only software developers legitimately need to access these files. The core
    dump files may also contain sensitive information, or unnecessarily occupy
    large amounts of disk space.

    Once a hard limit is set in /etc/security/limits.conf, a user cannot
    increase that limit within his or her own session. If access to core dumps
    is required, consider restricting them to only certain users or groups.
    See the limits.conf man page for more information.

    The core dumps of setuid programs are further protected. The sysctl
    variable fs.suid_dumpable controls whether the kernel allows core dumps
    from these programs at all. The default value of 0 is recommended.

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/coredumps/disable_users_coredumps.rule

documentation_complete: true

title: 'Disable Core Dumps for All Users'

description: |-
    To disable core dumps for all users, add the following line to
    /etc/security/limits.conf:
    *     hard   core    0

rationale: |-
    A core dump includes a memory image taken at the time the operating system
    terminates an application. The memory image could contain sensitive data and is generally useful
    only for developers trying to debug problems.

severity: unknown

identifiers:
    cce: 27033-0

references:
    nist: SC-5
    srg: SRG-OS-999999
    stigid: RHEL-06-000308

ocil_clause: 'it is not'

ocil: |-
    To verify that core dumps are disabled for all users, run the following command:
    $ grep core /etc/security/limits.conf
    The output should be:
    *     hard   core    0
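The checks that the mounting, partition mount-option and core-dump rules above describe, collected into one POSIX shell audit. This is an added example and not part of the SCAP Security Guide sources or of its OVAL checks and remediations. It runs against constructed sample files in a temporary directory, so nothing is read from the live system; the helper names (`cfg_lines`, `fstab_missing_options`, `core_dump_hard_limit`, `sysctl_value`, `module_disabled`) are this example's own. The rules above only say that unneeded filesystem modules "can be explicitly disabled in a configuration file in /etc/modprobe.d"; the `install <module> /bin/true` line the last helper looks for is the usual way to do that and is this example's assumption, not something the page states.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide sources: audit the
# settings described by the rules above (fstab mount options, the limits.conf
# core hard limit, sysctl keys such as fs.suid_dumpable, and module disabling
# in modprobe.d) against constructed sample files. Helper names are this
# example's own; nothing is read from the live host.
set -u

# Print a file's effective configuration lines: comments and blank lines
# dropped, surrounding whitespace trimmed.
cfg_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# fstab_missing_options FSTAB MOUNTPOINT OPT[,OPT...]
# Prints the required options the MOUNTPOINT entry lacks, "none" when it
# has them all, or "absent" when FSTAB has no entry for that mount point.
fstab_missing_options() {
    opts=$(cfg_lines "$1" | awk -v mp="$2" '$2 == mp { print $4 }')
    [ -n "$opts" ] || { echo absent; return 0; }
    missing=
    for o in $(echo "$3" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="${missing:+$missing,}$o" ;;
        esac
    done
    echo "${missing:-none}"
}

# core_dump_hard_limit LIMITS_CONF
# Prints the hard core limit set for the "*" (all users) domain, the last
# matching line winning, or "unset" when no such line exists.
core_dump_hard_limit() {
    cfg_lines "$1" | awk '$1 == "*" && $2 == "hard" && $3 == "core" { v = $4 }
                          END { print (v == "" ? "unset" : v) }'
}

# sysctl_value SYSCTL_CONF KEY
# Prints the value a sysctl.conf-style file assigns to KEY, or "unset".
sysctl_value() {
    cfg_lines "$1" | awk -F= -v k="$2" '
        { gsub(/[ \t]/, "", $1); if ($1 == k) { v = $2; gsub(/[ \t]/, "", v) } }
        END { print (v == "" ? "unset" : v) }'
}

# module_disabled MODPROBE_DIR MODULE
# Prints "yes" when some *.conf file in MODPROBE_DIR carries the line
# "install MODULE /bin/true" (modprobe then runs /bin/true instead of
# loading the module; assumed convention, see the lead-in), otherwise "no".
module_disabled() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if cfg_lines "$f" | awk -v m="$2" \
            '$1 == "install" && $2 == m && $3 == "/bin/true" { found = 1 } END { exit found ? 0 : 1 }'
        then
            echo yes; return 0
        fi
    done
    echo no
}

# ---- constructed sample configuration (not taken from any real host) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/fstab" <<'EOF'
# constructed /etc/fstab; /tmp deliberately lacks noexec
/dev/VolGroup00/LogVol00  /         ext4   defaults                      1 1
/dev/VolGroup00/LogVol02  /tmp      ext4   defaults,nodev,nosuid         1 2
tmpfs                     /dev/shm  tmpfs  defaults,nodev,noexec,nosuid  0 0
/tmp                      /var/tmp  none   rw,nodev,noexec,nosuid,bind   0 0
EOF
cat > "$WORK/limits.conf" <<'EOF'
# constructed /etc/security/limits.conf
*     soft   core    0
*     hard   core    0
EOF
cat > "$WORK/sysctl.conf" <<'EOF'
# constructed /etc/sysctl.conf
fs.suid_dumpable = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 2
EOF
mkdir "$WORK/modprobe.d"
printf 'install cramfs /bin/true\ninstall usb-storage /bin/true\n' > "$WORK/modprobe.d/ssg.conf"

# Stand-alone run: one line per finding.
for mp in /tmp /var/tmp /dev/shm; do
    echo "$mp missing: $(fstab_missing_options "$WORK/fstab" "$mp" nodev,noexec,nosuid)"
done
echo "core hard limit: $(core_dump_hard_limit "$WORK/limits.conf")"
for key in fs.suid_dumpable kernel.exec-shield kernel.randomize_va_space; do
    echo "$key: $(sysctl_value "$WORK/sysctl.conf" "$key")"
done
for mod in cramfs usb-storage hfs; do
    echo "$mod disabled: $(module_disabled "$WORK/modprobe.d" "$mod")"
done
```

Against the sample data the script reports that /tmp lacks noexec while /dev/shm and the /var/tmp bind mount carry all three options, that the all-users hard core limit is 0, that fs.suid_dumpable is 0, and that cramfs and usb-storage are disabled while hfs is not. To audit a real host, point the functions at /etc/fstab, /etc/security/limits.conf, /etc/sysctl.conf and /etc/modprobe.d instead of the temporary copies; note that the sysctl helper reads the file only and says nothing about the running value, which `sysctl -n` reports.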
# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable.rule

documentation_complete: true

title: 'Disable Core Dumps for SUID programs'

description: ''

rationale: |-
    The core dump of a setuid program is more likely to contain
    sensitive data, as the program itself runs with greater privileges than the
    user who initiated execution of the program. Disabling the ability for any
    setuid program to write a core file decreases the risk of unauthorized access
    of such data.

severity: unknown

identifiers:
    cce: 27044-7

references:
    nist: SI-11

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/daemon_umask/daemon_umask.group

documentation_complete: true

title: 'Daemon Umask'

description: |-
    The umask is a per-process setting which limits the default permissions for
    creation of new files and directories. The system includes initialization
    scripts which set the default umask for system daemons.

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons.rule

documentation_complete: true

title: 'Set Daemon Umask'

description: |-
    The file /etc/init.d/functions includes initialization parameters for most or
    all daemons started at boot time. The default umask of 022 prevents creation
    of group- or world-writable files. To set the default umask for daemons, edit
    the following line, inserting 022 or 027 for umask appropriately:
    umask 
    Setting the umask to too restrictive a setting can cause serious errors at
    runtime. Many daemons on the system already individually restrict themselves
    to a umask of 077 in their own init scripts.

rationale: |-
    The umask influences the permissions assigned to files created by a
    process at run time. An unnecessarily permissive umask could result in files
    being created with insecure permissions.

severity: unknown

identifiers:
    cce: 27031-4

references:
    nist: AC-6
    srg: SRG-OS-999999
    stigid: RHEL-06-000346

ocil_clause: 'it does not'

ocil: |-
    To check the value of the umask, run the following command:
    $ grep umask /etc/init.d/functions
    The output should show either 022 or 027.

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/daemon_umask/var_umask_for_daemons.var

documentation_complete: true

title: 'daemon umask'

description: 'Enter umask for daemons'

type: string

operator: equals

interactive: false

options:
    "022": "022"
    "027": "027"
    default: "022"

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/enable_execshield_settings/enable_execshield_settings.group

documentation_complete: true

title: 'Enable ExecShield'

description: |-
    ExecShield describes kernel features that provide
    protection against exploitation of memory corruption errors such as buffer
    overflows. These features include random placement of the stack and other
    memory regions, prevention of execution in memory that should only hold data,
    and special handling of text buffers. These protections are enabled by default
    and controlled through sysctl variables kernel.exec-shield and
    kernel.randomize_va_space.

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield.rule

documentation_complete: true

title: 'Enable ExecShield'

description: ''

rationale: |-
    ExecShield uses the segmentation feature on all x86 systems
    to prevent execution in memory higher than a certain address. It
    writes an address as a limit in the code segment descriptor, to
    control where code can be executed, on a per-process basis.
    When the kernel places a process's memory regions such as the stack and heap
    higher than this address, the hardware prevents execution in that address range.

severity: medium

identifiers:
    cce: 27007-4

references:
    disa: 2530
    nist: SC-39
    srg: SRG-OS-999999
    stigid: RHEL-06-000079

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space.rule

documentation_complete: true

title: 'Enable Randomized Layout of Virtual Address Space'

description: ''

rationale: |-
    Address space layout randomization (ASLR) makes it more difficult
    for an attacker to predict the location of attack code they have introduced
    into a process's address space during an attempt at exploitation. Additionally, ASLR
    makes it more difficult for an attacker to know the location of existing code
    in order to re-purpose it using return oriented programming (ROP) techniques.

severity: medium

identifiers:
    cce: 26999-3

references:
    nist: SC-30(2)
    srg: SRG-OS-999999
    stigid: RHEL-06-000078

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions.rule

documentation_complete: true

title: 'Enable NX or XD Support in the BIOS'

description: |-
    Reboot the system and enter the BIOS or Setup configuration menu.
    Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
    under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
    on AMD-based systems.

rationale: |-
    Computers with the ability to prevent this type of code execution frequently put an
    option in the BIOS that will allow users to turn the feature on or off at will.

severity: unknown

identifiers:
    cce: 27163-5

references:
    nist: CM-6(b)

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/enable_nx/enable_nx.group

documentation_complete: true

title: |-
    Enable Execute Disable (XD) or No Execute (NX) Support on
    x86 Systems

description: |-
    Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis.
    Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD).
    This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible.
    Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems.
    Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32.rule

documentation_complete: true

title: 'Install PAE Kernel on Supported 32-bit x86 Systems'

description: |-
    Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package
    because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also
    supports the PAE and NX features as determined in the previous section, the kernel-PAE package should
    be installed to enable XD or NX support:
    $ sudo yum install kernel-PAE
    The installation process should also have configured the bootloader to load the new kernel at boot.
    Verify this at reboot and modify /etc/grub.conf if necessary.

rationale: |-
    On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required
    to enable either Execute Disable (XD) or No Execute (NX) support.

severity: unknown

identifiers:
    cce: 27010-8

references:
    nist: CM-6(b)

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/restrictions.group

documentation_complete: true

title: 'Restrict Programs from Dangerous Execution Patterns'

description: |-
    The recommendations in this section are designed to ensure that the system's features
    to protect against potentially dangerous program execution are activated. These protections
    are applied at the system initialization or kernel level, and defend against certain types
    of badly-configured or compromised programs.

# scap-security-guide-0.1.39/rhel6/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict.rule

documentation_complete: true

title: 'Restrict Access to Kernel Message Buffer'

description: ''

rationale: |-
    Unprivileged access to the kernel syslog can expose sensitive kernel
    address information.

severity: unknown

identifiers:
    cce: 27366-4

ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/selinux/enable_selinux_bootloader.rule

documentation_complete: true

title: 'Ensure SELinux Not Disabled in /etc/grub.conf'

description: |-
    SELinux can be disabled at boot time by an argument in /etc/grub.conf.
    Remove any instances of selinux=0 from the kernel arguments in that
    file to prevent SELinux from being disabled at boot.

rationale: |-
    Disabling a major host protection feature, such as SELinux, at boot time prevents
    it from confining system services at boot time. Further, it increases
    the chances that it will remain off during system operation.

severity: medium

identifiers:
    cce: 26956-3

references:
    disa: 22,32
    nist: AC-3,AC-3(3),AC-6,AU-9
    srg: SRG-OS-999999
    stigid: RHEL-06-000017

ocil_clause: 'SELinux is disabled at boot time'

ocil: |-
    Inspect /etc/grub.conf for any instances of selinux=0
    in the kernel boot arguments. Presence of selinux=0 indicates that SELinux
    is disabled at boot time.

# scap-security-guide-0.1.39/rhel6/guide/system/selinux/package_mcstrans_removed.rule

documentation_complete: true

title: 'Uninstall mcstrans Package'

description: |-
    The mcstransd daemon provides category label information
    to client processes requesting information. The label translations are defined
    in /etc/selinux/targeted/setrans.conf.

rationale: |-
    Since this service is not used very often, disable it to reduce the
    amount of potentially vulnerable code running on the system.
    NOTE: This rule was added in support of the CIS RHEL6 v1.2.0 benchmark. Please note that
    Red Hat does not feel this rule is security relevant.

severity: unknown

identifiers:
    cce: 27404-3

# scap-security-guide-0.1.39/rhel6/guide/system/selinux/package_setroubleshoot_removed.rule

documentation_complete: true

title: 'Uninstall setroubleshoot Package'

description: |-
    The SETroubleshoot service notifies desktop users of SELinux
    denials. The service provides information around configuration errors,
    unauthorized intrusions, and other potential errors.

rationale: |-
    The SETroubleshoot service is an unnecessary daemon to have
    running on a server.

severity: unknown

identifiers:
    cce: 27421-7

# scap-security-guide-0.1.39/rhel6/guide/system/selinux/selinux.group

documentation_complete: true

title: SELinux

description: |-
    SELinux is a feature of the Linux kernel which can be used to guard against
    misconfigured or compromised programs. SELinux enforces the idea that
    programs should be limited in what files they can access and what actions
    they can take.

    The default SELinux policy, as configured on Red Hat Enterprise Linux 6, has
    been sufficiently developed and debugged that it should be usable on almost
    any Red Hat machine with minimal configuration and a small amount of system
    administrator training. This policy prevents system services - including most
    of the common network-visible services such as mail servers, FTP servers, and
    DNS servers - from accessing files which those services have no valid reason
    to access. This action alone prevents a huge amount of possible damage from
    network attacks against services, from trojaned software, and so forth.

    This guide recommends that SELinux be enabled using the default (targeted)
    policy on every Red Hat system, unless that system has unusual requirements
    which make a stronger policy appropriate.

# scap-security-guide-0.1.39/rhel6/guide/system/selinux/selinux_all_devicefiles_labeled.rule

documentation_complete: true

title: 'Ensure No Device Files are Unknown to SELinux'

description: |-
    Device files, which are used for communication with important system
    resources, should be labeled with proper SELinux types. If any device files
    carry the SELinux type device_t, report the bug so that policy can be
    corrected. Supply information about what the device is and what programs use it.

rationale: |-
    If a device file carries the SELinux type device_t, then SELinux
    cannot properly restrict access to the device file.

severity: unknown

identifiers:
    cce: 26774-0

references:
    disa: 22,32
    nist: AC-6,AU-9,CM-7
    srg: SRG-OS-999999
    stigid: RHEL-06-000025

ocil_clause: 'there is output'

ocil: |-
    To check for unlabeled device files, run the following command:
    $ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
    It should produce no output in a well-configured system.

# scap-security-guide-0.1.39/rhel6/guide/system/selinux/selinux_confinement_of_daemons.rule

documentation_complete: true

title: 'Ensure No Daemons are Unconfined by SELinux'

description: |-
    Daemons for which the SELinux policy does not contain rules will inherit the
    context of the parent process. Because daemons are launched during startup and
    descend from the init process, they inherit the initrc_t context.

To check for unconfined daemons, run the following command:
$ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
It should produce no output in a well-configured system. rationale: |- Daemons which run with the initrc_t context may cause AVC denials, or allow privileges that the daemon does not require. severity: medium identifiers: cce: 27111-4 references: nist: AC-6,AU-9,CM-7 scap-security-guide-0.1.39/rhel6/guide/system/selinux/selinux_policytype.rule000066400000000000000000000027301327242345500274740ustar00rootroot00000000000000documentation_complete: true title: 'Configure SELinux Policy' description: |- The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
SELINUXTYPE=
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. rationale: "Setting the SELinux policy to targeted or a more specialized policy\nensures the system will confine processes that are likely to be\ntargeted for exploitation, such as network or system services.\n\nNote: During the development or debugging of SELinux modules, it is common to \ntemporarily place non-production systems in permissive mode. In such \ntemporary cases, SELinux policies should be developed, and once work\nis completed, the system should be reconfigured to\n." severity: unknown identifiers: cce: 26875-5 references: disa: 22,32 nist: AC-3,AC-3(3),AC-4,AC-6,AU-9 srg: SRG-OS-999999 stigid: RHEL-06-000023 ocil_clause: 'it does not' ocil: |- Check the file /etc/selinux/config and ensure the following line appears:
SELINUXTYPE=
# scap-security-guide-0.1.39/rhel6/guide/system/selinux/selinux_state.rule
documentation_complete: true
title: 'Ensure SELinux State is Enforcing'
description: |-
    The SELinux state should be set to at system boot time. In the file
    /etc/selinux/config, add or correct the following line to configure the
    system to boot into enforcing mode:
    SELINUX=
rationale: |-
    Setting the SELinux state to enforcing ensures SELinux is able to confine
    potentially compromised processes to the security policy, which is designed
    to prevent them from causing damage to the system or further elevating their
    privileges.
severity: medium
identifiers:
    cce: 26969-6
references:
    disa: 22,32,26
    nist: AC-3,AC-3(3),AC-4,AC-6,AU-9
    srg: SRG-OS-999999
    stigid: RHEL-06-000020
ocil_clause: 'SELINUX is not set to enforcing'
ocil: |-
    Check the file /etc/selinux/config and ensure the following line appears:
    SELINUX=
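Both the selinux_policytype and selinux_state rules above are verified by reading /etc/selinux/config. The following POSIX shell script is an added example, not code from the SCAP Security Guide: it reports the effective SELINUX and SELINUXTYPE values of a config file (last uncommented assignment wins, key matched case-insensitively, "=" required directly after the key as libselinux expects), flags assignments that would be ignored because of spaces around "=", and prints a pass/fail line per rule. The sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of scap-security-guide. Audits an
# /etc/selinux/config-style file for the selinux_state and
# selinux_policytype rules using only POSIX sh and awk.

# Print the effective value of KEY ("SELINUX" or "SELINUXTYPE") in FILE.
# Comment and blank lines are skipped, the key is matched case-insensitively
# and must be followed directly by "=", and the last assignment wins.
selinux_config_value() {
    awk -v key="$2" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line ~ /^#/ || line == "" { next }
        tolower(substr(line, 1, length(key) + 1)) == tolower(key "=") {
            val = substr(line, length(key) + 2)
            sub(/[[:space:]]+$/, "", val)          # strip trailing blanks / CR
        }
        END { print val }' "$1"
}

# Report lines that name KEY but put whitespace before "=" (for example
# "SELINUX = enforcing"); such a line is not honoured and is easy to miss.
selinux_config_malformed() {
    awk -v key="$2" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line ~ /^#/ { next }
        tolower(line) ~ ("^" tolower(key) "[[:space:]]+=") {
            print "malformed " NR ": " $0
        }' "$1"
}

# Evaluate both rules against FILE and print "<rule> pass|fail <value>".
# The comparison is exact and case-sensitive against the prescribed value
# (defaults: enforcing / targeted), so "Enforcing" is reported as a failure.
check_selinux_config() {
    file="$1"; want_state="${2:-enforcing}"; want_type="${3:-targeted}"
    state=$(selinux_config_value "$file" SELINUX)
    ptype=$(selinux_config_value "$file" SELINUXTYPE)
    [ "$state" = "$want_state" ] && s=pass || s=fail
    [ "$ptype" = "$want_type" ] && t=pass || t=fail
    printf 'selinux_state %s %s\n' "$s" "${state:-unset}"
    printf 'selinux_policytype %s %s\n' "$t" "${ptype:-unset}"
    selinux_config_malformed "$file" SELINUX
    selinux_config_malformed "$file" SELINUXTYPE
}

# Constructed sample files for the demonstration.
demo=$(mktemp -d)
cat > "$demo/compliant.conf" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat > "$demo/drifted.conf" <<'EOF'
#SELINUX=enforcing
SELINUX=permissive
SELINUXTYPE = targeted
EOF
check_selinux_config "$demo/compliant.conf"   # two "pass" lines
check_selinux_config "$demo/drifted.conf"     # two "fail" lines plus "malformed 3: ..."
rm -rf "$demo"
```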
# scap-security-guide-0.1.39/rhel6/guide/system/selinux/service_restorecond_enabled.rule
documentation_complete: true
title: 'Enable the SELinux Context Restoration Service (restorecond)'
description: |-
    The restorecond service utilizes inotify to look for the creation of new
    files listed in the /etc/selinux/restorecond.conf configuration file. When a
    file is created, restorecond ensures the file receives the proper SELinux
    security context.
rationale: |-
    The restorecond service helps ensure that the default SELinux file context is
    applied to files. This allows automatic correction of file contexts created
    by some programs.
severity: unknown
identifiers:
    cce: 26991-0
references:
    nist: AC-3,AC-3(3),AC-4,AC-6,AU-9

# scap-security-guide-0.1.39/rhel6/guide/system/selinux/var_selinux_policy_name.var
documentation_complete: true
title: 'SELinux policy'
description: |-
    Type of policy in use. Possible values are:
    targeted - Only targeted network daemons are protected.
    strict - Full SELinux protection.
    mls - Multiple levels of security
type: string
operator: equals
interactive: false
options:
    default: targeted
    mls: mls
    targeted: targeted

# scap-security-guide-0.1.39/rhel6/guide/system/selinux/var_selinux_state.var
documentation_complete: true
title: 'SELinux state'
description: |-
    enforcing - SELinux security policy is enforced.
    permissive - SELinux prints warnings instead of enforcing.
    disabled - SELinux is fully disabled.
type: string
operator: equals
interactive: false
options:
    default: enforcing
    disabled: disabled
    enforcing: enforcing
    permissive: permissive

# scap-security-guide-0.1.39/rhel6/guide/system/software/disk_partitioning/disk_partitioning.group
documentation_complete: true
title: 'Disk Partitioning'
description: |-
    To ensure separation and protection of data, there are top-level system
    directories which should be placed on their own physical partition or logical
    volume. The installer's default partitioning scheme creates separate logical
    volumes for /, /boot, and swap.

    • If starting with any of the default layouts, check the box to "Review and
      modify partitioning." This allows for the easy creation of additional
      logical volumes inside the volume group already created, though it may
      require making /'s logical volume smaller to create space. In general,
      using logical volumes is preferable to using partitions because they can
      be more easily adjusted later.
    • If creating a custom layout, create the partitions mentioned in the
      previous paragraph (which the installer will require anyway), as well as
      separate ones described in the following sections.

    If a system has already been installed, and the default partitioning scheme
    was used, it is possible but nontrivial to modify it to create separate
    logical volumes for the directories listed above. The Logical Volume Manager
    (LVM) makes this possible. See the LVM HOWTO at for more detailed
    information on LVM.

# scap-security-guide-0.1.39/rhel6/guide/system/software/disk_partitioning/encrypt_partitions.rule
documentation_complete: true
title: 'Encrypt Partitions'
description: |-
    Red Hat Enterprise Linux 6 natively supports partition encryption through the
    Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
    encrypt a partition is during installation time.

    For manual installations, select the Encrypt checkbox during partition
    creation to encrypt the partition. When this option is selected the system
    will prompt for a passphrase to use in decrypting the partition. The
    passphrase will subsequently need to be entered manually every time the
    system boots.

    For automated/unattended installations, it is possible to use Kickstart by
    adding the --encrypted and --passphrase= options to the definition of each
    partition to be encrypted. For example, the following line would encrypt the
    root partition:
    part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
    Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart
    must then be protected accordingly. Omitting the --passphrase= option from
    the partition definition will cause the installer to pause and interactively
    ask for the passphrase during installation.

    By default, the Anaconda installer uses the aes-xts-plain64 cipher with a
    minimum 512 bit key size, which should be compatible with FIPS mode enabled.

    Detailed information on encrypting partitions using LUKS or LUKS ciphers can
    be found on the Red Hat Documentation web site:
rationale: |-
    The risk of a system's physical compromise, particularly mobile systems such
    as laptops, places its data at risk of compromise. Encrypting this data
    mitigates the risk of its loss if the system is lost.
severity: unknown
identifiers:
    cce: 27596-6
references:
    disa: 1019,1199,1200
    nist: 'SC-13, SC-28'
    srg: SRG-OS-000131,SRG-OS-000185,SRG-OS-000230
    stigid: RHEL-06-000275
ocil_clause: 'encryption must be used and is not employed'
ocil: 'Determine if encryption must be used to protect data on the system.'

# scap-security-guide-0.1.39/rhel6/guide/system/software/disk_partitioning/partition_for_home.rule
documentation_complete: true
title: 'Ensure /home Located On Separate Partition'
description: |-
    If user home directories will be stored locally, create a separate partition
    for /home at installation time (or migrate it later using LVM). If /home will
    be mounted from another system such as an NFS server, then creating a
    separate partition is not necessary at installation time, and the mountpoint
    can instead be configured later.
rationale: |-
    Ensuring that /home is mounted on its own partition enables the setting of
    more restrictive mount options, and also helps ensure that users cannot
    trivially fill partitions used for log or audit data storage.
severity: unknown
identifiers:
    cce: 26557-9
references:
    disa: 1208
    nist: SC-32
    srg: SRG-OS-999999
    stigid: RHEL-06-000007
ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/software/disk_partitioning/partition_for_tmp.rule
documentation_complete: true
title: 'Ensure /tmp Located On Separate Partition'
description: |-
    The /tmp directory is a world-writable directory used for temporary file
    storage. Ensure it has its own partition or logical volume at installation
    time, or migrate it using LVM.
rationale: |-
    The /tmp partition is used as temporary storage by many programs. Placing
    /tmp in its own partition enables the setting of more restrictive mount
    options, which can help protect programs which use it.
severity: unknown
identifiers:
    cce: 26435-8
references:
    disa: 1208
    nist: SC-32
    srg: SRG-OS-999999
    stigid: RHEL-06-000001
ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/software/disk_partitioning/partition_for_var.rule
documentation_complete: true
title: 'Ensure /var Located On Separate Partition'
description: |-
    The /var directory is used by daemons and other system services to store
    frequently-changing data. Ensure that /var has its own partition or logical
    volume at installation time, or migrate it using LVM.
rationale: |-
    Ensuring that /var is mounted on its own partition enables the setting of
    more restrictive mount options. This helps protect system services such as
    daemons or other programs which use it. It is not uncommon for the /var
    directory to contain world-writable directories installed by other software
    packages.
severity: unknown
identifiers:
    cce: 26639-5
references:
    disa: 1208
    nist: SC-32
    srg: SRG-OS-999999
    stigid: RHEL-06-000002
ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/software/disk_partitioning/partition_for_var_log.rule
documentation_complete: true
title: 'Ensure /var/log Located On Separate Partition'
description: |-
    System logs are stored in the /var/log directory. Ensure that it has its own
    partition or logical volume at installation time, or migrate it using LVM.
rationale: |-
    Placing /var/log in its own partition enables better separation between log
    files and other files in /var/.
severity: unknown
identifiers:
    cce: 26215-4
references:
    disa: 1208
    nist: AU-9,SC-32
    srg: SRG-OS-999999
    stigid: RHEL-06-000003
ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/software/disk_partitioning/partition_for_var_log_audit.rule
documentation_complete: true
title: 'Ensure /var/log/audit Located On Separate Partition'
description: |-
    Audit logs are stored in the /var/log/audit directory. Ensure that it has its
    own partition or logical volume at installation time, or migrate it later
    using LVM. Make absolutely certain that it is large enough to store all audit
    logs that will be created by the auditing daemon.
rationale: |-
    Placing /var/log/audit in its own partition enables better separation between
    audit files and other files, and helps ensure that auditing cannot be halted
    due to the partition running out of space.
severity: unknown
identifiers:
    cce: 26436-6
references:
    disa: 137,138,1208
    nist: AU-4,AU-9,SC-32
    srg: SRG-OS-000044
    stigid: RHEL-06-000004
ocil: ''

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome.group
documentation_complete: true
title: 'GNOME Desktop Environment'
description: |-
    GNOME is a graphical desktop environment bundled with many Linux
    distributions that allows users to easily interact with the operating system
    graphically rather than textually. The GNOME Graphical Display Manager (GDM)
    provides login, logout, and user switching contexts as well as display server
    management.

    GNOME is developed by the GNOME Project and is considered the default Red
    Hat graphical environment.

    For more information on GNOME and the GNOME Project, see

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_login_screen/gconf_gdm_disable_user_list.rule
documentation_complete: true
title: 'Disable the User List'
description: |-
    In the default graphical environment, users logging directly into the system
    are greeted with a login screen that displays all known users. This
    functionality should be disabled.

    Run the following command to disable the user list:
    $ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type bool \
      --set /apps/gdm/simple-greeter/disable_user_list true
rationale: |-
    Leaving the user list enabled is a security risk since it allows anyone with
    physical access to the system to quickly enumerate known user accounts
    without logging in.
severity: medium
identifiers:
    cce: 27230-2
references:
    disa: 366
    nist: AC-23
    srg: SRG-OS-999999
    stigid: RHEL-06-000527
ocil_clause: 'it is not'
ocil: |-
    To ensure the user list is disabled, run the following command:
    $ gconftool-2 -g /apps/gdm/simple-greeter/disable_user_list
    The output should be true.

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_login_screen/gconf_gnome_disable_restart_shutdown.rule
documentation_complete: true
title: 'Disable the GNOME Login Restart and Shutdown Buttons'
description: |-
    In the default graphical environment, users logging directly into the system
    are greeted with a login screen that allows any user, known or unknown, the
    ability to shut down or restart the system. This functionality should be
    disabled by running the following:
    $ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type bool \
      --set /apps/gdm/simple-greeter/disable_restart_buttons true
rationale: |-
    A user who is at the console can reboot the system at the login screen. If
    restart or shutdown buttons are pressed at the login screen, this can create
    the risk of short-term loss of availability of systems due to reboot.
severity: high
references:
    disa: 366
    nist: AC-6
    stigid: ""
ocil_clause: 'disable-restart-buttons has not been configured or is not disabled'
ocil: |-
    To ensure the shutdown and restart buttons on the login screen are disabled,
    run the following command:
    $ gconftool-2 -g /apps/gdm/simple-greeter/disable_restart_buttons
    The output should be true.

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login.rule
documentation_complete: true
title: 'Disable GDM Automatic Login'
description: |-
    The GNOME Display Manager (GDM) can allow users to automatically login
    without user interaction or credentials. Users should always be required to
    authenticate themselves to the system that they are authorized to use. To
    disable the ability of users to automatically login to the system, set
    AutomaticLoginEnable to false in the [daemon] section in
    /etc/gdm/custom.conf. For example:
    [daemon]
    AutomaticLoginEnable=false
rationale: |-
    Failure to restrict system access to authenticated users negatively impacts
    operating system security.
severity: high
references:
    disa: 366
    nist: CM-6(b)
    stigid: ""
ocil_clause: 'GDM allows users to automatically login'
ocil: |-
    To verify that automatic logins are disabled, run the following command:
    $ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf
    The output should show the following:
    [daemon]
    AutomaticLoginEnable=false
# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login.rule
documentation_complete: true
title: 'Disable GDM Guest Login'
description: |-
    The GNOME Display Manager (GDM) can allow users to login without credentials,
    which can be useful for public kiosk scenarios. Allowing users to login
    without credentials or "guest" account access has inherent security risks
    and should be disabled. To disable timed logins or guest account access, set
    TimedLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf.
    For example:
    [daemon]
    TimedLoginEnable=false
rationale: |-
    Failure to restrict system access to authenticated users negatively impacts
    operating system security.
severity: high
references:
    disa: 366
    nist: CM-6(b)
    stigid: ""
ocil_clause: 'GDM allows a guest to login without credentials'
ocil: |-
    To verify that timed logins are disabled, run the following command:
    $ grep -Pzoi "^\[daemon]\\ntimedlogin.*" /etc/gdm/custom.conf
    The output should show the following:
    [daemon]
    TimedLoginEnable=false
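The grep -Pzo checks in the gnome_gdm_disable_automatic_login and gnome_gdm_disable_guest_login rules above only match when the key sits on the line directly below [daemon]. The following POSIX shell script is an added example, not code from the SCAP Security Guide: it parses /etc/gdm/custom.conf section by section, so AutomaticLoginEnable and TimedLoginEnable are found anywhere inside [daemon] and ignored when they appear in another section; the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of scap-security-guide. Section-aware check of an
# /etc/gdm/custom.conf-style file for the two GDM login rules above.

# Print the value of KEY inside [SECTION] of an INI-style FILE ("" if absent).
# Section and key names are compared exactly, as GLib's GKeyFile (which GDM
# uses to read custom.conf) does; whitespace around "=" is tolerated and the
# last assignment inside the section wins.
ini_value() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }   # comments, blanks
        /^[[:space:]]*\[/ {                                 # [section] header
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec)
            next
        }
        sec == want_sec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == want_key) val = v
        }
        END { print val }' "$1"
}

# Evaluate both rules against FILE and print "<key> pass|fail <value>".
# Only an explicit lower-case "false" passes: that is the value the rules
# prescribe, and GKeyFile does not read "False" as a boolean. An absent key
# is reported as "unset" and fails, because the rules want it stated.
check_gdm_logins() {
    for key in AutomaticLoginEnable TimedLoginEnable; do
        v=$(ini_value "$1" daemon "$key")
        if [ "$v" = "false" ]; then r=pass; else r=fail; fi
        printf '%s %s %s\n' "$key" "$r" "${v:-unset}"
    done
}

# Constructed sample files for the demonstration.
demo=$(mktemp -d)
# Compliant, but neither key is on the line directly below [daemon],
# so the single-line grep checks in the rules would not match it.
cat > "$demo/compliant.conf" <<'EOF'
[daemon]
# local notes about the greeter
TimedLoginEnable=false
AutomaticLoginEnable = false

[security]
EOF
# Drifted: one key sits in the wrong section, the other is set to true.
cat > "$demo/drifted.conf" <<'EOF'
[security]
AutomaticLoginEnable=false
[daemon]
TimedLoginEnable=true
EOF
check_gdm_logins "$demo/compliant.conf"   # two "pass" lines
check_gdm_logins "$demo/drifted.conf"     # "AutomaticLoginEnable fail unset", "TimedLoginEnable fail true"
rm -rf "$demo"
```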
# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_login_screen/gnome_login_screen.group
documentation_complete: true
title: 'Configure GNOME Login Screen'
description: |-
    In the default GNOME desktop, the login screen is displayed after system
    boot and can display user accounts, allow users to reboot the system, and
    allow users to login automatically and/or with a guest account. The login
    screen should be configured to prevent such behavior.

    For more information about enforcing preferences in the GNOME environment
    using the GConf configuration system, see and the man page gconftool-2(1).

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_media_settings/gconf_gnome_disable_automount.rule
documentation_complete: true
title: 'Disable GNOME Automounting'
description: |-
    The system's default desktop environment, GNOME, will mount devices and
    removable media (such as DVDs, CDs and USB flash drives) whenever they are
    inserted into the system. Disable automount and autorun within GNOME by
    running the following:
    $ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type bool \
      --set /apps/nautilus/preferences/media_automount false
    $ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type bool \
      --set /apps/nautilus/preferences/media_autorun_never true
rationale: |-
    Disabling automatic mounting in GNOME can prevent the introduction of
    malware via removable media. It will, however, also prevent desktop users
    from legitimate use of removable media.
severity: unknown
identifiers:
    cce: 27035-5
references:
    nist: AC-19(a),AC-19(d),AC-19(e)
ocil_clause: 'GNOME automounting is not disabled'
ocil: |-
    These settings can be verified by running the following:
    $ gconftool-2 -g /apps/nautilus/preferences/media_automount
    The output should return false.
    $ gconftool-2 -g /apps/nautilus/preferences/media_autorun_never
    The output should return true.

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_media_settings/gconf_gnome_disable_thumbnailers.rule
documentation_complete: true
title: 'Disable All GNOME Thumbnailers'
description: |-
    The system's default desktop environment, GNOME, uses a number of different
    thumbnailer programs to generate thumbnails for any new or modified content
    in an opened folder. The following command can disable the execution of
    these thumbnail applications:
    $ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type bool \
      --set /desktop/gnome/thumbnailers/disable_all true
    This effectively prevents an attacker from gaining access to a system
    through a flaw in GNOME's Nautilus thumbnail creators.
rationale: |-
    An attacker with knowledge of a flaw in a GNOME3 thumbnailer application
    could craft a malicious file to exploit this flaw. Assuming the attacker
    could place the malicious file on the local filesystem (via a web upload for
    example) and assuming a user browses the same location using Nautilus, the
    malicious file would exploit the thumbnailer with the potential for
    malicious code execution. It is best to disable these thumbnailer
    applications unless they are explicitly required.
severity: unknown
identifiers:
    cce: 27224-5
references:
    nist: CM-7
ocil_clause: 'GNOME thumbnailers are not disabled'
ocil: |-
    These settings can be verified by running the following:
    $ gconftool-2 -g /desktop/gnome/thumbnailers/disable_all
    The output should return true.

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_media_settings/gnome_media_settings.group
documentation_complete: true
title: 'GNOME Media Settings'
description: 'GNOME media settings that apply to the graphical interface.'

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_network_settings/gconf_gnome_disable_wifi_create.rule
documentation_complete: true
title: 'Disable WIFI Network Connection Creation in GNOME'
description: |-
    GNOME allows users to create ad-hoc wireless connections through the
    NetworkManager applet. Wireless connections should be disabled by running
    the following:
    $ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type bool \
      --set /apps/nm-applet/disable-wifi-create true
rationale: |-
    Wireless network connections should not be allowed to be configured by
    general users on a given system as it could open the system to backdoor
    attacks.
severity: medium
ocil_clause: 'WIFI connections can be created through GNOME'
ocil: |-
    To ensure that WIFI connections cannot be created, run the following
    command:
    $ gconftool-2 -g /apps/nm-applet/disable-wifi-create
    The output should return true.

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_network_settings/gconf_gnome_disable_wifi_disconnect.rule
documentation_complete: true
title: 'Disable WIFI Network Disconnect Notification in GNOME'
description: |-
    By default, GNOME disables WIFI notification when disconnecting from a
    wireless network. This should be permanently set so that users do not
    connect to a wireless network when the system finds one. While useful for
    mobile devices, this setting should be disabled for all other systems. To
    configure the system to disable the WIFI notification, run the following:
    $ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type bool \
      --set /apps/nm-applet/disable-disconnected-notifications true
rationale: |-
    Wireless network connections should not be allowed to be configured by
    general users on a given system as it could open the system to backdoor
    attacks.
severity: medium
ocil_clause: 'wireless disconnecting network notification is enabled and not disabled'
ocil: |-
    To ensure that wireless network notification is disabled, run the following
    command:
    $ gconftool-2 -g /apps/nm-applet/disable-disconnected-notifications
    The output should return true.

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_network_settings/gconf_gnome_disable_wifi_notification.rule
documentation_complete: true
title: 'Disable WIFI Network Connection Notification in GNOME'
description: |-
    By default, GNOME disables WIFI notification when connecting to a wireless
    network. This should be permanently set so that users do not connect to a
    wireless network when the system finds one. While useful for mobile devices,
    this setting should be disabled for all other systems. To configure the
    system to disable the WIFI notification, run the following:
    $ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type bool \
      --set /apps/nm-applet/disable-connected-notifications true
rationale: |-
    Wireless network connections should not be allowed to be configured by
    general users on a given system as it could open the system to backdoor
    attacks.
severity: medium
ocil_clause: 'wireless connecting network notification is enabled and not disabled'
ocil: |-
    To ensure that wireless network notification is disabled, run the following
    command:
    $ gconftool-2 -g /apps/nm-applet/disable-connected-notifications
    The output should return true.

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_network_settings/gnome_network_settings.group
documentation_complete: true
title: 'GNOME Network Settings'
description: 'GNOME network settings that apply to the graphical interface.'

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_remote_access_settings/gnome_remote_access_settings.group
documentation_complete: true
title: 'GNOME Remote Access Settings'
description: 'GNOME remote access settings that apply to the graphical interface.'

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screen_locking_keybindings.rule
documentation_complete: true
title: 'Set GNOME Screen Locking Keybindings'
description: |-
    Run the following command to prevent changes to the screensaver lock
    keybindings:
    $ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type string \
      --set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l"
rationale: |-
    The ability to lock graphical desktop sessions manually allows users to
    easily secure their accounts should they need to depart from their
    workstations temporarily.
severity: low
identifiers:
    cce: 80503-6
references:
    disa: 58
    nist: AC-6
    srg: SRG-OS-000030
    stigid: RHEL-06-000508
ocil_clause: 'GNOME screensaver locking keybindings are configured and cannot be changed'
ocil: |-
    To check the screensaver locking keybindings, run the following command:
    $ gconftool-2 -g /apps/gnome_settings_daemon/keybindings/screensaver
    If properly configured, the output should be <Control><Alt>l.

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_activation_enabled.rule
documentation_complete: true
title: 'GNOME Desktop Screensaver Mandatory Use'
description: |-
    Run the following command to activate the screensaver in the GNOME desktop
    after a period of inactivity:
    $ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type bool \
      --set /apps/gnome-screensaver/idle_activation_enabled true
rationale: |-
    Enabling idle activation of the screensaver ensures the screensaver will be
    activated after the idle delay. Applications requiring continuous, real-time
    screen display (such as network management products) require the login
    session does not have administrator rights and the display station is
    located in a controlled-access area.
severity: medium
identifiers:
    cce: 26600-7
references:
    disa: 57
    nist: AC-11(a)
    pcidss: Req-8.1.8
    srg: SRG-OS-000029
    stigid: RHEL-06-000258
ocil_clause: 'it is not'
ocil: |-
    To check the screensaver mandatory use status, run the following command:
    $ gconftool-2 -g /apps/gnome-screensaver/idle_activation_enabled
    If properly configured, the output should be true.

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay.rule
documentation_complete: true
title: 'Set GNOME Login Inactivity Timeout'
description: |-
    Run the following command to set the idle time-out value for inactivity in
    the GNOME desktop to minutes:
    $ sudo gconftool-2 \
      --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type int \
      --set /desktop/gnome/session/idle_delay 
rationale: |-
    Setting the idle delay controls when the screensaver will start, and can be
    combined with screen locking to prevent access from passersby.
severity: medium
identifiers:
    cce: 26828-4
references:
    disa: 57
    nist: AC-11(a)
    pcidss: Req-8.1.8
    srg: SRG-OS-000029
    stigid: RHEL-06-000257
ocil_clause: 'it is not'
ocil: |-
    To check the current idle time-out value, run the following command:
    $ gconftool-2 -g /desktop/gnome/session/idle_delay
    If properly configured, the output should be .

# scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_lock_enabled.rule
documentation_complete: true
title: 'Enable Screen Lock Activation After Idle Period'
description: |-
    Run the following command to activate locking of the screensaver in the
    GNOME desktop when it is activated:
$ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type bool \
      --set /apps/gnome-screensaver/lock_enabled true
rationale: |- Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby. severity: medium identifiers: cce: 26235-2 references: disa: 57 nist: AC-11(a) pcidss: Req-8.1.8 srg: SRG-OS-000029 stigid: RHEL-06-000259 ocil_clause: 'it is not' ocil: |- To check the status of the idle screen lock activation, run the following command:
$ gconftool-2 -g /apps/gnome-screensaver/lock_enabled
If properly configured, the output should be true. gconf_gnome_screensaver_max_idle_action.rule000066400000000000000000000016671327242345500411570ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true title: 'Set GNOME Login Maximum Allowed Inactivity Action' description: |- Run the following command to set force logout an inactive user when the maximum allowed inactivity period has expired:
$ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type string \
      --set /desktop/gnome/session/max_idle_action "forced-logout"
rationale: |- Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session and will also free up resources utilized by an idle session. severity: medium ocil_clause: 'it is not' ocil: |- To check the current idle time-out value, run the following command:
$ gconftool-2 -g /desktop/gnome/session/max_idle_action
If properly configured, the output should be forced-logout. gconf_gnome_screensaver_max_idle_time.rule000066400000000000000000000020211327242345500406210ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true title: 'Set GNOME Login Maximum Allowed Inactivity' description: |- Run the following command to set the maximum allowed period of inactivity for an inactive user in the GNOME desktop to minutes:
$ sudo gconftool-2 \
      --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type int \
      --set /desktop/gnome/session/max_idle_time 
rationale: |- Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session and will also free up resources utilized by an idle session. severity: medium ocil_clause: 'it is not' ocil: |- To check the current idle time-out value, run the following command:
$ gconftool-2 -g /desktop/gnome/session/max_idle_time
If properly configured, the output should be . gconf_gnome_screensaver_mode_blank.rule000066400000000000000000000016161327242345500401250ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true title: 'Implement Blank Screensaver' description: |- Run the following command to set the screensaver mode in the GNOME desktop to a blank screen:
$ sudo gconftool-2 --direct \
      --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
      --type string \
      --set /apps/gnome-screensaver/mode blank-only
rationale: |- Setting the screensaver mode to blank-only conceals the contents of the display from passersby. severity: unknown identifiers: cce: 26638-7 references: disa: 60 nist: AC-11(b) pcidss: Req-8.1.8 srg: SRG-OS-000031 stigid: RHEL-06-000260 ocil_clause: 'it is not' ocil: |- To ensure the screensaver is configured to be blank, run the following command:
$ gconftool-2 -g /apps/gnome-screensaver/mode
If properly configured, the output should be blank-only gnome_screen_locking.group000066400000000000000000000030161327242345500354240ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true title: 'Configure GNOME Screen Locking' description: |- In the default GNOME desktop, the screen can be locked by choosing Lock Screen from the System menu.

The gconftool-2 program can be used to enforce mandatory screen locking settings for the default GNOME environment. The following sections detail commands to enforce idle activation of the screensaver, screen locking, a blank-screen screensaver, and an idle activation time.
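The rules in this section each set one key with gconftool-2 and then check it by reading the key back with gconftool-2 -g. That read returns whatever value is in effect for the account running the check, so it cannot tell a mandatory site setting from root's own ~/.gconf preference. The script below is an added example and not part of the SCAP Security Guide content: it reads each screen-locking key straight from the mandatory source (gconftool-2 --direct --config-source xml:readonly:...), compares it with the value the rules here require, and counts mismatches. The two 15-minute values are assumed site settings (the guide supplies the real ones through the inactivity timeout variable below), and the GCONF_GET hook exists only so the audit logic can be exercised on a host without GNOME.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: audit the GNOME 2 screen-locking
# keys this section makes mandatory, reading the mandatory source directly so a
# user's own preference cannot mask a missing site setting.
# Keys and expected values come from the rules in this section; the two
# 15-minute values are assumed site settings, not values from the guide.

GCONF_MANDATORY=${GCONF_MANDATORY:-/etc/gconf/gconf.xml.mandatory}
# Hook for exercising the audit on a host without GNOME: any command that
# prints a key's value when given the key as its only argument.
GCONF_GET=${GCONF_GET:-gconf_get_mandatory}

# gconf_get_mandatory KEY: print KEY's value from the mandatory source only.
gconf_get_mandatory() {
    gconftool-2 --direct --config-source "xml:readonly:$GCONF_MANDATORY" \
        -g "$1" 2>/dev/null
}

# "key expected" pairs; idle_delay and max_idle_time are in minutes,
# as the rules in this section state.
EXPECTED_KEYS='
/apps/gnome-screensaver/idle_activation_enabled true
/apps/gnome-screensaver/lock_enabled true
/apps/gnome-screensaver/mode blank-only
/desktop/gnome/session/idle_delay 15
/desktop/gnome/session/max_idle_time 15
/desktop/gnome/session/max_idle_action forced-logout
'

# audit_gconf_keys: print PASS/FAIL per key; return the number of failures.
audit_gconf_keys() {
    failures=0
    while read -r key expected; do
        [ -n "$key" ] || continue
        actual=$("$GCONF_GET" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "PASS $key = $actual"
        else
            echo "FAIL $key expected '$expected' got '${actual:-<unset>}'"
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED_KEYS
EOF
    return "$failures"
}

# Run the audit when executed as audit_gconf.sh (assumed file name); when the
# file is sourced, call audit_gconf_keys yourself.
if [ "${0##*/}" = "audit_gconf.sh" ]; then
    audit_gconf_keys
fi
```

Run it as root on the desktop host (the mandatory source is root-readable only); a non-zero exit status is the number of keys that do not match, which makes the script usable directly from a cron or configuration-management check.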

    Because users should be trained to lock the screen when they step away
    from the computer, the automatic locking feature is only meant as a
    backup. The Lock Screen icon from the System menu can also be dragged to
    the taskbar in order to facilitate even more convenient screen-locking.

    The root account cannot be screen-locked, but this should have no
    practical effect as the root account should never be used to log into an
    X Windows environment, and should only be used for direct login via
    console in emergency circumstances.

    For more information about configuring GNOME screensaver, see . For more
    information about enforcing preferences in the GNOME environment using
    the GConf configuration system, see and the man page gconftool-2(1).

scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_screen_locking/inactivity_timeout_value.var
documentation_complete: true

title: 'Inactivity timeout'

description: 'Choose allowed duration of inactive SSH connections, shells, and X sessions'

type: number

operator: equals

interactive: false

options:
    10_minutes: 600
    15_minutes: 900
    30_minutes: 1800
    5_minutes: 300
    default: 900

scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_system_settings/gconf_gnome_disable_clock_temperature.rule
documentation_complete: true

title: 'Disable the GNOME Clock Temperature Feature'

description: |-
    Run the following command to disable the temperature display of the
    GNOME panel clock applet:
        $ sudo gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type bool \
          --set /apps/panel/applets/clock/prefs/show_temperature false

rationale: |-
    Disabling the temperature feature in the GNOME clock prevents the system
    from connecting to the internet and disclosing the system location when
    set by a user.

severity: medium

ocil_clause: 'it is not'

ocil: |-
    To check the status of the clock temperature feature, run the following command:
        $ gconftool-2 -g /apps/panel/applets/clock/prefs/show_temperature
    If properly configured, the output should be false.

scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_system_settings/gconf_gnome_disable_clock_weather.rule
documentation_complete: true

title: 'Disable the GNOME Clock Weather Feature'

description: |-
    Run the following command to disable the weather display of the GNOME
    panel clock applet:
        $ sudo gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type bool \
          --set /apps/panel/applets/clock/prefs/show_weather false

rationale: |-
    Disabling the weather feature in the GNOME clock prevents the system
    from connecting to the internet and disclosing the system location when
    set by a user.

severity: medium

ocil_clause: 'it is not'

ocil: |-
    To check the status of the clock weather feature, run the following command:
        $ gconftool-2 -g /apps/panel/applets/clock/prefs/show_weather
    If properly configured, the output should be false.

scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_system_settings/gconf_gnome_disable_ctrlaltdel_reboot.rule
documentation_complete: true

title: 'Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME'

description: |-
    By default, GNOME will reboot the system if the Ctrl-Alt-Del key
    sequence is pressed.
    To configure the system to ignore the Ctrl-Alt-Del key sequence from the
    Graphical User Interface (GUI) instead of rebooting the system, run the
    following:
        $ sudo gconftool-2 --direct \
          --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
          --type string \
          --set /apps/gnome_settings_daemon/keybindings/power ""

rationale: |-
    A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
    can reboot the system. If accidentally pressed, as could happen in the
    case of a mixed OS environment, this can create the risk of short-term
    loss of availability of systems due to unintentional reboot.

severity: high

references:
    disa: 366
    nist: AC-6
    stigid: ""

ocil_clause: 'GNOME is configured to reboot when Ctrl-Alt-Del is pressed'

ocil: |-
    To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, run the following command:
        $ gconftool-2 -g /apps/gnome_settings_daemon/keybindings/power
    The output should return nothing.

scap-security-guide-0.1.39/rhel6/guide/system/software/gnome/gnome_system_settings/gnome_system_settings.group
documentation_complete: true

title: 'GNOME System Settings'

description: |-
    GNOME provides configuration and functionality to a graphical desktop
    environment that changes graphical configurations or allows a user to
    perform actions that users normally would not be able to do in
    non-graphical mode, such as remote access configuration, power policies,
    geo-location, etc. Configuring such settings in GNOME will prevent
    accidental graphical configuration changes by users from taking place.

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/additional_security_software/additional_security_software.group
documentation_complete: true

title: 'Additional Security Software'

description: |-
    Additional security software that is not provided or supported by Red
    Hat can be installed to provide complementary or duplicative security
    capabilities to those provided by the base platform. Add-on software may
    not be appropriate for some specialized systems.

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/additional_security_software/configure_user_data_backups.rule
documentation_complete: true

title: 'Configure Backups of User Data'

description: |-
    The operating system must conduct backups of user data contained in the
    operating system.
    The operating system provides utilities for automating backups of user
    data. Commercial and open-source products are also available.

rationale: |-
    Operating system backup is a critical step in maintaining data assurance
    and availability. User-level information is data generated by
    information system and/or application users. Backups shall be consistent
    with organizational recovery time and recovery point objectives.

severity: medium

identifiers:
    cce: 80511-9

references:
    disa: 535
    nist: ""
    srg: SRG-OS-000099
    stigid: RHEL-06-000504

ocil_clause: 'it is not'

ocil: 'Verify that the system backs up user data.'

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/additional_security_software/install_antivirus.rule
documentation_complete: true

title: 'Install Virus Scanning Software'

description: |-
    Install virus scanning software, which uses signatures to search for the
    presence of viruses on the filesystem.
    The McAfee VirusScan Enterprise for Linux virus scanning tool is provided
    for DoD systems.
    Ensure virus definition files are no older than 7 days, or their last
    release.

    Configure the virus scanning software to perform scans dynamically on all
    accessed files. If this is not possible, configure the system to scan all
    altered files on the system on a daily basis. If the system processes
    inbound SMTP mail, configure the virus scanner to scan all received mail.

rationale: |-
    Virus scanning software can be used to detect if a system has been
    compromised by computer viruses, as well as to limit their spread to
    other systems.

severity: unknown

identifiers:
    cce: 27529-7

references:
    disa: 1239,1668
    nist: 'SC-28, SI-3'
    srg: SRG-OS-000270
    stigid: RHEL-06-000284

ocil_clause: 'virus scanning software does not run continuously, or at least daily, or has signatures that are out of date'

ocil: |-
    Inspect the system for a cron job or system service which executes a
    virus scanning tool regularly.
    To verify the McAfee VSEL system service is operational, run the following command:
        $ sudo /sbin/service nails status

    To check on the age of uvscan virus definition files, run the following
    command (cd is a shell builtin, so it cannot be run through sudo; list
    the files by full path instead):
        $ sudo ls -la /opt/NAI/LinuxShield/engine/dat/avvscan.dat \
                      /opt/NAI/LinuxShield/engine/dat/avvnames.dat \
                      /opt/NAI/LinuxShield/engine/dat/avvclean.dat

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/additional_security_software/install_hids.rule
documentation_complete: true

title: 'Install Intrusion Detection Software'

description: |-
    The base Red Hat platform already includes a sophisticated auditing
    system that can detect intruder activity, as well as SELinux, which
    provides host-based intrusion prevention capabilities by confining
    privileged programs and user sessions which may become compromised.
    In DoD environments, supplemental intrusion detection tools, such as the
    McAfee Host-based Security System, are available to integrate with
    existing infrastructure. When these supplemental tools interfere with
    the proper functioning of SELinux, SELinux takes precedence.

rationale: |-
    Host-based intrusion detection tools provide a system-level defense when
    an intruder gains access to a system or network.

severity: medium

identifiers:
    cce: 27409-2

references:
    disa: 1263
    nist: SC-7
    pcidss: Req-11.4
    srg: SRG-OS-000196
    stigid: RHEL-06-000285

ocil_clause: 'no host-based intrusion detection tools are installed'

ocil: |-
    Inspect the system to determine if intrusion detection software has been
    installed.
    Verify this intrusion detection software is active.

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/aide/aide.group
documentation_complete: true

title: 'Verify Integrity with AIDE'

description: |-
    AIDE conducts integrity checks by comparing information about files with
    previously-gathered information. Ideally, the AIDE database is created
    immediately after initial system configuration, and then again after any
    software update. AIDE is highly configurable, with further configuration
    information located in /usr/share/doc/aide-VERSION.

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/aide/aide_build_database.rule
documentation_complete: true

title: 'Build and Test AIDE Database'

description: |-
    Run the following command to generate a new database:
        $ sudo /usr/sbin/aide --init
    By default, the database will be written to the file
    /var/lib/aide/aide.db.new.gz. Storing the database, the configuration
    file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these
    files) in a secure location (such as on read-only media) provides
    additional assurance about their integrity. The newly-generated database
    can be installed as follows:
        $ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    To initiate a manual check, run the following command:
        $ sudo /usr/sbin/aide --check
    If this check produces any unexpected output, investigate.

rationale: |-
    For AIDE to be effective, an initial database of "known-good"
    information about files must be captured, and it must be possible to
    verify the installed files against it.

severity: medium

identifiers:
    cce: 27135-3

references:
    disa: 374,416,1069,1263,1297,1589
    nist: CM-3(d),CM-3(e),CM-6(d),SC-28,SI-7
    pcidss: Req-11.5
    srg: SRG-OS-000232
    stigid: RHEL-06-000018

ocil_clause: 'there is no database file'

ocil: |-
    To verify that the AIDE database file exists, run the following command,
    where DBDIR and database_file_name are taken from the database directive
    in /etc/aide.conf:
        $ sudo ls -l DBDIR/database_file_name

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/aide/aide_periodic_cron_checking.rule
documentation_complete: true

title: 'Configure Periodic Execution of AIDE'

description: |-
    To implement a daily execution of AIDE at 4:05am using cron, add the
    following line to /etc/crontab:
        05 4 * * * root /usr/sbin/aide --check
    AIDE can be executed periodically through other means; this is merely
    one example.

rationale: |-
    By default, AIDE does not install itself for periodic execution.
    Periodically running AIDE is necessary to reveal unexpected changes in
    installed files.

severity: medium

identifiers:
    cce: 27222-9

references:
    disa: 374,416,1069,1263,1297,1589
    nist: CM-3(d),CM-3(e),CM-6(d),SC-28,SI-7
    pcidss: Req-11.5
    srg: SRG-OS-000202,SRG-OS-000094,SRG-OS-000098,SRG-OS-000232,SRG-OS-000196,SRG-OS-000265
    stigid: RHEL-06-000306

ocil_clause: 'there is no output'

ocil: |-
    To determine that periodic AIDE execution has been scheduled, run the following command:
        $ grep aide /etc/crontab
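The two AIDE checks above grep for the word "aide" in /etc/crontab (which also matches a commented-out entry) and refer to DBDIR/database_file_name without saying where those come from. The script below is an added example, not SCAP Security Guide code: it resolves the database paths from the database= and database_out= directives in aide.conf (the @@define DBDIR macro and file: URL form are the conventions of the aide.conf shipped with RHEL 6), confirms the installed database exists, and accepts a crontab entry only if it is an uncommented line with five schedule fields, a user field and an aide --check (or -C) invocation. The aide.conf and crontab it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: locate the AIDE database from
# aide.conf and check the cron schedule, rather than grepping for "aide".
# Assumes the RHEL 6 aide.conf conventions: "@@define DBDIR /var/lib/aide"
# and "database=file:@@{DBDIR}/aide.db.gz".

# aide_db_path CONF [database|database_out]: print the resolved path of the
# directive (default "database"), expanding @@{DBDIR} and dropping "file:".
aide_db_path() {
    conf=$1
    directive=${2:-database}
    dbdir=$(sed -n 's/^@@define[[:space:]][[:space:]]*DBDIR[[:space:]][[:space:]]*//p' "$conf" | tail -n 1)
    value=$(sed -n "s/^${directive}=//p" "$conf" | tail -n 1)
    [ -n "$value" ] || return 1            # directive absent: nothing to check
    value=${value#file:}
    case $value in
        *@@{DBDIR}*) value=$(printf '%s\n' "$value" | sed "s|@@{DBDIR}|$dbdir|g") ;;
    esac
    printf '%s\n' "$value"
}

# aide_cron_ok CRONTAB: succeed if an uncommented /etc/crontab-style line
# (five schedule fields, then a user) runs "aide --check" or "aide -C".
aide_cron_ok() {
    grep -Eq '^[[:space:]]*([-0-9*,/]+[[:space:]]+){5}[A-Za-z_][-A-Za-z0-9_]*[[:space:]]+(/usr/sbin/)?aide[[:space:]]+(--check|-C)([[:space:]]|$)' "$1"
}

# aide_status CONF CRONTAB: report whether the installed database exists and
# whether a check is scheduled; return 0 only if both hold.
aide_status() {
    db=$(aide_db_path "$1") || { echo "no database= directive in $1"; return 1; }
    ok=0
    if [ -f "$db" ]; then echo "database present: $db"; else echo "database missing: $db"; ok=1; fi
    if aide_cron_ok "$2"; then echo "periodic check scheduled in $2"; else echo "no periodic check in $2"; ok=1; fi
    return $ok
}

# --- constructed sample files so the functions can be exercised offline ---
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/lib"
cat > "$SAMPLE/aide.conf" <<EOF
# constructed excerpt of /etc/aide.conf
@@define DBDIR $SAMPLE/lib
database=file:@@{DBDIR}/aide.db.gz
database_out=file:@@{DBDIR}/aide.db.new.gz
EOF
cat > "$SAMPLE/crontab" <<'EOF'
# constructed /etc/crontab
SHELL=/bin/bash
# 05 4 * * * root /usr/sbin/aide --check     <- commented out, must not count
05 4 * * * root /usr/sbin/aide --check
EOF
: > "$SAMPLE/lib/aide.db.gz"     # stands in for the installed database
aide_status "$SAMPLE/aide.conf" "$SAMPLE/crontab"
rm -rf "$SAMPLE"
```

On a real host call aide_status /etc/aide.conf /etc/crontab as root; entries placed in /etc/cron.d or /etc/cron.daily instead of /etc/crontab need the corresponding file passed, which is the "other means" the rule above allows for.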
scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/aide/package_aide_installed.rule
documentation_complete: true

title: 'Install AIDE'

description: |-
    Install the AIDE package with the command:
        $ sudo yum install aide

rationale: 'The AIDE package must be installed if it is to be available for integrity checking.'

severity: medium

identifiers:
    cce: 27024-9

references:
    disa: 1069
    nist: 'CM-3(d),CM-3(e),CM-6(d),SC-28, SI-7'
    pcidss: Req-11.5
    srg: SRG-OS-000232
    stigid: RHEL-06-000016

ocil_clause: 'the package is not installed'

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/certified-vendor/certified-vendor.group
documentation_complete: true

title: 'Operating System Vendor Support and Certification'

description: |-
    The assurance of a vendor to provide operating system support and
    maintenance for their product is an important criterion to ensure
    product stability and security over the life of the product. A certified
    product that follows the necessary standards and government certification
    requirements guarantees that known software vulnerabilities will be
    remediated, and proper guidance for protecting and securing the
    operating system will be given.

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/certified-vendor/installed_OS_is_certified.rule
documentation_complete: true

title: 'The Installed Operating System Is Vendor Supported and Certified'

description: |-
    The installed operating system must be maintained and certified by a
    vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the
    Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for
    providing security patches as well as meeting and maintaining government
    certifications and standards.

rationale: |-
    An operating system is considered "supported" if the vendor continues to
    provide security patches for the product as well as maintain government
    certification requirements. With an unsupported release, it will not be
    possible to resolve security issues discovered in the system software or
    to meet government certifications.

severity: high

identifiers:
    cce: RHEL6-CCE-TBD

references:
    disa: 366
    nist: SI-2(c)

ocil_clause: 'the installed operating system is not supported or certified'

ocil: |-
    To verify that the installed operating system is supported or certified, run the following command:
        $ grep -i "red hat" /etc/redhat-release
    The output should contain something similar to:
        Red Hat Enterprise Linux Server 6.3 (Santiago)

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/disable_prelink.rule
documentation_complete: true

title: 'Disable Prelinking'

description: |-
    The prelinking feature changes binaries in an attempt to decrease their
    startup time. In order to disable it, change or add the following line
    inside the file /etc/sysconfig/prelink:
        PRELINKING=no
    Next, run the following command to return binaries to a normal,
    non-prelinked state:
        $ sudo /usr/sbin/prelink -ua

rationale: |-
    Because the prelinking feature changes binaries, it can interfere with
    the operation of certain software and/or modes such as AIDE, FIPS, etc.

severity: unknown

identifiers:
    cce: 27221-1

references:
    nist: 'CM-6(d),SC-28, SI-7'
    pcidss: Req-11.5

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/fips/fips.group
documentation_complete: true

title: 'Federal Information Processing Standard (FIPS)'

description: |-
    The Federal Information Processing Standard (FIPS) is a computer security
    standard which is developed by the U.S. Government and industry working
    groups to validate the quality of cryptographic modules. The FIPS
    standard provides four security levels to ensure adequate coverage of
    different industries, implementation of cryptographic modules, and
    organizational sizes and requirements.

    FIPS 140-2 is the current standard for validating that mechanisms used
    to access cryptographic modules utilize authentication that meets
    industry and government requirements. For government systems, this
    allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise
    Linux.

    See for more information.

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/fips/grub_enable_fips_mode.rule
documentation_complete: true

title: 'Enable FIPS Mode in GRUB'

description: |-
    To ensure FIPS mode is enabled, rebuild the initramfs by running the
    following command:
        $ sudo dracut -f
    After the dracut command has been run, add the argument fips=1 to the
    default GRUB kernel line for the Linux operating system in
    /etc/grub.conf, in the manner below:
        kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet fips=1
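The rule wants fips=1 on the kernel line of the entry GRUB boots by default, but its check (grep fips /etc/grub.conf) passes as soon as any stanza in the file contains the string. The script below is an added example, not SCAP Security Guide code: it reads the default= index, walks to that title stanza, and checks that stanza's kernel line for fips=1 as a whole argument. It also reports whether a boot=<device> argument is present, because Red Hat's FIPS documentation for RHEL 6 (not this rule) requires one when /boot is a separate partition; the script reports it rather than deciding. The grub.conf it parses is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: check fips=1 on the kernel line
# of the entry GRUB actually boots, instead of anywhere in /etc/grub.conf.
# Assumes the RHEL 6 GRUB Legacy layout: "default=N" selects the Nth
# (0-based) "title" stanza, each stanza carrying one "kernel ..." line.

# grub_default_kernel GRUBCONF: print the kernel line of the default stanza.
grub_default_kernel() {
    awk '
        /^[ \t]*default=/ { sub(/.*default=/, ""); want = $0 + 0; next }
        /^[ \t]*title/    { idx++; next }
        /^[ \t]*kernel[ \t]/ && idx - 1 == want { print; exit }
    ' "$1"
}

# grub_fips_ok GRUBCONF: succeed only if the default entry boots with fips=1
# as a whole argument (fips=10 or fips=1x do not count).
grub_fips_ok() {
    grub_default_kernel "$1" | grep -Eq '(^|[[:space:]])fips=1([[:space:]]|$)'
}

# grub_fips_boot_arg GRUBCONF: print the boot=<device> argument of the default
# entry, if any. Red Hat's FIPS documentation (not this rule) requires it when
# /boot is a separate partition, so report it rather than guessing.
grub_fips_boot_arg() {
    grub_default_kernel "$1" \
        | grep -Eo '(^|[[:space:]])boot=[^[:space:]]+' | sed 's/^[[:space:]]*//'
}

# --- constructed /etc/grub.conf: the default entry lacks fips=1 while a
# second entry has it, so "grep fips /etc/grub.conf" alone would pass. ---
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
default=0
timeout=5
title Red Hat Enterprise Linux (production)
        root (hd0,0)
        kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initramfs-version.img
title Red Hat Enterprise Linux (FIPS test)
        root (hd0,0)
        kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00 rhgb quiet fips=1 boot=/dev/sda1
        initrd /initramfs-version.img
EOF
if grub_fips_ok "$SAMPLE"; then
    echo "default entry boots with fips=1 (boot argument: $(grub_fips_boot_arg "$SAMPLE"))"
else
    echo "default entry does NOT boot with fips=1"
fi
rm -f "$SAMPLE"
```

On a host, run grub_fips_ok /etc/grub.conf as root and pair it with a runtime check of /proc/sys/crypto/fips_enabled after reboot; a passing grub.conf says nothing about the currently running kernel.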
rationale: |-
    Use of weak or untested encryption algorithms undermines the purposes of
    utilizing encryption to protect data. The operating system must
    implement cryptographic modules adhering to the higher standards approved
    by the federal government since this provides assurance they have been
    tested and validated.

severity: medium

identifiers:
    cce: RHEL6-CCE-TBD

references:
    disa: 68,2450
    nist: AC-17(2)

ocil_clause: 'FIPS is not configured or enabled in grub'

ocil: |-
    To verify that FIPS is enabled properly in grub, run the following command:
        $ grep fips /etc/grub.conf
    The output should contain fips=1 on the kernel line of the default entry.

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/fips/package_dracut-fips_installed.rule
documentation_complete: true

title: 'Install the dracut-fips Package'

description: |-
    To enable FIPS, the system requires that the dracut-fips package be
    installed.

rationale: |-
    Use of weak or untested encryption algorithms undermines the purposes of
    utilizing encryption to protect data. The operating system must
    implement cryptographic modules adhering to the higher standards approved
    by the federal government since this provides assurance they have been
    tested and validated.

severity: medium

identifiers:
    cce: RHEL6-CCE-TBD

references:
    disa: 68,2450
    nist: AC-17(2)

ocil_clause: 'the package is not installed'

ocil: ''

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/integrity.group
documentation_complete: true

title: 'Software Integrity Checking'

description: |-
    Both the AIDE (Advanced Intrusion Detection Environment) software and the
    RPM package management system provide mechanisms for verifying the
    integrity of installed software. AIDE uses snapshots of file metadata
    (such as hashes) and compares these to current system files in order to
    detect changes. The RPM package management system can conduct integrity
    checks by comparing information in its metadata database with files
    installed on the system.

    Integrity checking cannot prevent intrusions, but can detect that they
    have occurred. Requirements for software integrity checking may be highly
    dependent on the environment in which the system will be used.
    Snapshot-based approaches such as AIDE may induce considerable overhead
    in the presence of frequent software updates.

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/rpm_verification/rpm_verification.group
documentation_complete: true

title: 'Verify Integrity with RPM'

description: |-
    The RPM package management system includes the ability to verify the
    integrity of installed packages by comparing the installed files with
    information about the files taken from the package metadata stored in
    the RPM database. Although an attacker could corrupt the RPM database
    (analogous to attacking the AIDE database as described above), this
    check can still reveal modification of important files. To list which
    files on the system differ from what is expected by the RPM database:
        $ rpm -qVa
    See the man page for rpm to see a complete explanation of each column.

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/rpm_verification/rpm_verify_hashes.rule
documentation_complete: true

title: 'Verify File Hashes with RPM'

description: |-
    The RPM package management system can check the hashes of installed
    software packages, including many that are important to system security.
    Run the following command to list which files on the system have hashes
    that differ from what is expected by the RPM database:
        $ rpm -Va | grep '^..5'
    A "c" in the second column indicates that a file is a configuration
    file, which may appropriately be expected to change. If the file was not
    expected to change, investigate the cause of the change using audit logs
    or other means. The package can then be reinstalled to restore the file.
    Run the following command to determine which package owns the file:
        $ rpm -qf FILENAME
    The package can be reinstalled from a yum repository using the command:
        $ sudo yum reinstall PACKAGENAME
    Alternatively, the package can be reinstalled from trusted media using
    the command:
        $ sudo rpm -Uvh PACKAGENAME

rationale: |-
    The hashes of important files like system executables should match the
    information given by the RPM database. Executables with erroneous hashes
    could be a sign of nefarious activity on the system.

severity: unknown

identifiers:
    cce: 27223-7

references:
    disa: 1496
    nist: CM-6(d),SI-7
    pcidss: Req-11.5
    srg: SRG-OS-999999,SRG-OS-000278
    stigid: RHEL-06-000519

ocil_clause: 'there is output'

ocil: |-
    The following command will list which files on the system have file
    hashes different from what is expected by the RPM database, excluding
    configuration files:
        $ rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/rpm_verification/rpm_verify_ownership.rule
documentation_complete: true

title: 'Verify and Correct Ownership with RPM'

description: |-
    The RPM package management system can check the file ownership of
    installed software packages, including many that are important to
    system security. After locating a file with incorrect ownership, which
    can be found with
        $ rpm -Va | grep "^.....\(U\|.G\)"
    run the following command to determine which package owns it:
        $ rpm -qf FILENAME
    Next, run the following command to reset its user and group ownership
    to the correct values:
        $ sudo rpm --setugids PACKAGENAME

rationale: |-
    Ownership of binaries and configuration files that is incorrect could
    allow an unauthorized user to gain privileges that they should not have.
    The ownership set by the vendor should be maintained. Any deviations
    from this baseline should be investigated.

severity: unknown

identifiers:
    cce: 80499-7

references:
    disa: 1494
    nist: AC-6,CM-6(d),SI-7
    srg: SRG-OS-000257,SRG-OS-000258
    stigid: RHEL-06-000279

ocil_clause: 'there is output'

ocil: |-
    The following command will list which files on the system have ownership
    different from what is expected by the RPM database:
        $ rpm -Va | grep "^.....\(U\|.G\)"

scap-security-guide-0.1.39/rhel6/guide/system/software/integrity/rpm_verification/rpm_verify_permissions.rule
documentation_complete: true

title: 'Verify and Correct File Permissions with RPM'

description: |-
    The RPM package management system can check file access permissions of
    installed software packages, including many that are important to
    system security. After locating a file with incorrect permissions, which
    can be found with
        $ rpm -Va | grep '^.M'
    run the following command to determine which package owns it:
        $ rpm -qf FILENAME
    Next, run the following command to reset its permissions to the correct
    values:
        $ sudo rpm --setperms PACKAGENAME

rationale: |-
    Permissions on system binaries and configuration files that are too
    generous could allow an unauthorized user to gain privileges that they
    should not have. The permissions set by the vendor should be maintained.
    Any deviations from this baseline should be investigated.

severity: unknown

identifiers:
    cce: 26731-0

references:
    disa: 1493,1494,1495
    nist: AC-6,CM-6(d),SI-7
    pcidss: Req-11.5
    srg: SRG-OS-999999,SRG-OS-000256
    stigid: RHEL-06-000518

ocil_clause: 'there is output'

ocil: |-
    The following command will list which files on the system have
    permissions different from what is expected by the RPM database:
        $ rpm -Va | grep '^.M'
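The three RPM verification rules above each filter rpm -Va with a different grep on its nine-character attribute string (S M 5 D L U G T P in the rpm shipped with RHEL 6: size, mode, digest, device, link, user, group, mtime, capabilities). The script below is an added example, not SCAP Security Guide code: it parses rpm -Va output once and sorts every line into the hash, ownership and mode findings those rules describe, excluding configuration files from the hash class exactly as the awk check in the hashes rule does, while also coping with paths that contain spaces and with "missing" lines. It then maps each finding to the repair step the rules give (--setperms, --setugids, yum reinstall). The rpm -Va output it parses is constructed for the demonstration, not taken from a real host, and rpm_fix_from_report calls rpm, so it is shown but not run on the sample.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: classify "rpm -Va" output into
# the findings the three rules above grep for, in one pass.
# Verify-line layout (rpm 4.8 on RHEL 6): a nine-character attribute string
# "SM5DLUGTP" (a "." where the attribute matches), an optional file-type flag
# (c config, d doc, g ghost, l license, r readme), then the path. Files that
# are absent are printed as "missing ... path".

# rpm_verify_classify: read rpm -Va output on stdin, print "<class>\t<path>":
#   hash    digest differs (column 3), configuration files excluded
#   owner   user (column 6) or group (column 7) differs
#   mode    permissions differ (column 2)
#   missing file no longer present
# One path may appear under more than one class.
rpm_verify_classify() {
    awk '
        {
            rest = $0
            if (!sub(/^[^ ]+ +/, "", rest)) next      # no path on this line
            type = ""
            if (match(rest, /^[cdglr] /)) { type = substr(rest, 1, 1); rest = substr(rest, 3) }
            path = rest                               # may contain spaces
            if ($1 == "missing") { print "missing\t" path; next }
            if (length($1) != 9) next                 # not a verify line
            if (substr($1, 3, 1) == "5" && type != "c") print "hash\t" path
            if (substr($1, 6, 1) == "U" || substr($1, 7, 1) == "G") print "owner\t" path
            if (substr($1, 2, 1) == "M") print "mode\t" path
        }
    '
}

# rpm_verify_count CLASS: number of CLASS findings in rpm -Va output on stdin.
rpm_verify_count() {
    rpm_verify_classify | awk -F'\t' -v class="$1" '$1 == class { n++ } END { print n + 0 }'
}

# rpm_fix_from_report: read classified lines on stdin and print the repair
# command for each (the --setperms/--setugids/reinstall steps above); apply
# the ownership and permission resets only when APPLY=1. Calls rpm, so it is
# not exercised by the constructed sample below.
rpm_fix_from_report() {
    tab=$(printf '\t')
    while IFS="$tab" read -r class path; do
        pkg=$(rpm -qf --qf '%{NAME}\n' "$path" 2>/dev/null) || { echo "not owned by any package: $path"; continue; }
        case $class in
            mode)    echo "rpm --setperms $pkg    # $path"
                     if [ "${APPLY:-0}" = 1 ]; then rpm --setperms "$pkg"; fi ;;
            owner)   echo "rpm --setugids $pkg    # $path"
                     if [ "${APPLY:-0}" = 1 ]; then rpm --setugids "$pkg"; fi ;;
            hash)    echo "investigate, then: yum reinstall $pkg    # $path" ;;
            missing) echo "reinstall: yum reinstall $pkg    # $path" ;;
        esac
    done
}

# Constructed rpm -Va output (not from a real host) exercising each case.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
..5......    /usr/bin/sudo
.M.......    /usr/bin/passwd
.....UG..    /usr/sbin/useradd
.M...U...    /usr/bin/chage
.......T.  d /usr/share/doc/bash-4.1.2/COPYING
missing     /usr/share/man/man1/sudo.1.gz
..5....T.    /usr/share/doc/pkg/a file with spaces'

printf '%s\n' "$SAMPLE_RPM_VA" | rpm_verify_classify | sort
```

On a host the pipeline is rpm -Va | rpm_verify_classify | rpm_fix_from_report, run as root; leave APPLY unset for a dry run. Note that --setperms and --setugids reset every file of the package, not only the one reported, which is the behaviour of the commands the rules prescribe.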
scap-security-guide-0.1.39/rhel6/guide/system/software/software.group
documentation_complete: true

title: 'Installing and Maintaining Software'

description: |-
    The following sections contain information on security-relevant choices
    during the initial operating system installation process and the setup
    of software updates.

scap-security-guide-0.1.39/rhel6/guide/system/software/sudo/sudo.group
documentation_complete: true

title: Sudo

description: |-
    Sudo, which stands for "su 'do'", provides the ability to delegate
    authority to certain users, groups of users, or system administrators.
    When configured for system users and/or groups, Sudo can allow a user or
    group to execute privileged commands that normally only root is allowed
    to execute.

    For more information on Sudo and additional Sudo configuration options,
    see

scap-security-guide-0.1.39/rhel6/guide/system/software/sudo/sudo_require_authentication.rule
documentation_complete: true

title: 'Ensure Users Re-Authenticate for Privilege Escalation - sudo'

description: |-
    The sudo NOPASSWD tag and the !authenticate option, when specified, allow
    a user to execute commands using sudo without having to authenticate.
    This should be disabled by making sure that NOPASSWD and/or
    !authenticate do not exist in the /etc/sudoers configuration file or in
    any sudo configuration snippets in /etc/sudoers.d/.

rationale: |-
    Without re-authentication, users may access resources or perform tasks
    for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. severity: medium identifiers: cce: 80506-9 references: disa: 2038 nist: IA-11 srg: SRG-OS-000373 stigid: RHEL-06-000529 ocil_clause: 'nopasswd and/or !authenticate is enabled in sudo' ocil: |- To determine if NOPASSWD or !authenticate have been configured for sudo, run the following command:
$ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/
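Added example, not the rule's own check and not SSG code: the `grep -ri` above is a plain text match, so a commented-out line such as `# deploy ALL=(ALL) NOPASSWD: ALL` is reported as a finding. The POSIX shell function below strips comments before matching, reports file and line for each effective NOPASSWD or !authenticate entry, and exits non-zero when anything is found. It runs against a constructed set of sudoers files written to a temporary directory (not copied from any real host). It scans only the paths you pass it; a complete audit must also follow `#include` and `#includedir` directives that point outside /etc/sudoers and /etc/sudoers.d/.

```shell
#!/bin/sh
# Added example, not SSG content: find every effective sudoers line that grants
# passwordless privilege escalation, ignoring comments.

# Write a constructed set of sudoers files into a temp dir and print its path.
make_sample_sudoers() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sudoers.d"
    cat > "$dir/sudoers" <<'EOF'
Defaults    requiretty
root    ALL=(ALL)       ALL
# deploy ALL=(ALL) NOPASSWD: ALL   (commented out: must not be reported)
#includedir /etc/sudoers.d
EOF
    cat > "$dir/sudoers.d/backup" <<'EOF'
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
    cat > "$dir/sudoers.d/ops" <<'EOF'
Defaults:ops !authenticate
EOF
    echo "$dir"
}

# Print "file:line: text" for each non-comment line containing NOPASSWD or
# !authenticate (case-insensitive). Exit 1 if anything was found, else 0.
find_passwordless_sudo() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)          # drop comments and commented-out entries
            if (tolower(line) ~ /nopasswd|!authenticate/) {
                print FILENAME ":" FNR ": " $0
                hit = 1
            }
        }
        END { exit hit ? 1 : 0 }
    ' "$@"
}

# Demo on the sample. On a real host:
#   find_passwordless_sudo /etc/sudoers /etc/sudoers.d/*
sample=$(make_sample_sudoers)
if find_passwordless_sudo "$sample/sudoers" "$sample"/sudoers.d/*; then
    echo "PASS: no passwordless sudo configured"
else
    echo "FAIL: passwordless sudo found (see lines above)"
fi
rm -rf "$sample"
```

Against the sample the function reports the `backup` and `ops` entries and exits 1, while the commented-out `deploy` line in the main file is not reported; on a compliant host it prints nothing and exits 0.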
    The command should return no output.

File: scap-security-guide-0.1.39/rhel6/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule

documentation_complete: true

title: 'Ensure gpgcheck Enabled In Main Yum Configuration'

description: |-
    The gpgcheck option controls whether
    RPM packages' signatures are always checked prior to installation.
    To configure yum to check package signatures before installing
    them, ensure the following line appears in /etc/yum.conf in
    the [main] section:
    gpgcheck=1

rationale: |-
    Ensuring the validity of packages' cryptographic signatures prior to
    installation ensures the authenticity of the software and
    protects against malicious tampering.

severity: medium

identifiers:
    cce: 26709-6

references:
    disa: 352,663
    nist: SI-7,MA-1(b)
    pcidss: Req-6.2
    srg: SRG-OS-000103
    stigid: RHEL-06-000013

ocil_clause: 'GPG checking is not enabled'

ocil: |-
    To determine whether yum is configured to use gpgcheck,
    inspect /etc/yum.conf and ensure the following appears in the
    [main] section:
    gpgcheck=1
    A value of 1 indicates that gpgcheck is enabled. Absence of a
    gpgcheck line or a setting of 0 indicates that it is disabled.

File: scap-security-guide-0.1.39/rhel6/guide/system/software/updating/ensure_gpgcheck_never_disabled.rule

documentation_complete: true

title: 'Ensure gpgcheck Enabled For All Yum Package Repositories'

description: |-
    To ensure signature checking is not disabled for any repos, remove any lines from
    files in /etc/yum.repos.d of the form:
    gpgcheck=0
    yum also accepts whitespace around the equals sign (for example
    gpgcheck = 0), so check for that form as well.

rationale: |-
    Ensuring all packages' cryptographic signatures are valid prior to
    installation ensures the authenticity of the software and
    protects against malicious tampering.

severity: low

identifiers:
    cce: 26647-8

references:
    disa: 352,663
    nist: SI-7,MA-1(b)
    pcidss: Req-6.2
    srg: SRG-OS-000103
    stigid: RHEL-06-000015

ocil_clause: 'GPG checking is disabled'

ocil: |-
    To determine whether yum has been configured to disable
    gpgcheck for any repos, inspect all files in
    /etc/yum.repos.d and ensure the following does not appear in any sections:
    gpgcheck=0
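Added example covering both gpgcheck rules above (not SSG code): a POSIX shell script that parses /etc/yum.conf and the .repo files section by section, reports the effective gpgcheck value of every [section], and fails if [main] does not set gpgcheck=1 or any repository section sets it to 0. Because it reads the value after the equals sign rather than matching the literal string, it also catches `gpgcheck = 0` written with spaces, which yum accepts and which a grep for `gpgcheck=0` would miss. The yum.conf and vendor.repo it parses are constructed samples written to a temporary directory, not copied from a real host.

```shell
#!/bin/sh
# Added example, not SSG content: report and check the effective gpgcheck
# setting of every [section] across yum.conf and the repo files.

# Constructed sample configuration (not copied from a real host): [main] is
# compliant, the first repo is compliant, the second disables signature checks
# using the spaced form that a literal grep for "gpgcheck=0" misses.
make_sample_yum_config() {
    dir=$(mktemp -d)
    mkdir -p "$dir/yum.repos.d"
    cat > "$dir/yum.conf" <<'EOF'
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
gpgcheck=1
plugins=1
EOF
    cat > "$dir/yum.repos.d/vendor.repo" <<'EOF'
[vendor-os]
name=Vendor OS
baseurl=http://mirror.example.internal/os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-vendor

[vendor-extras]
name=Vendor Extras
baseurl=http://mirror.example.internal/extras
gpgcheck = 0
EOF
    echo "$dir"
}

# Print "<file> <section> <value>" for each section; value is "unset" if absent.
gpgcheck_by_section() {
    awk '
        function flush() { print file, section, value }
        FNR == 1 && section != "" { flush(); section = "" }
        /^[ \t]*\[.*\][ \t]*$/ {
            if (section != "") flush()
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\][ \t]*$/, "", section)
            file = FILENAME; value = "unset"
            next
        }
        section != "" && /^[ \t]*gpgcheck[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)   # keep only what follows "="
            sub(/[ \t]*$/, "", value)
        }
        END { if (section != "") flush() }
    ' "$@"
}

# Exit 1 (printing why) if [main] lacks gpgcheck=1 or any repo sets gpgcheck=0.
check_gpgcheck() {
    gpgcheck_by_section "$@" | awk '
        $2 == "main"              { seen_main = 1 }
        $2 == "main" && $3 != "1" { print "FAIL: [main] gpgcheck is " $3 " in " $1; bad = 1 }
        $2 != "main" && $3 == "0" { print "FAIL: repo [" $2 "] sets gpgcheck=0 in " $1; bad = 1 }
        END {
            if (!seen_main) { print "FAIL: no [main] section found"; bad = 1 }
            exit bad ? 1 : 0
        }
    '
}

# Demo on the sample. On a real host:
#   check_gpgcheck /etc/yum.conf /etc/yum.repos.d/*.repo
sample=$(make_sample_yum_config)
gpgcheck_by_section "$sample/yum.conf" "$sample"/yum.repos.d/*.repo
if check_gpgcheck "$sample/yum.conf" "$sample"/yum.repos.d/*.repo; then
    echo "PASS"
else
    echo "FAIL"
fi
rm -rf "$sample"
```

On the sample, `check_gpgcheck` reports only the `vendor-extras` repository; once that line is changed to `gpgcheck=1` it exits 0.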
    A value of 0 indicates that gpgcheck has been disabled for that repo.

File: scap-security-guide-0.1.39/rhel6/guide/system/software/updating/ensure_redhat_gpgkey_installed.rule

documentation_complete: true

title: 'Ensure Red Hat GPG Key Installed'

description: |-
    To ensure the system can cryptographically verify base software
    packages come from Red Hat (and to connect to the Red Hat Network to
    receive them), the Red Hat GPG key must properly be installed.
    To install the Red Hat GPG key, run:
    $ sudo subscription-manager register
    If the system is not connected to the Internet or an RHN Satellite,
    then install the Red Hat GPG key from trusted media such as
    the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted
    in /media/cdrom, use the following command as the root user to import
    it into the keyring:
    $ sudo rpm --import /media/cdrom/RPM-GPG-KEY

rationale: |-
    The Red Hat GPG key is necessary to cryptographically verify packages
    are from Red Hat.

severity: high

identifiers:
    cce: 26506-6

references:
    disa: 351
    nist: SI-7,MA-1(b)
    pcidss: Req-6.2
    srg: SRG-OS-000090
    stigid: RHEL-06-000008

ocil_clause: 'the Red Hat GPG Key is not installed'

ocil: |-
    To ensure that the GPG key is installed, run:
    $ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
    The command should return the string below:
    gpg(Red Hat, Inc. (release key 2) <security@redhat.com>)
    The summary shows only the key's user ID, which anyone can place on a
    key; to confirm the imported key is genuinely Red Hat's, compare its
    fingerprint against the fingerprints Red Hat publishes for its signing keys.
File: scap-security-guide-0.1.39/rhel6/guide/system/software/updating/security_patches_up_to_date.rule

documentation_complete: true

title: 'Ensure Software Patches Installed'

description: |-
    If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
    or a yum server, run the following command to install updates:
    $ sudo yum update
    If the system is not configured to use one of these sources, updates (in the form of RPM packages)
    can be manually downloaded from the Red Hat Network and installed using rpm.

rationale: |-
    Installing software updates is a fundamental mitigation against
    the exploitation of publicly-known vulnerabilities.

severity: medium

identifiers:
    cce: 27635-2

references:
    disa: 1227,1233
    nist: SI-2,MA-1(b)
    pcidss: Req-6.2
    srg: SRG-OS-000191
    stigid: RHEL-06-000011

ocil_clause: 'updates are not installed'

ocil: |-
    If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
    or a yum server which provides updates, invoking the following command will
    indicate if updates are available:
    $ sudo yum check-update
    If the system is not configured to update from one of these sources,
    run the following command to list when each package was last updated:
    $ rpm -qa --last
    Compare this to the Red Hat Security Advisories (RHSA) listed at to determine
    if the system is missing applicable updates.

File: scap-security-guide-0.1.39/rhel6/guide/system/software/updating/updating.group

documentation_complete: true

title: 'Updating Software'

description: |-
    The yum command line tool is used to install and
    update software packages. The system also provides a graphical
    software update tool in the System menu, in the Administration submenu,
    called Software Update.

    Red Hat Enterprise Linux systems contain an installed software catalog called
    the RPM database, which records metadata of installed packages. Consistently using
    yum or the graphical Software Update for all software installation
    allows for insight into the current inventory of installed software on the system.

File: scap-security-guide-0.1.39/rhel6/guide/system/system.group

documentation_complete: true

title: 'System Settings'

description: 'Contains rules that check correct system settings.'

File: scap-security-guide-0.1.39/rhel6/kickstart/ssg-rhel6-pci-dss-with-gui-ks.cfg

# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 6 Server
# Version: 0.0.1
# Date: 2015-04-11
#
# Based on:
# http://fedoraproject.org/wiki/Anaconda/Kickstart
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg

# Install a fresh new system (optional)
install

# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
#
# Install from an installation tree on a remote server via FTP or HTTP:
# --url        the URL to install from
#
# Example:
#
# url --url=http://192.168.122.1/image
#
# Modify concrete URL in the above example appropriately to reflect the actual
# environment machine is to be installed in
#
# Other possible / supported installation methods:
# * install from the first CD-ROM/DVD drive on the system:
#
# cdrom
#
# * install from a directory of ISO images on a local drive:
#
# harddrive --partition=hdb2 --dir=/tmp/install-tree
#
# * install from provided NFS server:
#
# nfs --server= --dir= [--opts=]
#
# Set language to use during installation and the default language to use on the
# installed system (required)
lang en_US.UTF-8

# Set system keyboard type / layout (required)
keyboard us

# Configure network information for target system and activate network devices
# in the installer environment (optional)
# --onboot     enable device at a boot time
# --device     device to be activated and / or configured with the network command
# --bootproto  method to obtain networking configuration for device (default dhcp)
# --noipv6     disable IPv6 on this device
network --onboot yes --device eth0 --bootproto dhcp --noipv6

# Set the system's root password (required)
# Plaintext password is: server
# This hash is published together with its plaintext; replace it before deploying.
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0

# Configure firewall settings for the system (optional)
# --enabled    reject incoming connections that are not in response to outbound requests
# --ssh        allow sshd service through the firewall
firewall --enabled --ssh

# Set up the authentication options for the system (required)
# --enableshadow    enable shadowed passwords by default
# --passalgo        hash / crypt algorithm for new passwords
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512

# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing

# Set the system time zone (required)
timezone --utc America/New_York

# Specify how the bootloader should be installed (required)
# Plaintext password is: password
# This hash is published together with its plaintext; replace it before deploying.
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0

# Initialize (format) all disks (optional)
zerombr

# The following partition layout scheme assumes disk of size 20GB or larger
# Modify size of partitions appropriately to reflect actual machine's hardware
#
# Remove Linux partitions from the system prior to creating new ones (optional)
# --linux      erase all Linux partitions
# --initlabel  initialize the disk label to the default based on the underlying architecture
clearpart --linux --initlabel

# Create primary system partitions (required for installs)
part /boot --fstype=ext4 --size=512
part pv.01 --grow --size=1

# Create a Logical Volume Management (LVM) group (optional)
volgroup vg_sys --pesize=4096 pv.01

# Create particular logical volumes (optional)
logvol / --fstype=ext4 --name=lv_root --vgname=vg_sys --size=12288 --grow
# CCE-26557-9: Ensure /home Located On Separate Partition
logvol /home --fstype=ext4 --name=lv_home --vgname=vg_sys --size=1024 --fsoptions="nodev"
# CCE-26435-8: Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=ext4 --name=lv_tmp --vgname=vg_sys --size=1024 --fsoptions="nodev,noexec,nosuid"
# CCE-26639-5: Ensure /var Located On Separate Partition
logvol /var --fstype=ext4 --name=lv_var --vgname=vg_sys --size=2048 --fsoptions="nodev"
# CCE-26215-4: Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=ext4 --name=lv_var_log --vgname=vg_sys --size=1024 --fsoptions="nodev"
# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
logvol /var/log/audit --fstype=ext4 --name=lv_var_log_audit --vgname=vg_sys --size=512 --fsoptions="nodev"
logvol swap --name=lv_swap --vgname=vg_sys --size=2016

# Packages selection (%packages section is required)
%packages
@additional-devel
@base
@basic-desktop
@desktop-debugging
@dial-up
@directory-client
@mail-server
@fonts
@general-desktop
@graphical-admin-tools
@hardware-monitoring
@input-methods
@internet-browser
@java-platform
@large-systems
@legacy-unix
@legacy-x
@nfs-file-server
@network-server
@network-file-system-client
@network-tools
@performance
@perl-runtime
@print-server
@print-client
@system-management-snmp
@server-platform
@web-server
@x11

# Install git package so we can clone SCAP Security Guide repository below
git

# Install selected additional packages (required by PCI DSS profile for Red Hat
# Enterprise Linux 6 Server)
# CCE-27024-9: Install AIDE
aide

# Install openscap-scanner so it's possible to perform remediation once the
# installation is complete
openscap-scanner
scap-security-guide

%end # End of %packages section

%post --log /root/oscap.log

# Perform post installation system remediation according to the PCI DSS profile
# for Red Hat Enterprise Linux 6 Server via the oscap tool. To create a system
# compliant against a different RHEL-6 SCAP Security Guide profile, specify the
# selected profile name after the --profile oscap tool option
oscap xccdf eval --remediate --profile pci-dss --report /root/oscap_pci-dss_remediation_report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

%end # End of %post section

# Reboot after the installation is complete (optional)
# --eject      attempt to eject CD or DVD media before rebooting
reboot --eject

File: scap-security-guide-0.1.39/rhel6/kickstart/ssg-rhel6-stig-ks.cfg

# SCAP Security Guide DoD STIG profile kickstart for Red Hat Enterprise Linux 6 Server
# Version: 0.0.1
# Date: 2015-04-08
#
# Based on:
# http://fedoraproject.org/wiki/Anaconda/Kickstart
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
#
# NOTE: This kickstart attempts to stay within the bounds of RHEL6's Common Criteria certification,
# while applying DoD-specific controls (and ignoring those waived by DoD)
#
# Install a fresh new system (optional)
install

# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
#
# Install from an installation tree on a remote server via FTP or HTTP:
# --url        the URL to install from
#
#url --url=http://192.168.122.1/image
#
# Other possible / supported installation methods:
# * install from the first CD-ROM/DVD drive on the system:
#
# cdrom
#
# * install from a directory of ISO images on a local drive:
#
# harddrive --partition=hdb2 --dir=/tmp/install-tree
#
# * install from provided NFS server:
#
# nfs --server= --dir= [--opts=]
#
# Set language to use during installation and the default language to use on the installed system (required)
lang en_US.UTF-8

# Set system keyboard type / layout (required)
keyboard us

# Configure network information for target system and activate network devices in the installer environment (optional)
# --onboot     enable device at a boot time
# --device     device to be activated and / or configured with the network command
# --bootproto  method to obtain networking configuration for device (default dhcp)
# --noipv6     disable IPv6 on this device
#
# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
network --onboot yes --device eth0 --bootproto dhcp --noipv6

# Set the system's root password (required)
# Plaintext password is: server
# This hash is published together with its plaintext; replace it before deploying.
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0

# Configure firewall settings for the system (optional)
# --enabled    reject incoming connections that are not in response to outbound requests
# --ssh        allow sshd service through the firewall
firewall --enabled --ssh

# Set up the authentication options for the system (required)
# --enableshadow    enable shadowed passwords by default
# --passalgo        hash / crypt algorithm for new passwords
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512

# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing

# Set the system time zone (required)
timezone --utc America/New_York

# Specify how the bootloader should be installed (required)
# Plaintext password is: password
# This hash is published together with its plaintext; replace it before deploying.
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0

# Initialize (format) all disks (optional)
zerombr

# The following partition layout scheme assumes disk of size 20GB or larger
# Modify size of partitions appropriately to reflect actual machine's hardware
#
# Remove Linux partitions from the system prior to creating new ones (optional)
# --linux      erase all Linux partitions
# --initlabel  initialize the disk label to the default based on the underlying architecture
clearpart --linux --initlabel

# Create primary system partitions (required for installs)
part /boot --fstype=ext4 --size=512
part pv.01 --grow --size=1

# Create a Logical Volume Management (LVM) group (optional)
volgroup vg_sys --pesize=4096 pv.01

# Create particular logical volumes (optional)
logvol / --fstype=ext4 --name=lv_root --vgname=vg_sys --size=12288 --grow
# CCE-26557-9: Ensure /home Located On Separate Partition
logvol /home --fstype=ext4 --name=lv_home --vgname=vg_sys --size=1024 --fsoptions="nodev"
# CCE-26435-8: Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=ext4 --name=lv_tmp --vgname=vg_sys --size=1024 --fsoptions="nodev,noexec,nosuid"
# CCE-26639-5: Ensure /var Located On Separate Partition
logvol /var --fstype=ext4 --name=lv_var --vgname=vg_sys --size=2048 --fsoptions="nodev"
# CCE-26215-4: Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=ext4 --name=lv_var_log --vgname=vg_sys --size=1024 --fsoptions="nodev"
# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
logvol /var/log/audit --fstype=ext4 --name=lv_var_log_audit --vgname=vg_sys --size=512 --fsoptions="nodev"
logvol swap --name=lv_swap --vgname=vg_sys --size=2016

# Packages selection (%packages section is required)
#
%packages
################################################
##
## Package listing
## ---------------
##
## The following list specifies the packages installed onto a bare minimum
## system. To allow an administrator to install the absolute minimum
## set of packages, the list is partitioned into common sets which are marked
## to belong to one of the following categories.
##
## Categories and their meaning:
##
## Mandatory    You MUST install the set of packages if the given condition
##              applies.
## Default      You MAY choose to not install the packages. However, these
##              packages provide functionality specified in the Security
##              Target that is outlined in the package set description.
##              If you intend to enable the respective functionality, you
##              MUST use these packages. Any other package from the
##              distribution that would provide similar functionality MUST NOT
##              be used as it is not ensured that those packages implement
##              all required functional aspects.
##              Note that you either MUST install all packages or none out of
##              the given set.
## Optional     You MAY choose to not install the packages. Packages can be
##              selectively installed per package set (i.e. it is not
##              required to fully install all packages for one package set
##              or none at all).
## Prohibited   These packages MUST NOT be installed. This is ensured by
##              listing the packages with a minus sign prepended. Therefore
##              you MUST NOT add comment signs to these sets.
##
################################################
## Package set: base packages
## Condition: Mandatory in Base and MLS mode
##
audit
bridge-utils
libnl
policycoreutils
python-rhsm
python-simplejson
PyXML
prelink
rdate
rng-tools
screen
sudo
virt-what

################################################
## Package set: This package set provides the functionality to allow the
##              system to send audit data to a central audit server
## Condition: Default in Base and MLS mode
##
audispd-plugins

################################################
## Package set: base packages providing MLS environment
## Condition: Mandatory in MLS mode, Optional in Base mode
##
checkpolicy
policycoreutils-newrole
policycoreutils-python
#selinux-policy-mls
#xinetd

################################################
## Package set: Disk encryption support utilities to use a dm-crypt partition
## Condition: Default in Base and MLS mode
cryptsetup-luks

################################################
## Package set: Labeled printing support
## Condition: Default in MLS mode, Optional in Base mode
cups
foomatic
ghostscript
ghostscript-fonts

################################################
## Package set: CIPSO labeled networking support
## Condition: Default in MLS mode, Optional in Base mode (labeled networking
##            functionality unusable in Base mode)
netlabel_tools

################################################
## Package set: IPSec-based labeled networking support
## Condition: Default in MLS mode, Optional in Base mode (labeled networking
##            functionality unusable in Base mode)
iproute
iputils
openswan

################################################
## Package set: FIPS 140-2 mode support - this package MUST be installed
##              if the TOE shall be operated in FIPS 140-2 compliant mode
##              for all cryptographic modules - as FIPS 140-2 is no requirement
##              for the Common Criteria evaluation, this package set is
##              considered to be optional.
## Condition: Optional in Base and MLS mode
dracut-fips

################################################
## Package set: Prohibited packages in any configuration
## Condition: Prohibited in Base and MLS mode
-sendmail
-krb5-workstation
-abrt-addon-kerneloops
-abrt-addon-python
-abrt-addon-ccpp
-abrt-plugin-rhtsupport
-abrt-plugin-logger
-abrt-plugin-sosreport
-abrt-cli
-abrt
-subscription-manager

################################################
## Package set: Convenience functions to provide administrators with
##              utilities that they may expect from other systems.
## Condition: Optional in Base and MLS mode
##
aide
lsof
openssh-clients
man-pages
man-pages-overrides
mlocate
parted
pciutils
postfix
quota
rsync
scrub
smartmontools
stunnel
tcpdump
traceroute
vim-enhanced
wget

################################################
## Package set: Minimal development environment used to perform the
##              testing of the system.
## Condition: Optional in Base and MLS mode
##
audit-libs-devel
autoconf
automake
bison
cvs
cyrus-sasl-devel.x86_64
elinks
expect
flex
gcc
gcc-c++
keyutils-libs
keyutils-libs-devel
kpartx
libattr-devel
libcap-devel
libvirt-python
libselinux-devel.x86_64
libsepol-devel.x86_64
make
openscap
openssl-devel.x86_64
pam-devel.x86_64
perl-devel
perl-Digest-HMAC
perl-Digest-SHA1
python-devel
python-virtinst
readline-devel
rpm-build
setools-console
strace
swig
tcl
texinfo
tk
zlib-devel

################################################
## Package set: Base packages required for the x86_64 environment
## Condition: Mandatory in Base and MLS mode
##
dmidecode
glibc.i686
glibc-devel.i686
glibc-devel.x86_64
libgcc.i686
libgcc.x86_64
libattr.i686
cracklib.i686
audit-libs.i686
openssl.i686
openssl-devel.i686
libgcrypt.i686

################################################
## Package set: Convenience functions to provide administrators with
##              utilities that they may expect from other systems.
## Condition: Optional in Base and MLS mode
##
acpid
cpuspeed
irqbalance
usbutils

################################################
## Package set: Virtualization environment support packages to enable the
##              KVM support
## Condition: Default
##
#@virtualization
#@virtualization-client
#@virtualization-platform
#@virtualization-tools
#-virt-manager
#-virt-viewer
#ebtables

################################################
## Package set: Development packages
## Condition: Optional
##
libcap-devel.i686
libselinux-devel.i686

# Install git package so we can clone SCAP Security Guide repository below
git

# Install selected additional packages (required by DoD STIG profile for Red Hat Enterprise Linux 6 Server)
# CCE-27024-9: Install AIDE
aide

# Install openscap-scanner so it's possible to perform remediation once the
# installation is complete
openscap-scanner
scap-security-guide

%end # End of %packages section

%post --log /root/oscap.log

# Perform post installation system remediation according to the DoD STIG profile
# for Red Hat Enterprise Linux 6 Server via the oscap tool
# To create a system compliant against a different RHEL-6 SCAP Security Guide profile, specify the
# selected profile name after the --profile oscap tool option
oscap xccdf eval --remediate --profile stig-rhel6-disa --report /root/oscap_stig_remediation_report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

%end # End of %post section

# Reboot after the installation is complete (optional)
# --eject      attempt to eject CD or DVD media before rebooting
reboot --eject

File: scap-security-guide-0.1.39/rhel6/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg

# SCAP Security Guide USGCB profile kickstart for Red Hat Enterprise Linux 6 Server
# Version: 0.0.1
# Date: 2014-10-23
#
# Based on:
# http://fedoraproject.org/wiki/Anaconda/Kickstart
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg

# Install a fresh new system (optional)
install

# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
#
# Install from an installation tree on a remote server via FTP or HTTP:
# --url        the URL to install from
# url --url=http://192.168.122.1/image
#
# Other possible / supported installation methods:
# * install from the first CD-ROM/DVD drive on the system:
#
# cdrom
#
# * install from a directory of ISO images on a local drive:
#
# harddrive --partition=hdb2 --dir=/tmp/install-tree
#
# * install from provided NFS server:
#
# nfs --server= --dir= [--opts=]
#
# Set language to use during installation and the default language to use on the installed system (required)
lang en_US.UTF-8

# Set system keyboard type / layout (required)
keyboard us

# Configure network information for target system and activate network devices in the installer environment (optional)
# --onboot     enable device at a boot time
# --device     device to be activated and / or configured with the network command
# --bootproto  method to obtain networking configuration for device (default dhcp)
# --noipv6     disable IPv6 on this device
network --onboot yes --device eth0 --bootproto dhcp --noipv6

# Set the system's root password (required)
# Plaintext password is: server
# This hash is published together with its plaintext; replace it before deploying.
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0

# Configure firewall settings for the system (optional)
# --enabled    reject incoming connections that are not in response to outbound requests
# --ssh        allow sshd service through the firewall
firewall --enabled --ssh

# Set up the authentication options for the system (required)
# --enableshadow    enable shadowed passwords by default
# --passalgo        hash / crypt algorithm for new passwords
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512

# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing

# Set the system time zone (required)
timezone --utc America/New_York

# Specify how the bootloader should be installed (required)
# Plaintext password is: password
# This hash is published together with its plaintext; replace it before deploying.
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0

# Initialize (format) all disks (optional)
zerombr

# The following partition layout scheme assumes disk of size 20GB or larger
# Modify size of partitions appropriately to reflect actual machine's hardware
#
# Remove Linux partitions from the system prior to creating new ones (optional)
# --linux      erase all Linux partitions
# --initlabel  initialize the disk label to the default based on the underlying architecture
clearpart --linux --initlabel

# Create primary system partitions (required for installs)
part /boot --fstype=ext4 --size=512
part pv.01 --grow --size=1

# Create a Logical Volume Management (LVM) group (optional)
volgroup VolGroup --pesize=4096 pv.01

# Create particular logical volumes (optional)
logvol / --fstype=ext4 --name=LogVol06 --vgname=VolGroup --size=12288 --grow
# CCE-26557-9: Ensure /home Located On Separate Partition
logvol /home --fstype=ext4 --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26435-8: Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=ext4 --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
# CCE-26639-5: Ensure /var Located On Separate Partition
logvol /var --fstype=ext4 --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
# CCE-26215-4: Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=ext4 --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
logvol /var/log/audit --fstype=ext4 --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"
logvol swap --name=lv_swap --vgname=VolGroup --size=2016

# Packages selection (%packages section is required)
#
# Packages from the following package groups are installed by default when 'Desktop'
# Anaconda option is selected when installing Red Hat Enterprise Linux 6 Server
%packages
@additional-devel
@base
@basic-desktop
@desktop-debugging
@dial-up
@directory-client
@mail-server
@fonts
@general-desktop
@graphical-admin-tools
@hardware-monitoring
@input-methods
@internet-browser
@java-platform
@large-systems
@legacy-unix
@legacy-x
@nfs-file-server
@network-server
@network-file-system-client
@network-tools
@performance
@perl-runtime
@print-server
@print-client
@system-management-snmp
@server-platform
@web-server
@x11

# Install git package so we can clone SCAP Security Guide repository below
git

# Install selected additional packages (required by USGCB profile)
# CCE-27024-9: Install AIDE
aide

# Install openscap-scanner so it's possible to perform remediation once the
# installation is complete
openscap-scanner
scap-security-guide

%end # End of %packages section

%post --log /root/oscap.log

# Perform post installation system remediation according to the USGCB profile via the oscap tool
# To create a system compliant against a different RHEL-6 SCAP Security Guide profile, specify the
# selected profile name after the --profile oscap tool option
oscap xccdf eval --remediate --profile usgcb-rhel6-server --report /root/oscap_usgcb_remediation_report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

%end # End of %post section

# Reboot after the installation is complete (optional)
# --eject      attempt to eject CD or DVD media before rebooting
reboot --eject

File: scap-security-guide-0.1.39/rhel6/overlays/nist_support.xml

File: scap-security-guide-0.1.39/rhel6/overlays/srg_support.xml
scap-security-guide-0.1.39/rhel6/overlays/stig_overlay.xml
The system must use a separate file system for /tmp.
The system must use a separate file system for /var.
The system must use a separate file system for /var/log.
The system must use a separate file system for the system audit data path.
The audit system must alert designated staff members when the audit storage volume approaches capacity.
The system must use a separate file system for user home directories.
Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
System security patches and updates must be installed and up-to-date.
The system package management tool must cryptographically verify the authenticity of system software packages during installation.
The system package management tool must cryptographically verify the authenticity of all software packages during installation.
A file integrity tool must be installed.
The system must use a Linux Security Module at boot time.
A file integrity baseline must be created.
There must be no .rhosts or hosts.equiv files on the system.
The system must use a Linux Security Module configured to enforce limits on system services.
The system must use a Linux Security Module configured to limit the privileges of system services.
All device files must be monitored by the system Linux Security Module.
The system must prevent the root account from logging in from virtual consoles.
The system must prevent the root account from logging in from serial consoles.
Default operating system accounts, other than root, must be locked.
The system must not have accounts configured with blank or null passwords.
The /etc/passwd file must not contain password hashes.
The root account must be the only account having a UID of 0.
The /etc/shadow file must be owned by root.
The /etc/shadow file must be group-owned by root.
The /etc/shadow file must have mode 0000.
The /etc/gshadow file must be owned by root.
The /etc/gshadow file must be group-owned by root.
The /etc/gshadow file must have mode 0000.
The /etc/passwd file must be owned by root.
The /etc/passwd file must be group-owned by root.
The /etc/passwd file must have mode 0644 or less permissive.
The /etc/group file must be owned by root.
The /etc/group file must be group-owned by root.
The /etc/group file must have mode 0644 or less permissive.
Library files must have mode 0755 or less permissive.
Library files must be owned by root.
All system command files must have mode 0755 or less permissive.
All system command files must be owned by root.
The system must require passwords to contain a minimum of 14 characters.
Users must not be able to change passwords more than once every 24 hours.
User passwords must be changed at least every 60 days.
Users must be warned 7 days in advance of password expiration.
The system must require passwords to contain at least one numeric character.
The system must require passwords to contain at least one uppercase alphabetic character.
The system must require passwords to contain at least one special character.
The system must require passwords to contain at least one lowercase alphabetic character.
The system must require at least four characters be changed between the old and new passwords during a password change.
The system must disable accounts after three consecutive unsuccessful logon attempts.
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
The system boot loader configuration file(s) must be owned by root.
The system boot loader configuration file(s) must be group-owned by root.
The system boot loader configuration file(s) must have mode 0600 or less permissive. Boot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures.
The system boot loader must require authentication.
The system must require authentication upon booting into single-user and maintenance modes.
The system must not permit interactive boot.
The system must allow locking of the console screen in text mode.
The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
The system must implement virtual address space randomization.
The system must limit the ability of processes to have simultaneous write and execute access to memory.
The system must not send ICMPv4 redirects by default.
The system must not send ICMPv4 redirects from any interface.
IP forwarding for IPv4 must not be enabled, unless the system is a router.
The system must not accept IPv4 source-routed packets on any interface.
The system must not accept ICMPv4 redirect packets on any interface.
The system must not accept ICMPv4 secure redirect packets on any interface.
The system must log Martian packets.
The system must not accept IPv4 source-routed packets by default.
The system must not accept ICMPv4 secure redirect packets by default.
The system must ignore ICMPv4 redirect messages by default.
The system must not respond to ICMPv4 sent to a broadcast address.
The system must ignore ICMPv4 bogus error responses.
The system must be configured to use TCP syncookies.
The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
The system must use a reverse-path filter for IPv4 network traffic when possible by default.
The IPv6 protocol handler must not be bound to the network stack unless needed.
The system must ignore ICMPv6 redirects by default.
The system must employ a local IPv6 firewall. If the system is a cross-domain system, this is not applicable.
The system must employ a local IPv6 firewall.
The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. If the system is a cross-domain system, this is not applicable.
The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. If the system is a cross-domain system, this is not applicable.
The system must employ a local IPv6 firewall.
The system must employ a local IPv6 firewall.
The system must employ a local IPv4 firewall.
The system must employ a local IPv4 firewall.
The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
The system must employ a local IPv4 firewall.
The system must employ a local IPv4 firewall.
The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets.
The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets.
The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
All rsyslog-generated log files must be owned by root.
All rsyslog-generated log files must be group-owned by root.
All rsyslog-generated log files must have mode 0600 or less permissive.
The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
System logs must be rotated daily.
Auditing must be implemented.
The operating system audit records must be able to be used by a report generation capability.
The operating system must audit nonlocal maintenance and diagnostic sessions.
The operating system must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
The operating system must provide the capability to automatically process audit records for events of interest based upon selectable, event criteria.
The operating system must fail to an organization defined known state for organization defined types of failures.
The operating system must produce audit records containing sufficient information to establish what type of events occurred.
Auditing must be enabled at boot by setting a kernel parameter.
The system must retain enough rotated audit logs to cover the required log retention period.
The system must set a maximum audit log file size.
The system must rotate audit log files that reach the maximum file size.
The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
The audit system must be configured to audit all attempts to alter system time through adjtimex.
The audit system must be configured to audit all attempts to alter system time through settimeofday.
The audit system must be configured to audit all attempts to alter system time through stime.
The audit system must be configured to audit all attempts to alter system time through clock_settime.
The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
The operating system must automatically audit account creation.
The operating system must automatically audit account modification.
The operating system must automatically audit account disabling actions.
The operating system must automatically audit account termination.
The audit system must be configured to audit modifications to the systems network configuration.
The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
The audit system must be configured to audit all discretionary access control permission modifications using chmod.
The audit system must be configured to audit all discretionary access control permission modifications using chown.
The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
The audit system must be configured to audit all discretionary access control permission modifications using fchown.
The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
The audit system must be configured to audit all discretionary access control permission modifications using lchown.
The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
The audit system must be configured to audit failed attempts to access files and programs.
The audit system must be configured to audit all use of setuid and setgid programs.
The audit system must be configured to audit successful file system mounts.
The audit system must be configured to audit user deletions of files and programs.
The audit system must be configured to audit changes to the /etc/sudoers file.
The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
The xinetd service must be disabled if no network services utilizing it are enabled.
The xinetd service must be uninstalled if no network services utilizing it are enabled.
The telnet-server package must not be installed.
The telnet daemon must not be running.
The rsh-server package must not be installed.
The rshd service must not be running.
The rexecd service must not be running.
The rlogind service must not be running.
The ypserv package must not be installed.
The ypbind service must not be running.
The tftp-server package must not be installed.
The TFTP service must not be running.
The cron service must be running.
The SSH daemon must be configured to use only the SSHv2 protocol.
The SSH daemon must set a timeout interval on idle sessions.
The SSH daemon must set a timeout count on idle sessions.
The SSH daemon must ignore .rhosts files.
The SSH daemon must not allow host-based authentication.
The SSH daemon must not allow host-based authentication.
The system must not permit root logins using remote access programs such as ssh.
The SSH daemon must not allow authentication using an empty password.
The SSH daemon must be configured with the Department of Defense (DoD) login banner.
The SSH daemon must not permit user environment settings.
The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
The operating system must employ FIPS-validated cryptography to protect unclassified information.
The operating system must employ NSA-approved cryptography to protect classified information.
The avahi service must be disabled.
The system clock must be synchronized continuously, or at least daily.
The system clock must be synchronized to an authoritative DoD time source.
Mail relaying must be restricted.
The operating system must uniquely identify and authenticate an organization defined list of specific devices and/or types of devices before establishing a connection.
If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
The LDAP client must use a TLS connection using trust certificates signed by the site CA.
The openldap-servers package must not be installed unless required.
The graphical desktop environment must set the idle timeout to no more than 15 minutes.
The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user to re-authenticate to unlock the environment.
The graphical desktop environment must have automatic lock enabled.
The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
The Automatic Bug Reporting Tool (abrtd) service must not be running.
The atd service must be disabled.
Automated file system mounting tools must not be enabled unless needed.
The ntpdate service must not be running.
The oddjobd service must not be running.
The qpidd service must not be running.
The rdisc service must not be running.
Remote file systems must be mounted with the nodev option.
Remote file systems must be mounted with the nosuid option.
The noexec option must be added to removable media partitions.
The system must use SMB client signing for connecting to samba servers using smbclient.
The system must use SMB client signing for connecting to samba servers using mount.cifs.
The system must prohibit the reuse of passwords within twenty-four iterations.
The operating system must employ cryptographic mechanisms to protect information in storage.
The operating system must protect the confidentiality and integrity of data at rest.
The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.
The system package management tool must verify permissions on all files and directories associated with the audit package.
The system package management tool must verify ownership on all files and directories associated with the audit package.
The system package management tool must verify group-ownership on all files and directories associated with the audit package.
The system package management tool must verify contents of all files associated with the audit package.
There must be no world-writable files on the system.
The system must use and update a DoD-approved virus scan program.
The system must have a host-based intrusion detection tool installed.
The x86 Ctrl-Alt-Delete key sequence must be disabled.
The postfix service must be enabled for mail delivery.
The sendmail package must be removed.
The netconsole service must be disabled unless required.
X Windows must not be enabled unless required.
The xorg-x11-server-common (X Windows) package must not be installed, unless required.
The DHCP client must be disabled if not needed.
All GIDs referenced in /etc/passwd must be defined in /etc/group
All accounts on the system must have unique user or account names
Temporary accounts must be provisioned with an expiration date.
Emergency accounts must be provisioned with an expiration date.
The system must require passwords to contain no more than three consecutive repeating characters.
All files and directories must have a valid owner.
All files must be owned by a group.
A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
The operating system must detect unauthorized changes to software and information.
The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
Process core dumps must be disabled unless needed.
The NFS server must not have the insecure file locking option enabled.
The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
The Bluetooth kernel module must be disabled.
The system must have USB Mass Storage disabled unless needed.
The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
The system must provide VPN connectivity for communications over untrusted networks. If the system does not communicate over untrusted networks, this is not applicable.
A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
The Bluetooth service must be disabled.
Accounts must be locked upon 35 days of inactivity.
The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
The sticky bit must be set on all public directories.
All public directories must be owned by a system account.
The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
The FTP daemon must be configured for logging or verbose mode.
The snmpd service must use only SNMP protocol version 3 or newer.
The snmpd service must not use a default password.
The system default umask for the bash shell must be 077.
The system default umask for the csh shell must be 077.
The system default umask in /etc/profile must be 077.
The system default umask in /etc/login.defs must be 077.
The system default umask for daemons must be 027 or 022.
There must be no .netrc files on the system.
The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
The system must require administrator action to unlock an account locked by excessive failed login attempts.
The system must disable accounts after excessive login failures within a 15-minute interval.
The operating system must dynamically manage user privileges and associated access authorizations.
The operating system must support organization defined one-way flows using hardware mechanisms.
The operating system must provide the capability for a privileged administrator to enable/disable organization defined security policy filters.
The operating system, upon successful logon, must display to the user the date and time of the last logon (access) via GUI.
The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
The operating system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
The operating system must employ automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.
The operating system must produce audit records containing sufficient information to establish when (date and time) the events occurred.
The operating system must produce audit records containing sufficient information to establish where the events occurred.
The operating system must produce audit records containing sufficient information to establish the sources of the events.
The operating system must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
The operating system must include organization defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.
Operating system must support the capability to centralize the review and analysis of audit records from multiple components within the system.
The operating system must support an audit reduction capability.
The operating system must use internal system clocks to generate time stamps for audit records.
Audit log files must have mode 0640 or less permissive.
Audit log files must be owned by root.
Audit log directories must have mode 0755 or less permissive.
The operating system must allow designated organizational personnel to select which auditable events are to be audited by the operating system.
The operating system must support the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization defined level of tolerance.
The operating system, for PKI-based authentication must validate certificates by constructing a certification path with status information to an accepted trust anchor.
The operating system, for PKI-based authentication must enforce authorized access to the corresponding private key.
The operating system must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
The operating system must bind security attributes to information to facilitate information flow policy enforcement.
The operating system must provide the capability for a privileged administrator to configure organization defined security policy filters to support different security policies.
The operating system must enforce logical access restrictions associated with changes to the information system.
The operating system must employ automated mechanisms to enforce access restrictions.
The operating system must employ automated mechanisms to prevent program execution in accordance with the organization defined specifications.
The operating system must dynamically manage identifiers, attributes, and associated access authorizations.
The operating system must employ automated mechanisms to restrict the use of maintenance tools to authorized personnel only.
The operating system must separate user functionality (including user interface services) from operating system management functionality.
The operating system must prevent the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.
The operating system must isolate security functions from nonsecurity functions.
The operating system must isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.
The operating system must implement an information system isolation boundary to minimize the number of non-security functions included within the boundary containing security functions.
The operating system must implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
The operating system must prevent unauthorized and unintended information transfer via shared system resources.
The operating system must not share resources used to interface with systems operating at different security levels.
The operating system must limit the use of resources by priority.
The operating system must prevent remote devices that have established a non-remote connection with the system from communicating outside of the communication path with resources in external networks.
The operating system must protect the integrity of transmitted information.
The operating system must employ cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
The operating system must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.
The operating system must validate the integrity of security attributes exchanged between systems.
The operating system must protect the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
The operating system must employ organization defined information system components with no writeable storage that are persistent across component restart or power on/off.
The operating system must install software updates automatically.
The operating system must support automated patch management tools to facilitate flaw remediation to organization defined information system components.
The operating system must prevent non-privileged users from circumventing malicious code protection capabilities.
The operating system must prevent non-privileged users from circumventing intrusion detection and prevention capabilities.
The operating system must protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
The operating system must verify the correct operation of security functions in accordance with organization defined conditions and in accordance with organization defined frequency (if periodic verification).
The operating system must provide notification of failed automated security tests.
The operating system must provide automated support for the management of distributed security testing.
The operating system must check the validity of information inputs.
The operating system must support the requirement that organizations, if an information system component failure is detected must activate an organization defined alarm and/or automatically shuts down the operating system.
The operating system must associate the identity of the information producer with the information.
The operating system must enforce an organization defined Discretionary Access Control (DAC) policy that must allow users to specify and control sharing by named individuals or groups of individuals, or by both.
The operating system must enforce approved authorizations for controlling the flow of information within the system in accordance with applicable policy.
The operating system must support and maintain the binding of organization defined security attributes to information in storage.
The operating system must support and maintain the binding of organization defined security attributes to information in process.
The operating system must dynamically reconfigure security attributes in accordance with an identified security policy as information is created and combined.
The operating system must only allow authorized entities to change security attributes.
The operating system must maintain the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions.
The operating system must only allow authorized users to associate security attributes with information.
The operating system must display security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization-identified human readable, standard naming conventions.
The operating system must enforce a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.
The operating system must automatically implement organization defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.
The operating system must enforce a Discretionary Access Control (DAC) policy that limits propagation of access rights.
The operating system must preserve organization defined system state information in the event of a system failure.
The operating system must take organization defined list of least disruptive actions to terminate suspicious events.
The operating system must respond to security function anomalies in accordance with organization defined responses and alternative action(s).
The operating system must enforce requirements for the connection of mobile devices to operating systems.
The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
The system must allow locking of graphical desktop sessions.
The system must forward audit records to the syslog service.
The audit system must take appropriate action when the audit storage volume is full.
The audit system must take appropriate action when there are disk errors on the audit storage volume.
The audit system must alert designated staff members when audit storage volume is full.
The audit system must alert designated staff members when audit storage volume is generating disk errors.
The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
The NFS server must not have the all_squash option enabled. The system package management tool must verify ownership on all files and directories associated with packages. The system package management tool must verify group-ownership on all files and directories associated with packages. The system package management tool must verify permissions on all files and directories associated with packages. The system package management tool must verify contents of all files associated with packages. The mail system must forward all mail for root to one or more system administrators. Audit log files must be group-owned by root. The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets. The system must provide automated support for account management functions. Auditing must be enabled at boot by setting a kernel parameter. Automated file system mounting tools must not be enabled unless needed. The operating system must enforce dual authorization, based on organizational policies and procedures for organization defined privileged commands. The operating system must prevent access to organization defined security-relevant information except during secure, non-operable system states. The operating system must enforce information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions. The operating system must enforce information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions. The operating system must enforce dynamic information flow control based on policy that must allow or disallow information flows based upon changing conditions or operational considerations. The operating system must prevent encrypted data from bypassing content checking mechanisms. The operating system must enforce organization defined limitations on the embedding of data types within other data types. 
The operating system must enforce information flow control on metadata. The operating system must enforce information flow control using organization defined security policy filters as a basis for flow control decisions. The operating system must provide the capability for a privileged administrator to configure the organization defined security policy filters to support different security policies. The operating system must implement separation of duties through assigned information system access authorizations. The operating system must produce audit records on hardware-enforced, write-once media. The operating system must protect against an individual falsely denying having performed a particular action. The operating system, for PKI-based authentication must map the authenticated identity to the user account. The operating system must enforce password encryption for transmission. The operating system, when transferring information between different security domains, must identify information flows by data type specification and usage. The operating system, when transferring information between different security domains, must decompose information into policy-relevant subcomponents for submission to policy enforcement mechanisms. The operating system must enforce security policies regarding information on interconnected systems. The operating system must enforce a two-person rule for changes to organization defined information system components and system-level information. The operating system must employ automated mechanisms to centrally apply configuration settings. The operating system must employ automated mechanisms to centrally verify configuration settings. The operating system must conduct backups of operating system documentation including security-related documentation per organization defined frequency to conduct backups that is consistent with recovery time and recovery point objectives. 
The operating system must implement transaction recovery for transaction-based systems. The operating system must use multifactor authentication for local access to privileged accounts. The operating system must use multifactor authentication for local access to non-privileged accounts. The operating system must use multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed. The operating system must use multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the operating system being accessed. The operating system must authenticate devices before establishing remote network connections using bidirectional cryptographically based authentication between devices. The operating system must authenticate devices before establishing wireless network connections using bidirectional cryptographically based authentication between devices. The operating system must authenticate devices before establishing network connections using bidirectional cryptographically based authentication between devices. The operating system must implement a configurable capability to automatically disable the operating system if any of the organization defined lists of security violations are detected. The operating system must employ strong identification and authentication techniques in the establishment of nonlocal maintenance and diagnostic sessions. The operating system must protect nonlocal maintenance sessions through the use of a strong authenticator tightly bound to the user. The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media. The operating system must protect against or must limit the effects of the organization defined or referenced types of Denial of Service attacks. 
The operating system must restrict the ability of users to launch Denial of Service attacks against other information systems or networks. The operating system must route organization defined internal communications traffic to organization defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices. The operating system, at managed interfaces, must deny network traffic and must audit internal users (or malicious code) posing a threat to external information systems. The operating system must route all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. The operating system must prevent discovery of specific system components (or devices) composing a managed interface. The operating system must employ automated mechanisms to enforce strict adherence to protocol format. The operating system must fail securely in the event of an operational failure of a boundary protection device. The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures. The operating system must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. The operating system must establish a trusted communications path between the user and organization defined security functions within the operating system. The operating system must produce, control, and distribute symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes. The operating system must produce, control, and distribute symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes. 
The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material. The operating system must produce, control, and distribute asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key. The operating system must employ FIPS-validated cryptography to protect information when it must be separated from individuals who have the necessary clearances, yet lack the necessary access approvals. The operating system must employ FIPS-validate or NSA-approved cryptography to implement digital signatures. The operating system must protect the integrity and availability of publicly available information and applications. The operating system must prohibit remote activation of collaborative computing devices, excluding the organization defined exceptions where remote activation is to be allowed. The operating system must associate security attributes with information exchanged between information systems. The operating system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. The operating system must implement detection and inspection mechanisms to identify unauthorized mobile code. The operating system must prevent the execution of prohibited mobile code. The operating system must prevent the download of prohibited mobile code. The operating system must prevent the automatic execution of mobile code in organization defined software applications and must require organization defined actions prior to executing the code. The operating system at organization defined information system components must load and execute the operating environment from hardware-enforced, read-only media. 
The operating system at organization defined information system components must load and execute organization defined applications from hardware-enforced, read-only media. The operating system must have malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means. The operating system must identify potentially security-relevant error conditions. The operating system must generate error messages providing information necessary for corrective actions without revealing organization defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited. The operating system must validate the binding of the information producer's identity to the information. The operating system must maintain reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released. The operating system must validate the binding of the reviewer's identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain. The operating system must employ automated mechanisms to alert security personnel of any organization defined inappropriate or unusual activities with security implications. The operating system must use cryptographic mechanisms to protect the integrity of audit information. The operating system must protect the audit records resulting from nonlocal accesses to privileged accounts and the execution of privileged functions. The operating system must monitor for atypical usage of operating system accounts. The operating system, when transferring information between different security domains, must implement policy filters constraining data structure and content to organization defined information security policy requirements. 
The operating system, when transferring information between different security domains, must detect unsanctioned information. The operating system, when transferring information between different security domains, must prohibit the transfer of unsanctioned information in accordance with the security policy. The operating system must uniquely identify source domains for information transfer. The operating system must uniquely authenticate source domains for information transfer. The operating system must provide additional protection for mobile devices accessed via login by purging information from the device after organization defined number of consecutive, unsuccessful login attempts to the mobile device. The operating system must employ automated mechanisms to centrally manage configuration settings. The operating system must notify the user of the number of successful logins/accesses that occur during the organization defined time period. The operating system must notify the user of the number of unsuccessful login/access attempts that occur during organization defined time period. The operating system must notify the user of organization defined security-related changes to the user's account that occur during the organization defined time period. The operating system must support and maintain the binding of organization defined security attributes to information in transmission. The operating system must ensure remote sessions for accessing an organization defined list of security functions and security-relevant information are audited. The operating system must provide the capability to capture/record and log all content related to a user session. The operating system uniquely must identify destination domains for information transfer. The operating system uniquely must authenticate destination domains for information transfer. The operating system must track problems associated with the information transfer. 
The operating system must protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths.
The operating system must take corrective actions when unauthorized mobile code is identified.
The operating system must notify, as required, appropriate individuals when accounts are created.
The operating system must notify, as required, appropriate individuals when accounts are modified.
The operating system must notify, as required, appropriate individuals when an account is disabled.
The operating system must notify, as required, appropriate individuals for account termination.

scap-security-guide-0.1.39/rhel6/overlays/transition_notes.xml

This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is not covered in RHEL 6 content
This is covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is not covered in RHEL 6 content
This is covered in RHEL 6 content
This is not in the RHEL 6 content. Nosuid / nodev checks address perms on NFS shares.
This is not in the RHEL 6 content. The SSL / localhost requirements will be addressed via the Web STIG; there is no need (IMHO) to require this twice.
This is covered in the RHEL 6 content
This is covered in the RHEL 6 content. The check CCE-3987-5 meets this requirement
This is not covered in the RHEL 6 content. This check is entirely manual and shouldn't be added to RHEL 6 content
This is covered in the RHEL 6 content.
This is covered in the RHEL 6 content. CCE-4191-3
This is covered in the RHEL 6 content by setting NIS to disabled.
This is covered in the RHEL 6 content.
This is covered in the RHEL 6 content.
This is covered in the RHEL 6 content. By applying patches, this requirement will be addressed
This is covered in the RHEL 6 content. By applying patches, this requirement will be addressed
This is covered in the RHEL 6 content.
This is not covered in the RHEL 6 content. There is a check to disable a GUI, but a GUI is sometimes required for install of 3rd party apps (Oracle, Weblogic, etc)
This is covered in the RHEL 6 content in a slightly different manner. CCE-3919-8 sets vsftpd to off
This is covered in RHEL 6 content in a slightly different manner. CCE-4092-3 sets pass max days in /etc/login.defs, not shadow.
This is covered in RHEL 6 content in a slightly different manner. CCE-17248-6 states a *.*, which would include the authpriv being submitted to the loghost. The audit.rules settings are not called out
This is not covered in the RHEL 6 content.
This is not covered in the RHEL 6 content. This will have to be a manual check IF it is to be included.
This is not covered in the RHEL 6 content. Default settings from RH should be acceptable for this and should be covered in the rpm verify check.
This is not covered in the RHEL 6 content.
This is covered in the RHEL 6 content in a slightly different manner. NIS+ is to be disabled / erased.
This is covered in the RHEL 6 content in a slightly different manner. CCE-TODO requires .rhosts file to be removed.
This is covered in the RHEL 6 content in a slightly different manner. CCE-TODO requires .rhosts file to be removed.
This is not covered in the RHEL 6 content.
This is not covered in the RHEL 6 content.
This is not covered in the RHEL 6 content.
This is not covered in the RHEL 6 content.
This is covered in the RHEL 6 content. CCE-4236-6
This is covered in RHEL 6 content in a slightly different manner. CCE-17248-6 states a *.*, which would include the authpriv being submitted to the loghost. The audit.rules settings are not called out
This is covered in the RHEL 6 content. CCE-4236-6
This is not covered in the RHEL 6 content. The RHEL 6 requirement is to disable FTP
This is not covered in the RHEL 6 content.
This is not covered in the RHEL 6 content.
This is covered in the RHEL 6 content.
This is covered in the RHEL 6 content. This is a manual check. This was previously addressed with DISA: HBSS (which is required on systems) meets this requirement.
This is not covered in the RHEL 6 content. It is impossible to express network access rules for a particular use case in a baseline. Keep best practice suggestions in a howto guide. Furthermore, iptables obsoletes TCP Wrappers.
This is covered in the RHEL 6 content. CCE-14735-5
This is covered in the RHEL 6 content. CCE-14063-2
This is covered in the RHEL 6 content. CCE-14063-2
This is covered in the RHEL 6 content. CCE-14063-2
This is covered in the RHEL 6 content. CCE-14063-2
This is covered in the RHEL 6 content. CCE-14701-7
This is covered in the RHEL 6 content.
This is not covered in the RHEL 6 content. This is nice best practice for a howto guide, but it is unreasonable to dictate which groups a site should use for its privileged users.
This is not covered in the RHEL 6 content. This is a manual check.
This is covered in the RHEL 6 content.
This is covered in the RHEL 6 content. CCE-14300-8 Password hashes are not stored in /etc/group.
This is not covered in the RHEL 6 content.
This is not covered in the RHEL 6 content. This is a manual check. This check typically fails with accounts for Oracle; ora:dba is a good example of this.
This is not covered in the RHEL 6 content.
This is not covered in the RHEL 6 content.
This is covered in the RHEL 6 content in a slightly different manner. RHEL 6 admin_space_left_action = ACTION
This is covered in the RHEL 6 content in a slightly different manner. RHEL 6 admin_space_left_action = ACTION
-w /usr/sbin/useradd -p x -k useradd - Not in RHEL 6
-w /usr/sbin/groupadd -p x -k groupadd - Not in RHEL 6
-w /etc/passwd -p a -k passwd - Is in RHEL 6
-w /etc/shadow -p a -k shadow - Is in RHEL 6
-w /etc/group -p a -k group - Is in RHEL 6
-w /etc/gshadow -p a -k gshadow - Is in RHEL 6
-w /usr/sbin/usermod -p x -k usermod - Not in RHEL 6
-w /usr/sbin/groupmod -p x -k groupmod - Not in RHEL 6
-w /etc/passwd -p w -k passwd - Is in RHEL 6
-w /etc/shadow -p w -k shadow - Is in RHEL 6
-w /etc/group -p w -k group - Is in RHEL 6
-w /etc/gshadow -p w -k gshadow - Is in RHEL 6
-w /usr/bin/passwd -p x -k passwd - Not in RHEL 6
-w /usr/sbin/userdel -p x - Not in RHEL 6
-w /usr/sbin/groupdel -p x - Not in RHEL 6
This is covered in the RHEL 6 content
This is not covered in the RHEL 6 content
This is not covered in the RHEL 6 content
This is not covered in the RHEL 6 content
This is not covered in the RHEL 6 content
This is not covered in the RHEL 6 content
This is not covered in the RHEL 6 content
This is not covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is not covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is not covered in RHEL 6 content
This is covered in RHEL 6 content in a slightly different manner. CCE-3765-5 sets SNMP to disabled
This is covered in RHEL 6 content in a slightly different manner. CCE-3765-5 sets SNMP to disabled
This is covered in RHEL 6 content in a slightly different manner. CCE-3765-5 sets SNMP to disabled
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is not covered in RHEL 6 content. This is a manual check
This is covered in RHEL 6 content
This is covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content
This is not covered in RHEL 6 content. IPV6 is set to disabled in RHEL 6 content
This is not covered in RHEL 6 content. IPV6 is set to disabled in RHEL 6 content
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content. This is a manual check
This is not covered in RHEL 6 content. AIDE is set to be installed, but no configuration changes are set for aide.conf in RHEL 6 content.
This is not covered in RHEL 6 content. AIDE is set to be installed, but no configuration changes are set for aide.conf in RHEL 6 content.
This is covered in RHEL 6 content.
This is covered in RHEL 6 content.
This is not covered in the RHEL6 content. AppleTalk support is not included in RHEL6.
This is covered in RHEL 6 content.
This is covered in RHEL 6 content.
This is covered in the RHEL6 content.
This is not covered in RHEL 6 content. IPV6 is set to be disabled
This is not covered in RHEL 6 content. IPV6 is set to be disabled
This is not covered in RHEL 6 content. IPV6 is set to be disabled
This is not covered in RHEL 6 content. IPV6 is set to be disabled
This is not covered in RHEL 6 content. IPV6 is set to be disabled
This is covered in RHEL 6 content in a slightly different way.
This is covered in RHEL 6 content in a slightly different way.
This is covered in RHEL 6 content
This is not covered in RHEL 6 content. IPV6 is set to be disabled
This is covered in RHEL 6 content.
This is covered in RHEL 6 content. This is a manual check
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content.
This is not covered in RHEL 6 content. *note* DISA FSO stated HBSS meets this requirement
This is covered in the RHEL 6 content
This is covered in the RHEL 6 content
This is covered in the RHEL 6 content
This is covered in the RHEL 6 content
This is covered in the RHEL 6 content
This is covered in the RHEL 6 content
This is not covered in the RHEL 6 content
This is covered in the RHEL 6 content
This is not covered in the RHEL 6 content
This is not covered in the RHEL 6 content
This is not covered in the RHEL 6 content. FTP is set to be disabled in RHEL 6
This is covered in the RHEL 6 content.
This is covered in the RHEL 6 content.
This is covered in the RHEL 6 content.
This is not covered in the RHEL 6 content.
This is not covered in the RHEL 6 content.
This is not covered in the RHEL 6 content. IPV6 is set to be disabled
This is covered in the RHEL 6 content.
This is not covered in the RHEL 6 content.
This is covered in the RHEL 6 content.
This is not covered in the RHEL 6 content.
This is covered in the RHEL 6 content.
This is covered in the RHEL 6 content.
This is a manual/procedural check that requires human intervention. How to handle this for a specific OS's STIG is currently under investigation.
This was identified as no longer practical for most use cases.
This was identified as impractical/costly.
This was identified as redundant to the integrity checking baseline requirements.
This was identified as not indicative of the underlying driver behavior.
This was identified as providing little confidence of proper system state, as it is extremely difficult to query the system with any confidence.
This could be considered for a new group that involves ensuring LD_LIBRARY_PATH, LD_PRELOAD, LD_AUDIT, and relative paths do not occur in a particular set of initialization files. At the same time, this represents a level of misconfiguration-checking that may not be appropriate for a baseline.
Isn't this redundant to V-914 and V-915?
This rule is made irrelevant by the advent of browser-based IM clients. The intent of the check is addressed effectively only by network traffic filtering/inspection.
We are manually inspecting the well-formedness of certain configuration files? What?
This will be superseded by a new section describing expectations for permissions contained in certain important directories.
DAC permissions on device files do not relate to their behavior, which depends on the implementation of the underlying device driver.
This is superseded by the system-wide check for improper permissions provided by the package manager. Automating this check became possible with OVAL 5.8.
This is superseded by the system-wide check for improper permissions provided by the package manager. Automating this check became possible with OVAL 5.8.
The security argument is not apparent or salient. Existence of an ACL is not necessarily a problem, and checking for existence of ACLs on a random selection of files does not achieve any security goals. Alternatives include denying use of any ACLs unless documented, or simply dropping these rules entirely (preferred).
This is covered in the RHEL6 content.
This is covered in the RHEL6 content for NFS mounts. Need to investigate removable media (for which we put in a ticket for configuration options a long time ago).
What is the distinction and purpose of different MAC levels?
This is desirable but not practical in many environments. Notably, many other OSes do not even support this capability.
This needs to be added to the RHEL6 content.
Is this a concern on a modern system?
This is covered in the RHEL6 content in a slightly different manner.
This needs to be added to the RHEL6 content, as well as a complete re-write of its CUPS section.
This is covered in the RHEL6 content in a slightly different manner: iptables is required.
This is covered in the RHEL6 content in a slightly different manner: xinetd is required to be disabled, and inetd is not available as part of RHEL6.
This could be covered in the RHEL6 content itself, though it seems more like something appropriate for a CTO upon retirement of major OS releases?
This is covered in the RHEL6 content in a slightly different manner: xinetd services are not permitted. Finger is still part of RHEL, and so a separate rule could be created for this if we were so inclined.
Postfix is the mail server on RHEL 6, and items peculiar to sendmail no longer apply.
This needs to be added, but adjusting for Postfix as the mail server on RHEL 6.
Is this not redundant to the system-wide requirement for keeping patches up to date (V-783)?
This package is only available in EPEL. I suggest that this makes it out of scope.
Is this not redundant to the system-wide aide check (V-11945)?
Suggest that this be covered in the RHEL6 content in a slightly different manner: ensuring all setuid programs are packaged (which implies vendor provenance). Also, what is the goal of the documentation?
The intent or utility of the check procedure is not clear or not actionable.
NIS/NIS+/yp should be disabled, as stated in a Rule in the RHEL 6 content. NIS/NIS+/yp are obsolete and should not be running on any modern system.
Note that sulogin may be going away in RHEL7. Shawn/Steve to follow up. Also, need to add in architecture-specific details, e.g. s390x
Current mapping does not meet requirement as it works for passwords, not keys
Per Steve Grubb there is a patch coming to enable this through PAM, so we can map to met_inherently in RHEL 6.4
Put more mappings
Where requirement says "must provide.." that is a yes/no. We can map to met_inherently.
Poor CCI that can be restructured -- consider removing
Perhaps move this to OCIL as interview question
Valid requirement but not applicable to STIG-server.
Change check procedure to check audit logs, not lastlog
/etc/pam.d/gdm can enforce this, update the check
Update guidance to say "don't change from default homedir"
chmod to 550 or more restrictive, not 700
Reword to allow changes, but ensure we audit them. Language around MUST have absolute paths needs to stay. Path order must be vendor default.
This is now default behavior, can be removed
For file permission checks, defer to common criteria accepted values
Need to ensure rpm verify flags such files
for all ACL content we will change to allow ACLs (via group prose) then mandate their audit (via a rule)
change chkconfig off to chkconfig --del
revisit polyinstantiation for RHEL7
Installation of NIS will now be a CAT I finding. NIS to be added to banned package list
Language to be broadened to beyond just CAC cards per PKI-e
Disablement of at service to be implemented in RHEL6 STIG
News server content can be removed
This requirement can be removed
value of 10 is fine
change value to 15
DoD - 60 IC - 90 days
Update prose to 3
pam lastlog.so noupdate showfailed
touch /etc/hushlogins
disable account, not remove
set shell to nologin
met_inherently
change to audit dispatch not rsyslog audsp-auremote
update tool listing
allow install but allow access by priv users (root, chmod 700)
update to remove vendor specific language
also watch for LD_AUDIT
Check exists in the RHEL6 prose, it can be automated and the OVAL for it appears to already exist. rule=audit_rules_unsuccessful_file_modification manual=no
Check exists in the RHEL6 prose, it can be automated and the OVAL for it appears to already exist. rule=audit_rules_file_deletion_events manual=no
Check exists in the RHEL6 prose, it can be automated and the OVAL for it appears to already exist. rule=audit_rules_login_events manual=no
Has no NIST controls associated
Check exists in the RHEL6 prose, it can be automated and the OVAL for it appears to already exist. rule=audit_rules_dac_modification manual=no
Sendmail is no longer shipped by default. Postfix is the default instead. Equivalent check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. rule=null manual=no
Sendmail is no longer shipped by default. Postfix is the default instead. Equivalent check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. rule=null manual=no
Sendmail is no longer shipped by default. Postfix is the default instead. rsyslog is used instead of syslog. Check exists in multiple places in the RHEL6 prose, it can be automated and the OVAL for it appears to already exist. rule=postfix_logging manual=no group=ensure_rsyslog_log_file_configuration (redundant?)
Has no CCE associated
This is superseded by a stronger requirement to not permit remote X sessions. Also, the RHEL 5 STIG text is wrong anyway. A non-mess version of this check exists in the RHEL 6 content, but could use further improvement.
Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. rule=null manual=no
Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. rule=null manual=no
At the same time, does this check make sense? Given the many security issues present in ftp, does requiring credentials really provide authentication of the user? Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. rule=null manual=no
By default new home directories will be given 700 perms.
A STIG is not an unconstrained search for potential misconfigurations. If it were, there would be far more files than these to consider. Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. rule=null manual=no
Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. rule=null manual=no
This check should be superseded by the system-wide check for improper permissions provided by the package manager. Automating this check became possible with OVAL 5.8
Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. rule=null manual=no
This should not occur. If such a case is identified it should be brought to the vendor for correction as a bug in the product.
Check does not exist in the RHEL6 prose, it cannot be entirely automated and the OVAL for it does not appear to already exist. rule=null manual=yes As a simple example, a cron job can be made to look for devices and compare them to previous lists, but it still requires someone to review the result, which is a manual process.
Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. rule=null manual=no
Check seems redundant with V-924
Check exists in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. group=specify_anonymous_uid_gid manual=no
Check exists in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. group=export_filesystems_read_only manual=no
Check exists in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. rule=use_root_squashing_all_exports manual=no
Check exists in the RHEL6 prose, it can be automated and the OVAL for it appears to already exist. rule=use_nosuid_option_on_nfs_mounts manual=no
Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. rule=blank manual=no
There are some mentions in the RHEL6 prose (group=nfs_restrict_access_rpcbind) of using TCP Wrappers to protect certain versions of NFS, but nothing specific, which may be the intent as this check is not at all specific either.
Check exists in the RHEL6 prose, it can be automated and the OVAL for it does not appear to exist. group=ensure_rsyslog_log_file_configuration manual=no
Check exists in the RHEL6 prose, it can be automated and the OVAL for it appears to already exist.
group=restrict_at_cron_users manual=no Partial check exists in the RHEL6 prose, it can be automated and the OVAL for it appears to already exist. rule=world_writable_files manual=no Check is addressed by the world_writable_files_system_ownership rule to find any files that are world writable but not system owned. System file permissions are addressed through the rpm verification check Partial check exists in the RHEL6 prose, it can be automated and the OVAL for it appears to already exist. rule=world_writable_files_system_ownership manual=no Check is addressed by the world_writable_files_system_ownership rule to find any files that are world writable but not system owned. System file permissions are addressed through the rpm verification check Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not appear to already exist. rule=null manual=no A new section targeting permissions in key directories will be added. Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does not appear to exist. rule=restrict_at_cron_users manual=no This and others like it should be covered under a new section targeting permissions in key directories Check exists in the RHEL6 prose, it cannot be automated and the OVAL/OCIL for it does not exist. rule=bios_disable_usb_boot manual=yes Check exists in the RHEL6 prose, it can be automated and the OVAL for it does not appear to exist. rule=smb_restrict_file_sharing manual=no Check exists in the RHEL6 prose, it can be automated and the OVAL for it does not appear to exist. rule=accounts_minimum_age_login_defs manual=no Check exists in the RHEL6 prose, it can be automated and the OVAL for it partially exists. rule=accounts_minimum_age_login_defs manual=no Guide and oval address changing the defaults but don't address the current values Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it not exist. 
rule=null manual=no Not sure what the argument is for singling these specific things out. Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=gconf_gnome_screensaver_idle_activation_enabled manual=no Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=accounts_password_pam_unix_remember manual=no Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=bootloader_password manual=no Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not exist. rule=null manual=no System file permissions will be addressed through the rpm verification check Check does not exist in the RHEL6 prose, it cannot be automated and the OVAL for it does not exist. rule=null manual=yes Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not exist. rule=null manual=yes This no longer ships in the default repo's. Should be removed. Check exists in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=sshd_allow_only_protocol2 manual=no Check does not exists in the RHEL6 prose, it can be automated and the OVAL for it does not exist. rule=null manual=no We do have a section for addressing these sorts of items under the group root_logins, but this particular concern is not addressed. Check does not exists in the RHEL6 prose, it cannot be automated and the OVAL for it does not exist. rule=null manual=yes Cannot programmatically determine if a server is a "valid" DoD time source without maintaining a exhaustive list of potentially sensitive information Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not exist. rule=null manual=no This check doesn't actually determine if the file system is making use of journaling. Is it necessary to carry this forward? Check exists in the RHEL6 prose, it can be automated and the OVAL for it does exist. 
rule=disable_smb_server manual=no Check exists in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=postfix_server_banner manual=no Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not exist. rule=null manual=no If we must include a section on ftp we should at least require it be done over SSH. Check does not exist in the RHEL6 prose, it cannot be automated and the OVAL for it does not exist. rule=null manual=yes This is not really feasible without maintaining an exhaustive list which constantly changes. Also, why NMS? We're allowed to run unauthorized s/w on non-NMS systems? Partial check does exists in the RHEL6 prose, it cannot be entirely automated and partial OVAL check for it does exist. rule=rsyslog_send_messages_to_logserver manual=yes We can verify that logs are sent to a remote server but we cannot determine in an automated fashion if it is "justified and documented using site-defined procedures." Partial check does exists in the RHEL6 prose, it can be automated an OVAL check for it appears to exist. rule=disable_dhcp_client manual=no Check in the RHEL6 prose requires NIS not be installed, it can be automated and an OVAL check for it appears to exist. rule=uninstall_ypserv manual=no Let NIS die. Check in the RHEL6 prose requires most if not all of these files be removed, it can be automated and an OVAL check for it appears to exist. rule=no_rsh_trust_files manual=no What "r-commands" are we suggesting be used with these? V-11988 wants these removed anyway. Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not exist. rule=null manual=no This is root:root by default. A new section will be added discussing permissions on key files. Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not exist. rule=null manual=no Wouldn't this also be covered by V-783 on keeping the system patched? 
Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it does not exist. rule=null manual=no Wouldn't this also be covered by V-783 on keeping the system patched? Check does exist in the RHEL6 prose to deny use of TFTP, it can be automated and the OVAL for it does exist. rule=tftp-server manual=no Is it not necessary for other software on the system to be authorized and approved? Check does not exist in the RHEL6 prose, it cannot be automated and the OVAL for it does not exist. rule=null manual=yes Without knowing what hosts should be trusted we can't do this, we don't really want to either. X has numerous issues. If remote connections to X must be used it should be tunneled over something such as SSH. Check does not exist in the RHEL6 prose, it cannot be automated and the OVAL for it does not exist. rule=null manual=yes No automated means to determine presence in DMZ. We should not be allowing FTP. Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=accounts_maximum_age_login_defs manual=yes Partial check for authpriv does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. group=ensure_rsyslog_log_file_configuration manual=no The authpriv portion seems to be covered in several different places (V-12004, V-941). The value provided by the second half of this is not apparent and not in the RHEL6 prose. Check does exist in the RHEL6 prose, it can be automated and the OVAL for it appears to exist. rule=disable_users_coredumps manual=no Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=sysctl_kernel_exec_shield manual=no Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. 
rule=sysctl_net_ipv4_conf_all_accept_source_route manual=no This check is split in the RHEL6 prose and addressed in the rule listed above and the sysctl_net_ipv4_conf_default_accept_source_route rule Check does exist in the RHEL6 prose, it can be automated and the OVAL for it appears to exist. rule=uninstall_vsftpd manual=no Per V-12010 don't allow FTP. Lets get rid of these other random FTP rules. Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=sysctl_ipv4_ip_forward manual=no Check does not exist in the RHEL6 prose, it cannot be automated and the OVAL for it does not exist. rule=null manual=yes Any automated effort to check this is at best a token effort. Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=gconf_gnome_screensaver_mode_blank manual=no Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=set_password_hashing_algorithm manual=no Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. group=password_quality_pamcracklib manual=no The cracklib checks are in the RHEL6 prose. Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=no_files_unowned_by_group manual=no Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=userowner_shadow_file manual=no Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=accounts_password_all_shadowed manual=no Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist. rule=auditd_data_retention_space_left_action manual=no Partial check does exist in the RHEL6 prose, it can be automated and a partial OVAL for it does exist. rule=audit_rules_usergroup_modification manual=no Auditing of the files is in place but not the commands. Check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. 
rule=audit_rules_kernel_module_loading manual=no Check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. rule=service_kdump_disabled manual=no Check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. rule=iptables_icmp_disabled manual=no This is accomplished by whitelisting specific types of icmp traffic. Check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. rule=sysctl_net_ipv4_icmp_echo_ignore_broadcasts manual=no V-22410 and V-22411 are the same. Check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. rule=sysctl_net_ipv4_conf_all_accept_source_route manual=no This check is split in the RHEL6 prose into the above and the sysctl_net_ipv4_conf_default_accept_source_route rule. Check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. rule=sysctl_net_ipv4_conf_all_accept_redirects manual=no This check is split in the RHEL6 prose into the above and the sysctl_net_ipv4_conf_default_accept_redirects rule. Check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. rule=sysctl_net_ipv4_conf_all_send_redirects manual=no This check is split in the RHEL6 prose into the above and the sysctl_net_ipv4_conf_default_send_redirects rule. Partial check does exist in the RHEL6 prose, it can be automated and partial OVAL for it does exist. rule=sysctl_net_ipv4_conf_all_log_martians manual=no This check is split in the RHEL6 prose into the above but no equivalent rule exists for "default." Check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. rule=sysctl_net_ipv4_tcp_syncookies manual=no Check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. rule=service_rpcbind_disabled manual=no Check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. 
rule=package_rsh-server_removed manual=no Check does not exist in the RHEL6 prose, it can be automated and OVAL for it does not exist. rule=null manual=no No check exists for the client side. Check does not exist in the RHEL6 prose, it cannot be automated and OVAL for it does not exist. rule=null manual=yes No automated way to determine the management interface. Check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. rule=sshd_use_approved_ciphers manual=no V-22458 and V-22459 are essentially the same. Partial check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. rule=sshd_limit_user_access manual=no Prose focuses on blacklisting where we should prefer a whitelist. Check does exist in the RHEL6 prose, it can be automated and OVAL for it does exist. rule=sshd_enable_warning_banner manual=no This is incoherent. There is no apparent relationship between the title, description, and fixtext/checktext. The checking text lists user IDs in /etc/passwd, which have nothing to do with group IDs. If something coherent is presented it could be considered for inclusion for RHEL 6, but even then, the possibilities suggest checking for a highly unlikely configuration which is not worth inclusion in a baseline. This is redundant to another rule requiring that the path be the vendor default. This is covered in the RHEL6 content. 
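Several of the notes above record that one RHEL 5 STIG item maps onto two RHEL6 rules: one for `net.ipv4.conf.all.*` and one for `net.ipv4.conf.default.*` (accept_source_route, accept_redirects, send_redirects, and log_martians, where the notes say no `default` rule exists yet). The script below is an added example, not SSG's OVAL or any file in this archive, showing why both keys have to be checked: `all` applies to interfaces that already exist, `default` is copied into interfaces created later, so a file that sets only one side is incomplete. The required values are an assumption taken from the rule names in the notes, and the sysctl.conf text is constructed.

```python
"""Check the all/default sysctl pairs that the RHEL6 content splits into two
rules, plus the single-key settings mentioned beside them in the notes.

Added example, not the project's OVAL. Required values are assumed from the
rule names (accept_source_route=0, accept_redirects=0, send_redirects=0,
log_martians=1, ip_forward=0, icmp_echo_ignore_broadcasts=1, tcp_syncookies=1).
"""

# (key template, required value); "{scope}" is filled with all / default
PAIRED_SETTINGS = (
    ("net.ipv4.conf.{scope}.accept_source_route", "0"),
    ("net.ipv4.conf.{scope}.accept_redirects", "0"),
    ("net.ipv4.conf.{scope}.send_redirects", "0"),
    ("net.ipv4.conf.{scope}.log_martians", "1"),
)
SINGLE_SETTINGS = (
    ("net.ipv4.ip_forward", "0"),
    ("net.ipv4.icmp_echo_ignore_broadcasts", "1"),
    ("net.ipv4.tcp_syncookies", "1"),
)

# Constructed sysctl.conf: the `all` side of every pair is set, `default` is
# forgotten, and ip_forward is set twice (the last assignment wins).
SAMPLE_SYSCTL_CONF = """\
# constructed sample, not a real host's /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
; sysctl also accepts the slash-separated key form
net/ipv4/conf/all/accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
"""


def parse_sysctl_conf(text):
    """Parse sysctl.conf syntax: one `key = value` per line, `#`/`;` comment
    lines, keys in dotted or slash form. Later assignments override earlier
    ones, matching the order in which `sysctl -p` applies them."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            continue  # malformed line; sysctl warns and skips it as well
        key, value = line.split("=", 1)
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings


def expected_settings():
    """Expand the pair templates into the full (key, value) check list."""
    expected = []
    for template, value in PAIRED_SETTINGS:
        for scope in ("all", "default"):
            expected.append((template.format(scope=scope), value))
    expected.extend(SINGLE_SETTINGS)
    return expected


def find_gaps(settings):
    """Return (key, wanted, found) for each expected key that is missing or
    has the wrong value; found is None when the key is not set at all."""
    gaps = []
    for key, wanted in expected_settings():
        found = settings.get(key)
        if found != wanted:
            gaps.append((key, wanted, found))
    return gaps


def missing_default_keys(settings):
    """The exact failure the notes describe: `all` is set, `default` is not."""
    missing = []
    for template, _ in PAIRED_SETTINGS:
        all_key = template.format(scope="all")
        default_key = template.format(scope="default")
        if all_key in settings and default_key not in settings:
            missing.append(default_key)
    return missing


if __name__ == "__main__":
    parsed = parse_sysctl_conf(SAMPLE_SYSCTL_CONF)
    for key, wanted, found in find_gaps(parsed):
        print("%-45s wanted=%s found=%s" % (key, wanted, found))
```

Run against the constructed file, every `all` key and every single-key setting passes (including ip_forward, because the second assignment overrides the first), and the four `net.ipv4.conf.default.*` keys are reported as unset. A real scan also has to compare the running values from `sysctl -a`, since a key absent from the file simply keeps the kernel default.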
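The rhel6 profile files that follow (C2S.profile, CS2.profile, CSCF-RHEL6-MLS.profile) describe a profile as a flat `selections:` list in which a plain entry selects a rule, an entry prefixed with `!` unselects it, and `value_id=selector` refines an XCCDF Value (for example `var_selinux_policy_name=mls`). The script below is an added example, not the project's build code: it reads that list with a deliberately small line-based reader (not a YAML parser; it only understands the `key: value` / `- item` layout these files use) and reports the effective rule set, the refinements, and any rule a file both selects and unselects. `SAMPLE_PROFILE` is constructed.

```python
"""Classify the `selections:` entries of a SCAP Security Guide profile file.

Added example; mirrors the three entry kinds used by the rhel6 profiles
(select, "!" unselect, value=selector refinement) without depending on the
project's ssg/ build modules or on a YAML library.
"""


def _unquote(text):
    """Strip one level of matching single or double quotes."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    return text


class Profile(object):
    def __init__(self):
        self.title = ""
        self.selected = []      # rule ids in file order, duplicates kept
        self.unselected = []    # rule ids written with a leading "!"
        self.refinements = {}   # value id -> selector

    def effective_rules(self):
        """Rules that survive: an unselect wins over a select, and a rule
        listed twice is reported once."""
        dropped = set(self.unselected)
        seen = set()
        result = []
        for rule in self.selected:
            if rule in dropped or rule in seen:
                continue
            seen.add(rule)
            result.append(rule)
        return result

    def conflicts(self):
        """Rules the file both selects and unselects; worth flagging in review
        because the outcome then depends on build-tool ordering."""
        return sorted(set(self.selected) & set(self.unselected))


def parse_profile(text):
    """Read title and selections from the flat profile layout."""
    profile = Profile()
    in_selections = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if not in_selections:
                continue  # a list under some other key; ignore it
            item = _unquote(line[2:])
            if "=" in item:
                value_id, selector = item.split("=", 1)
                profile.refinements[value_id] = selector
            elif item.startswith("!"):
                profile.unselected.append(item[1:])
            else:
                profile.selected.append(item)
        else:
            key, _, value = line.partition(":")
            in_selections = (key == "selections")
            if key == "title":
                profile.title = _unquote(value)
    return profile


# Constructed profile in the same layout as the rhel6 profiles; it repeats
# one rule and both selects and unselects another to exercise every path.
SAMPLE_PROFILE = """\
documentation_complete: true
title: 'Constructed MLS-style profile'
description: 'Not a real profile; exercises every entry kind.'
selections:
    - var_selinux_policy_name=mls
    - var_accounts_maximum_age_login_defs=180
    - aide_build_database
    - "!aide_periodic_cron_checking"
    - audit_rules_usergroup_modification
    - audit_rules_immutable
    - audit_rules_immutable
    - "!audit_rules_privileged_commands"
    - audit_rules_privileged_commands
    - bootloader_password
"""


if __name__ == "__main__":
    prof = parse_profile(SAMPLE_PROFILE)
    print(prof.title)
    print("selected:   ", prof.effective_rules())
    print("unselected: ", prof.unselected)
    print("refinements:", prof.refinements)
    print("conflicts:  ", prof.conflicts())
```

The same reader can be pointed at the real files below to diff two profiles, for instance to list which rules CSCF-RHEL6-MLS drops with `!` that C2S keeps; the quoted `"!rule"` form is required in the real files because a bare `!` starts a YAML tag.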
scap-security-guide-0.1.39/rhel6/product.yml000066400000000000000000000001321327242345500207200ustar00rootroot00000000000000product: rhel6 benchmark_root: "./guide" profiles_root: "./profiles" pkg_system: "rpm" scap-security-guide-0.1.39/rhel6/profiles/000077500000000000000000000000001327242345500203445ustar00rootroot00000000000000scap-security-guide-0.1.39/rhel6/profiles/C2S.profile000066400000000000000000000163301327242345500223200ustar00rootroot00000000000000documentation_complete: true title: 'C2S for Red Hat Enterprise Linux 6' description: "This profile demonstrates compliance against the \nU.S. Government Commercial Cloud Services (C2S) baseline.\n\ \nThis baseline was inspired by the Center for Internet Security\n(CIS) Red Hat Enterprise Linux 6 Benchmark, v1.2.0 -\ \ 06-25-2013.\nFor the SCAP Security Guide project to remain in compliance with\nCIS' terms and conditions, specifically\ \ Restrictions(8), note \nthere is no representation or claim that the C2S profile will\nensure a system is in compliance\ \ or consistency with the CIS\nbaseline." 
selections: - var_selinux_state=enforcing - var_selinux_policy_name=targeted - var_umask_for_daemons=027 - var_accounts_user_umask=027 - var_accounts_maximum_age_login_defs=90 - partition_for_tmp - mount_option_tmp_nodev - mount_option_tmp_nosuid - mount_option_tmp_noexec - partition_for_var - mount_option_var_tmp_bind - partition_for_var_log - partition_for_var_log_audit - partition_for_home - mount_option_nodev_nonroot_local_partitions - mount_option_nodev_removable_partitions - mount_option_noexec_removable_partitions - mount_option_nosuid_removable_partitions - mount_option_dev_shm_nodev - mount_option_dev_shm_nosuid - mount_option_dev_shm_noexec - dir_perms_world_writable_sticky_bits - kernel_module_cramfs_disabled - kernel_module_freevxfs_disabled - kernel_module_jffs2_disabled - kernel_module_hfs_disabled - kernel_module_hfsplus_disabled - kernel_module_squashfs_disabled - kernel_module_udf_disabled - ensure_redhat_gpgkey_installed - ensure_gpgcheck_globally_activated - ensure_gpgcheck_never_disabled - service_rhnsd_disabled - rpm_verify_permissions - rpm_verify_hashes - package_aide_installed - disable_prelink - aide_build_database - aide_periodic_cron_checking - enable_selinux_bootloader - selinux_state - selinux_policytype - package_setroubleshoot_removed - package_mcstrans_removed - selinux_confinement_of_daemons - file_user_owner_grub_conf - file_group_owner_grub_conf - file_permissions_grub_conf - bootloader_password - require_singleuser_auth - disable_interactive_boot - disable_users_coredumps - sysctl_fs_suid_dumpable - sysctl_kernel_exec_shield - sysctl_kernel_randomize_va_space - package_telnet-server_removed - package_telnet_removed - package_rsh-server_removed - package_rsh_removed - package_ypbind_removed - package_ypserv_removed - package_tftp_removed - package_tftp-server_removed - package_talk_removed - package_talk-server_removed - package_xinetd_removed - umask_for_daemons - package_xorg-x11-server-common_removed - 
service_avahi-daemon_disabled - service_cups_disabled - package_dhcp_removed - service_ntpd_enabled - ntpd_specify_remote_server - ntpd_specify_multiple_servers - package_openldap-servers_removed - service_nfslock_disabled - service_rpcgssd_disabled - service_rpcidmapd_disabled - service_rpcsvcgssd_disabled - service_rpcbind_disabled - package_bind_removed - package_vsftpd_removed - package_httpd_removed - package_dovecot_removed - package_samba_removed - package_squid_removed - package_net-snmp_removed - postfix_network_listening_disabled - sysctl_net_ipv4_ip_forward - sysctl_net_ipv4_conf_default_send_redirects - sysctl_net_ipv4_conf_all_send_redirects - sysctl_net_ipv4_conf_all_accept_source_route - sysctl_net_ipv4_conf_default_accept_source_route - sysctl_net_ipv4_conf_all_accept_redirects - sysctl_net_ipv4_conf_default_accept_redirects - sysctl_net_ipv4_conf_all_secure_redirects - sysctl_net_ipv4_conf_default_secure_redirects - sysctl_net_ipv4_conf_all_log_martians - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - sysctl_net_ipv4_conf_all_rp_filter - sysctl_net_ipv4_conf_default_rp_filter - sysctl_net_ipv4_tcp_syncookies - wireless_disable_in_bios - wireless_disable_interfaces - sysctl_net_ipv6_conf_default_accept_ra - sysctl_net_ipv6_conf_default_accept_redirects - network_ipv6_disable_interfaces - kernel_module_dccp_disabled - kernel_module_sctp_disabled - kernel_module_rds_disabled - kernel_module_tipc_disabled - service_iptables_enabled - service_ip6tables_enabled - package_rsyslog_installed - service_rsyslog_enabled - rsyslog_files_permissions - rsyslog_remote_loghost - rsyslog_nolisten - auditd_data_retention_max_log_file - auditd_data_retention_space_left_action - auditd_data_retention_action_mail_acct - auditd_data_retention_admin_space_left_action - auditd_data_retention_max_log_file_action - service_auditd_enabled - bootloader_audit_argument - audit_rules_time_adjtimex - audit_rules_time_settimeofday 
- audit_rules_time_stime - audit_rules_time_watch_localtime - audit_rules_usergroup_modification - audit_rules_networkconfig_modification - audit_rules_mac_modification - audit_rules_login_events - audit_rules_session_events - audit_dac_actions - audit_rules_unsuccessful_file_modification - audit_rules_privileged_commands - audit_rules_media_export - audit_rules_file_deletion_events - audit_rules_sysadmin_actions - audit_rules_kernel_module_loading - audit_rules_immutable - ensure_logrotate_activated - service_crond_enabled - service_atd_disabled - sshd_allow_only_protocol2 - sshd_disable_rhosts - disable_host_auth - sshd_disable_root_login - sshd_disable_empty_passwords - sshd_use_approved_ciphers - sshd_set_idle_timeout - sshd_limit_user_access - sshd_enable_warning_banner - set_password_hashing_algorithm - password_quality_pamcracklib - accounts_passwords_pam_faillock_deny - accounts_password_pam_unix_remember - no_direct_root_logins - accounts_maximum_age_login_defs - accounts_minimum_age_login_defs - accounts_password_warn_age_login_defs - no_shelllogin_for_systemaccounts - accounts_umask_etc_bashrc - accounts_umask_etc_profile - account_disable_post_pw_expiration - banner_etc_issue - gconf_gdm_enable_warning_gui_banner - gconf_gdm_set_login_banner_text - file_permissions_etc_passwd - file_permissions_etc_shadow - file_permissions_etc_gshadow - file_permissions_etc_group - file_owner_etc_passwd - file_groupowner_etc_passwd - userowner_shadow_file - groupowner_shadow_file - file_owner_etc_gshadow - file_groupowner_etc_gshadow - file_owner_etc_group - file_groupowner_etc_group - file_permissions_binary_dirs - file_permissions_unauthorized_world_writable - no_files_unowned_by_user - file_permissions_ungroupowned - file_permissions_unauthorized_suid - file_permissions_unauthorized_sgid - no_empty_passwords - accounts_no_uid_except_zero - root_path_default - file_permissions_home_dirs - no_rsh_trust_files - gid_passwd_group_same - account_unique_name - 
no_netrc_files scap-security-guide-0.1.39/rhel6/profiles/CS2.profile000066400000000000000000000261061327242345500223220ustar00rootroot00000000000000documentation_complete: true title: 'Example Server Profile' description: 'This profile is an example of a customized server profile.' selections: - accounts_password_minlen_login_defs - var_accounts_password_minlen_login_defs=14 - accounts_minimum_age_login_defs - var_accounts_minimum_age_login_defs=1 - accounts_maximum_age_login_defs - var_accounts_maximum_age_login_defs=180 - accounts_password_pam_dcredit - accounts_password_pam_ucredit - accounts_password_pam_ocredit - accounts_password_pam_lcredit - accounts_password_pam_difok - accounts_password_pam_unix_remember - var_password_pam_unix_remember=10 - accounts_password_warn_age_login_defs - account_disable_post_pw_expiration - accounts_passwords_pam_faillock_deny - accounts_password_pam_retry - accounts_max_concurrent_login_sessions - var_accounts_max_concurrent_login_sessions=3 - partition_for_tmp - partition_for_var - partition_for_var_log - partition_for_var_log_audit - partition_for_home - ensure_redhat_gpgkey_installed - ensure_gpgcheck_globally_activated - ensure_gpgcheck_never_disabled - rpm_verify_hashes - rpm_verify_permissions - package_aide_installed - aide_build_database - mount_option_nodev_removable_partitions - mount_option_noexec_removable_partitions - mount_option_nosuid_removable_partitions - mount_option_tmp_nodev - mount_option_tmp_noexec - mount_option_tmp_nosuid - mount_option_dev_shm_nodev - mount_option_dev_shm_noexec - mount_option_dev_shm_nosuid - mount_option_var_tmp_bind - kernel_module_usb-storage_disabled - bootloader_nousb_argument - kernel_module_cramfs_disabled - kernel_module_freevxfs_disabled - kernel_module_jffs2_disabled - kernel_module_hfs_disabled - kernel_module_hfsplus_disabled - kernel_module_squashfs_disabled - kernel_module_udf_disabled - dir_perms_world_writable_sticky_bits - file_permissions_unauthorized_world_writable 
- no_files_unowned_by_user - file_permissions_ungroupowned - dir_perms_world_writable_system_owned - umask_for_daemons - var_umask_for_daemons=027 - disable_users_coredumps - sysctl_kernel_randomize_va_space - sysctl_kernel_exec_shield - install_PAE_kernel_on_x86-32 - disable_prelink - account_unique_name - accounts_password_all_shadowed - accounts_no_uid_except_zero - set_password_hashing_algorithm_systemauth - set_password_hashing_algorithm_logindefs - set_password_hashing_algorithm_libuserconf - root_paths - accounts_root_path_dirs_no_write - accounts_umask_etc_bashrc - accounts_umask_etc_login_defs - var_accounts_user_umask=077 - no_shelllogin_for_systemaccounts - root_path_default - no_empty_passwords - accounts_umask_etc_csh_cshrc - accounts_umask_etc_profile - no_netrc_files - disable_interactive_boot - package_screen_installed - kernel_module_dccp_disabled - kernel_module_sctp_disabled - kernel_module_rds_disabled - kernel_module_tipc_disabled - package_rsyslog_installed - service_rsyslog_enabled - rsyslog_remote_loghost - ensure_logrotate_activated - disable_logwatch_for_logserver - rsyslog_files_ownership - rsyslog_files_groupownership - rsyslog_files_permissions - rsyslog_nolisten - logwatch_configured_splithosts - audit_rules_time_adjtimex - audit_rules_time_settimeofday - audit_rules_time_stime - audit_rules_time_clock_settime - audit_rules_time_watch_localtime - audit_rules_usergroup_modification - audit_rules_networkconfig_modification - audit_rules_mac_modification - audit_rules_dac_modification_chmod - audit_rules_dac_modification_chown - audit_rules_dac_modification_fchmod - audit_rules_dac_modification_fchmodat - audit_rules_dac_modification_fchown - audit_rules_dac_modification_fchownat - audit_rules_dac_modification_fremovexattr - audit_rules_dac_modification_fsetxattr - audit_rules_dac_modification_lchown - audit_rules_dac_modification_lremovexattr - audit_rules_dac_modification_lsetxattr - audit_rules_dac_modification_removexattr - 
audit_rules_dac_modification_setxattr - audit_rules_kernel_module_loading - audit_rules_immutable - file_permissions_var_log_audit - file_ownership_var_log_audit - audit_rules_login_events - audit_rules_session_events - audit_rules_unsuccessful_file_modification - audit_rules_privileged_commands - audit_rules_media_export - audit_rules_file_deletion_events - securetty_root_login_console_only - no_direct_root_logins - userowner_shadow_file - groupowner_shadow_file - file_permissions_etc_shadow - file_owner_etc_gshadow - file_groupowner_etc_gshadow - file_permissions_etc_gshadow - file_owner_etc_passwd - file_groupowner_etc_passwd - file_permissions_etc_passwd - file_owner_etc_group - file_groupowner_etc_group - file_permissions_etc_group - file_permissions_library_dirs - file_ownership_library_dirs - file_permissions_binary_dirs - file_ownership_binary_dirs - gid_passwd_group_same - file_permissions_home_dirs - file_user_owner_grub_conf - file_group_owner_grub_conf - file_permissions_grub_conf - sysctl_fs_suid_dumpable - service_restorecond_enabled - selinux_confinement_of_daemons - selinux_all_devicefiles_labeled - selinux_state - selinux_policytype - require_singleuser_auth - disable_ctrlaltdel_reboot - bootloader_password - gconf_gnome_screensaver_idle_delay - inactivity_timeout_value=15_minutes - gconf_gnome_screensaver_idle_activation_enabled - gconf_gnome_screensaver_lock_enabled - banner_etc_issue - gconf_gdm_enable_warning_gui_banner - gconf_gdm_set_login_banner_text - login_banner_text=dod_default - gconf_gnome_disable_thumbnailers - gconf_gnome_disable_automount - network_disable_zeroconf - sysctl_net_ipv4_conf_default_send_redirects - sysctl_net_ipv4_conf_all_send_redirects - sysctl_net_ipv4_ip_forward - sysctl_net_ipv4_conf_all_accept_source_route - sysctl_net_ipv4_conf_all_accept_redirects - sysctl_net_ipv4_conf_all_secure_redirects - sysctl_net_ipv4_conf_all_log_martians - sysctl_net_ipv4_conf_default_accept_source_route - 
sysctl_net_ipv4_conf_default_secure_redirects - sysctl_net_ipv4_conf_default_accept_redirects - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - sysctl_net_ipv4_tcp_syncookies - sysctl_net_ipv4_conf_all_rp_filter - sysctl_net_ipv4_conf_default_rp_filter - kernel_module_ipv6_option_disabled - network_ipv6_disable_interfaces - network_ipv6_disable_rpc - network_ipv6_static_address - network_ipv6_privacy_extensions - network_ipv6_default_gateway - network_ipv6_limit_requests - sysctl_net_ipv6_conf_default_accept_ra - sysctl_net_ipv6_conf_default_accept_redirects - network_sniffer_disabled - wireless_disable_in_bios - wireless_disable_interfaces - service_bluetooth_disabled - kernel_module_bluetooth_disabled - service_crond_enabled - service_abrtd_disabled - service_acpid_disabled - service_atd_disabled - service_autofs_disabled - service_certmonger_disabled - service_cgconfig_disabled - service_cgred_disabled - service_cpuspeed_disabled - service_haldaemon_disabled - service_irqbalance_enabled - service_kdump_disabled - service_mdmonitor_disabled - service_messagebus_disabled - service_netconsole_disabled - service_ntpdate_disabled - service_oddjobd_disabled - service_portreserve_disabled - service_qpidd_disabled - service_rdisc_disabled - service_rhnsd_disabled - service_saslauthd_disabled - service_rhsmcertd_disabled - service_smartd_disabled - service_sysstat_disabled - service_xinetd_disabled - package_xinetd_removed - package_telnet-server_removed - service_telnetd_disabled - package_rsh-server_removed - service_rsh_disabled - package_ypserv_removed - service_ypbind_disabled - service_sshd_disabled - sshd_allow_only_protocol2 - sshd_idle_timeout_value=60_minutes - sshd_set_keepalive - sshd_disable_rhosts - sshd_disable_root_login - sshd_disable_empty_passwords - sshd_enable_warning_banner - sshd_do_not_permit_user_env - sshd_limit_user_access - sshd_use_approved_ciphers - xwindows_runlevel_setting - 
package_xorg-x11-server-common_removed - service_cups_disabled - cups_disable_browsing - sysconfig_networking_bootproto_ifcfg - dhcp_server_disable_ddns - dhcp_server_deny_decline - dhcp_server_deny_bootp - dhcp_server_minimize_served_info - dhcp_server_configure_logging - service_ntpd_enabled - ntpd_specify_remote_server - service_postfix_enabled - package_sendmail_removed - ldap_client_start_tls - service_nfslock_disabled - service_rpcgssd_disabled - service_rpcidmapd_disabled - service_netfs_disabled - nfs_fixed_lockd_tcp_port - nfs_fixed_lockd_udp_port - nfs_fixed_statd_port - nfs_fixed_mountd_port - service_nfs_disabled - service_rpcsvcgssd_disabled - mount_option_nodev_remote_filesystems - mount_option_nosuid_remote_filesystems - use_root_squashing_all_exports - restrict_nfs_clients_to_privileged_ports - no_insecure_locks_exports - nfs_no_anonymous - service_named_disabled - package_bind_removed - dns_server_disable_dynamic_updates - package_tftp-server_removed - service_tftp_disabled - service_vsftpd_disabled - package_vsftpd_removed - ftp_log_transactions - ftp_present_banner - package_httpd_removed - httpd_servertokens_prod - httpd_mod_rewrite - httpd_server_side_includes - httpd_webdav - httpd_server_activity_status - httpd_server_configuration_display - httpd_url_correction - httpd_proxy_support - httpd_cache_support - httpd_cgi_support - httpd_digest_authentication - httpd_ldap_support - httpd_mime_magic - httpd_restrict_root_directory - httpd_restrict_web_directory - httpd_restrict_critical_directories - httpd_limit_available_methods - httpd_install_mod_ssl - httpd_install_mod_security - dir_perms_etc_httpd_conf - file_permissions_httpd_server_conf_files - service_dovecot_disabled - package_dovecot_removed - dovecot_enable_ssl - dovecot_configure_ssl_cert - dovecot_configure_ssl_key - service_smb_disabled - require_smb_client_signing - mount_option_smb_client_signing - smb_server_disable_root - service_squid_disabled - package_squid_removed - 
    - service_snmpd_disabled
    - package_net-snmp_removed
    - package_openswan_installed
    - no_rsh_trust_files
    - tftpd_uses_secure_mode
    - service_avahi-daemon_disabled
    - avahi_ip_only
    - avahi_check_ttl
    - avahi_prevent_port_sharing
    - avahi_disable_publishing

# scap-security-guide-0.1.39/rhel6/profiles/CSCF-RHEL6-MLS.profile
documentation_complete: true
title: 'CSCF RHEL6 MLS Core Baseline'
description: "This profile reflects the Centralized Super Computing Facility \n(CSCF) baseline for Red Hat Enterprise Linux 6. This baseline has received \ngovernment ATO through the ICD 503 process, utilizing the CNSSI 1253 cross \ndomain overlay. This profile should be considered in active development. \nAdditional tailoring will be needed, such as the creation of RBAC roles \nfor production deployment."
selections:
    - var_auditd_max_log_file_action=keep_logs
    - var_accounts_max_concurrent_login_sessions=3
    - var_accounts_maximum_age_login_defs=180
    - var_accounts_password_minlen_login_defs=12
    - var_selinux_policy_name=mls
    - account_disable_post_pw_expiration
    - account_temp_expire_date
    - aide_build_database
    - "!aide_periodic_cron_checking"
    - audit_rules_usergroup_modification
    - audit_rules_immutable
    - "!audit_rules_unsuccessful_file_modification"
    - "!audit_rules_file_deletion_events"
    - audit_rules_kernel_module_loading
    - file_permissions_var_log_audit
    - file_ownership_var_log_audit
    - audit_rules_mac_modification
    - audit_rules_login_events
    - audit_rules_session_events
    - audit_rules_media_export
    - audit_rules_networkconfig_modification
    - "!audit_rules_privileged_commands"
    - audit_rules_dac_modification_chmod
    - audit_rules_dac_modification_chown
    - audit_rules_dac_modification_fchmod
    - audit_rules_dac_modification_fchmodat
    - audit_rules_dac_modification_fchown
    - audit_rules_dac_modification_fchownat
    - audit_rules_dac_modification_fremovexattr
    - audit_rules_dac_modification_fsetxattr
    - audit_rules_dac_modification_lremovexattr
    - audit_rules_dac_modification_lchown
    - audit_rules_dac_modification_lsetxattr
    - audit_rules_dac_modification_removexattr
    - audit_rules_dac_modification_setxattr
    - audit_rules_time_adjtimex
    - audit_rules_time_clock_settime
    - audit_rules_time_settimeofday
    - audit_rules_time_stime
    - audit_rules_time_watch_localtime
    - audit_rules_sysadmin_actions
    - bios_disable_usb_boot
    - "!bootloader_nousb_argument"
    - bootloader_password
    - auditd_data_retention_action_mail_acct
    - auditd_data_retention_admin_space_left_action
    - auditd_audispd_syslog_plugin_activated
    - auditd_data_retention_max_log_file
    - auditd_data_retention_max_log_file_action
    - auditd_data_retention_num_logs
    - auditd_data_retention_space_left_action
    - "!cups_disable_browsing"
    - cups_disable_printserver
    - wireless_disable_interfaces
    - "!accounts_passwords_pam_faillock_unlock_time"
    - "!accounts_passwords_pam_faillock_deny"
    - "!accounts_passwords_pam_faillock_interval"
    - dhcp_server_deny_bootp
    - dhcp_server_deny_decline
    - dhcp_server_disable_ddns
    - disable_anacron
    - service_avahi-daemon_disabled
    - sysconfig_networking_bootproto_ifcfg
    - service_dhcpd_disabled
    - service_named_disabled
    - gconf_gnome_disable_thumbnailers
    - "!service_httpd_disabled"
    - kernel_module_ipv6_option_disabled
    - kernel_module_cramfs_disabled
    - kernel_module_freevxfs_disabled
    - kernel_module_hfs_disabled
    - kernel_module_hfsplus_disabled
    - kernel_module_jffs2_disabled
    - kernel_module_squashfs_disabled
    - "!kernel_module_udf_disabled"
    - disable_prelink
    - kernel_module_dccp_disabled
    - kernel_module_rds_disabled
    - kernel_module_sctp_disabled
    - kernel_module_tipc_disabled
    - service_rexec_disabled
    - service_rlogin_disabled
    - service_rsh_disabled
    - sysctl_net_ipv4_conf_default_send_redirects
    - sysctl_net_ipv4_conf_all_send_redirects
    - sysctl_net_ipv4_conf_all_accept_source_route
    - sysctl_net_ipv4_conf_all_accept_redirects
    - sysctl_net_ipv4_conf_all_secure_redirects
    - sysctl_net_ipv4_ip_forward
    - "!service_telnetd_disabled"
    - service_tftp_disabled
    - service_vsftpd_disabled
    - service_ypbind_disabled
    - dns_server_authenticate_zone_transfers
    - bootloader_audit_argument
    - gconf_gdm_enable_warning_gui_banner
    - gconf_gnome_screensaver_idle_activation_enabled
    - gconf_gnome_screensaver_lock_enabled
    - enable_selinux_bootloader
    - ensure_logrotate_activated
    - file_ownership_binary_dirs
    - file_ownership_library_dirs
    - file_permissions_binary_dirs
    - file_permissions_etc_passwd
    - "!file_permissions_library_dirs"
    - gconf_gnome_disable_automount
    - file_groupowner_etc_group
    - file_groupowner_etc_gshadow
    - file_groupowner_etc_passwd
    - rsyslog_files_groupownership
    - groupowner_shadow_file
    - file_permissions_httpd_server_conf_files
    - dir_perms_var_log_httpd
    - httpd_servertokens_prod
    - kernel_module_bluetooth_disabled
    - kernel_module_usb-storage_disabled
    - ldap_client_start_tls
    - ldap_client_tls_cacertpath
    - accounts_password_pam_unix_remember
    - mount_option_dev_shm_nodev
    - mount_option_dev_shm_noexec
    - mount_option_dev_shm_nosuid
    - mount_option_tmp_nodev
    - "!mount_option_tmp_noexec"
    - mount_option_tmp_nosuid
    - "!mount_option_var_tmp_bind"
    - mount_option_nodev_nonroot_local_partitions
    - "!mount_option_noexec_removable_partitions"
    - "!mount_option_nosuid_removable_partitions"
    - "!accounts_max_concurrent_login_sessions"
    - network_disable_zeroconf
    - network_ipv6_disable_rpc
    - network_sniffer_disabled
    - no_empty_passwords
    - "!file_permissions_ungroupowned"
    - "!no_files_unowned_by_user"
    - accounts_password_all_shadowed
    - no_netrc_files
    - accounts_no_uid_except_zero
    - no_direct_root_logins
    - file_permissions_unauthorized_sgid
    - "!file_permissions_unauthorized_suid"
    - ntpd_specify_multiple_servers
    - ntpd_specify_remote_server
    - package_aide_installed
    - package_openldap-servers_removed
    - package_rsyslog_installed
    - package_sendmail_removed
    - "!partition_for_var_log"
    - partition_for_var_log_audit
    - accounts_maximum_age_login_defs
    - accounts_password_minlen_login_defs
    - "!accounts_password_pam_maxrepeat"
    - accounts_password_pam_difok
    - accounts_password_pam_dcredit
    - accounts_password_pam_lcredit
    - accounts_password_pam_ocredit
    - accounts_password_pam_ucredit
    - accounts_password_pam_retry
    - accounts_password_warn_age_login_defs
    - file_permissions_etc_group
    - file_permissions_etc_shadow
    - file_permissions_etc_gshadow
    - postfix_network_listening_disabled
    - securetty_root_login_console_only
    - restrict_serial_port_logins
    - "!rpm_verify_hashes"
    - "!rpm_verify_permissions"
    - rsyslog_nolisten
    - rsyslog_listen_tcp
    - rsyslog_accept_remote_messages_udp
    - "!rsyslog_remote_loghost"
    - selinux_confinement_of_daemons
    - selinux_all_devicefiles_labeled
    - service_abrtd_disabled
    - service_acpid_disabled
    - service_atd_disabled
    - service_auditd_enabled
    - service_autofs_disabled
    - service_bluetooth_disabled
    - service_certmonger_disabled
    - service_cgconfig_disabled
    - service_cpuspeed_disabled
    - service_crond_enabled
    - service_cups_disabled
    - service_haldaemon_disabled
    - service_iptables_enabled
    - "!service_irqbalance_enabled"
    - "!service_kdump_disabled"
    - service_mdmonitor_disabled
    - service_messagebus_disabled
    - service_netconsole_disabled
    - service_ntpd_enabled
    - service_ntpdate_disabled
    - service_oddjobd_disabled
    - service_portreserve_disabled
    - service_psacct_enabled
    - service_qpidd_disabled
    - service_quota_nld_disabled
    - service_rdisc_disabled
    - service_rhnsd_disabled
    - service_rhsmcertd_disabled
    - service_rsyslog_enabled
    - service_saslauthd_disabled
    - service_smartd_disabled
    - service_sysstat_disabled
    - gconf_gnome_screensaver_mode_blank
    - umask_for_daemons
    - "!gconf_gdm_set_login_banner_text"
    - set_iptables_default_rule
    - set_iptables_default_rule_forward
    - set_password_hashing_algorithm_systemauth
    - set_password_hashing_algorithm_logindefs
    - set_password_hashing_algorithm_libuserconf
    - "!gconf_gnome_screensaver_idle_delay"
    - selinux_policytype
    - selinux_state
    - sysctl_net_ipv4_conf_all_rp_filter
    - sysctl_net_ipv4_conf_default_accept_redirects
    - sysctl_net_ipv4_conf_default_accept_source_route
    - sysctl_net_ipv4_conf_default_rp_filter
    - sysctl_net_ipv4_conf_default_secure_redirects
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
    - sysctl_net_ipv4_tcp_syncookies
    - disable_users_coredumps
    - sysctl_net_ipv4_conf_all_log_martians
    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
    - "!banner_etc_issue"
    - sshd_allow_only_protocol2
    - sshd_disable_root_login
    - sshd_use_approved_ciphers
    - "!dir_perms_world_writable_sticky_bits"
    - tftpd_uses_secure_mode
    - package_bind_removed
    - package_dhcp_removed
    - "!package_httpd_removed"
    - package_rsh-server_removed
    - "!package_telnet-server_removed"
    - package_tftp-server_removed
    - package_vsftpd_removed
    - package_ypserv_removed
    - file_owner_etc_group
    - file_owner_etc_gshadow
    - file_owner_etc_passwd
    - "!rsyslog_files_ownership"
    - userowner_shadow_file
    - wireless_disable_in_bios
    - "!dir_perms_world_writable_system_owned"
    - disable_interactive_boot
    - install_hids
    - install_antivirus
    - sysctl_kernel_exec_shield
    - sysctl_kernel_randomize_va_space
    - bios_enable_execution_restrictions
    - sysctl_fs_suid_dumpable
    - xwindows_runlevel_setting
    - "!file_permissions_unauthorized_world_writable"

# scap-security-guide-0.1.39/rhel6/profiles/desktop.profile
documentation_complete: true
title: 'Desktop Baseline'
description: "This profile is for a desktop installation of \nRed Hat Enterprise Linux 6."
extends: standard
selections:
    - gconf_gdm_enable_warning_gui_banner
    - gconf_gdm_set_login_banner_text
    - gconf_gnome_screensaver_idle_delay
    - gconf_gnome_screensaver_idle_activation_enabled
    - gconf_gnome_screensaver_lock_enabled
    - gconf_gnome_screensaver_mode_blank
    - package_openswan_installed
    - service_vsftpd_disabled
    - package_vsftpd_removed
    - service_named_disabled
    - package_bind_removed
    - service_httpd_disabled
    - package_httpd_removed
    - service_smb_disabled
    - service_squid_disabled
    - package_squid_removed
    - service_snmpd_disabled
    - package_net-snmp_removed
    - service_dovecot_disabled
    - package_dovecot_removed
    - service_nfs_disabled
    - service_rpcsvcgssd_disabled
    - service_nfslock_disabled
    - service_rpcgssd_disabled
    - service_rpcidmapd_disabled
    - service_netfs_disabled
    - service_dhcpd_disabled
    - package_dhcp_removed
    - inactivity_timeout_value=15_minutes

# scap-security-guide-0.1.39/rhel6/profiles/fisma-medium-rhel6-server.profile
documentation_complete: true
title: 'FISMA Medium for Red Hat Enterprise Linux 6'
description: 'FISMA Medium for Red Hat Enterprise Linux 6.'
selections:
    - var_account_disable_post_pw_expiration=90
    - account_disable_post_pw_expiration
    - account_temp_expire_date
    - audit_rules_usergroup_modification
    - audit_rules_sysadmin_actions
    - enable_selinux_bootloader
    - selinux_state
    - selinux_policytype
    - service_restorecond_enabled
    - sshd_use_approved_ciphers
    - sysctl_net_ipv4_conf_default_send_redirects
    - sysctl_net_ipv4_conf_all_secure_redirects
    - sysctl_net_ipv4_conf_default_accept_source_route
    - sysctl_net_ipv4_conf_default_accept_redirects
    - sysctl_net_ipv4_conf_default_secure_redirects
    - sysctl_net_ipv4_tcp_syncookies
    - sysctl_net_ipv4_conf_all_rp_filter
    - sysctl_net_ipv4_conf_default_rp_filter
    - service_ip6tables_enabled
    - service_iptables_enabled
    - var_umask_for_daemons=022
    - sshd_disable_root_login
    - umask_for_daemons
    - userowner_shadow_file
    - groupowner_shadow_file
    - file_permissions_etc_shadow
    - file_owner_etc_group
    - file_groupowner_etc_group
    - file_permissions_etc_group
    - file_owner_etc_gshadow
    - file_groupowner_etc_gshadow
    - file_permissions_etc_gshadow
    - file_owner_etc_passwd
    - file_groupowner_etc_passwd
    - file_permissions_etc_passwd
    - file_permissions_library_dirs
    - file_ownership_library_dirs
    - file_permissions_binary_dirs
    - file_ownership_binary_dirs
    - dir_perms_world_writable_sticky_bits
    - file_permissions_unauthorized_world_writable
    - no_files_unowned_by_user
    - file_permissions_ungroupowned
    - dir_perms_world_writable_system_owned
    - selinux_confinement_of_daemons
    - selinux_all_devicefiles_labeled
    - rsyslog_files_ownership
    - rsyslog_files_groupownership
    - file_permissions_var_log_audit
    - file_ownership_var_log_audit
    - audit_rules_immutable
    - accounts_no_uid_except_zero
    - rpm_verify_permissions
    - securetty_root_login_console_only
    - restrict_serial_port_logins
    - var_accounts_passwords_pam_faillock_deny=3
    - var_accounts_passwords_pam_faillock_fail_interval=900
    - accounts_passwords_pam_faillock_deny
    - accounts_passwords_pam_faillock_interval
    - var_accounts_passwords_pam_faillock_unlock_time=604800
    - accounts_passwords_pam_faillock_unlock_time
    - login_banner_text=usgcb_default
    - banner_etc_issue
    - var_accounts_max_concurrent_login_sessions=1
    - accounts_max_concurrent_login_sessions
    - package_screen_installed
    - service_auditd_enabled
    - bootloader_audit_argument
    - audit_rules_time_adjtimex
    - audit_rules_time_settimeofday
    - audit_rules_time_stime
    - audit_rules_time_clock_settime
    - audit_rules_time_watch_localtime
    - audit_rules_networkconfig_modification
    - audit_rules_mac_modification
    - audit_rules_dac_modification_chmod
    - audit_rules_dac_modification_chown
    - audit_rules_dac_modification_fchmod
    - audit_rules_dac_modification_fchmodat
    - audit_rules_dac_modification_fchown
    - audit_rules_dac_modification_fchownat
    - audit_rules_dac_modification_fremovexattr
    - audit_rules_dac_modification_fsetxattr
    - audit_rules_dac_modification_lchown
    - audit_rules_dac_modification_lremovexattr
    - audit_rules_dac_modification_lsetxattr
    - audit_rules_dac_modification_removexattr
    - audit_rules_dac_modification_setxattr
    - audit_rules_login_events
    - audit_rules_session_events
    - audit_rules_unsuccessful_file_modification
    - audit_rules_privileged_commands
    - audit_rules_media_export
    - audit_rules_file_deletion_events
    - audit_rules_kernel_module_loading
    - sysctl_net_ipv4_conf_all_log_martians_value=disabled
    - sysctl_net_ipv4_conf_all_log_martians
    - sshd_allow_only_protocol2
    - service_xinetd_disabled
    - package_xinetd_removed
    - service_telnetd_disabled
    - package_telnet-server_removed
    - package_rsh_removed
    - service_rexec_disabled
    - service_rsh_disabled
    - service_rlogin_disabled
    - no_rsh_trust_files
    - package_ypserv_removed
    - service_ypbind_disabled
    - service_tftp_disabled
    - package_tftp-server_removed
    - tftpd_uses_secure_mode
    - service_abrtd_disabled
    - service_kdump_disabled
    - service_netconsole_disabled
    - service_ntpdate_disabled
    - service_portreserve_disabled
    - service_qpidd_disabled
    - service_rdisc_disabled
    - service_rhnsd_disabled
    - service_saslauthd_disabled
    - wireless_disable_in_bios
    - wireless_disable_interfaces
    - service_bluetooth_disabled
    - kernel_module_bluetooth_disabled
    - mount_option_nodev_removable_partitions
    - mount_option_noexec_removable_partitions
    - mount_option_nosuid_removable_partitions
    - kernel_module_usb-storage_disabled
    - bootloader_nousb_argument
    - bios_disable_usb_boot
    - service_autofs_disabled
    - auditd_data_retention_num_logs
    - auditd_data_retention_max_log_file
    - auditd_data_retention_max_log_file_action
    - auditd_data_retention_space_left_action
    - var_auditd_admin_space_left_action=halt
    - auditd_data_retention_admin_space_left_action
    - auditd_data_retention_action_mail_acct
    - auditd_audispd_syslog_plugin_activated
    - partition_for_var_log_audit
    - service_ntpd_enabled
    - ntpd_specify_remote_server
    - ntpd_specify_multiple_servers
    - package_rsyslog_installed
    - rsyslog_nolisten
    - ensure_logrotate_activated
    - partition_for_var_log
    - package_aide_installed
    - aide_build_database
    - aide_periodic_cron_checking
    - service_acpid_disabled
    - service_certmonger_disabled
    - service_cgconfig_disabled
    - service_cgred_disabled
    - service_cpuspeed_disabled
    - service_haldaemon_disabled
    - service_irqbalance_enabled
    - service_mdmonitor_disabled
    - service_messagebus_disabled
    - service_oddjobd_disabled
    - service_quota_nld_disabled
    - service_rhsmcertd_disabled
    - service_smartd_disabled
    - service_sysstat_disabled
    - service_crond_enabled
    - service_atd_disabled
    - service_avahi-daemon_disabled
    - mount_option_nodev_nonroot_local_partitions
    - mount_option_tmp_nodev
    - mount_option_tmp_noexec
    - mount_option_tmp_nosuid
    - mount_option_dev_shm_nodev
    - mount_option_dev_shm_noexec
    - mount_option_dev_shm_nosuid
    - mount_option_var_tmp_bind
    - kernel_module_cramfs_disabled
    - kernel_module_freevxfs_disabled
    - kernel_module_jffs2_disabled
    - kernel_module_hfs_disabled
    - kernel_module_hfsplus_disabled
    - kernel_module_squashfs_disabled
    - kernel_module_udf_disabled
    - sysctl_net_ipv4_conf_all_send_redirects
    - sysctl_net_ipv4_ip_forward
    - sysctl_net_ipv4_conf_all_accept_source_route
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
    - set_ip6tables_default_rule
    - set_iptables_default_rule
    - set_iptables_default_rule_forward
    - kernel_module_dccp_disabled
    - kernel_module_sctp_disabled
    - kernel_module_rds_disabled
    - kernel_module_tipc_disabled
    - network_disable_zeroconf
    - network_sniffer_disabled
    - kernel_module_ipv6_option_disabled
    - network_ipv6_disable_rpc
    - sysctl_net_ipv6_conf_default_accept_ra
    - sysctl_net_ipv6_conf_default_accept_redirects
    - bootloader_password
    - accounts_password_pam_retry
    - accounts_password_pam_maxrepeat
    - accounts_password_pam_ucredit
    - accounts_password_pam_ocredit
    - accounts_password_pam_lcredit
    - var_password_pam_unix_remember=24
    - accounts_password_pam_unix_remember
    - set_password_hashing_algorithm_systemauth
    - set_password_hashing_algorithm_logindefs
    - set_password_hashing_algorithm_libuserconf
    - no_empty_passwords
    - accounts_password_all_shadowed
    - no_netrc_files
    - var_accounts_password_minlen_login_defs=12
    - accounts_password_minlen_login_defs
    - accounts_minimum_age_login_defs
    - accounts_maximum_age_login_defs
    - accounts_password_warn_age_login_defs
    - require_singleuser_auth
    - var_password_pam_difok=1
    - accounts_password_pam_difok

# scap-security-guide-0.1.39/rhel6/profiles/ftp-server.profile
documentation_complete: true
title: 'FTP Server Profile (vsftpd)'
description: 'This is a profile for the vsftpd FTP server.'
extends: server
selections:
    - package_vsftpd_installed
    - ftp_log_transactions
    - ftp_present_banner
    - ftp_restrict_to_anon
    - ftp_disable_uploads
    - ftp_home_partition

# scap-security-guide-0.1.39/rhel6/profiles/nist-CL-IL-AL.profile
documentation_complete: true
title: "CNSSI 1253 Low/Low/Low Control Baseline for Red Hat \nEnterprise Linux 6"
description: "This profile follows the Committee on National \nSecurity Systems Instruction (CNSSI) No. 1253, \"Security Categorization and \nControl Selection for National Security Systems\" on security controls to meet\nlow confidentiality, low integrity, and low assurance.\""
extends: standard
selections:
    - var_account_disable_post_pw_expiration=40
    - var_selinux_state=enforcing
    - var_selinux_policy_name=targeted
    - sysctl_net_ipv4_conf_all_secure_redirects_value=enabled
    - var_umask_for_daemons=022
    - var_accounts_passwords_pam_faillock_deny=3
    - var_accounts_passwords_pam_faillock_fail_interval=900
    - var_accounts_passwords_pam_faillock_unlock_time=900
    - inactivity_timeout_value=15_minutes
    - login_banner_text=usgcb_default
    - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
    - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
    - sysctl_net_ipv4_conf_all_log_martians_value=enabled
    - sysctl_net_ipv4_conf_default_secure_redirects_value=enabled
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
    - account_temp_expire_date
    - account_disable_post_pw_expiration
    - audit_rules_usergroup_modification
    - audit_rules_sysadmin_actions
    - sshd_use_approved_ciphers
    - enable_selinux_bootloader
    - selinux_state
    - selinux_policytype
    - service_restorecond_enabled
    - service_rdisc_disabled
    - sysctl_net_ipv4_conf_default_send_redirects
    - sysctl_net_ipv4_conf_all_secure_redirects
    - sysctl_net_ipv4_conf_default_accept_source_route
    - sysctl_net_ipv4_conf_default_accept_redirects
    - sysctl_net_ipv4_conf_default_secure_redirects
    - sysctl_net_ipv4_conf_all_rp_filter
    - sysctl_net_ipv4_conf_default_rp_filter
    - service_ip6tables_enabled
    - service_iptables_enabled
    - audit_rules_immutable
    - service_oddjobd_disabled
    - rpm_verify_permissions
    - file_permissions_var_log_audit
    - file_ownership_var_log_audit
    - userowner_shadow_file
    - groupowner_shadow_file
    - file_permissions_etc_shadow
    - file_owner_etc_group
    - file_groupowner_etc_group
    - file_permissions_etc_group
    - file_owner_etc_gshadow
    - file_groupowner_etc_gshadow
    - file_permissions_etc_gshadow
    - file_owner_etc_passwd
    - file_groupowner_etc_passwd
    - file_permissions_etc_passwd
    - selinux_confinement_of_daemons
    - file_ownership_library_dirs
    - file_permissions_binary_dirs
    - file_ownership_binary_dirs
    - dir_perms_world_writable_sticky_bits
    - file_permissions_unauthorized_world_writable
    - no_files_unowned_by_user
    - file_permissions_ungroupowned
    - dir_perms_world_writable_system_owned
    - umask_for_daemons
    - accounts_no_uid_except_zero
    - rsyslog_files_ownership
    - rsyslog_files_groupownership
    - securetty_root_login_console_only
    - restrict_serial_port_logins
    - sshd_disable_root_login
    - accounts_passwords_pam_faillock_deny
    - accounts_passwords_pam_faillock_interval
    - accounts_passwords_pam_faillock_unlock_time
    - banner_etc_issue
    - gconf_gdm_enable_warning_gui_banner
    - gconf_gdm_set_login_banner_text
    - gconf_gnome_screensaver_idle_delay
    - gconf_gnome_screensaver_idle_activation_enabled
    - gconf_gnome_screensaver_lock_enabled
    - gconf_gnome_screensaver_mode_blank
    - service_auditd_enabled
    - bootloader_audit_argument
    - audit_rules_time_adjtimex
    - audit_rules_time_settimeofday
    - audit_rules_time_stime
    - audit_rules_time_clock_settime
    - audit_rules_time_watch_localtime
    - audit_rules_networkconfig_modification
    - audit_rules_mac_modification
    - audit_rules_dac_modification_chmod
    - audit_rules_dac_modification_chown
    - audit_rules_dac_modification_fchmod
    - audit_rules_dac_modification_fchmodat
    - audit_rules_dac_modification_fchown
    - audit_rules_dac_modification_fchownat
    - audit_rules_dac_modification_fremovexattr
    - audit_rules_dac_modification_fsetxattr
    - audit_rules_dac_modification_lchown
    - audit_rules_dac_modification_lremovexattr
    - audit_rules_dac_modification_lsetxattr
    - audit_rules_dac_modification_removexattr
    - audit_rules_dac_modification_setxattr
    - audit_rules_login_events
    - audit_rules_session_events
    - audit_rules_unsuccessful_file_modification
    - audit_rules_privileged_commands
    - audit_rules_media_export
    - audit_rules_file_deletion_events
    - audit_rules_kernel_module_loading
    - sysctl_net_ipv4_conf_all_log_martians
    - service_xinetd_disabled
    - package_xinetd_removed
    - service_telnetd_disabled
    - package_telnet-server_removed
    - package_rsh_removed
    - service_rexec_disabled
    - service_rsh_disabled
    - service_rlogin_disabled
    - no_rsh_trust_files
    - package_ypserv_removed
    - service_ypbind_disabled
    - service_tftp_disabled
    - package_tftp_removed
    - tftpd_uses_secure_mode
    - service_abrtd_disabled
    - service_kdump_disabled
    - service_netconsole_disabled
    - service_ntpdate_disabled
    - service_portreserve_disabled
    - service_qpidd_disabled
    - service_rhnsd_disabled
    - service_saslauthd_disabled
    - sshd_allow_only_protocol2
    - wireless_disable_in_bios
    - wireless_disable_interfaces
    - service_bluetooth_disabled
    - kernel_module_bluetooth_disabled
    - mount_option_nodev_removable_partitions
    - mount_option_noexec_removable_partitions
    - mount_option_nosuid_removable_partitions
    - kernel_module_usb-storage_disabled
    - bootloader_nousb_argument
    - bios_disable_usb_boot
    - service_autofs_disabled
    - gconf_gnome_disable_automount
    - auditd_data_retention_num_logs
    - auditd_data_retention_max_log_file
    - auditd_data_retention_max_log_file_action
    - auditd_data_retention_space_left_action
    - auditd_data_retention_admin_space_left_action
    - auditd_data_retention_action_mail_acct
    - auditd_audispd_syslog_plugin_activated
    - rsyslog_remote_loghost
    - service_ntpd_enabled
    - ntpd_specify_remote_server
    - ntpd_specify_multiple_servers
    - service_psacct_enabled
    - package_aide_installed
    - disable_prelink
    - aide_build_database
    - aide_periodic_cron_checking
    - rpm_verify_hashes
    - kernel_module_ipv6_option_disabled
    - network_ipv6_disable_rpc
    - sysctl_net_ipv6_conf_default_accept_ra
    - sysctl_net_ipv6_conf_default_accept_redirects
    - network_disable_zeroconf
    - network_sniffer_disabled
    - kernel_module_dccp_disabled
    - kernel_module_sctp_disabled
    - kernel_module_rds_disabled
    - kernel_module_tipc_disabled
    - set_iptables_default_rule
    - set_iptables_default_rule_forward
    - sysctl_net_ipv4_conf_all_send_redirects
    - sysctl_net_ipv4_ip_forward
    - sysctl_net_ipv4_conf_all_accept_source_route
    - sysctl_net_ipv4_conf_all_accept_redirects
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
    - kernel_module_cramfs_disabled
    - kernel_module_freevxfs_disabled
    - kernel_module_jffs2_disabled
    - kernel_module_hfs_disabled
    - kernel_module_hfsplus_disabled
    - kernel_module_squashfs_disabled
    - kernel_module_udf_disabled
    - gconf_gnome_disable_thumbnailers
    - mount_option_nodev_nonroot_local_partitions
    - mount_option_tmp_nodev
    - mount_option_tmp_noexec
    - mount_option_tmp_nosuid
    - mount_option_dev_shm_nodev
    - mount_option_dev_shm_noexec
    - mount_option_dev_shm_nosuid
    - mount_option_var_tmp_bind
    - service_cups_disabled
    - cups_disable_browsing
    - cups_disable_printserver
    - service_dhcpd_disabled
    - package_dhcp_removed
    - sysconfig_networking_bootproto_ifcfg
    - service_avahi-daemon_disabled
    - service_crond_enabled
    - service_named_disabled
    - package_bind_removed
    - package_openldap-servers_removed
    - package_sendmail_removed
    - service_acpid_disabled
    - service_atd_disabled
    - service_certmonger_disabled
    - service_cgconfig_disabled
    - service_cgred_disabled
    - service_cpuspeed_disabled
    - service_haldaemon_disabled
    - service_irqbalance_enabled
    - service_mdmonitor_disabled
    - service_messagebus_disabled
    - service_quota_nld_disabled
    - service_rhsmcertd_disabled
    - service_smartd_disabled
    - service_sysstat_disabled
    - service_httpd_disabled
    - package_httpd_removed
    - disabling_vsftpd
    - package_vsftpd_removed

# scap-security-guide-0.1.39/rhel6/profiles/pci-dss.profile
documentation_complete: true
title: 'PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 6'
description: 'This is a *draft* profile for PCI-DSS v3.'
selections:
    - var_password_pam_unix_remember=4
    - var_account_disable_post_pw_expiration=90
    - var_accounts_passwords_pam_faillock_deny=6
    - var_accounts_passwords_pam_faillock_unlock_time=1800
    - sshd_idle_timeout_value=15_minutes
    - var_password_pam_minlen=7
    - var_password_pam_minclass=2
    - var_accounts_maximum_age_login_defs=90
    - service_auditd_enabled
    - bootloader_audit_argument
    - auditd_data_retention_num_logs
    - auditd_data_retention_max_log_file
    - auditd_data_retention_max_log_file_action
    - auditd_data_retention_space_left_action
    - auditd_data_retention_admin_space_left_action
    - auditd_data_retention_action_mail_acct
    - auditd_audispd_syslog_plugin_activated
    - audit_rules_time_adjtimex
    - audit_rules_time_settimeofday
    - audit_rules_time_stime
    - audit_rules_time_clock_settime
    - audit_rules_time_watch_localtime
    - audit_rules_usergroup_modification
    - audit_rules_networkconfig_modification
    - file_permissions_var_log_audit
    - file_ownership_var_log_audit
    - audit_rules_mac_modification
    - audit_rules_dac_modification_chmod
    - audit_rules_dac_modification_chown
    - audit_rules_dac_modification_fchmod
    - audit_rules_dac_modification_fchmodat
    - audit_rules_dac_modification_fchown
    - audit_rules_dac_modification_fchownat
    - audit_rules_dac_modification_fremovexattr
    - audit_rules_dac_modification_fsetxattr
    - audit_rules_dac_modification_lchown
    - audit_rules_dac_modification_lremovexattr
    - audit_rules_dac_modification_lsetxattr
    - audit_rules_dac_modification_removexattr
    - audit_rules_dac_modification_setxattr
    - audit_rules_login_events
    - audit_rules_session_events
    - audit_rules_unsuccessful_file_modification
    - audit_rules_privileged_commands
    - audit_rules_media_export
    - audit_rules_file_deletion_events
    - audit_rules_sysadmin_actions
    - audit_rules_kernel_module_loading
    - audit_rules_immutable
    - service_ntpd_enabled
    - ntpd_specify_remote_server
    - ntpd_specify_multiple_servers
    - rpm_verify_permissions
    - rpm_verify_hashes
    - install_hids
    - rsyslog_files_permissions
    - rsyslog_files_ownership
    - rsyslog_files_groupownership
    - ensure_logrotate_activated
    - package_aide_installed
    - disable_prelink
    - aide_build_database
    - aide_periodic_cron_checking
    - account_unique_name
    - gid_passwd_group_same
    - accounts_password_all_shadowed
    - no_empty_passwords
    - display_login_attempts
    - account_disable_post_pw_expiration
    - accounts_passwords_pam_faillock_deny
    - accounts_passwords_pam_faillock_unlock_time
    - gconf_gnome_screensaver_idle_delay
    - gconf_gnome_screensaver_idle_activation_enabled
    - gconf_gnome_screensaver_lock_enabled
    - gconf_gnome_screensaver_mode_blank
    - sshd_set_idle_timeout
    - accounts_password_pam_minlen
    - accounts_password_pam_dcredit
    - accounts_password_pam_ucredit
    - accounts_password_pam_lcredit
    - accounts_password_pam_unix_remember
    - accounts_maximum_age_login_defs
    - ensure_redhat_gpgkey_installed
    - ensure_gpgcheck_globally_activated
    - ensure_gpgcheck_never_disabled
    - security_patches_up_to_date
    - smartcard_auth
    - set_password_hashing_algorithm_systemauth
    - set_password_hashing_algorithm_logindefs
    - set_password_hashing_algorithm_libuserconf
    - userowner_shadow_file
    - groupowner_shadow_file
    - file_permissions_etc_shadow
    - file_owner_etc_group
    - file_groupowner_etc_group
    - file_permissions_etc_group
    - file_owner_etc_passwd
    - file_groupowner_etc_passwd
    - file_permissions_etc_passwd
    - file_user_owner_grub_conf
    - file_group_owner_grub_conf
    - package_openswan_installed

# scap-security-guide-0.1.39/rhel6/profiles/rht-ccp.profile
documentation_complete: true
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
description: 'This is a *draft* SCAP profile for Red Hat Certified Cloud Providers'
selections:
    - var_selinux_state=enforcing
    - var_selinux_policy_name=targeted
    - file_owner_logfiles_value=root
    - file_groupowner_logfiles_value=root
    - sshd_idle_timeout_value=5_minutes
    - var_accounts_password_minlen_login_defs=6
    - var_accounts_minimum_age_login_defs=7
    - var_accounts_passwords_pam_faillock_deny=5
    - var_accounts_password_warn_age_login_defs=7
    - var_password_pam_retry=3
    - var_password_pam_dcredit=1
    - var_password_pam_ucredit=2
    - var_password_pam_ocredit=2
    - var_password_pam_lcredit=2
    - var_password_pam_difok=3
    - var_password_pam_unix_remember=5
    - var_accounts_user_umask=077
    - login_banner_text=usgcb_default
    - partition_for_tmp
    - partition_for_var
    - partition_for_var_log
    - partition_for_var_log_audit
    - enable_selinux_bootloader
    - selinux_state
    - selinux_policytype
    - selinux_all_devicefiles_labeled
    - ensure_redhat_gpgkey_installed
    - security_patches_up_to_date
    - ensure_gpgcheck_globally_activated
    - ensure_gpgcheck_never_disabled
    - package_aide_installed
    - accounts_password_pam_unix_remember
    - no_shelllogin_for_systemaccounts
    - no_empty_passwords
    - accounts_password_all_shadowed
    - accounts_no_uid_except_zero
    - accounts_password_minlen_login_defs
    - accounts_minimum_age_login_defs
    - accounts_maximum_age_login_defs
    - accounts_password_warn_age_login_defs
    - accounts_password_pam_retry
    - accounts_password_pam_dcredit
    - accounts_password_pam_ucredit
    - accounts_password_pam_ocredit
    - accounts_password_pam_lcredit
    - accounts_password_pam_difok
    - accounts_passwords_pam_faillock_deny
    - set_password_hashing_algorithm_systemauth
    - set_password_hashing_algorithm_logindefs
    - set_password_hashing_algorithm_libuserconf
    - require_singleuser_auth
    - userowner_shadow_file
    - groupowner_shadow_file
    - file_permissions_etc_shadow
    - file_owner_etc_gshadow
    - file_groupowner_etc_gshadow
    - file_permissions_etc_gshadow
    - file_owner_etc_passwd
    - file_groupowner_etc_passwd
    - file_permissions_etc_passwd
    - file_owner_etc_group
    - file_groupowner_etc_group
    - file_permissions_etc_group
    - file_permissions_library_dirs
    - file_ownership_library_dirs
    - file_permissions_binary_dirs
    - file_ownership_binary_dirs
    - file_permissions_var_log_audit
    - file_user_owner_grub_conf
    - file_group_owner_grub_conf
    - file_permissions_grub_conf
    - bootloader_password
    - sysctl_kernel_randomize_va_space
    - sysctl_kernel_exec_shield
    - kernel_module_ipv6_option_disabled
    - service_ip6tables_enabled
    - service_iptables_enabled
    - set_iptables_default_rule
    - kernel_module_dccp_disabled
    - kernel_module_sctp_disabled
    - kernel_module_rds_disabled
    - kernel_module_tipc_disabled
    - service_xinetd_disabled
    - package_xinetd_removed
    - package_telnet-server_removed
    - service_telnetd_disabled
    - package_rsh-server_removed
    - service_rsh_disabled
    - service_rexec_disabled
    - service_rlogin_disabled
    - package_ypserv_removed
    - service_ypbind_disabled
    - package_tftp-server_removed
    - service_tftp_disabled
    - service_avahi-daemon_disabled
    - service_abrtd_disabled
    - service_atd_disabled
    - service_autofs_disabled
    - service_ntpdate_disabled
    - service_oddjobd_disabled
    - service_qpidd_disabled
    - service_rdisc_disabled
    - sshd_allow_only_protocol2
    - sshd_set_idle_timeout
    - sshd_set_keepalive
    - sshd_disable_rhosts
    - disable_host_auth
    - sshd_disable_root_login
    - sshd_disable_empty_passwords
    - sshd_enable_warning_banner
    - sshd_do_not_permit_user_env
    - sshd_use_approved_ciphers

# scap-security-guide-0.1.39/rhel6/profiles/server.profile
documentation_complete: true
title: 'Server Baseline'
description: |-
    This profile is for Red Hat Enterprise Linux 6 acting as a server.
extends: standard selections: - wireless_disable_interfaces - xwindows_runlevel_setting - package_xorg-x11-server-common_removed - sysconfig_networking_bootproto_ifcfg scap-security-guide-0.1.39/rhel6/profiles/standard.profile000066400000000000000000000205171327242345500235330ustar00rootroot00000000000000documentation_complete: true title: 'Standard System Security Profile for Red Hat Enterprise Linux 6' description: |- This profile contains rules to ensure standard security baseline of a Red Hat Enterprise Linux 6 system. Regardless of your system's workload all of these checks should pass. selections: - partition_for_tmp - partition_for_var - partition_for_var_log - partition_for_var_log_audit - partition_for_home - ensure_redhat_gpgkey_installed - service_rhnsd_disabled - security_patches_up_to_date - ensure_gpgcheck_globally_activated - rpm_verify_permissions - rpm_verify_hashes - ensure_gpgcheck_never_disabled - package_aide_installed - enable_selinux_bootloader - no_rsh_trust_files - selinux_state - selinux_policytype - selinux_all_devicefiles_labeled - securetty_root_login_console_only - restrict_serial_port_logins - no_shelllogin_for_systemaccounts - no_empty_passwords - file_permissions_unauthorized_sgid - file_permissions_unauthorized_suid - file_permissions_unauthorized_world_writable - accounts_root_path_dirs_no_write - dir_perms_world_writable_sticky_bits - accounts_password_all_shadowed - accounts_no_uid_except_zero - userowner_shadow_file - groupowner_shadow_file - file_permissions_etc_shadow - file_owner_etc_gshadow - file_groupowner_etc_gshadow - file_permissions_etc_gshadow - file_owner_etc_passwd - file_groupowner_etc_passwd - file_permissions_etc_passwd - file_owner_etc_group - file_groupowner_etc_group - file_permissions_etc_group - file_permissions_library_dirs - file_ownership_library_dirs - file_permissions_binary_dirs - file_ownership_binary_dirs - file_permissions_var_log_audit - accounts_password_minlen_login_defs - 
accounts_minimum_age_login_defs - accounts_maximum_age_login_defs - accounts_password_warn_age_login_defs - accounts_password_pam_retry - accounts_password_pam_dcredit - accounts_password_pam_ucredit - accounts_password_pam_ocredit - accounts_password_pam_lcredit - accounts_password_pam_difok - accounts_passwords_pam_faillock_deny - set_password_hashing_algorithm_systemauth - set_password_hashing_algorithm_logindefs - set_password_hashing_algorithm_libuserconf - file_user_owner_grub_conf - file_group_owner_grub_conf - file_permissions_grub_conf - bootloader_password - require_singleuser_auth - disable_interactive_boot - package_screen_installed - banner_etc_issue - sysctl_kernel_randomize_va_space - sysctl_kernel_exec_shield - sysctl_net_ipv4_conf_default_send_redirects - sysctl_net_ipv4_conf_all_send_redirects - sysctl_net_ipv4_ip_forward - sysctl_net_ipv4_conf_all_accept_source_route - sysctl_net_ipv4_conf_all_accept_redirects - sysctl_net_ipv4_conf_all_secure_redirects - sysctl_net_ipv4_conf_all_log_martians - sysctl_net_ipv4_conf_default_accept_source_route - sysctl_net_ipv4_conf_default_secure_redirects - sysctl_net_ipv4_conf_default_accept_redirects - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - sysctl_net_ipv4_tcp_syncookies - sysctl_net_ipv4_conf_all_rp_filter - sysctl_net_ipv4_conf_default_rp_filter - sysctl_net_ipv6_conf_default_accept_redirects - service_ip6tables_enabled - service_iptables_enabled - set_iptables_default_rule - set_ip6tables_default_rule - kernel_module_dccp_disabled - kernel_module_sctp_disabled - kernel_module_rds_disabled - kernel_module_tipc_disabled - package_rsyslog_installed - service_rsyslog_enabled - rsyslog_files_ownership - rsyslog_files_groupownership - rsyslog_files_permissions - rsyslog_remote_loghost - ensure_logrotate_activated - service_auditd_enabled - bootloader_audit_argument - auditd_data_retention_num_logs - auditd_data_retention_max_log_file - 
auditd_data_retention_max_log_file_action - auditd_data_retention_admin_space_left_action - audit_rules_time_adjtimex - audit_rules_time_settimeofday - audit_rules_time_stime - audit_rules_time_clock_settime - audit_rules_time_watch_localtime - audit_rules_usergroup_modification - audit_rules_networkconfig_modification - audit_rules_mac_modification - audit_rules_dac_modification_chmod - audit_rules_dac_modification_chown - audit_rules_dac_modification_fchmod - audit_rules_dac_modification_fchmodat - audit_rules_dac_modification_fchown - audit_rules_dac_modification_fchownat - audit_rules_dac_modification_fremovexattr - audit_rules_dac_modification_fsetxattr - audit_rules_dac_modification_lchown - audit_rules_dac_modification_lremovexattr - audit_rules_dac_modification_lsetxattr - audit_rules_dac_modification_removexattr - audit_rules_dac_modification_setxattr - audit_rules_unsuccessful_file_modification - audit_rules_privileged_commands - audit_rules_media_export - audit_rules_file_deletion_events - audit_rules_sysadmin_actions - audit_rules_kernel_module_loading - service_xinetd_disabled - package_xinetd_removed - package_telnet-server_removed - service_telnetd_disabled - package_rsh-server_removed - service_rsh_disabled - service_rexec_disabled - service_rlogin_disabled - package_ypserv_removed - service_ypbind_disabled - package_tftp-server_removed - service_tftp_disabled - service_crond_enabled - sshd_allow_only_protocol2 - sshd_set_idle_timeout - sshd_set_keepalive - sshd_disable_rhosts - disable_host_auth - sshd_disable_root_login - sshd_disable_empty_passwords - sshd_enable_warning_banner - sshd_do_not_permit_user_env - sshd_use_approved_ciphers - service_avahi-daemon_disabled - service_ntpd_enabled - ntpd_specify_remote_server - postfix_network_listening_disabled - ldap_client_start_tls - ldap_client_tls_cacertpath - package_openldap-servers_removed - gconf_gnome_screensaver_idle_delay - inactivity_timeout_value=15_minutes - var_accounts_tmout=10_min - 
accounts_tmout - gconf_gnome_screensaver_idle_activation_enabled - gconf_gnome_screensaver_lock_enabled - gconf_gnome_screensaver_mode_blank - service_abrtd_disabled - service_atd_disabled - service_autofs_disabled - service_ntpdate_disabled - service_oddjobd_disabled - service_qpidd_disabled - service_rdisc_disabled - mount_option_nodev_remote_filesystems - mount_option_nosuid_remote_filesystems - mount_option_noexec_removable_partitions - require_smb_client_signing - mount_option_smb_client_signing - accounts_password_pam_unix_remember - var_umask_for_daemons=027 - var_accounts_password_minlen_login_defs=15 - var_accounts_maximum_age_login_defs=90 - var_accounts_minimum_age_login_defs=7 - var_accounts_password_warn_age_login_defs=7 - var_password_pam_retry=3 - var_password_pam_minlen=14 - var_password_pam_dcredit=1 - var_password_pam_ucredit=2 - var_password_pam_ocredit=2 - var_password_pam_lcredit=2 - var_password_pam_difok=3 - var_password_pam_unix_remember=5 - var_accounts_user_umask=077 - login_banner_text=usgcb_default - var_selinux_state=enforcing - var_selinux_policy_name=targeted - var_auditd_num_logs=5 - var_auditd_max_log_file=6 - var_auditd_max_log_file_action=rotate - var_auditd_admin_space_left_action=single - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled - sysctl_net_ipv4_conf_all_log_martians_value=enabled - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - sysctl_net_ipv4_tcp_syncookies_value=enabled - sysctl_net_ipv4_conf_all_rp_filter_value=enabled - sysctl_net_ipv4_conf_default_rp_filter_value=enabled - file_owner_logfiles_value=root - file_groupowner_logfiles_value=root - sshd_idle_timeout_value=5_minutes 
scap-security-guide-0.1.39/rhel6/profiles/stig-rhel6-disa.profile

documentation_complete: true

title: 'DISA STIG for Red Hat Enterprise Linux 6'

description: |-
    This profile contains configuration checks that align to the
    DISA STIG for Red Hat Enterprise Linux 6.

    In addition to being applicable to RHEL6, DISA recognizes this
    configuration baseline as applicable to the operating system tier of
    Red Hat technologies that are based off RHEL6, such as RHEL Server, RHV-H,
    RHEL for HPC, RHEL Workstation, and Red Hat Storage deployments.

extends: standard

selections:
    - encrypt_partitions
    - kernel_disable_entropy_contribution_for_solid_state_drives
    - rpm_verify_permissions
    - rpm_verify_hashes
    - mount_option_nodev_removable_partitions
    - mount_option_noexec_removable_partitions
    - mount_option_nosuid_removable_partitions
    - mount_option_dev_shm_nodev
    - mount_option_dev_shm_nosuid
    - mount_option_dev_shm_noexec
    - mount_option_tmp_noexec
    - file_permissions_unauthorized_world_writable
    - install_antivirus
    - install_hids
    - disable_ctrlaltdel_reboot
    - service_postfix_enabled
    - package_sendmail_removed
    - service_netconsole_disabled
    - service_atd_disabled
    - xwindows_runlevel_setting
    - package_xorg-x11-server-common_removed
    - sysconfig_networking_bootproto_ifcfg
    - accounts_password_pam_unix_remember
    - gid_passwd_group_same
    - account_unique_name
    - account_temp_expire_date
    - accounts_password_pam_maxrepeat
    - no_files_unowned_by_user
    - file_permissions_ungroupowned
    - aide_periodic_cron_checking
    - disable_users_coredumps
    - no_insecure_locks_exports
    - auditd_data_retention_space_left_action
    - auditd_data_retention_action_mail_acct
    - gconf_gnome_screen_locking_keybindings
    - no_all_squash_exports
    - sshd_print_last_log
    - auditd_data_retention_space_left
    - auditd_data_disk_full_action
    - auditd_data_disk_error_action
    - directory_permissions_var_log_audit
    - rpm_verify_ownership
    - kernel_module_bluetooth_disabled
    - kernel_module_usb-storage_disabled
    - accounts_max_concurrent_login_sessions
    - var_accounts_max_concurrent_login_sessions=10
    - set_iptables_default_rule_forward
    - package_openswan_installed
    - gconf_gdm_enable_warning_gui_banner
    - gconf_gdm_set_login_banner_text
    - login_banner_text=dod_banners
    - gconf_gdm_disable_user_list
    - service_bluetooth_disabled
    - account_disable_post_pw_expiration
    - dir_perms_world_writable_sticky_bits
    - dir_perms_world_writable_system_owned
    - tftpd_uses_secure_mode
    - ftp_log_transactions
    - snmpd_use_newer_protocol
    - snmpd_not_default_password
    - accounts_umask_etc_bashrc
    - accounts_umask_etc_csh_cshrc
    - accounts_umask_etc_profile
    - accounts_umask_etc_login_defs
    - var_accounts_user_umask=077
    - umask_for_daemons
    - var_umask_for_daemons=027
    - no_netrc_files
    - ftp_present_banner
    - smartcard_auth
    - display_login_attempts
    - accounts_passwords_pam_faillock_unlock_time
    - var_accounts_passwords_pam_faillock_unlock_time=604800
    - accounts_passwords_pam_faillock_interval
    - var_accounts_passwords_pam_faillock_fail_interval=900
    - var_password_pam_unix_remember=5
    - var_accounts_maximum_age_login_defs=60
    - var_accounts_minimum_age_login_defs=1
    - var_accounts_passwords_pam_faillock_deny=3
    - var_password_pam_ucredit=1
    - var_password_pam_ocredit=1
    - var_password_pam_lcredit=1
    - sshd_idle_timeout_value=15_minutes
    - gconf_gnome_disable_ctrlaltdel_reboot
    - postfix_client_configure_mail_alias
    - account_use_centralized_automated_auth
    - no_password_auth_for_systemaccounts
    - wireless_disable_interfaces
    - configure_user_data_backups

scap-security-guide-0.1.39/rhel6/profiles/usgcb-rhel6-server.profile

documentation_complete: true

title: 'United States Government Configuration Baseline (USGCB)'

description: |-
    This profile is a working draft for a USGCB submission against RHEL6 Server.

selections:
    - kernel_disable_entropy_contribution_for_solid_state_drives
    - partition_for_tmp
    - partition_for_var
    - partition_for_var_log
    - partition_for_var_log_audit
    - partition_for_home
    - ensure_redhat_gpgkey_installed
    - service_rhnsd_disabled
    - security_patches_up_to_date
    - ensure_gpgcheck_globally_activated
    - ensure_gpgcheck_never_disabled
    - package_aide_installed
    - rpm_verify_permissions
    - rpm_verify_hashes
    - mount_option_nodev_nonroot_local_partitions
    - mount_option_nodev_removable_partitions
    - mount_option_noexec_removable_partitions
    - mount_option_nosuid_removable_partitions
    - mount_option_tmp_nodev
    - mount_option_tmp_nosuid
    - mount_option_tmp_noexec
    - mount_option_dev_shm_nodev
    - mount_option_dev_shm_nosuid
    - mount_option_dev_shm_noexec
    - mount_option_var_tmp_bind
    - kernel_module_cramfs_disabled
    - kernel_module_freevxfs_disabled
    - kernel_module_hfs_disabled
    - kernel_module_hfsplus_disabled
    - kernel_module_jffs2_disabled
    - kernel_module_squashfs_disabled
    - kernel_module_udf_disabled
    - file_permissions_etc_gshadow
    - file_owner_etc_gshadow
    - file_groupowner_etc_gshadow
    - file_permissions_etc_shadow
    - userowner_shadow_file
    - groupowner_shadow_file
    - file_permissions_etc_group
    - file_owner_etc_group
    - file_groupowner_etc_group
    - file_permissions_etc_passwd
    - file_owner_etc_passwd
    - file_groupowner_etc_passwd
    - dir_perms_world_writable_sticky_bits
    - file_permissions_unauthorized_world_writable
    - file_permissions_unauthorized_sgid
    - file_permissions_unauthorized_suid
    - no_files_unowned_by_user
    - file_permissions_ungroupowned
    - dir_perms_world_writable_system_owned
    - var_umask_for_daemons=027
    - umask_for_daemons
    - sysctl_fs_suid_dumpable
    - disable_users_coredumps
    - sysctl_kernel_randomize_va_space
    - sysctl_kernel_exec_shield
    - install_PAE_kernel_on_x86-32
    - securetty_root_login_console_only
    - restrict_serial_port_logins
    - no_empty_passwords
    - accounts_password_all_shadowed
    - accounts_no_uid_except_zero
    - var_accounts_password_warn_age_login_defs=14
    - accounts_password_warn_age_login_defs
    - var_accounts_maximum_age_login_defs=60
    - accounts_maximum_age_login_defs
    - var_accounts_password_minlen_login_defs=12
    - accounts_password_minlen_login_defs
    - var_password_pam_retry=3
    - accounts_password_pam_retry
    - var_password_pam_dcredit=1
    - accounts_password_pam_dcredit
    - var_password_pam_ucredit=1
    - accounts_password_pam_ucredit
    - var_password_pam_lcredit=1
    - accounts_password_pam_lcredit
    - var_password_pam_ocredit=1
    - accounts_password_pam_ocredit
    - var_password_pam_difok=3
    - accounts_password_pam_difok
    - var_accounts_passwords_pam_faillock_deny=5
    - accounts_passwords_pam_faillock_deny
    - set_password_hashing_algorithm_systemauth
    - set_password_hashing_algorithm_logindefs
    - var_password_pam_unix_remember=24
    - accounts_password_pam_unix_remember
    - root_path_no_dot
    - accounts_root_path_dirs_no_write
    - file_permissions_home_dirs
    - var_accounts_user_umask=077
    - accounts_umask_etc_bashrc
    - accounts_umask_etc_csh_cshrc
    - accounts_umask_etc_profile
    - accounts_umask_etc_login_defs
    - file_user_owner_grub_conf
    - file_group_owner_grub_conf
    - file_permissions_grub_conf
    - bootloader_password
    - disable_interactive_boot
    - inactivity_timeout_value=15_minutes
    - gconf_gnome_screensaver_idle_delay
    - gconf_gnome_screensaver_idle_activation_enabled
    - gconf_gnome_screensaver_lock_enabled
    - gconf_gnome_screensaver_mode_blank
    - login_banner_text=usgcb_default
    - banner_etc_issue
    - var_selinux_state=enforcing
    - selinux_state
    - var_selinux_policy_name=targeted
    - selinux_policytype
    - enable_selinux_bootloader
    - selinux_confinement_of_daemons
    - selinux_all_devicefiles_labeled
    - sysctl_net_ipv4_ip_forward
    - sysctl_net_ipv4_conf_all_send_redirects
    - sysctl_net_ipv4_conf_default_send_redirects
    - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
    - sysctl_net_ipv4_conf_all_secure_redirects
    - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
    - sysctl_net_ipv4_conf_all_accept_redirects
    - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
    - sysctl_net_ipv4_conf_default_accept_source_route
    - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
    - sysctl_net_ipv4_conf_default_secure_redirects
    - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
    - sysctl_net_ipv4_conf_default_accept_redirects
    - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
    - sysctl_net_ipv4_conf_all_log_martians_value=enabled
    - sysctl_net_ipv4_conf_all_log_martians
    - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
    - sysctl_net_ipv4_conf_all_rp_filter
    - sysctl_net_ipv4_tcp_syncookies_value=enabled
    - sysctl_net_ipv4_tcp_syncookies
    - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
    - sysctl_net_ipv4_conf_default_rp_filter
    - wireless_disable_in_bios
    - service_bluetooth_disabled
    - network_ipv6_disable_rpc
    - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
    - sysctl_net_ipv6_conf_default_accept_ra
    - sysctl_net_ipv6_conf_default_accept_redirects
    - service_ip6tables_enabled
    - service_iptables_enabled
    - set_iptables_default_rule
    - set_iptables_default_rule_forward
    - kernel_module_dccp_disabled
    - kernel_module_sctp_disabled
    - kernel_module_rds_disabled
    - kernel_module_tipc_disabled
    - package_rsyslog_installed
    - service_rsyslog_enabled
    - rsyslog_files_permissions
    - rsyslog_files_groupownership
    - rsyslog_files_ownership
    - rsyslog_remote_loghost
    - rsyslog_nolisten
    - ensure_logrotate_activated
    - service_auditd_enabled
    - bootloader_audit_argument
    - audit_rules_time_adjtimex
    - audit_rules_time_settimeofday
    - audit_rules_time_stime
    - audit_rules_time_clock_settime
    - audit_rules_time_watch_localtime
    - audit_rules_usergroup_modification
    - audit_rules_networkconfig_modification
    - audit_rules_mac_modification
    - audit_rules_dac_modification_chmod
    - audit_rules_dac_modification_chown
    - audit_rules_dac_modification_fchmod
    - audit_rules_dac_modification_fchmodat
    - audit_rules_dac_modification_fchown
    - audit_rules_dac_modification_fchownat
    - audit_rules_dac_modification_fremovexattr
    - audit_rules_dac_modification_fsetxattr
    - audit_rules_dac_modification_lchown
    - audit_rules_dac_modification_lremovexattr
    - audit_rules_dac_modification_lsetxattr
    - audit_rules_dac_modification_removexattr
    - audit_rules_dac_modification_setxattr
    - audit_rules_unsuccessful_file_modification
    - audit_rules_privileged_commands
    - audit_rules_media_export
    - audit_rules_file_deletion_events
    - audit_rules_sysadmin_actions
    - audit_rules_kernel_module_loading
    - audit_rules_immutable
    - service_xinetd_disabled
    - package_xinetd_removed
    - service_telnetd_disabled
    - package_telnet-server_removed
    - package_rsh-server_removed
    - service_ypbind_disabled
    - package_ypserv_removed
    - service_tftp_disabled
    - package_tftp-server_removed
    - wireless_disable_interfaces
    - kernel_module_bluetooth_disabled
    - service_kdump_disabled
    - network_disable_zeroconf
    - service_crond_enabled
    - sshd_allow_only_protocol2
    - service_atd_disabled
    - sshd_set_keepalive
    - sshd_set_idle_timeout
    - sshd_disable_rhosts
    - disable_host_auth
    - sshd_disable_root_login
    - sshd_disable_empty_passwords
    - sshd_enable_warning_banner
    - sshd_do_not_permit_user_env
    - sshd_use_approved_ciphers
    - gconf_gdm_enable_warning_gui_banner
    - service_avahi-daemon_disabled
    - service_dhcpd_disabled
    - package_dhcp_removed
    - service_ntpd_enabled
    - ntpd_specify_remote_server
    - package_sendmail_removed
    - postfix_network_listening_disabled
    - ldap_client_start_tls
    - ldap_client_tls_cacertpath
    - package_openldap-servers_removed
    - service_nfslock_disabled
    - service_rpcgssd_disabled
    - service_rpcidmapd_disabled
    - service_netfs_disabled
    - service_portreserve_disabled
    - service_rpcsvcgssd_disabled
    - mount_option_nodev_remote_filesystems
    - mount_option_nosuid_remote_filesystems
    - service_named_disabled
    - package_bind_removed
    - service_vsftpd_disabled
    - package_vsftpd_removed
    - service_httpd_disabled
    - package_httpd_removed
    - service_dovecot_disabled
    - package_dovecot_removed
    - service_smb_disabled
    - require_smb_client_signing
    - mount_option_smb_client_signing
    - service_squid_disabled
    - package_squid_removed
    - service_snmpd_disabled
    - package_net-snmp_removed
    - service_autofs_disabled
    - var_account_disable_post_pw_expiration=30
    - account_disable_post_pw_expiration

scap-security-guide-0.1.39/rhel6/templates/csv/file_dir_permissions.csv

/etc,shadow,0,0,0000
#/boot/grub,grub.conf,0,0,600 # different filename
/etc,gshadow,0,0,0000
/etc,passwd,0,0,0644

scap-security-guide-0.1.39/rhel6/templates/csv/file_groupowner.csv

/etc/cron.allow,root,cron_allow
/etc/group,root
/etc/gshadow,root
/etc/passwd,root

scap-security-guide-0.1.39/rhel6/templates/csv/file_owner.csv

/etc/cron.allow,root,cron_allow
/etc/group,root
/etc/gshadow,root
/etc/passwd,root

scap-security-guide-0.1.39/rhel6/templates/csv/file_permissions.csv

/etc/group,0644
/etc/gshadow,0000
/etc/passwd,0644
/etc/httpd/conf.d/*,0640,httpd_server_conf_d_files
/etc/httpd/conf/*,0640,httpd_server_conf_files
/etc/ssh/*.pub,0644,sshd_pub_key
/etc/ssh/*_key,0600,sshd_private_key
/etc/httpd/conf.modules.d/*,0640,https_server_modules_files
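The .profile files above (rht-ccp, server, standard, stig-rhel6-disa, usgcb-rhel6-server) share one shape: a few scalar keys, an optional `extends:` naming a base profile, and a `selections:` list mixing rule ids with `variable=value` overrides. When a child profile such as stig-rhel6-disa extends standard, both set the same variable (for instance sshd_idle_timeout_value, 5_minutes in standard and 15_minutes in the STIG profile), so knowing which value wins matters when reviewing what a profile actually enforces. The script below is an added example, not scap-security-guide code: it resolves the `extends` chain, separates rules from variables, and lists the values a child changes relative to its base. The profile texts are constructed, abridged copies of two profiles shown above, and the small YAML-subset parser is hand-written so nothing beyond the standard library is needed.

```python
"""Resolve a scap-security-guide style .profile: follow the `extends` chain,
split `selections` into rule ids and `variable=value` overrides, and report
which values a child profile changes relative to its base.

Added example, not code from scap-security-guide. The profile texts below are
constructed, abridged copies of the standard and stig-rhel6-disa profiles,
and the YAML-subset parser is hand-written so the script needs no PyYAML.
"""

# Constructed, abridged profile sources keyed by profile name (the part of
# the file name before ".profile", which is what `extends:` refers to).
PROFILES = {
    "standard": """\
documentation_complete: true

title: 'Standard System Security Profile for Red Hat Enterprise Linux 6'

description: |-
    This profile contains rules to ensure standard security baseline
    of a Red Hat Enterprise Linux 6 system.

selections:
    - sshd_set_idle_timeout
    - sshd_disable_root_login
    - accounts_minimum_age_login_defs
    - var_accounts_minimum_age_login_defs=7
    - sshd_idle_timeout_value=5_minutes
""",
    "stig-rhel6-disa": """\
documentation_complete: true

title: 'DISA STIG for Red Hat Enterprise Linux 6'

extends: standard

selections:
    - encrypt_partitions
    - sshd_disable_root_login
    - var_accounts_minimum_age_login_defs=1
    - sshd_idle_timeout_value=15_minutes
""",
}


def parse_profile(text):
    """Parse the YAML subset SSG profiles use: `key: scalar`, a `key: |-`
    block scalar and a `key:` followed by an indented `- item` list.
    Blank lines and comments are skipped; a list ends at the first line
    that is not a `- item`."""
    data = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            raise ValueError("unexpected indented line: %r" % line)
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "|-":
            block = []
            while i < len(lines) and (not lines[i].strip() or lines[i][0] in " \t"):
                block.append(lines[i].strip())
                i += 1
            data[key] = "\n".join(b for b in block if b)
        elif value == "":
            items = []
            while i < len(lines) and lines[i].strip().startswith("- "):
                items.append(lines[i].strip()[2:].strip())
                i += 1
            data[key] = items
        else:
            data[key] = value.strip("'\"")
    return data


def resolve(name, sources, _chain=()):
    """Return (rules, variables) for `name` with its `extends` chain applied.
    The base profile is applied first, then the child's own selections, so a
    child's `var=value` wins over the base's value for the same variable."""
    if name in _chain:
        raise ValueError("extends cycle: " + " -> ".join(_chain + (name,)))
    prof = parse_profile(sources[name])
    rules, variables = [], {}
    if "extends" in prof:
        rules, variables = resolve(prof["extends"], sources, _chain + (name,))
    for sel in prof.get("selections", []):
        if "=" in sel:
            var, _, val = sel.partition("=")
            variables[var] = val
        elif sel not in rules:
            rules.append(sel)
    return rules, variables


def variable_overrides(name, sources):
    """Variables that profile `name` re-sets to a value different from what
    its base chain provides: {variable: (base_value, child_value)}."""
    prof = parse_profile(sources[name])
    if "extends" not in prof:
        return {}
    _, base_vars = resolve(prof["extends"], sources)
    changed = {}
    for sel in prof.get("selections", []):
        if "=" in sel:
            var, _, val = sel.partition("=")
            if var in base_vars and base_vars[var] != val:
                changed[var] = (base_vars[var], val)
    return changed


if __name__ == "__main__":
    rules, variables = resolve("stig-rhel6-disa", PROFILES)
    print("%d rules, %d variables" % (len(rules), len(variables)))
    for var, (old, new) in sorted(variable_overrides("stig-rhel6-disa", PROFILES).items()):
        print("%s: %s -> %s" % (var, old, new))
```

Run against the two constructed profiles, the resolver reports four rules and two variables for the STIG profile, and `variable_overrides` shows the two values it tightens over standard (minimum password age 7 to 1, SSH idle timeout 5_minutes to 15_minutes); the real profiles can be loaded the same way by reading each `.profile` file into the `sources` dictionary.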
scap-security-guide-0.1.39/rhel6/templates/csv/kernel_modules_disabled.csv

bluetooth
cramfs
dccp
freevxfs
hfs
hfsplus
#ipv6_option
#entropy_contribution_for_solid_state_drives
jffs2
rds
sctp
squashfs
tipc
udf
usb-storage

scap-security-guide-0.1.39/rhel6/templates/csv/mount_options.csv

# format:
# ,[,create_fstab_entry_if_needed]
# - mount point mounted with specified option. for more than
# one option, use multiple lines with the same , use the
# variable name (i.e. name beginning with var_, without the leading
# '$' to reference a variable, e.g. var_removable_partition,nodev)
# If the remediation can create (i.e. not just modify) an /etc/fstab line,
# add the 'create_fstab_entry_if_needed' literal string as the third argument.
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
/tmp,nodev
/tmp,noexec
/tmp,nosuid
/var/tmp,bind

scap-security-guide-0.1.39/rhel6/templates/csv/packages_installed.csv

aide
audit
avahi
cronie
esc
GConf2
gdm
iptables
iptables-ipv6
irqbalance
ntp
openswan
openssh-server
pam_pkcs11
pcsc-lite
policycoreutils
postfix
psacct
rsyslog
screen
vsftpd
sssd

scap-security-guide-0.1.39/rhel6/templates/csv/packages_removed.csv

abrt
at
autofs
bind
bluez
cpuspeed
cups
cyrus-sasl
dbus
dhcp
dovecot
hal
httpd
iputils
kexec-tools
libcgroup
mcstrans
mdadm
net-snmp
nfs-utils
ntpdate
oddjob
openldap-servers
openssh-server
pam_ldap
portreserve
qpid-cpp-server
quota
rhnsd
rpcbind
rsh
rsh-server
samba
samba-common
sendmail
setroubleshoot
smartmontools
squid
subscription-manager
sysstat
talk-server
talk
telnet
telnet-server
tftp
tftp-server
vsftpd
xinetd
xorg-x11-server-common
ypbind
ypserv

scap-security-guide-0.1.39/rhel6/templates/csv/services_disabled.csv

# service_name, package_name, daemon_name (as recognized by chkconfig / systemd. To be used when daemon_name differs from service_name)
abrtd,abrt,
acpid,,
autofs,autofs,
certmonger,,
cgred,,
atd,at,
avahi-daemon,,
bluetooth,bluez,
cgconfig,libcgroup,
cpuspeed,cpuspeed,
cups,cups,
dhcpd,dhcp,
dovecot,dovecot,
haldaemon,hal,
httpd,httpd,
kdump,kexec-tools,
mdmonitor,mdadm,
messagebus,dbus,
named,bind,
netconsole,,
netfs,,
nfs,nfs-utils,
nfslock,nfs-utils,
ntpdate,ntpdate,
oddjobd,oddjob,
portreserve,portreserve,
qpidd,qpid-cpp-server,
quota_nld,quota,
rdisc,iputils,
rhnsd,rhnsd,
rhsmcertd,subscription-manager,
rpcbind,rpcbind,
rpcgssd,nfs-utils,
rpcidmapd,nfs-utils,
rpcsvcgssd,nfs-utils,
saslauthd,cyrus-sasl,
smartd,smartmontools,
smb,,
snmpd,net-snmp,
squid,squid,
sshd,openssh-server,
sysstat,sysstat,
tftp,tftp-server,
vsftpd,vsftpd,
xinetd,xinetd,
ypbind,ypbind,

scap-security-guide-0.1.39/rhel6/templates/csv/services_enabled.csv

auditd,audit,
crond,cronie,
ip6tables,iptables-ipv6,
iptables,,
irqbalance,,
ntpd,ntp,
pcscd,pcsc-lite,
postfix,,
psacct,,
restorecond,policycoreutils,
rsyslog,,
sssd,,

scap-security-guide-0.1.39/rhel6/templates/csv/sysctl_values.csv

# Add  to generate hard-coded OVAL and remediation content.
# Add  to generate OVAL and remediation content that use the XCCDF value.
fs.suid_dumpable,0
kernel.dmesg_restrict,1
kernel.exec-shield,1
kernel.randomize_va_space,2
net.ipv4.conf.all.accept_redirects,
net.ipv4.conf.all.accept_source_route,
net.ipv4.conf.all.log_martians,
net.ipv4.conf.all.rp_filter,
net.ipv4.conf.all.secure_redirects,
net.ipv4.conf.all.send_redirects,0
net.ipv4.conf.default.accept_redirects,
net.ipv4.conf.default.accept_source_route,
net.ipv4.conf.default.rp_filter,
net.ipv4.conf.default.secure_redirects,
net.ipv4.conf.default.send_redirects,0
net.ipv4.icmp_echo_ignore_broadcasts,
net.ipv4.icmp_ignore_bogus_error_responses,
net.ipv4.ip_forward,0
net.ipv4.tcp_syncookies,
net.ipv6.conf.default.accept_ra,
net.ipv6.conf.default.accept_redirects,
net.ipv6.conf.all.accept_ra,#only-for:oval
net.ipv6.conf.all.accept_redirects,#only-for:oval
net.ipv6.conf.default.accept_source_route,#only-for:oval
net.ipv6.conf.all.accept_source_route,#only-for:oval
net.ipv6.conf.all.forwarding,#only-for:oval

scap-security-guide-0.1.39/rhel6/templates/template_BASH_service_disabled

# platform = Red Hat Enterprise Linux 6
# reboot = false
# strategy = disable
# complexity = low
# disruption = low

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

service_command disable %SERVICENAME%

scap-security-guide-0.1.39/rhel6/templates/template_OVAL_kernel_module_disabled

Disable %KERNMODULE% Kernel Module
Red Hat Enterprise Linux 6
The kernel module %KERNMODULE% should be disabled.
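The header of sysctl_values.csv describes three kinds of row: a sysctl with a hard-coded value (which yields a static check and remediation), a sysctl with an empty value (the value comes from an XCCDF variable, as in the sysctl_*_value=... selections in the profiles), and a row tagged #only-for:oval. The static configuration check that results, template_OVAL_sysctl_static further down in this tree, searches /etc/sysctl.d/* and /etc/sysctl.conf with the pattern `(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n`. The script below is an added example, not scap-security-guide code: it classifies CSV rows the way the build would, then applies that template pattern to constructed configuration files to show what the generated check passes and fails. The CSV excerpt and the configuration files are constructed; the pattern is taken from the template and run with Python's `re`, whose dialect may differ from the OVAL engine's at the edges, and treating the template's two file objects as alternatives (pass if either yields the value) is an assumption of this example.

```python
"""How a row of sysctl_values.csv selects one of the sysctl OVAL templates,
and what the generated static configuration check evaluates.

Added example, not code from scap-security-guide. The CSV text and the
sysctl configuration files are constructed; the search pattern is the one
used by template_OVAL_sysctl_static, applied here with Python's `re`.
"""
import re

# Constructed excerpt in the sysctl_values.csv format: a hard-coded value
# means a static check, an empty value means the XCCDF variable supplies
# the value, and "#only-for:oval" means a check without remediation.
SYSCTL_CSV = """\
fs.suid_dumpable,0
kernel.dmesg_restrict,1
kernel.randomize_va_space,2
net.ipv4.conf.all.accept_redirects,
net.ipv4.ip_forward,0
net.ipv6.conf.all.accept_ra,#only-for:oval
"""

# Constructed configuration files, keyed by the paths the template reads.
CONF_FILES = {
    "/etc/sysctl.d/99-hardening.conf": "kernel.randomize_va_space = 2\n",
    "/etc/sysctl.conf": (
        "# net.ipv4.ip_forward = 1\n"   # commented out: must be ignored
        "net.ipv4.ip_forward = 0\n"
        "fs.suid_dumpable = 1\n"        # weaker than the CSV demands
    ),
}

# Pattern from template_OVAL_sysctl_static. %SYSCTLVAR% is substituted raw,
# so the dots in a sysctl name act as regex wildcards, as in the template.
STATIC_PATTERN = r"(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n"


def classify_rows(csv_text):
    """Yield (sysctl, value, kind) per row; kind is 'static', 'var' or
    'oval-only', the template family the build would pick for the row."""
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(",")
        value = value.strip()
        if value == "#only-for:oval":
            yield name, "", "oval-only"
        elif value == "":
            yield name, "", "var"
        else:
            yield name, value, "static"


def configured_value(sysctl_name, conf_text):
    """Value the template pattern extracts for sysctl_name from one file's
    text (first match, like OVAL instance 1), or None if there is none."""
    pattern = STATIC_PATTERN.replace("%SYSCTLVAR%", sysctl_name)
    match = re.search(pattern, conf_text)
    return match.group(1) if match else None


def evaluate_static_checks(csv_text, conf_files):
    """Verdict of the static check for every hard-coded CSV row. A row
    passes when any file (sysctl.d/* first, then sysctl.conf, the order
    the template lists them) yields the expected value; combining the
    template's two file objects this way is an assumption of this example."""
    ordered = sorted(conf_files, key=lambda p: (not p.startswith("/etc/sysctl.d/"), p))
    results = {}
    for name, expected, kind in classify_rows(csv_text):
        if kind != "static":
            continue
        found = [configured_value(name, conf_files[path]) for path in ordered]
        results[name] = "pass" if expected in found else "fail"
    return results


if __name__ == "__main__":
    for name, value, kind in classify_rows(SYSCTL_CSV):
        print("%-40s %-10s %s" % (name, kind, value))
    for name, verdict in sorted(evaluate_static_checks(SYSCTL_CSV, CONF_FILES).items()):
        print("%s: %s" % (name, verdict))
```

On the constructed files, fs.suid_dumpable fails (set to 1 where the CSV demands 0), kernel.dmesg_restrict fails because nothing sets it, and the other two hard-coded rows pass; the commented-out ip_forward line is skipped only because `[^#]*` cannot cross a `#`. Two properties of the pattern are worth knowing when reading results: the unescaped dots mean a name can match a look-alike key, and the pattern reports what a file says rather than what the kernel currently applies, so a runtime check (the template_OVAL_sysctl_runtime family) is still needed alongside it.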
/etc/modprobe.d
^.*\.conf$
^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$
1
/etc/modprobe.conf
^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$
1

scap-security-guide-0.1.39/rhel6/templates/template_OVAL_service_disabled

Service %SERVICENAME% Disabled
Red Hat Enterprise Linux 6
The %SERVICENAME% service should be disabled if possible.
%SERVICENAME% 0
%SERVICENAME% 1
%SERVICENAME% 2
%SERVICENAME% 3
%SERVICENAME% 4
%SERVICENAME% 5
%SERVICENAME% 6
false
true

scap-security-guide-0.1.39/rhel6/templates/template_OVAL_service_enabled

Service %SERVICENAME% Enabled
Red Hat Enterprise Linux 6
The %SERVICENAME% service should be enabled if possible.
%SERVICENAME% 0
%SERVICENAME% 1
%SERVICENAME% 2
%SERVICENAME% 3
%SERVICENAME% 4
%SERVICENAME% 5
%SERVICENAME% 6
true
false

scap-security-guide-0.1.39/rhel6/templates/template_OVAL_sysctl

Kernel "%SYSCTLVAR%" Parameter Configuration and Runtime Check
Red Hat Enterprise Linux 6
The "%SYSCTLVAR%" kernel parameter should be set to the appropriate value in both system configuration and system runtime.

scap-security-guide-0.1.39/rhel6/templates/template_OVAL_sysctl_ipv6

Kernel "%SYSCTLVAR%" Parameter Configuration and Runtime Check
Red Hat Enterprise Linux 6
The "%SYSCTLVAR%" kernel parameter should be set to the appropriate value in both system configuration and system runtime.

scap-security-guide-0.1.39/rhel6/templates/template_OVAL_sysctl_runtime

Kernel "%SYSCTLVAR%" Parameter Runtime Check
Red Hat Enterprise Linux 6
The kernel "%SYSCTLVAR%" parameter should be set to "%SYSCTLVAL%" in system runtime.
%SYSCTLVAR%
%SYSCTLVAL%

scap-security-guide-0.1.39/rhel6/templates/template_OVAL_sysctl_runtime_var

Kernel "%SYSCTLVAR%" Parameter Runtime Check
Red Hat Enterprise Linux 6
The kernel "%SYSCTLVAR%" parameter should be set to the appropriate value in system runtime.
%SYSCTLVAR%

scap-security-guide-0.1.39/rhel6/templates/template_OVAL_sysctl_static

Kernel "%SYSCTLVAR%" Parameter Configuration Check
Red Hat Enterprise Linux 6
The kernel "%SYSCTLVAR%" parameter should be set to "%SYSCTLVAL%" in the system configuration.
/etc/sysctl.d
^.*$
(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n
1
%SYSCTLVAL%
/etc/sysctl.conf
(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n
1

scap-security-guide-0.1.39/rhel6/templates/template_OVAL_sysctl_static_var

Kernel "%SYSCTLVAR%" Parameter Configuration Check
Red Hat Enterprise Linux 6
The kernel "%SYSCTLVAR%" parameter should be set to the appropriate value in the system configuration.
/etc/sysctl.d
^.*$
(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n
1
/etc/sysctl.conf
(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n
1

scap-security-guide-0.1.39/rhel6/transforms/cci2html.xsl

scap-security-guide-0.1.39/rhel6/transforms/constants.xslt

Red Hat Enterprise Linux 6
RHEL 6
RHEL_6_STIG
RHEL-6
cpe:/o:redhat:enterprise_linux:6,cpe:/o:redhat:enterprise_linux:6::client,cpe:/o:redhat:enterprise_linux:6::computenode
rhel6
https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.1.0.pdf

scap-security-guide-0.1.39/rhel6/transforms/shorthand2xccdf.xslt

unknown
unlinked-rhel6-oval.xml

scap-security-guide-0.1.39/rhel6/transforms/table-add-srgitems.xslt
scap-security-guide-0.1.39/rhel6/transforms/table-sortbyref.xslt
scap-security-guide-0.1.39/rhel6/transforms/table-srgmap.xslt
scap-security-guide-0.1.39/rhel6/transforms/table-style.xslt
scap-security-guide-0.1.39/rhel6/transforms/xccdf-apply-overlay-stig.xslt

scap-security-guide-0.1.39/rhel6/transforms/xccdf2csv-stig.py

#!/usr/bin/env python2

import sys

# always use shared/modules version
SHARED_MODULE_PATH = "../../shared/modules"
sys.path.insert(0, SHARED_MODULE_PATH)

import xccdf2csv_stig_module

if __name__ == "__main__":
    xccdf2csv_stig_module.main()

scap-security-guide-0.1.39/rhel6/transforms/xccdf2stigformat.xslt
scap-security-guide-0.1.39/rhel6/transforms/xccdf2table-byref.xslt
scap-security-guide-0.1.39/rhel6/transforms/xccdf2table-cce.xslt
scap-security-guide-0.1.39/rhel6/transforms/xccdf2table-profileccirefs.xslt
scap-security-guide-0.1.39/rhel6/transforms/xccdf2table-profilecisrefs.xslt
scap-security-guide-0.1.39/rhel6/transforms/xccdf2table-profilenistrefs.xslt
scap-security-guide-0.1.39/rhel6/transforms/xccdf2table-stig.xslt

scap-security-guide-0.1.39/rhel7/CMakeLists.txt

# Sometimes our users will try to do: "cd rhel7; cmake ." That needs to error in a nice way.
if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see BUILD.md for more details!") endif() set(PRODUCT "rhel7") set(DISA_SRG_TYPE "os") ssg_build_product(${PRODUCT}) ssg_build_html_table_by_ref(${PRODUCT} "nist") ssg_build_html_table_by_ref(${PRODUCT} "cis") ssg_build_html_table_by_ref(${PRODUCT} "cui") ssg_build_html_table_by_ref(${PRODUCT} "pcidss") ssg_build_html_table_by_ref(${PRODUCT} "anssi") ssg_build_html_nistrefs_table(${PRODUCT} "common") ssg_build_html_nistrefs_table(${PRODUCT} "ospp-${PRODUCT}") ssg_build_html_nistrefs_table(${PRODUCT} "C2S") ssg_build_html_nistrefs_table(${PRODUCT} "stig-${PRODUCT}-disa") ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal") ssg_build_html_anssirefs_table(${PRODUCT} "nt28_intermediary") ssg_build_html_anssirefs_table(${PRODUCT} "nt28_enhanced") ssg_build_html_anssirefs_table(${PRODUCT} "nt28_high") ssg_build_html_cce_table(${PRODUCT}) ssg_build_html_srgmap_tables(${PRODUCT} ${DISA_SRG_TYPE}) ssg_build_html_stig_tables(${PRODUCT} "stig-${PRODUCT}-disa") if (SSG_CENTOS_DERIVATIVES_ENABLED) ssg_build_derivative_product(${PRODUCT} "centos" "centos7") endif() if (SSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED) ssg_build_derivative_product(${PRODUCT} "sl" "sl7") endif() scap-security-guide-0.1.39/rhel7/README000066400000000000000000000031201327242345500173760ustar00rootroot00000000000000Directory Structure of scap-security-guide ------------------------------------------ The input directory contains source files that generate SCAP content, such as XCCDF and OVAL. Since a single large XML file is an impractical format for multiple authors to collaborate on editing SCAP content, efforts are made to keep logically related guidance and checking content in individual files. 
The transforms directory contains resources that enable the files inside the input directory (or output directory) to be combined and reformatted into valid SCAP formats or human-readable formats. The output directory is used as a storage area for items generated by the files in the inputs directory. It should be empty in the repository, and built on users' individual systems (and rely on its .gitignore file to keep such files out). The output directory contains transitional output (which may only exist in order to be further transformed) as well as final output. The references directory should contain documents which are specified as references from within the SCAP content, or documents that are "seeds," viz. documents whose prose will be translated into SCAP formats, as well as other examples of SCAP content. The utils directory contains helper scripts and other items that are useful to developers but are not essential to producing the project's output. The dist directory contains final outputs, which could be shipped in an RPM for consumption by end-users. Updating the Makefile to copy an item from the outputs directory to the dist directory indicates that an item is considered a final output. 
scap-security-guide-0.1.39/rhel7/checks/
scap-security-guide-0.1.39/rhel7/checks/oval/

scap-security-guide-0.1.39/rhel7/checks/oval/accounts_logon_fail_delay.xml:
Ensure that FAIL_DELAY is Configured in /etc/login.defs
Red Hat Enterprise Linux 7
The delay between failed authentication attempts should be set for all users specified in /etc/login.defs
/etc/login.defs ^[\s]*(?i)FAIL_DELAY(?-i)[\s]+([^#\s]*) 1

scap-security-guide-0.1.39/rhel7/checks/oval/accounts_passwords_pam_faillock_deny_root.xml:
Lock out the root account after failed login attempts
Red Hat Enterprise Linux 7
The root account should be configured to deny access after the number of defined failed attempts has been reached.
/etc/pam.d/system-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] 1
/etc/pam.d/system-auth [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] 1
/etc/pam.d/password-auth [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] 1
/etc/pam.d/password-auth [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] 1

scap-security-guide-0.1.39/rhel7/checks/oval/chronyd_or_ntpd_specify_multiple_servers.xml:
Specify Multiple Remote chronyd Or ntpd NTP Servers for Time Data
Red Hat Enterprise Linux 7
Multiple remote chronyd or ntpd NTP Servers for time synchronization should be specified (and dependencies are met)

scap-security-guide-0.1.39/rhel7/checks/oval/chronyd_or_ntpd_specify_remote_server.xml:
Specify Remote NTP chronyd Or ntpd Server for Time Data
Red Hat Enterprise Linux 7
A remote chronyd or ntpd NTP Server for time synchronization should be specified (and dependencies are met)

scap-security-guide-0.1.39/rhel7/checks/oval/clean_components_post_updating.xml:
Ensure YUM Removes Previous Package Versions
Red Hat Enterprise Linux 7
The clean_requirements_on_remove option should be used to ensure that old versions of software components are removed after updating.
/etc/yum.conf ^\s*clean_requirements_on_remove\s*=\s*(1|True|yes)\s*$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/docker_selinux_enabled.xml:
Ensure SELinux support is enabled in Docker
Red Hat Enterprise Linux 7
The Docker daemon should be configured to start with the --selinux-enabled option to enable SELinux for the daemon.
/etc/sysconfig/docker ^(?!#)\s*OPTIONS\s*=.*[\s'](--selinux-enabled)[\s'].*$ 1
/etc/docker/daemon.json ^(?!#)\s*"selinux-enabled":[\s]+true(|,)[\s]*$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/docker_storage_configured.xml:
Use direct-lvm with device mapper storage driver
Red Hat Enterprise Linux 7
To use Docker in production with the device mapper storage driver, the Docker daemon should be configured to use direct-lvm instead of a loopback device as storage.
^(?!#).*(?:--storage-opt[\s=]dm\.thinpooldev=([^\s]*)).*$ 1
^(?!#)\s*STORAGE_DRIVER\s*=\s*"?([a-z]*)"?\s*$ 1
devicemapper
/etc/sysconfig/docker-storage
/usr/lib/docker-storage-setup/docker-storage-setup

scap-security-guide-0.1.39/rhel7/checks/oval/ensure_gpgcheck_local_packages.xml:
Ensure gpgcheck Enabled for Local Packages
Red Hat Enterprise Linux 7
The localpkg_gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation.
/etc/yum.conf ^\s*localpkg_gpgcheck\s*=\s*(1|True|yes)\s*$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/ensure_gpgcheck_repo_metadata.xml:
Ensure gpgcheck Enabled for Repository Metadata
Red Hat Enterprise Linux 7
The repo_gpgcheck option should be used to ensure that checking of repository metadata always occurs.
/etc/yum.conf ^\s*repo_gpgcheck\s*=\s*(1|True|yes)\s*$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/file_groupowner_cron_allow.xml:
Verify group who owns 'cron.allow' file
Red Hat Enterprise Linux 7
The /etc/cron.allow file should be owned by the appropriate group.
0
/etc/cron.allow

scap-security-guide-0.1.39/rhel7/checks/oval/file_owner_cron_allow.xml:
Verify user who owns 'cron.allow' file
Red Hat Enterprise Linux 7
The /etc/cron.allow file should be owned by the appropriate user.
0
/etc/cron.allow

scap-security-guide-0.1.39/rhel7/checks/oval/file_permissions_sshd_private_key.xml:
SSH Server Private Key Permissions
Red Hat Enterprise Linux 7
File permissions for the SSH Server's private keys should be set to 0640 (or stronger). By default, these files are located at /etc/ssh.
/etc/ssh/ ^.*key$ false false false false false false

scap-security-guide-0.1.39/rhel7/checks/oval/file_permissions_sshd_pub_key.xml:
SSHD Service Public Key Permissions
Red Hat Enterprise Linux 7
File permissions for the SSH Server's public keys should be set to 0644 (or stronger). By default, these files are located at /etc/ssh.
/etc/ssh/ ^.*key.pub$ false false false false false

scap-security-guide-0.1.39/rhel7/checks/oval/file_permissions_unauthorized_sgid.xml:
Find setgid files from system packages
Red Hat Enterprise Linux 7
All files with setgid should be owned by a base system package
/ ^.*$ state_file_permissions_unauthorized_sgid state_sgid_whitelist true
/usr/bin/cgclassify
/usr/bin/cgexec
/usr/sbin/netreport
/usr/bin/crontab
/usr/bin/gnomine
/usr/bin/iagno
/usr/bin/locate
/usr/bin/lockfile
/usr/bin/same-gnome
/usr/bin/screen
/usr/bin/ssh-agent
/usr/bin/wall
/usr/bin/write
/usr/lib/vte/gnome-pty-helper
/usr/lib/vte-2.90/gnome-pty-helper
/usr/lib/vte-2.91/gnome-pty-helper
/usr/lib64/vte/gnome-pty-helper
/usr/lib64/vte-2.90/gnome-pty-helper
/usr/lib64/vte-2.91/gnome-pty-helper
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
/usr/libexec/kde4/kdesud
/usr/libexec/openssh/ssh-keysign
/usr/libexec/utempter/utempter
/usr/lib/mailman/cgi-bin/admindb
/usr/lib/mailman/cgi-bin/admin
/usr/lib/mailman/cgi-bin/confirm
/usr/lib/mailman/cgi-bin/create
/usr/lib/mailman/cgi-bin/edithtml
/usr/lib/mailman/cgi-bin/listinfo
/usr/lib/mailman/cgi-bin/options
/usr/lib/mailman/cgi-bin/private
/usr/lib/mailman/cgi-bin/rmlist
/usr/lib/mailman/cgi-bin/roster
/usr/lib/mailman/cgi-bin/subscribe
/usr/lib/mailman/mail/mailman
/usr/sbin/lockdev
/usr/sbin/postdrop
/usr/sbin/postqueue
/usr/sbin/sendmail.sendmail

scap-security-guide-0.1.39/rhel7/checks/oval/file_permissions_unauthorized_suid.xml:
Find setuid files from system packages
Red Hat Enterprise Linux 7
All files with setuid should be owned by a base system package
/ ^.*$ state_file_permissions_unauthorized_suid state_suid_whitelist true
/usr/bin/abrt-action-install-debuginfo-to-abrt-cache
/usr/bin/at
/usr/bin/chage
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/ksu
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/staprun
/usr/bin/sudoedit
/usr/bin/sudo
/usr/bin/su
/usr/bin/umount
/usr/bin/Xorg
/usr/lib64/amanda/application/amgtar
/usr/lib64/amanda/application/amstar
/usr/lib64/amanda/calcsize
/usr/lib64/amanda/dumper
/usr/lib64/amanda/killpgrp
/usr/lib64/amanda/planner
/usr/lib64/amanda/rundump
/usr/lib64/amanda/runtar
/usr/lib64/dbus-1/dbus-daemon-launch-helper
/usr/lib/amanda/application/amgtar
/usr/lib/amanda/application/amstar
/usr/lib/amanda/calcsize
/usr/lib/amanda/dumper
/usr/lib/amanda/killpgrp
/usr/lib/amanda/planner
/usr/lib/amanda/rundump
/usr/lib/amanda/runtar
/usr/lib/dbus-1/dbus-daemon-launch-helper
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
/usr/libexec/kde4/kpac_dhcp_helper
/usr/libexec/qemu-bridge-helper
/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper
/usr/libexec/sssd/krb5_child
/usr/libexec/sssd/ldap_child
/usr/libexec/sssd/proxy_child
/usr/libexec/sssd/selinux_child
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/sbin/amcheck
/usr/sbin/amservice
/usr/sbin/mount.nfs
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/userhelper
/usr/sbin/usernetctl

scap-security-guide-0.1.39/rhel7/checks/oval/grub2_enable_fips_mode.xml:
Enable FIPS Mode in GRUB2
Red Hat Enterprise Linux 7
Look for argument fips=1 in the kernel line in /etc/default/grub.
/etc/default/grub ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1
/etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1
^.*fips=1.*$
/etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT=.*$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/install_PAE_kernel_on_x86-32.xml:
Package kernel-PAE Installed
Red Hat Enterprise Linux 7
The RPM package kernel-PAE should be installed on 32-bit systems.
kernel-PAE
/proc/cpuinfo ^flags[\s]+:.*[\s]+pae[\s]+.*[\s]+nx[\s]+.*$ 1
/etc/sysconfig/kernel ^\s*DEFAULTKERNEL[\s]*=[\s]*kernel-PAE$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/mount_option_krb_sec_remote_filesystems.xml:
Mount Remote Filesystems with Kerberos Security
Red Hat Enterprise Linux 7
The Kerberos security option should be enabled for all NFS mounts in /etc/fstab.
/etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+(.*)$ 0
^.*sec=krb5:krb5i:krb5p.*$
/etc/fstab ^\s*\[?[\.\w-:]+\]?:[/\w-]+\s+[/\w-]+\s+nfs[4]?\s+.*$ 0

scap-security-guide-0.1.39/rhel7/checks/oval/network_disable_ddns_interfaces.xml:
Disable Client Dynamic DNS Updates
Red Hat Enterprise Linux 7
Clients should not automatically update their own DNS record.
/etc/sysconfig/network-scripts ifcfg-.* ^[\s]*DHCP_HOSTNAME[\s]*=.*$ 1
/etc/dhclient.*\.conf ^[\s]*send[\s]+host-name.*$ 1
/etc/dhcp ^.*$ ^[\s]*send[\s]+host-name.*$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/rsyslog_cron_logging.xml:
Verify Cron is Logging to Rsyslog
Red Hat Enterprise Linux 7
Rsyslog should be configured to capture cron messages.
/etc/rsyslog.conf ^[\s]*cron\.\*[\s]*/var/log/cron$ 1
/etc/rsyslog.d ^.*$ ^[\s]*cron\.\*[\s]*/var/log/cron$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/service_chronyd_or_ntpd_enabled.xml:
Service chronyd Or Service ntpd Enabled
Red Hat Enterprise Linux 7
At least one of the chronyd or ntpd services should be enabled if possible.

scap-security-guide-0.1.39/rhel7/checks/oval/service_sshd_disabled.xml:
Service sshd Disabled
Red Hat Enterprise Linux 7
The sshd service should be disabled if possible.
/etc/systemd/system/multi-user.target.wants/sshd.service state_symlink symbolic link

scap-security-guide-0.1.39/rhel7/checks/oval/smartcard_auth.xml:
Enable Smart Card Login
Red Hat Enterprise Linux 7
Enable Smart Card logins
/etc/pam_pkcs11/pam_pkcs11.conf ^[\s]*cert_policy[ ]=(.*)$ 1
^.*ocsp_on.*$
\nauth[\s]+required[\s]+pam_env.so \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s] login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid \nauth[\s]+\[success=done[\s]authinfo_unavail=ignore[\s]ignore=ignore[\s]default=die\][\s] pam_pkcs11.so[\s]nodebug\n
/etc/pam.d/system-auth 1
\nauth[\s]+required[\s]+pam_env.so \nauth[\s]+\[success=1[\s]default=ignore\][\s]pam_succeed_if.so[\s]service[\s]notin[\s] login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver[\s]quiet[\s]use_uid \nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s] pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n
/etc/pam.d/system-auth 1
\nauth[\s]+required[\s]+pam_env.so \nauth[\s]+\[success=done[\s]ignore=ignore[\s]default=die\][\s] pam_pkcs11.so[\s]nodebug[\s]wait_for_card\n.* \npassword[\s]+required[\s]+pam_pkcs11.so\n
/etc/pam.d/smartcard-auth 1

scap-security-guide-0.1.39/rhel7/checks/oval/sshd_disable_compression.xml:
Disable Compression Or Set Compression to delayed
Red Hat Enterprise Linux 7
SSH should either have compression disabled or set to delayed.
/etc/ssh/sshd_config ^[\s]*(?i)Compression(?-i)[\s]+(no|delayed)[\s]*(?:|(?:#.*))?$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/sshd_disable_gssapi_auth.xml:
Disable GSSAPI Authentication
Red Hat Enterprise Linux 7
Unless needed, disable the GSSAPI authentication option for the SSH Server.
/etc/ssh/sshd_config ^[\s]*(?i)GSSAPIAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/sshd_disable_kerb_auth.xml:
Disable Kerberos Authentication
Red Hat Enterprise Linux 7
Unless needed, disable the Kerberos authentication option for the SSH Server.
/etc/ssh/sshd_config ^[\s]*(?i)KerberosAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/sshd_enable_strictmodes.xml:
Enable SSH Server's Strict Mode
Red Hat Enterprise Linux 7
Enable StrictModes to check users' home directory permissions and configurations.
/etc/ssh/sshd_config ^[\s]*(?i)StrictModes(?-i)[\s]+no[\s]*(?:|(?:#.*))?$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/sshd_use_approved_macs.xml:
Use Only FIPS MACs
Red Hat Enterprise Linux 7
Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.
var_sshd_config_macs
/etc/ssh/sshd_config ^[\s]*(?i)MACs(?-i)[\s]+([\w,-@]+)+[\s]*(?:|(?:#.*))?$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/sshd_use_priv_separation.xml:
Use Privilege Separation
Red Hat Enterprise Linux 7
Use privilege separation to cause the SSH process to drop root privileges when not needed.
/etc/ssh/sshd_config ^[\s]*(?i)UsePrivilegeSeparation(?-i)[\s]+sandbox[\s]*(?:|(?:#.*))?$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/sssd_conf_exists.xml:
Verify The SSSD Configuration File Exists
Red Hat Enterprise Linux 7
The /etc/sssd/sssd.conf file should exist if it is in use.
/etc/sssd/sssd.conf

scap-security-guide-0.1.39/rhel7/checks/oval/sssd_memcache_timeout.xml:
Configure SSSD's Memory Cache to Expire
Red Hat Enterprise Linux 7
SSSD's memory cache should be configured to expire records after 1 day.
/etc/sssd/sssd.conf ^\[nss]([^\n]*\n+)+?memcache_timeout[\s]+=[\s]+86400$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/sssd_offline_cred_expiration.xml:
Configure SSSD to Expire Offline Credentials
Red Hat Enterprise Linux 7
SSSD should be configured to expire offline credentials after 1 day.
/etc/sssd/sssd.conf ^\[pam]([^\n]*\n+)+?offline_credentials_expiration[\s]+=[\s]+1$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/sssd_ssh_known_hosts_timeout.xml:
Configure SSSD to Expire SSH Known Hosts
Red Hat Enterprise Linux 7
SSSD should be configured to expire keys from known SSH hosts after 1 day.
/etc/sssd/sssd.conf ^\[ssh]([^\n]*\n+)+?ssh_known_hosts_timeout[\s]+=[\s]+86400$ 1

scap-security-guide-0.1.39/rhel7/checks/oval/use_kerberos_security_all_exports.xml:
Use Kerberos Security on All Exports
Red Hat Enterprise Linux 7
Using Kerberos security allows a valid user to be cryptographically authenticated to an NFS share.
/etc/exports ^\/.*\((\S+)\)$ 0
^.*,sec=krb5\:krb5i\:krb5p.*$
/etc/exports ^\/.*$ 0

scap-security-guide-0.1.39/rhel7/cpe/

scap-security-guide-0.1.39/rhel7/cpe/rhel7-cpe-dictionary.xml:
Red Hat Enterprise Linux 7 installed_OS_is_rhel7
Red Hat Enterprise Linux 7 Server installed_OS_is_rhel7
Red Hat Enterprise Linux 7 Client installed_OS_is_rhel7
Red Hat Enterprise Linux 7 ComputeNode installed_OS_is_rhel7
Red Hat Enterprise Linux 7 Workstation installed_OS_is_rhel7
CentOS 7 installed_OS_is_centos7
Scientific Linux 7 installed_OS_is_sl7
Container installed_env_is_a_container
Bare-metal or Virtual Machine installed_env_is_a_machine

scap-security-guide-0.1.39/rhel7/fixes/
scap-security-guide-0.1.39/rhel7/fixes/ansible/

scap-security-guide-0.1.39/rhel7/fixes/ansible/service_avahi-daemon_disabled.yml:
# platform = multi_platform_rhel, multi_platform_fedora
- name: Disable service avahi
  service: name="{{item}}" enabled="no" state="stopped"
  register: service_result
  failed_when: "service_result|failed and ('Could not find the requested service' not in service_result.msg)"
  with_items:
    - avahi-daemon
  tags: @ANSIBLE_TAGS@

- name: Disable avahi socket
  service: name="{{item}}" enabled="no" state="stopped"
  register: service_result
  failed_when: "service_result|failed and ('Could not find the requested service' not in service_result.msg)"
  with_items:
    - avahi-socket
  tags: @ANSIBLE_TAGS@
scap-security-guide-0.1.39/rhel7/fixes/bash/

scap-security-guide-0.1.39/rhel7/fixes/bash/account_disable_post_pw_expiration.sh:
# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions
populate var_account_disable_post_pw_expiration

replace_or_append '/etc/default/useradd' '^INACTIVE' "$var_account_disable_post_pw_expiration" '@CCENUM@' '%s=%s'

scap-security-guide-0.1.39/rhel7/fixes/bash/accounts_have_homedir_login_defs.sh:
# platform = Red Hat Enterprise Linux 7
if ! grep -q ^CREATE_HOME /etc/login.defs; then
  echo "CREATE_HOME yes" >> /etc/login.defs
else
  sed -i "s/^\(CREATE_HOME\).*/\1 yes/g" /etc/login.defs
fi

scap-security-guide-0.1.39/rhel7/fixes/bash/accounts_maximum_age_login_defs.sh:
# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions
populate var_accounts_maximum_age_login_defs

grep -q ^PASS_MAX_DAYS /etc/login.defs && \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MAX_DAYS $var_accounts_maximum_age_login_defs" >> /etc/login.defs
fi

scap-security-guide-0.1.39/rhel7/fixes/bash/accounts_minimum_age_login_defs.sh:
# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions
populate var_accounts_minimum_age_login_defs

grep -q ^PASS_MIN_DAYS /etc/login.defs && \
  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS $var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MIN_DAYS $var_accounts_minimum_age_login_defs" >> /etc/login.defs
fi

scap-security-guide-0.1.39/rhel7/fixes/bash/accounts_no_uid_except_zero.sh:
# platform = Red Hat Enterprise Linux 7
awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs passwd -l

scap-security-guide-0.1.39/rhel7/fixes/bash/accounts_password_minlen_login_defs.sh:
# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions
populate var_accounts_password_minlen_login_defs

grep -q ^PASS_MIN_LEN /etc/login.defs && \
  sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN $var_accounts_password_minlen_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MIN_LEN $var_accounts_password_minlen_login_defs" >> /etc/login.defs
fi

scap-security-guide-0.1.39/rhel7/fixes/bash/accounts_password_pam_retry.sh:
# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions
populate var_password_pam_retry

if grep -q "retry=" /etc/pam.d/system-auth; then
  sed -i --follow-symlinks "s/\(retry *= *\).*/\1$var_password_pam_retry/" /etc/pam.d/system-auth
else
  sed -i --follow-symlinks "/pam_pwquality.so/ s/$/ retry=$var_password_pam_retry/" /etc/pam.d/system-auth
fi

scap-security-guide-0.1.39/rhel7/fixes/bash/accounts_password_warn_age_login_defs.sh:
# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions
populate var_accounts_password_warn_age_login_defs

grep -q ^PASS_WARN_AGE /etc/login.defs && \
  sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_WARN_AGE $var_accounts_password_warn_age_login_defs" >> /etc/login.defs
fi

scap-security-guide-0.1.39/rhel7/fixes/bash/accounts_tmout.sh:
# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions
populate var_accounts_tmout

if grep --silent ^TMOUT /etc/profile ; then
    sed -i "s/^TMOUT.*/TMOUT=$var_accounts_tmout/g" /etc/profile
else
    echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile
    echo "TMOUT=$var_accounts_tmout" >> /etc/profile
fi

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_file_deletion_events.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=4294967295 -k *"
    # Use escaped BRE regex to specify rule group
    GROUP="\(rmdir\|unlink\|rename\)"
    FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_mac_modification.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/selinux/" "wa" "MAC-policy"
fix_audit_watch_rule "augenrules" "/etc/selinux/" "wa" "MAC-policy"

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_media_export.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid>=1000 -F auid!=4294967295 -k *"
    GROUP="mount"
    FULL_RULE="-a always,exit -F arch=$ARCH -S mount -F auid>=1000 -F auid!=4294967295 -k export"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_networkconfig_modification.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S .* -k *"
    # Use escaped BRE regex to specify rule group
    GROUP="set\(host\|domain\)name"
    FULL_RULE="-a always,exit -F arch=$ARCH -S sethostname -S setdomainname -k audit_rules_networkconfig_modification"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# Then perform the remediations for the watch rules
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/issue" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/issue.net" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/hosts" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "auditctl" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"
fix_audit_watch_rule "augenrules" "/etc/sysconfig/network" "wa" "audit_rules_networkconfig_modification"

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_privileged_commands.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
perform_audit_rules_privileged_commands_remediation "auditctl" "1000"
perform_audit_rules_privileged_commands_remediation "augenrules" "1000"

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_session_events.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/var/run/utmp" "wa" "session"
fix_audit_watch_rule "augenrules" "/var/run/utmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/btmp" "wa" "session"
fix_audit_watch_rule "augenrules" "/var/log/btmp" "wa" "session"
fix_audit_watch_rule "auditctl" "/var/log/wtmp" "wa" "session"
fix_audit_watch_rule "augenrules" "/var/log/wtmp" "wa" "session"

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_sysadmin_actions.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/sudoers" "wa" "actions"
fix_audit_watch_rule "augenrules" "/etc/sudoers" "wa" "actions"

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_time_adjtimex.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_time_settimeofday.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_time_stime.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_time_watch_localtime.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"
fix_audit_watch_rule "augenrules" "/etc/localtime" "wa" "audit_time_rules"

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_unsuccessful_file_modification.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    # First fix the -EACCES requirement
    PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k *"
    # Use escaped BRE regex to specify rule group
    GROUP="\(creat\|open\|truncate\)"
    FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"

    # Then fix the -EPERM requirement
    PATTERN="-a always,exit -F arch=$ARCH -S .* -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k *"
    # No need to change content of $GROUP variable - it's the same as for -EACCES case above
    FULL_RULE="-a always,exit -F arch=$ARCH -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access"
    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

scap-security-guide-0.1.39/rhel7/fixes/bash/audit_rules_usergroup_modification.sh:
# platform = Red Hat Enterprise Linux 7

# Include source function library.
.
/usr/share/scap-security-guide/remediation_functions # Perform the remediation # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_watch_rule "auditctl" "/etc/group" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/group" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "auditctl" "/etc/passwd" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/passwd" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "auditctl" "/etc/gshadow" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/gshadow" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "auditctl" "/etc/shadow" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/shadow" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "auditctl" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification" fix_audit_watch_rule "augenrules" "/etc/security/opasswd" "wa" "audit_rules_usergroup_modification" scap-security-guide-0.1.39/rhel7/fixes/bash/auditd_data_retention_admin_space_left_action.sh000066400000000000000000000007051327242345500323370ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions populate var_auditd_admin_space_left_action grep -q ^admin_space_left_action /etc/audit/auditd.conf && \ sed -i "s/admin_space_left_action.*/admin_space_left_action = $var_auditd_admin_space_left_action/g" /etc/audit/auditd.conf if ! [ $? -eq 0 ]; then echo "admin_space_left_action = $var_auditd_admin_space_left_action" >> /etc/audit/auditd.conf fi scap-security-guide-0.1.39/rhel7/fixes/bash/auditd_data_retention_space_left_action.sh000066400000000000000000000006331327242345500311670ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . 
/usr/share/scap-security-guide/remediation_functions populate var_auditd_space_left_action grep -q ^space_left_action /etc/audit/auditd.conf && \ sed -i "s/space_left_action.*/space_left_action = $var_auditd_space_left_action/g" /etc/audit/auditd.conf if ! [ $? -eq 0 ]; then echo "space_left_action = $var_auditd_space_left_action" >> /etc/audit/auditd.conf fi scap-security-guide-0.1.39/rhel7/fixes/bash/banner_etc_issue.sh000066400000000000000000000011021327242345500244130ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions populate login_banner_text # There was a regular-expression matching various banners, needs to be expanded # When there are multiple banners in login_banner_text, the first banner should be the one for RHEL7 expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/[^-]- /\n\n-/g;s/(n)\**//g') formatted=$(echo "$expanded" | fold -sw 80) cat </etc/issue $formatted EOF printf "\n" >> /etc/issue scap-security-guide-0.1.39/rhel7/fixes/bash/bootloader_audit_argument.sh000066400000000000000000000007521327242345500263370ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 # Correct the form of default kernel command line in /etc/default/grub grep -q ^GRUB_CMDLINE_LINUX=\".*audit=0.*\" /etc/default/grub && \ sed -i "s/audit=[^[:space:]\+]/audit=1/g" /etc/default/grub if ! [ $? -eq 0 ]; then sed -i "s/\(GRUB_CMDLINE_LINUX=\)\"\(.*\)\"/\1\"\2 audit=1\"/" /etc/default/grub fi # Correct the form of kernel command line for each installed kernel # in the bootloader /sbin/grubby --update-kernel=ALL --args="audit=1" scap-security-guide-0.1.39/rhel7/fixes/bash/chronyd_or_ntpd_specify_multiple_servers.sh000066400000000000000000000007741327242345500315220ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . 
/usr/share/scap-security-guide/remediation_functions populate var_multiple_time_servers # Invoke the function without args, so its body is substituded right here. rhel7_ensure_there_are_servers_in_ntp_compatible_config_file config_file="/etc/ntp.conf" /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" [ "$(grep -c '^server' "$config_file")" -gt 1 ] || rhel7_ensure_there_are_servers_in_ntp_compatible_config_file "$config_file" "$var_multiple_time_servers" scap-security-guide-0.1.39/rhel7/fixes/bash/chronyd_or_ntpd_specify_remote_server.sh000066400000000000000000000007531327242345500307740ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions populate var_multiple_time_servers # Invoke the function without args, so its body is substituded right here. rhel7_ensure_there_are_servers_in_ntp_compatible_config_file config_file="/etc/ntp.conf" /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" grep -q ^server "$config_file" || rhel7_ensure_there_are_servers_in_ntp_compatible_config_file "$config_file" "$var_multiple_time_servers" scap-security-guide-0.1.39/rhel7/fixes/bash/clean_components_post_updating.sh000066400000000000000000000005751327242345500274070ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 if grep --silent ^clean_requirements_on_remove /etc/yum.conf ; then sed -i "s/^clean_requirements_on_remove.*/clean_requirements_on_remove=1/g" /etc/yum.conf else echo -e "\n# Set clean_requirements_on_remove to 1 per security requirements" >> /etc/yum.conf echo "clean_requirements_on_remove=1" >> /etc/yum.conf fi scap-security-guide-0.1.39/rhel7/fixes/bash/disable_ctrlaltdel_reboot.sh000066400000000000000000000003011327242345500262720ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 # The process to disable ctrl+alt+del has changed in RHEL7. 
# Reference: https://access.redhat.com/solutions/1123873 systemctl mask ctrl-alt-del.target scap-security-guide-0.1.39/rhel7/fixes/bash/disable_prelink.sh000066400000000000000000000005521327242345500242420ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 if rpm --quiet -q prelink; then if grep -q ^PRELINKING /etc/sysconfig/prelink then sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink else echo -e '\n# Set PRELINKING=no per security requirements' >> /etc/sysconfig/prelink echo 'PRELINKING=no' >> /etc/sysconfig/prelink fi /usr/sbin/prelink -ua fi scap-security-guide-0.1.39/rhel7/fixes/bash/disable_users_coredumps.sh000066400000000000000000000001431327242345500260140ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 echo "* hard core 0" >> /etc/security/limits.conf scap-security-guide-0.1.39/rhel7/fixes/bash/ensure_gpgcheck_local_packages.sh000066400000000000000000000005061327242345500272560ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 if grep --silent ^localpkg_gpgcheck /etc/yum.conf ; then sed -i "s/^localpkg_gpgcheck.*/localpkg_gpgcheck=1/g" /etc/yum.conf else echo -e "\n# Set localpkg_gpgcheck to 1 per security requirements" >> /etc/yum.conf echo "localpkg_gpgcheck=1" >> /etc/yum.conf fi scap-security-guide-0.1.39/rhel7/fixes/bash/gnome_gdm_disable_automatic_login.sh000066400000000000000000000004711327242345500277700ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 if rpm --quiet -q gdm then if ! grep -q "^AutomaticLoginEnable=" /etc/gdm/custom.conf then sed -i "/^\[daemon\]/a \ AutomaticLoginEnable=False" /etc/gdm/custom.conf else sed -i "s/^AutomaticLoginEnable=.*/AutomaticLoginEnable=False/g" /etc/gdm/custom.conf fi fi scap-security-guide-0.1.39/rhel7/fixes/bash/gnome_gdm_disable_guest_login.sh000066400000000000000000000004511327242345500271270ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 if rpm --quiet -q gdm then if ! 
grep -q "^TimedLoginEnable=" /etc/gdm/custom.conf then sed -i "/^\[daemon\]/a \ TimedLoginEnable=False" /etc/gdm/custom.conf else sed -i "s/^TimedLoginEnable=.*/TimedLoginEnable=False/g" /etc/gdm/custom.conf fi fi scap-security-guide-0.1.39/rhel7/fixes/bash/groupowner_shadow_file.sh000066400000000000000000000000771327242345500256700ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 chgrp root /etc/shadow scap-security-guide-0.1.39/rhel7/fixes/bash/grub2_enable_fips_mode.sh000066400000000000000000000032601327242345500254660ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 # include remediation functions library . /usr/share/scap-security-guide/remediation_functions # if prelink package is installed disable it, else ignore if rpm -q prelink 2>&1 > /dev/null; then if grep -q '^PRELINKING=' /etc/sysconfig/prelink ; then sed -i 's/^PRELINKING=.*/# Set PRELINKING to "no" per security requirements\nPRELINKING=no/' /etc/sysconfig/prelink else echo -e "\n# Set PRELINKING to 'no' per security requirements" >> /etc/sysconfig/prelink echo "PRELINKING=no" >> /etc/sysconfig/prelink fi prelink -u -a fi package_install dracut-fips dracut -f # Correct the form of default kernel command line in grub if grep -q '^GRUB_CMDLINE_LINUX=.*fips=.*"' /etc/default/grub; then # modify the GRUB command-line if a fips= arg already exists sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)fips=[^[:space:]]*\(.*"\)/\1 fips=1 \2/' /etc/default/grub else # no existing fips=arg is present, append it sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 fips=1"/' /etc/default/grub fi # Get the UUID of the device mounted at /boot. 
BOOT_UUID=$(findmnt --noheadings --output uuid --target /boot) if grep -q '^GRUB_CMDLINE_LINUX=".*boot=.*"' /etc/default/grub; then # modify the GRUB command-line if a boot= arg already exists sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)boot=[^[:space:]]*\(.*"\)/\1 boot=UUID='"${BOOT_UUID} \2/" /etc/default/ grub else # no existing boot=arg is present, append it sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 boot=UUID='${BOOT_UUID}'"/' /etc/default/grub fi # Correct the form of kernel command line for each installed kernel in the bootloader /sbin/grubby --update-kernel=ALL --args="fips=1 boot=UUID=${BOOT_UUID}" scap-security-guide-0.1.39/rhel7/fixes/bash/network_disable_zeroconf.sh000066400000000000000000000001301327242345500261640ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 echo "NOZEROCONF=yes" >> /etc/sysconfig/network scap-security-guide-0.1.39/rhel7/fixes/bash/postfix_prevent_unrestricted_relay.sh000066400000000000000000000004761327242345500303460ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 if ! grep -q ^smtpd_client_restrictions /etc/postfix/main.cf; then echo "smtpd_client_restrictions = permit_mynetworks,reject" >> /etc/postfix/main.cf else sed -i "s/^smtpd_client_restrictions.*/smtpd_client_restrictions = permit_mynetworks,reject/g" /etc/postfix/main.cf fi scap-security-guide-0.1.39/rhel7/fixes/bash/rsyslog_cron_logging.sh000066400000000000000000000003601327242345500253410ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 if ! 
grep "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then echo "cron.* /var/log/cron\n" >> /etc/rsyslog.d/cron.conf fi scap-security-guide-0.1.39/rhel7/fixes/bash/rsyslog_files_permissions.sh000066400000000000000000000047561327242345500264440ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 # List of log file paths to be inspected for correct permissions # * Primarily inspect log file paths listed in /etc/rsyslog.conf RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" # * And also the log file paths listed after rsyslog's $IncludeConfig directive # (store the result into array for the case there's shell glob used as value of IncludeConfig) RSYSLOG_INCLUDE_CONFIG=($(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)) # Declare an array to hold the final list of different log file paths declare -a LOG_FILE_PATHS # Browse each file selected above as containing paths of log files # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" do # From each of these files extract just particular log file path(s), thus: # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, # * Ignore empty lines, # * From the remaining valid rows select only fields constituting a log file path # Text file column is understood to represent a log file path if and only if all of the following are met: # * it contains at least one slash '/' character, # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters # Search log file for path(s) only in case it exists! 
if [[ -f "${LOG_FILE}" ]] then MATCHED_ITEMS=$(sed -e "/^[[:space:]|#|$]/d ; s/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g ; /^$/d" "${LOG_FILE}") # Since above sed command might return more than one item (delimited by newline), split the particular # matches entries into new array specific for this log file readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with # items from newly created array for this log file LOG_FILE_PATHS=("${LOG_FILE_PATHS[@]}" "${ARRAY_FOR_LOG_FILE[@]}") # Delete the temporary array unset ARRAY_FOR_LOG_FILE fi done for PATH in "${LOG_FILE_PATHS[@]}" do # Sanity check - if particular $PATH is empty string, skip it from further processing if [ -z "$PATH" ] then continue fi # In RHEL 7 we have systemd, so it doesn't make sense to patch/change /etc/rc.d/rc.local, # as per BZ https://bugzilla.redhat.com/show_bug.cgi?id=1404381 # Also for each log file check if its permissions differ from 600. If so, correct them if [ "$(/usr/bin/stat -c %a "$PATH")" -ne 600 ] then /bin/chmod 600 "$PATH" fi done scap-security-guide-0.1.39/rhel7/fixes/bash/service_avahi-daemon_disabled.sh000066400000000000000000000005351327242345500270140ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 # # Disable avahi-daemon.service for all systemd targets # systemctl disable avahi-daemon.service # # Stop avahi-daemon.service if currently running # and disable avahi-daemon.socket so the avahi-daemon.service # can't be activated # systemctl stop avahi-daemon.service systemctl disable avahi-daemon.socket scap-security-guide-0.1.39/rhel7/fixes/bash/service_bluetooth_disabled.sh000066400000000000000000000005051327242345500264650ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 grep -qi disable /etc/xinetd.d/bluetooth && \ sed -i 's/disable.*/disable = yes/gI' /etc/xinetd.d/bluetooth # # Disable bluetooth.service for all systemd targets # systemctl disable 
bluetooth.service # # Stop bluetooth.service if currently running # systemctl stop bluetooth.service scap-security-guide-0.1.39/rhel7/fixes/bash/service_chronyd_or_ntpd_enabled.sh000066400000000000000000000005621327242345500275010ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions if ! `rpm -q --quiet chrony` && ! `rpm -q --quiet ntp-`; then package_install chrony service_command enable chronyd elif `rpm -q --quiet chrony`; then if ! [ `/usr/sbin/pidof ntpd` ] ; then service_command enable chronyd fi else service_command enable ntpd fi scap-security-guide-0.1.39/rhel7/fixes/bash/service_cups_disabled.sh000066400000000000000000000005131327242345500254310ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 # # Disable cups.service for all systemd targets # systemctl disable cups.service # # Stop cups.service if currently running # and disable cups.path and cups.socket so # cups.service can't be activated # systemctl stop cups.service systemctl disable cups.path systemctl disable cups.socket scap-security-guide-0.1.39/rhel7/fixes/bash/service_nfslock_disabled.sh000066400000000000000000000003241327242345500261160ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 # # Disable nfs-lock.service for all systemd targets # systemctl disable nfs-lock.service # # Stop nfs-lock.service if currently running # systemctl stop nfs-lock.service scap-security-guide-0.1.39/rhel7/fixes/bash/service_rexec_disabled.sh000066400000000000000000000004631327242345500255710ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 grep -qi disable /etc/xinetd.d/rexec && \ sed -i "s/disable.*/disable = yes/gI" /etc/xinetd.d/rexec # # Disable rexec.socket for all systemd targets # systemctl disable rexec.socket # # Stop rexec.socket if currently running # systemctl stop rexec.socket 
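The audit_rules_* fixes above all delegate to `fix_audit_watch_rule` and `fix_audit_syscall_rule` from the remediation_functions library, which is not part of this listing. The following is an added example, not the library's code: a small idempotent stand-in for the watch-rule helper that edits a rules file passed as an argument (assumed to be something like `/etc/audit/rules.d/audit.rules` on a real host; here it runs on a temporary file with constructed contents). It shows the three properties a practitioner expects from such a fix: commented-out rules are not counted as coverage, an existing watch on the same path is widened rather than duplicated, and a second run changes nothing.

```bash
#!/bin/bash
# Added example, not SSG's remediation_functions: an idempotent stand-in for
# fix_audit_watch_rule that edits the rules file given as its first argument.
#
# For "-w PATH -p PERMS -k KEY" it:
#   * ignores commented-out rules, so "#-w /etc/shadow ..." is not coverage;
#   * appends the watch when no active rule watches PATH;
#   * widens the -p set of an existing watch on PATH instead of adding a
#     duplicate, so the rules file converges after one run.

# perms_cover HAVE WANT: succeed when every permission bit in WANT is in HAVE
perms_cover() {
    have="$1"; want="$2"
    for c in r w x a; do
        case "$want" in
            *"$c"*) case "$have" in *"$c"*) ;; *) return 1 ;; esac ;;
        esac
    done
    return 0
}

# count_watches RULES_FILE PATH: number of active watch rules for PATH
count_watches() {
    grep -cE "^[[:space:]]*-w[[:space:]]+$2[[:space:]]" "$1" || true
}

# fix_watch_rule RULES_FILE PATH PERMS KEY
fix_watch_rule() {
    file="$1"; path="$2"; perms="$3"; key="$4"
    # First active (uncommented) watch on exactly this path, if any
    line=$(grep -E "^[[:space:]]*-w[[:space:]]+${path}[[:space:]]" "$file" 2>/dev/null | head -n1)
    if [ -z "$line" ]; then
        echo "-w $path -p $perms -k $key" >> "$file"
        return 0
    fi
    have=$(printf '%s\n' "$line" | sed -n 's/.*-p[[:space:]]\+\([rwxa]\+\).*/\1/p')
    if perms_cover "$have" "$perms"; then
        return 0        # already watched with at least these bits: nothing to do
    fi
    # Union of the existing and requested bits, kept in canonical rwxa order
    new=""
    for c in r w x a; do
        case "$have$perms" in *"$c"*) new="$new$c" ;; esac
    done
    sed -i "s|^\([[:space:]]*-w[[:space:]]\+${path}[[:space:]].*-p[[:space:]]\+\)[rwxa]\+|\1${new}|" "$file"
}

# Constructed demonstration: a half-configured rules file is brought to the
# state the audit_rules_usergroup_modification fix above expects.
demo() {
    rules=$(mktemp)
    cat > "$rules" <<'EOF'
# constructed sample rules, not taken from a real host
#-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p w -k audit_rules_usergroup_modification
-w /etc/sudoers -p wa -k actions
EOF
    for p in /etc/group /etc/passwd /etc/gshadow /etc/shadow /etc/security/opasswd; do
        fix_watch_rule "$rules" "$p" wa audit_rules_usergroup_modification
    done
    fix_watch_rule "$rules" /etc/sudoers wa actions    # second run: no change
    cat "$rules"
    rm -f "$rules"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `bash fix_watch.sh demo` to see the resulting file: `/etc/passwd` is widened from `-p w` to `-p wa`, `/etc/shadow` gets a real rule despite the commented one, and `/etc/sudoers` is left alone. The syscall-rule helper used by the same scripts follows the same shape, except that it unions `-S` syscall lists for one `arch=` instead of `-p` bits.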
scap-security-guide-0.1.39/rhel7/fixes/bash/service_rlogin_disabled.sh
```bash
# platform = Red Hat Enterprise Linux 7
grep -qi disable /etc/xinetd.d/rlogin && \
  sed -i "s/disable.*/disable = yes/gI" /etc/xinetd.d/rlogin

#
# Disable rlogin.socket for all systemd targets
#
systemctl disable rlogin.socket

#
# Stop rlogin.socket if currently running
#
systemctl stop rlogin.socket
```

scap-security-guide-0.1.39/rhel7/fixes/bash/service_rpcgssd_disabled.sh
```bash
# platform = Red Hat Enterprise Linux 7
#
# Disable nfs-secure.service (rpcgssd) for all systemd targets
#
systemctl disable nfs-secure.service

#
# Stop nfs-secure.service (rpcgssd) if currently running
#
systemctl stop nfs-secure.service
```

scap-security-guide-0.1.39/rhel7/fixes/bash/service_rpcidmapd_disabled.sh
```bash
# platform = Red Hat Enterprise Linux 7
#
# Disable nfs-idmap.service (rpcidmapd) for all systemd targets
#
systemctl disable nfs-idmap.service

#
# Stop nfs-idmap.service (rpcidmapd) if currently running
#
systemctl stop nfs-idmap.service
```

scap-security-guide-0.1.39/rhel7/fixes/bash/service_rpcsvcgssd_disabled.sh
```bash
# platform = Red Hat Enterprise Linux 7
#
# Disable nfs-secure-server.service (rpcsvcgssd) for all systemd targets
#
systemctl disable nfs-secure-server.service

#
# Stop nfs-secure-server.service (rpcsvcgssd) if currently running
#
systemctl stop nfs-secure-server.service
```

scap-security-guide-0.1.39/rhel7/fixes/bash/service_rsh_disabled.sh
```bash
# platform = Red Hat Enterprise Linux 7
grep -qi disable /etc/xinetd.d/rsh && \
  sed -i "s/disable.*/disable = yes/gI" /etc/xinetd.d/rsh

#
# Disable rsh.socket for all systemd targets
#
systemctl disable rsh.socket

#
# Stop rsh.socket if currently running
#
systemctl stop rsh.socket
```

scap-security-guide-0.1.39/rhel7/fixes/bash/service_telnet_disabled.sh
```bash
# platform = Red Hat Enterprise Linux 7
grep -qi disable /etc/xinetd.d/telnet && \
  sed -i "s/disable.*/disable = yes/gI" /etc/xinetd.d/telnet

#
# Disable telnet.socket for all systemd targets
#
systemctl disable telnet.socket

#
# Stop telnet.socket if currently running
#
systemctl stop telnet.socket
```

scap-security-guide-0.1.39/rhel7/fixes/bash/smartcard_auth.sh
```bash
# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions

# Install required packages
package_install esc
package_install pam_pkcs11

# Enable pcscd.socket systemd activation socket
service_command enable pcscd.socket

# Configure the expected /etc/pam.d/system-auth{,-ac} settings directly
#
# The code below will configure system authentication in the way smart card
# logins will be enabled, but also user login(s) via other method to be allowed
#
# NOTE: It is not possible to use the 'authconfig' command to perform the
#       remediation for us, because a call of 'authconfig' would discard changes
#       made by other remediations (see RH BZ#1357019 for details)
#
#       Therefore we need to configure the necessary settings directly.
#

# Define system-auth config location
SYSTEM_AUTH_CONF="/etc/pam.d/system-auth"
# Define expected 'pam_env.so' row in $SYSTEM_AUTH_CONF
PAM_ENV_SO="auth.*required.*pam_env.so"

# Define 'pam_succeed_if.so' row to be appended past $PAM_ENV_SO row into $SYSTEM_AUTH_CONF
SYSTEM_AUTH_PAM_SUCCEED="\
auth        [success=1 default=ignore] pam_succeed_if.so service notin \
login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid"
# Define 'pam_pkcs11.so' row to be appended past $SYSTEM_AUTH_PAM_SUCCEED
# row into SYSTEM_AUTH_CONF file
SYSTEM_AUTH_PAM_PKCS11="\
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] \
pam_pkcs11.so nodebug"

# Define smartcard-auth config location
SMARTCARD_AUTH_CONF="/etc/pam.d/smartcard-auth"

# Define 'pam_pkcs11.so' auth section to be appended past $PAM_ENV_SO into $SMARTCARD_AUTH_CONF
SMARTCARD_AUTH_SECTION="\
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only"
# Define expected 'pam_permit.so' row in $SMARTCARD_AUTH_CONF
PAM_PERMIT_SO="account.*required.*pam_permit.so"
# Define 'pam_pkcs11.so' password section
SMARTCARD_PASSWORD_SECTION="\
password    required    pam_pkcs11.so"

# First correct the SYSTEM_AUTH_CONF configuration
if ! grep -q 'pam_pkcs11.so' "$SYSTEM_AUTH_CONF"
then
    # Append (expected) pam_succeed_if.so row past the pam_env.so into SYSTEM_AUTH_CONF file
    # and append (expected) pam_pkcs11.so row right after the pam_succeed_if.so we just added
    # in SYSTEM_AUTH_CONF file
    # This will preserve any other already existing row equal to "$SYSTEM_AUTH_PAM_SUCCEED"
    echo "$(awk '/^'"$PAM_ENV_SO"'/{print $0 RS "'"$SYSTEM_AUTH_PAM_SUCCEED"'" RS "'"$SYSTEM_AUTH_PAM_PKCS11"'";next}1' "$SYSTEM_AUTH_CONF")" > "$SYSTEM_AUTH_CONF"
fi

# Then also correct the SMARTCARD_AUTH_CONF
if ! grep -q 'pam_pkcs11.so' "$SMARTCARD_AUTH_CONF"
then
    # Append (expected) SMARTCARD_AUTH_SECTION row past the pam_env.so into SMARTCARD_AUTH_CONF file
    sed -i --follow-symlinks -e '/^'"$PAM_ENV_SO"'/a '"$SMARTCARD_AUTH_SECTION" "$SMARTCARD_AUTH_CONF"
    # Append (expected) SMARTCARD_PASSWORD_SECTION row past the pam_permit.so into SMARTCARD_AUTH_CONF file
    sed -i --follow-symlinks -e '/^'"$PAM_PERMIT_SO"'/a '"$SMARTCARD_PASSWORD_SECTION" "$SMARTCARD_AUTH_CONF"
fi

# Perform /etc/pam_pkcs11/pam_pkcs11.conf settings below
# Define selected constants for later reuse
SP="[:space:]"
PAM_PKCS11_CONF="/etc/pam_pkcs11/pam_pkcs11.conf"

# Ensure OCSP is turned on in $PAM_PKCS11_CONF
# 1) First replace any occurrence of 'none' value of 'cert_policy' key setting with the correct configuration
sed -i "s/^[$SP]*cert_policy[$SP]\+=[$SP]\+none;/\t\tcert_policy = ca, ocsp_on, signature;/g" "$PAM_PKCS11_CONF"
# 2) Then append 'ocsp_on' value setting to each 'cert_policy' key in $PAM_PKCS11_CONF configuration line,
#    which does not contain it yet
sed -i "/ocsp_on/! s/^[$SP]*cert_policy[$SP]\+=[$SP]\+\(.*\);/\t\tcert_policy = \1, ocsp_on;/" "$PAM_PKCS11_CONF"
```

scap-security-guide-0.1.39/rhel7/fixes/bash/smartcard_configure_cert_checking.sh
```bash
# platform = Red Hat Enterprise Linux 7
# Install required packages
if ! rpm --quiet -q pam_pkcs11; then
    yum -y -d 1 install pam_pkcs11
fi

# Only active (non-comment) cert_policy lines that lack ocsp_on are rewritten
if grep "^\s*cert_policy" /etc/pam_pkcs11/pam_pkcs11.conf | grep -qv "ocsp_on"; then
    sed -i "/^\s*#/! s/cert_policy.*/cert_policy = ca, ocsp_on, signature;/g" /etc/pam_pkcs11/pam_pkcs11.conf
fi
```

scap-security-guide-0.1.39/rhel7/fixes/bash/snmpd_not_default_password.sh
```bash
# platform = Red Hat Enterprise Linux 7
# Comment out every active line that still carries a default community string
if grep -s "public\|private" /etc/snmp/snmpd.conf | grep -qv "^#"; then
    sed -i "/^\s*#/b;/public\|private/ s/^/#/" /etc/snmp/snmpd.conf
fi
```

scap-security-guide-0.1.39/rhel7/fixes/bash/sshd_do_not_permit_user_env.sh
```bash
# platform = Red Hat Enterprise Linux 7
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

replace_or_append '/etc/ssh/sshd_config' '^PermitUserEnvironment' 'no' '@CCENUM@' '%s %s'
```

scap-security-guide-0.1.39/rhel7/fixes/bash/sshd_enable_warning_banner.sh
```bash
# platform = Red Hat Enterprise Linux 7
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

replace_or_append '/etc/ssh/sshd_config' '^Banner' '/etc/issue' '@CCENUM@' '%s %s'
```

scap-security-guide-0.1.39/rhel7/fixes/bash/sshd_set_idle_timeout.sh
```bash
# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions

populate sshd_idle_timeout_value

replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' $sshd_idle_timeout_value '@CCENUM@' '%s %s'
```

scap-security-guide-0.1.39/rhel7/fixes/bash/sshd_set_keepalive.sh
```bash
# platform = Red Hat Enterprise Linux 7
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# With ClientAliveCountMax 0 the session is dropped as soon as the first
# ClientAliveInterval elapses without a response
replace_or_append '/etc/ssh/sshd_config' '^ClientAliveCountMax' '0' '@CCENUM@' '%s %s'
```

scap-security-guide-0.1.39/rhel7/fixes/bash/sshd_use_approved_ciphers.sh
```bash
# platform = Red Hat Enterprise Linux 7
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# This is the FIPS 140-2 cipher list this release ships; note that it still
# includes CBC modes and 3des-cbc, which later guidance drops.
replace_or_append '/etc/ssh/sshd_config' '^Ciphers' 'aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' '@CCENUM@' '%s %s'
```

scap-security-guide-0.1.39/rhel7/fixes/bash/sshd_use_approved_macs.sh
```bash
# platform = Red Hat Enterprise Linux 7
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

populate sshd_approved_macs

replace_or_append '/etc/ssh/sshd_config' '^MACs' "$sshd_approved_macs" '@CCENUM@' '%s %s'
```

scap-security-guide-0.1.39/rhel7/fixes/bash/sysctl_kernel_exec_shield.sh
```bash
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
# platform = Red Hat Enterprise Linux 7

if [ $(getconf LONG_BIT) = "32" ] ; then
    #
    # Set runtime for kernel.exec-shield
    #
    sysctl -q -n -w kernel.exec-shield=1

    #
    # If kernel.exec-shield present in /etc/sysctl.conf, change value to "1"
    # else, add "kernel.exec-shield = 1" to /etc/sysctl.conf
    #
    replace_or_append '/etc/sysctl.conf' '^kernel.exec-shield' '1' '@CCENUM@'
fi

if [ $(getconf LONG_BIT) = "64" ] ; then
    # On x86_64 the NX bit provides the protection; make sure no "noexec"
    # kernel argument switches it off, then regenerate the grub configuration.
    # Note that these sed calls strip everything after "noexec" on a matching
    # line, including any arguments that follow it.
    if grep --silent noexec /boot/grub2/grub*.cfg ; then
        sed -i "s/noexec.*//g" /etc/default/grub
        sed -i "s/noexec.*//g" /etc/grub.d/*
        for GRUBCFG in $(ls /boot/grub2 | grep '\.cfg$'); do
            grub2-mkconfig -o "/boot/grub2/$GRUBCFG"
        done
    fi
fi
```

scap-security-guide-0.1.39/rhel7/fixes/bash/sysctl_kernel_randomize_va_space.sh
```bash
# platform = Red Hat Enterprise Linux 7
#
# Set runtime for kernel.randomize_va_space
#
sysctl -q -n -w kernel.randomize_va_space=2

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@'
```

scap-security-guide-0.1.39/rhel7/fixes/bash/umask_for_daemons.sh
```bash
# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions

populate var_umask_for_daemons

# Anchored so that a comment mentioning "umask" elsewhere in the file is left alone
grep -q ^umask /etc/init.d/functions && \
  sed -i "s/^umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
if ! [ $? -eq 0 ]; then
    echo "umask $var_umask_for_daemons" >> /etc/init.d/functions
fi
```

scap-security-guide-0.1.39/rhel7/fixes/bash/userowner_shadow_file.sh
```bash
# platform = Red Hat Enterprise Linux 7
chown root /etc/shadow
```

scap-security-guide-0.1.39/rhel7/fixes/bash/xwindows_runlevel_setting.sh
```bash
# platform = Red Hat Enterprise Linux 7
systemctl set-default multi-user.target
```

scap-security-guide-0.1.39/rhel7/guide.xslt
[XSLT markup stripped in this copy; only the stylesheet's text nodes survive]
A conditional clause for check statements.
A conditional clause for check statements.
This is a placeholder.

scap-security-guide-0.1.39/rhel7/kickstart/ssg-rhel7-ospp-ks.cfg
```text
# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 7 Server
# Version: 0.0.2
# Date: 2015-11-19
#
# Based on:
# http://fedoraproject.org/wiki/Anaconda/Kickstart
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg

# Install a fresh new system (optional)
install

# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
#
# Install from an installation tree on a remote server via FTP or HTTP:
# --url         the URL to install from
#
# Example:
#
# url --url=http://192.168.122.1/image
#
# Modify concrete URL in the above example appropriately to reflect the actual
# environment machine is to be installed in
#
# Other possible / supported installation methods:
# * install from the first CD-ROM/DVD drive on the system:
#
# cdrom
#
# * install from a directory of ISO images on a local drive:
#
# harddrive --partition=hdb2 --dir=/tmp/install-tree
#
# * install from provided NFS server:
#
# nfs --server= --dir= [--opts=]
#

# Set language to use during installation and the default language to use on the installed system (required)
lang en_US.UTF-8

# Set system keyboard type / layout (required)
keyboard us

# Configure network information for target system and activate network devices in the installer environment (optional)
# --onboot      enable device at a boot time
# --device      device to be activated and / or configured with the network command
# --bootproto   method to obtain networking configuration for device (default dhcp)
# --noipv6      disable IPv6 on this device
#
# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
network --onboot yes --device eth0 --bootproto dhcp --noipv6

# Set the system's root password (required)
# Plaintext password is: server
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0

# The selected profile will restrict root login
# Add a user that can login and escalate privileges
# Plaintext password is: admin123
user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted

# Configure firewall settings for the system (optional)
# --enabled     reject incoming connections that are not in response to outbound requests
# --ssh         allow sshd service through the firewall
firewall --enabled --ssh

# Set up the authentication options for the system (required)
# --enableshadow        enable shadowed passwords by default
# --passalgo            hash / crypt algorithm for new passwords
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512

# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing

# Set the system time zone (required)
timezone --utc America/New_York

# Specify how the bootloader should be installed (required)
# Plaintext password is: password
# Refer to e.g.
```
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create # encrypted password form for different plaintext password bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 # Initialize (format) all disks (optional) zerombr # The following partition layout scheme assumes disk of size 20GB or larger # Modify size of partitions appropriately to reflect actual machine's hardware # # Remove Linux partitions from the system prior to creating new ones (optional) # --linux erase all Linux partitions # --initlabel initialize the disk label to the default based on the underlying architecture clearpart --linux --initlabel # Create primary system partitions (required for installs) part /boot --fstype=xfs --size=512 part pv.01 --grow --size=1 # Create a Logical Volume Management (LVM) group (optional) volgroup VolGroup --pesize=4096 pv.01 # Create particular logical volumes (optional) logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow # CCE-26557-9: Ensure /home Located On Separate Partition logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" # CCE-26435-8: Ensure /tmp Located On Separate Partition logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" # CCE-26639-5: Ensure /var Located On Separate Partition logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev" # CCE-26215-4: Ensure /var/log Located On Separate Partition logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev" # CCE-26436-6: Ensure /var/log/audit Located On Separate Partition logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev" logvol swap --name=lv_swap --vgname=VolGroup --size=2016 %addon org_fedora_oscap content-type = 
scap-security-guide profile = ospp %end # Packages selection (%packages section is required) %packages # Require @Base @Base # Install selected additional packages (required by profile) # CCE-27024-9: Install AIDE aide # Install libreswan package libreswan %end # End of %packages section # Reboot after the installation is complete (optional) # --eject attempt to eject CD or DVD media before rebooting reboot --eject scap-security-guide-0.1.39/rhel7/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg000066400000000000000000000125711327242345500305730ustar00rootroot00000000000000# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 7 Server # Version: 0.0.2 # Date: 2015-08-02 # # Based on: # http://fedoraproject.org/wiki/Anaconda/Kickstart # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg # Install a fresh new system (optional) install # Specify installation method to use for installation # To use a different one comment out the 'url' one below, update # the selected choice with proper options & un-comment it # # Install from an installation tree on a remote server via FTP or HTTP: # --url the URL to install from # # Example: # # url --url=http://192.168.122.1/image # # Modify concrete URL in the above example appropriately to reflect the actual # environment machine is to be installed in # # Other possible / supported installation methods: # * install from the first CD-ROM/DVD drive on the system: # # cdrom # # * install from a directory of ISO images on a local drive: # # harddrive --partition=hdb2 --dir=/tmp/install-tree # # * install from provided NFS server: # # nfs --server= --dir= [--opts=] # # Set language to use during installation and the default language to use on the installed system (required) lang en_US.UTF-8 # Set system keyboard type / layout (required) keyboard us # Configure 
# --onboot      enable device at a boot time
# --device      device to be activated and / or configured with the network command
# --bootproto   method to obtain networking configuration for device (default dhcp)
# --noipv6      disable IPv6 on this device
network --onboot yes --device eth0 --bootproto dhcp --noipv6

# Set the system's root password (required)
# Plaintext password is: server
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0

# Configure firewall settings for the system (optional)
# --enabled     reject incoming connections that are not in response to outbound requests
# --ssh         allow sshd service through the firewall
firewall --enabled --ssh

# Set up the authentication options for the system (required)
# --enableshadow   enable shadowed passwords by default
# --passalgo       hash / crypt algorithm for new passwords
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512

# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing

# Set the system time zone (required)
timezone --utc America/New_York

# Specify how the bootloader should be installed (required)
# Plaintext password is: password
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0

# Initialize (format) all disks (optional)
zerombr

# The following partition layout scheme assumes disk of size 20GB or larger
# Modify size of partitions appropriately to reflect actual machine's hardware
#
# Remove Linux partitions from the system prior to creating new ones (optional)
# --linux       erase all Linux partitions
# --initlabel   initialize the disk label to the default based on the underlying architecture
clearpart --linux --initlabel

# Create primary system partitions (required for installs)
part /boot --fstype=xfs --size=512
part pv.01 --grow --size=1

# Create a Logical Volume Management (LVM) group (optional)
volgroup VolGroup --pesize=4096 pv.01

# Create particular logical volumes (optional)
logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow
# CCE-26557-9: Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26435-8: Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
# CCE-26639-5: Ensure /var Located On Separate Partition
logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
# CCE-26215-4: Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"
logvol swap --name=lv_swap --vgname=VolGroup --size=2016

%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = pci-dss
%end

# Packages selection (%packages section is required)
%packages

# Require 'Server with GUI' package environment to be installed
@^Server with GUI

# Install selected additional packages (required by PCI-DSS profile)
# CCE-27024-9: Install AIDE
aide
# Install libreswan package
libreswan

%end # End of %packages section

# Reboot after the installation is complete (optional)
# --eject       attempt to eject CD or DVD media before rebooting
reboot --eject

==> scap-security-guide-0.1.39/rhel7/overlays/c2s_support.xml <==
==> scap-security-guide-0.1.39/rhel7/overlays/nist800171_support.xml <==
==> scap-security-guide-0.1.39/rhel7/overlays/nist_support.xml <==
==> scap-security-guide-0.1.39/rhel7/overlays/srg_support.xml <==
==> scap-security-guide-0.1.39/rhel7/overlays/stig_overlay.xml <==
The file permissions, ownership, and group membership of system files and commands must match the vendor values.
The cryptographic hash of system files and commands must match vendor values.
The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
The operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
The operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. The operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures. The operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon. The operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. The operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. The operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface. The operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface. The operating system must have the screen package installed. The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces. The operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. The operating system must initiate a session lock for graphical user interfaces when the screensaver is activated. When passwords are changed or new passwords are established, pwquality must be used. When passwords are changed or new passwords are established, the new password must contain at least one upper-case character. When passwords are changed or new passwords are established, the new password must contain at least one lower-case character. When passwords are changed or new passwords are assigned, the new password must contain at least one numeric character. When passwords are changed or new passwords are assigned, the new password must contain at least one special character. 
When passwords are changed a minimum of eight of the total number of characters must be changed. When passwords are changed a minimum of four character classes must be changed. When passwords are changed the number of repeating consecutive characters must not be more than three characters. When passwords are changed the number of repeating characters of the same character class must not be more than four characters. The PAM system service must be configured to store only encrypted representations of passwords. The shadow file must be configured to store only encrypted representations of passwords. User and group account administration utilities must be configured to store only encrypted representations of passwords. Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime. Passwords must be restricted to a 24 hours/1 day minimum lifetime. Passwords for new users must be restricted to a 60-day maximum lifetime. Existing passwords must be restricted to a 60-day maximum lifetime. Passwords must be prohibited from reuse for a minimum of five generations. Passwords must be a minimum of 15 characters in length. The system must not have accounts configured with blank or null passwords. The SSH daemon must not allow authentication using an empty password. The operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires. Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period. If three unsuccessful root logon attempts within 15 minutes occur the associated account must be locked. Users must provide a password for privilege escalation. Users must re-authenticate for privilege escalation. The delay between logon prompts following a failed console logon attempt must be at least four seconds. The operating system must not allow an unattended or automatic logon to the system via a graphical user interface. 
The operating system must not allow an unrestricted logon to the system. The operating system must not allow users to override SSH environment variables. The operating system must not allow a non-certificate trusted host SSH logon to the system. Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes. The operating system must require authentication upon booting into single-user and maintenance modes. Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. The rsh-server package must not be installed. The ypserv package must not be installed. The operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. A file integrity tool must verify the baseline operating system configuration at least weekly. Designated personnel must be notified if baseline configurations are changed in an unauthorized manner. The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. 
The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata. USB mass storage must be disabled. The Datagram Congestion Control Protocol (DCCP) kernel module must be disabled unless required. File system automounter must be disabled unless required. The operating system must remove all software components after updated versions have been installed. The operating system must enable SELinux. The operating system must enable the SELinux targeted policy. The x86 Ctrl-Alt-Delete key sequence must be disabled. The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. The operating system must be a vendor supported release. Vendor packaged system security patches and updates must be installed and up to date. The system must not have unnecessary accounts. All Group Identifiers (GIDs) referenced in the /etc/passwd file must be defined in the /etc/group file. The root account must be the only account having unrestricted access to the system. All files and directories must have a valid owner. All files and directories must have a valid group owner. All local interactive users must have a home directory assigned in the /etc/passwd file. All local interactive user accounts, upon creation, must be assigned a home directory. All local interactive user home directories defined in the /etc/passwd file must exist. All local interactive user home directories must have mode 0750 or less permissive. All local interactive user home directories must be owned by their respective users. All local interactive user home directories must be group-owned by the home directory owners primary group. All files and directories contained in local interactive user home directories must be owned by the owner of the home directory. 
All files and directories contained in local interactive user home directories must be group-owned by a group of which the home directory owner is a member. All files and directories contained in local interactive user home directories must have mode 0750 or less permissive. All local initialization files for interactive users must be owned by the home directory user or root. Local initialization files for local interactive users must be group-owned by the users primary group or root. All local initialization files must have mode 0740 or less permissive. All local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory. Local initialization files must not execute world-writable programs. All system device files must be correctly labeled to prevent unauthorized modification. File systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed. File systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed. File systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed. File systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed. All world-writable directories must be group-owned by root, sys, bin, or an application group. The umask must be set to 077 for all local interactive user accounts. Cron logging must be implemented. If the cron.allow file exists it must be owned by root. If the cron.allow file exists it must be group-owned by root. Kernel core dumps must be disabled unless needed. A separate file system must be used for user home directories (such as /home or an equivalent). The system must use a separate file system for /var. 
The system must use a separate file system for the system audit data path. The system must use a separate file system for /tmp (or equivalent). The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. The file integrity tool must be configured to verify Access Control Lists (ACLs). The file integrity tool must be configured to verify extended attributes. The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. The system must not allow removable media to be used as the boot loader unless approved. The telnet-server package must not be installed. Auditing must be configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users. The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure. The operating system must off-load audit records onto a different system or media from the system being audited. The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. The audit system must take appropriate action when the audit storage volume is full. The audit system must take appropriate action when there is an error sending audit records to a remote system. 
The operating system must immediately notify the System Administrator (SA) and Information System Security Officer ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. All privileged function executions must be audited. All uses of the chown command must be audited. All uses of the fchown command must be audited. All uses of the lchown command must be audited. All uses of the fchownat command must be audited. All uses of the chmod command must be audited. All uses of the fchmod command must be audited. All uses of the fchmodat command must be audited. All uses of the setxattr command must be audited. All uses of the fsetxattr command must be audited. All uses of the lsetxattr command must be audited. All uses of the removexattr command must be audited. All uses of the fremovexattr command must be audited. All uses of the lremovexattr command must be audited. All uses of the creat command must be audited. All uses of the open command must be audited. All uses of the openat command must be audited. All uses of the open_by_handle_at command must be audited. All uses of the truncate command must be audited. All uses of the ftruncate command must be audited. All uses of the semanage command must be audited. All uses of the setsebool command must be audited. All uses of the chcon command must be audited. All uses of the setfiles command must be audited. 
The operating system must generate audit records for all successful/unsuccessful account access count events. The operating system must generate audit records for all unsuccessful account access events. The operating system must generate audit records for all successful account access events. All uses of the passwd command must be audited. All uses of the unix_chkpwd command must be audited. All uses of the gpasswd command must be audited. All uses of the chage command must be audited. All uses of the userhelper command must be audited. All uses of the su command must be audited. All uses of the sudo command must be audited. All uses of the sudoers command must be audited. All uses of the newgrp command must be audited. All uses of the chsh command must be audited. All uses of the sudoedit command must be audited. All uses of the mount command must be audited. All uses of the umount command must be audited. All uses of the postdrop command must be audited. All uses of the postqueue command must be audited. All uses of the ssh-keysign command must be audited. All uses of the crontab command must be audited. All uses of the pam_timestamp_check command must be audited. All uses of the create_module command must be audited. All uses of the init_module command must be audited. All uses of the finit_module command must be audited. All uses of the delete_module command must be audited. All uses of the insmod command must be audited. All uses of the rmmod command must be audited. All uses of the modprobe command must be audited. The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. 
The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. The operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. All uses of the rename command must be audited. All uses of the renameat command must be audited. All uses of the rmdir command must be audited. All uses of the unlink command must be audited. All uses of the unlinkat command must be audited. The system must send rsyslog output to a log aggregation server. The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation. The system must use a virus scan program. The system must update the virus scan program every seven days or more frequently. The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types. The host must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments. A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications. All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. The Standard Mandatory DoD Notice and Consent Banner must be displayed immediately prior to, or as part of, remote access logon prompts. The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications. The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. 
The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications. The operating system must implement virtual address space randomization. All networked systems must have SSH installed. All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission. All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements. The SSH daemon must not allow authentication using RSA rhosts authentication. All network connections associated with SSH traffic must terminate after a period of inactivity. The SSH daemon must not allow authentication using rhosts authentication. The system must display the date and time of the last successful account logon upon an SSH logon. The system must not permit direct logons to the root account using remote access via SSH. The SSH daemon must not allow authentication using known hosts authentication. The SSH daemon must be configured to only use the SSHv2 protocol. The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. The SSH public host key files must have mode 0644 or less permissive. The SSH private host key files must have mode 0600 or less permissive. The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed. The SSH daemon must not permit Kerberos authentication unless needed. The SSH daemon must perform strict mode checking of home directory configuration files. The SSH daemon must use privilege separation. The SSH daemon must not allow compression or must only allow compression after successful authentication. 
The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). The operating system must protect against or limit the effects of Denial of Service (DoS) attacks by validating the operating system is implementing rate-limiting measures on impacted network interfaces. The operating system must enable an application firewall, if available. The system must display the date and time of the last successful account logon upon logon. There must be no .shosts files on the system. There must be no shosts.equiv files on the system. For systems using DNS resolution, at least two name servers must be configured. The system must not forward Internet Protocol version 4 (IPv4) source-routed packets. The system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default. The system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. The system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted. The system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages. The system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default. The system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects. Network interfaces must not be in promiscuous mode. The system must be configured to prevent unrestricted mail relaying. A File Transfer Protocol (FTP) server package must not be installed unless needed. 
The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for operational support.
Remote X connections for interactive users must be encrypted.
If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode.
An X Windows display manager must not be installed unless approved.
The system must not be performing packet forwarding unless the system is a router.
The Network File System (NFS) must be configured to use RPCSEC_GSS.
SNMP community strings must be changed from the default.
The system access control program must be configured to grant or deny system access to specific hosts and services.
The system must not have unauthorized IP tunnels configured.
The system must not forward IPv6 source-routed packets.
The operating system must have the required packages for multifactor authentication installed.
The operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
The operating system must implement certificate status checking for PKI authentication.
Wireless network adapters must be disabled.

==> scap-security-guide-0.1.39/rhel7/product.yml <==
product: rhel7
benchmark_root: "../shared/guide"
profiles_root: "./profiles"
pkg_system: "rpm"

==> scap-security-guide-0.1.39/rhel7/profiles/C2S-docker.profile <==
documentation_complete: false

title: '[DRAFT] C2S for Docker'

description: |-
    This profile demonstrates compliance against the U.S. Government Commercial
    Cloud Services (C2S) baseline.

    This baseline was inspired by the Center for Internet Security
    (CIS) Docker Community Edition Benchmark, v1.1.0 - 07-06-2017.
    For the SCAP Security Guide project to remain in compliance with
    CIS' terms and conditions, specifically Restrictions(8), note
    there is no representation or claim that the C2S profile will
    ensure a system is in compliance or consistency with the CIS
    baseline.

selections:
    - security_patches_up_to_date

==> scap-security-guide-0.1.39/rhel7/profiles/C2S.profile <==
documentation_complete: true

title: 'C2S for Red Hat Enterprise Linux 7'

description: |-
    This profile demonstrates compliance against the U.S. Government Commercial
    Cloud Services (C2S) baseline.

    This baseline was inspired by the Center for Internet Security
    (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017.

    For the SCAP Security Guide project to remain in compliance with
    CIS' terms and conditions, specifically Restrictions(8), note
    there is no representation or claim that the C2S profile will
    ensure a system is in compliance or consistency with the CIS
    baseline.
selections:
    - kernel_module_cramfs_disabled
    - kernel_module_freevxfs_disabled
    - kernel_module_jffs2_disabled
    - kernel_module_hfs_disabled
    - kernel_module_hfsplus_disabled
    - kernel_module_squashfs_disabled
    - kernel_module_udf_disabled
    - partition_for_tmp
    - mount_option_tmp_nodev
    - mount_option_tmp_nosuid
    - mount_option_tmp_noexec
    - partition_for_var
    - partition_for_var_tmp
    - mount_option_var_tmp_nodev
    - mount_option_var_tmp_nosuid
    - mount_option_var_tmp_noexec
    - partition_for_var_log
    - partition_for_var_log_audit
    - partition_for_home
    - mount_option_home_nodev
    - mount_option_dev_shm_nodev
    - mount_option_dev_shm_nosuid
    - mount_option_dev_shm_noexec
    - mount_option_nodev_removable_partitions
    - mount_option_nosuid_removable_partitions
    - mount_option_noexec_removable_partitions
    - dir_perms_world_writable_sticky_bits
    - service_autofs_disabled
    - ensure_gpgcheck_globally_activated
    - ensure_redhat_gpgkey_installed
    - service_rhnsd_disabled
    - package_aide_installed
    - aide_periodic_cron_checking
    - file_user_owner_grub2_cfg
    - file_group_owner_grub2_cfg
    - file_permissions_grub2_cfg
    - bootloader_password
    - bootloader_uefi_password
    - require_singleuser_auth
    - disable_users_coredumps
    - sysctl_fs_suid_dumpable
    - sysctl_kernel_exec_shield
    - sysctl_kernel_randomize_va_space
    - disable_prelink
    - enable_selinux_bootloader
    - var_selinux_state=enforcing
    - selinux_state
    - var_selinux_policy_name=targeted
    - selinux_policytype
    - package_setroubleshoot_removed
    - package_mcstrans_removed
    - selinux_confinement_of_daemons
    - banner_etc_issue
    - login_banner_text=usgcb_default
    - dconf_gnome_login_banner_text
    - dconf_gnome_banner_enabled
    - security_patches_up_to_date
    - service_tftp_disabled
    - service_xinetd_disabled
    - service_chronyd_or_ntpd_enabled
    - package_xorg-x11-server-common_removed
    - service_avahi-daemon_disabled
    - service_cups_disabled
    - service_dhcpd_disabled
    - package_openldap-servers_removed
    - service_rpcbind_disabled
    - service_nfs_disabled
    - service_named_disabled
    - service_vsftpd_disabled
    - service_httpd_disabled
    - service_dovecot_disabled
    - service_smb_disabled
    - service_squid_disabled
    - service_snmpd_disabled
    - postfix_network_listening_disabled
    - package_ypserv_removed
    - service_rexec_disabled
    - service_rsh_disabled
    - service_rlogin_disabled
    - service_telnet_disabled
    - package_talk-server_removed
    - package_ypbind_removed
    - package_rsh_removed
    - package_talk_removed
    - package_telnet_removed
    - sysctl_net_ipv4_ip_forward
    - sysctl_net_ipv4_conf_all_send_redirects
    - sysctl_net_ipv4_conf_default_send_redirects
    - sysctl_net_ipv4_conf_all_accept_source_route
    - sysctl_net_ipv4_conf_default_accept_source_route
    - sysctl_net_ipv4_conf_all_accept_redirects
    - sysctl_net_ipv4_conf_default_accept_redirects
    - sysctl_net_ipv4_conf_all_secure_redirects
    - sysctl_net_ipv4_conf_default_secure_redirects
    - sysctl_net_ipv4_conf_all_log_martians
    - sysctl_net_ipv4_conf_default_log_martians
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
    - sysctl_net_ipv4_conf_all_rp_filter
    - sysctl_net_ipv4_conf_default_rp_filter
    - sysctl_net_ipv4_tcp_syncookies
    - sysctl_net_ipv6_conf_all_accept_ra
    - sysctl_net_ipv6_conf_default_accept_ra
    - sysctl_net_ipv6_conf_all_accept_redirects
    - sysctl_net_ipv6_conf_default_accept_redirects
    - sysctl_net_ipv6_conf_all_disable_ipv6
    - package_tcp_wrappers_installed
    - kernel_module_dccp_disabled
    - kernel_module_sctp_disabled
    - var_auditd_max_log_file=6
    - auditd_data_retention_max_log_file
    - var_auditd_action_mail_acct=root
    - var_auditd_admin_space_left_action=single
    - auditd_data_retention_action_mail_acct
    - auditd_data_retention_admin_space_left_action
    - auditd_data_retention_max_log_file_action
    - service_auditd_enabled
    - bootloader_audit_argument
    - audit_rules_time_adjtimex
    - audit_rules_time_settimeofday
    - audit_rules_time_stime
    - audit_rules_time_clock_settime
    - audit_rules_time_watch_localtime
    - audit_rules_usergroup_modification_passwd
    - audit_rules_usergroup_modification_group
    - audit_rules_usergroup_modification_gshadow
    - audit_rules_usergroup_modification_shadow
    - audit_rules_usergroup_modification_opasswd
    - audit_rules_networkconfig_modification
    - audit_rules_mac_modification
    - audit_rules_login_events
    - audit_rules_session_events
    - audit_rules_dac_modification_chmod
    - audit_rules_dac_modification_chown
    - audit_rules_dac_modification_fchmod
    - audit_rules_dac_modification_fchmodat
    - audit_rules_dac_modification_fchown
    - audit_rules_dac_modification_fchownat
    - audit_rules_dac_modification_fremovexattr
    - audit_rules_dac_modification_fsetxattr
    - audit_rules_dac_modification_lchown
    - audit_rules_dac_modification_lremovexattr
    - audit_rules_dac_modification_lsetxattr
    - audit_rules_dac_modification_removexattr
    - audit_rules_dac_modification_setxattr
    - audit_rules_unsuccessful_file_modification_creat
    - audit_rules_unsuccessful_file_modification_open
    - audit_rules_unsuccessful_file_modification_openat
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - audit_rules_unsuccessful_file_modification_truncate
    - audit_rules_unsuccessful_file_modification_ftruncate
    - audit_rules_privileged_commands
    - audit_rules_media_export
    - audit_rules_file_deletion_events_rename
    - audit_rules_file_deletion_events_renameat
    - audit_rules_file_deletion_events_rmdir
    - audit_rules_file_deletion_events_unlink
    - audit_rules_file_deletion_events_unlinkat
    - audit_rules_sysadmin_actions
    - audit_rules_kernel_module_loading
    - audit_rules_immutable
    - service_rsyslog_enabled
    - rsyslog_files_permissions
    - rsyslog_remote_loghost
    - rsyslog_accept_remote_messages_tcp
    - rsyslog_accept_remote_messages_udp
    - package_rsyslog_installed
    - ensure_logrotate_activated
    - service_crond_enabled
    - sshd_allow_only_protocol2
    - sshd_set_loglevel_info
    - sshd_enable_x11_forwarding
    - sshd_set_max_auth_tries
    - sshd_disable_rhosts
    - disable_host_auth
    - sshd_disable_root_login
    - sshd_disable_empty_passwords
    - sshd_do_not_permit_user_env
    - sshd_use_approved_ciphers
    - sshd_use_approved_macs
    - sshd_set_idle_timeout
    - sshd_set_keepalive
    - sshd_enable_warning_banner
    - var_password_pam_minlen=14
    - accounts_password_pam_minlen
    - accounts_password_pam_dcredit
    - accounts_password_pam_ucredit
    - accounts_password_pam_lcredit
    - accounts_password_pam_retry
    - var_accounts_passwords_pam_faillock_unlock_time=900
    - var_accounts_passwords_pam_faillock_deny=5
    - accounts_passwords_pam_faillock_unlock_time
    - accounts_passwords_pam_faillock_deny
    - var_password_pam_unix_remember=5
    - accounts_password_pam_unix_remember
    - set_password_hashing_algorithm_systemauth
    - var_accounts_maximum_age_login_defs=90
    - accounts_maximum_age_login_defs
    - var_accounts_minimum_age_login_defs=7
    - accounts_minimum_age_login_defs
    - var_accounts_password_warn_age_login_defs=7
    - accounts_password_warn_age_login_defs
    - var_account_disable_post_pw_expiration=30
    - account_disable_post_pw_expiration
    - no_shelllogin_for_systemaccounts
    - accounts_umask_etc_bashrc
    - accounts_umask_etc_profile
    - no_direct_root_logins
    - file_owner_etc_passwd
    - file_groupowner_etc_passwd
    - file_permissions_etc_passwd
    - userowner_shadow_file
    - groupowner_shadow_file
    - file_permissions_etc_shadow
    - file_owner_etc_group
    - file_groupowner_etc_group
    - file_permissions_etc_group
    - file_owner_etc_gshadow
    - file_groupowner_etc_gshadow
    - file_permissions_etc_gshadow
    - file_permissions_unauthorized_world_writable
    - no_files_unowned_by_user
    - file_permissions_ungroupowned
    - file_permissions_unauthorized_suid
    - file_permissions_unauthorized_sgid
    - accounts_no_uid_except_zero
    - no_rsh_trust_files

==> scap-security-guide-0.1.39/rhel7/profiles/anssi_nt28_enhanced.profile <==
documentation_complete: false

title: '[DRAFT] ANSSI DAT-NT28 (enhanced)'

description: 'Draft profile for ANSSI compliance at the enhanced level. ANSSI stands for Agence nationale de la sécurité des systèmes d''information. Based on https://www.ssi.gouv.fr/.'
extends: anssi_nt28_intermediary

selections: []

==> scap-security-guide-0.1.39/rhel7/profiles/anssi_nt28_high.profile <==
documentation_complete: false

title: '[DRAFT] ANSSI DAT-NT28 (high)'

description: 'Draft profile for ANSSI compliance at the high level. ANSSI stands for Agence nationale de la sécurité des systèmes d''information. Based on https://www.ssi.gouv.fr/.'

extends: anssi_nt28_enhanced

selections: []

==> scap-security-guide-0.1.39/rhel7/profiles/anssi_nt28_intermediary.profile <==
documentation_complete: false

title: '[DRAFT] ANSSI DAT-NT28 (intermediary)'

description: 'Draft profile for ANSSI compliance at the intermediary level. ANSSI stands for Agence nationale de la sécurité des systèmes d''information. Based on https://www.ssi.gouv.fr/.'

extends: anssi_nt28_minimal

selections:
    - partition_for_tmp
    - partition_for_var
    - partition_for_var_log
    - partition_for_var_log_audit
    - partition_for_home
    - sshd_idle_timeout_value=5_minutes
    - rsyslog_files_ownership
    - rsyslog_files_groupownership
    - rsyslog_files_permissions
    - "!rsyslog_remote_loghost"
    - ensure_logrotate_activated
    - sysctl_fs_suid_dumpable
    - sysctl_kernel_randomize_va_space

==> scap-security-guide-0.1.39/rhel7/profiles/anssi_nt28_minimal.profile <==
documentation_complete: false

title: '[DRAFT] ANSSI DAT-NT28 (minimal)'

description: 'Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des systèmes d''information. Based on https://www.ssi.gouv.fr/.'
selections:
    - sudo_remove_nopasswd
    - sudo_remove_no_authenticate
    - package_rsyslog_installed
    - service_rsyslog_enabled
    - file_permissions_etc_shadow
    - file_permissions_etc_gshadow
    - file_permissions_etc_passwd
    - file_permissions_etc_group

==> scap-security-guide-0.1.39/rhel7/profiles/cjis.profile <==
documentation_complete: true

title: 'Criminal Justice Information Services (CJIS) Security Policy'

description: |-
    This profile is derived from FBI's CJIS v5.4
    Security Policy. A copy of this policy can be found at the CJIS Security Policy
    Resource Center:

    https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center

selections:
    - service_auditd_enabled
    - bootloader_audit_argument
    - auditd_data_retention_num_logs
    - auditd_data_retention_max_log_file
    - auditd_data_retention_max_log_file_action
    - auditd_data_retention_space_left_action
    - auditd_data_retention_admin_space_left_action
    - auditd_data_retention_action_mail_acct
    - auditd_audispd_syslog_plugin_activated
    - audit_rules_time_adjtimex
    - audit_rules_time_settimeofday
    - audit_rules_time_stime
    - audit_rules_time_clock_settime
    - audit_rules_time_watch_localtime
    - audit_rules_usergroup_modification
    - audit_rules_networkconfig_modification
    - file_permissions_var_log_audit
    - file_ownership_var_log_audit
    - audit_rules_mac_modification
    - audit_rules_dac_modification_chmod
    - audit_rules_dac_modification_chown
    - audit_rules_dac_modification_fchmod
    - audit_rules_dac_modification_fchmodat
    - audit_rules_dac_modification_fchown
    - audit_rules_dac_modification_fchownat
    - audit_rules_dac_modification_fremovexattr
    - audit_rules_dac_modification_fsetxattr
    - audit_rules_dac_modification_lchown
    - audit_rules_dac_modification_lremovexattr
    - audit_rules_dac_modification_lsetxattr
    - audit_rules_dac_modification_removexattr
    - audit_rules_dac_modification_setxattr
    - audit_rules_login_events
    - audit_rules_session_events
    - audit_rules_unsuccessful_file_modification
    - audit_rules_privileged_commands
    - audit_rules_media_export
    - audit_rules_file_deletion_events
    - audit_rules_sysadmin_actions
    - audit_rules_kernel_module_loading
    - audit_rules_immutable
    - account_unique_name
    - gid_passwd_group_same
    - accounts_password_all_shadowed
    - no_empty_passwords
    - display_login_attempts
    - var_accounts_password_minlen_login_defs=12
    - var_accounts_maximum_age_login_defs=90
    - var_password_pam_unix_remember=10
    - var_account_disable_post_pw_expiration=0
    - var_password_pam_minlen=12
    - var_accounts_minimum_age_login_defs=1
    - var_password_pam_difok=6
    - var_accounts_max_concurrent_login_sessions=3
    - account_disable_post_pw_expiration
    - accounts_password_pam_minlen
    - accounts_minimum_age_login_defs
    - accounts_password_pam_difok
    - accounts_max_concurrent_login_sessions
    - set_password_hashing_algorithm_systemauth
    - set_password_hashing_algorithm_logindefs
    - set_password_hashing_algorithm_libuserconf
    - userowner_shadow_file
    - groupowner_shadow_file
    - file_permissions_etc_shadow
    - file_owner_etc_group
    - file_groupowner_etc_group
    - file_permissions_etc_group
    - file_owner_etc_passwd
    - file_groupowner_etc_passwd
    - file_permissions_etc_passwd
    - file_user_owner_grub2_cfg
    - file_group_owner_grub2_cfg
    - var_password_pam_retry=5
    - var_accounts_passwords_pam_faillock_deny=5
    - var_accounts_passwords_pam_faillock_unlock_time=600
    - dconf_gnome_screensaver_idle_delay
    - dconf_gnome_screensaver_idle_activation_enabled
    - dconf_gnome_screensaver_lock_enabled
    - dconf_gnome_screensaver_mode_blank
    - sshd_allow_only_protocol2
    - sshd_set_idle_timeout
    - sshd_set_keepalive
    - sshd_disable_rhosts
    - disable_host_auth
    - sshd_disable_root_login
    - sshd_disable_empty_passwords
    - sshd_enable_warning_banner
    - sshd_do_not_permit_user_env
    - sshd_use_approved_ciphers
    - kernel_module_dccp_disabled
    - kernel_module_sctp_disabled
    - service_firewalld_enabled
    - set_firewalld_default_zone
    - firewalld_sshd_port_enabled
    - sshd_idle_timeout_value=30_minutes
    - inactivity_timeout_value=30_minutes
    - sysctl_net_ipv4_conf_default_accept_source_route
    - sysctl_net_ipv4_tcp_syncookies
    - sysctl_net_ipv4_conf_all_send_redirects
    - sysctl_net_ipv4_conf_default_send_redirects
    - sysctl_net_ipv4_conf_all_accept_redirects
    - sysctl_net_ipv4_conf_default_accept_redirects
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
    - var_password_pam_ocredit=1
    - var_password_pam_dcredit=1
    - var_password_pam_ucredit=1
    - var_password_pam_lcredit=1
    - package_aide_installed
    - disable_prelink
    - aide_build_database
    - aide_periodic_cron_checking
    - rpm_verify_permissions
    - rpm_verify_hashes
    - ensure_redhat_gpgkey_installed
    - ensure_gpgcheck_globally_activated
    - ensure_gpgcheck_never_disabled
    - security_patches_up_to_date
    - kernel_module_bluetooth_disabled

==> scap-security-guide-0.1.39/rhel7/profiles/docker-host.profile <==
documentation_complete: false

title: '[DRAFT] Standard Docker Host Security Profile'

description: "This profile contains rules to ensure standard security \n \
    baseline of Red Hat Enterprise Linux 7 system running the docker \n \
    \n \
    This discussion is currently being held on open-scap-list@redhat.com \n \
    and scap-security-guide@lists.fedorahosted.org."

selections:
    - service_docker_enabled
    - var_selinux_policy_name=targeted
    - var_selinux_state=enforcing
    - enable_selinux_bootloader
    - selinux_state
    - selinux_policytype
    - docker_selinux_enabled
    - docker_storage_configured

==> scap-security-guide-0.1.39/rhel7/profiles/hipaa.profile <==
documentation_complete: True

title: 'Health Insurance Portability and Accountability Act (HIPAA)'

description: |-
    The HIPAA Security Rule establishes U.S. national standards to protect individuals’
    electronic personal health information that is created, received, used, or
    maintained by a covered entity.
    The Security Rule requires appropriate administrative, physical and technical
    safeguards to ensure the confidentiality, integrity, and security of electronic
    protected health information.

    This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security
    Rule identified for securing of electronic protected health information.

selections:
    - bootloader_password
    - bootloader_uefi_password
    - file_group_owner_grub2_cfg
    - file_permissions_grub2_cfg
    - file_user_owner_grub2_cfg
    - disable_interactive_boot
    - no_direct_root_logins
    - no_empty_passwords
    - require_singleuser_auth
    - restrict_serial_port_logins
    - securetty_root_login_console_only
    - service_debug-shell_disabled
    - disable_ctrlaltdel_reboot
    - disable_ctrlaltdel_burstaction
    - dconf_gnome_remote_access_credential_prompt
    - dconf_gnome_remote_access_encryption
    - sshd_disable_empty_passwords
    - sshd_disable_root_login
    - libreswan_approved_tunnels
    - no_rsh_trust_files
    - package_rsh_removed
    - package_rsh-server_removed
    - package_talk_removed
    - package_talk-server_removed
    - package_telnet_removed
    - package_telnet-server_removed
    - package_xinetd_removed
    - package_ypbind_removed
    - package_ypserv_removed
    - service_crond_enabled
    - service_rexec_disabled
    - service_rlogin_disabled
    - service_rsh_disabled
    - service_telnet_disabled
    - service_xinetd_disabled
    - service_ypbind_disabled
    - service_zebra_disabled
    - use_kerberos_security_all_exports
    - disable_host_auth
    - sshd_allow_only_protocol2
    - sshd_disable_compression
    - sshd_disable_gssapi_auth
    - sshd_disable_kerb_auth
    - sshd_disable_rhosts_rsa
    - sshd_disable_rhosts
    - sshd_disable_user_known_hosts
    - sshd_do_not_permit_user_env
    - sshd_enable_strictmodes
    - sshd_enable_warning_banner
    - sshd_set_keepalive
    - sshd_use_priv_separation
    - encrypt_partitions
    - sshd_use_approved_ciphers
    - sshd_use_approved_macs
    - var_selinux_policy_name=targeted
    - var_selinux_state=enforcing
    - enable_selinux_bootloader
    - sebool_selinuxuser_execheap
    - sebool_selinuxuser_execmod
    - sebool_selinuxuser_execstack
    - selinux_confinement_of_daemons
    - selinux_policytype
    - selinux_state
    - service_kdump_disabled
    - sysctl_fs_suid_dumpable
    - sysctl_kernel_dmesg_restrict
    - sysctl_kernel_exec_shield
    - sysctl_kernel_randomize_va_space
    - rpm_verify_hashes
    - rpm_verify_permissions
    - ensure_redhat_gpgkey_installed
    - ensure_gpgcheck_globally_activated
    - ensure_gpgcheck_never_disabled
    - ensure_gpgcheck_repo_metadata
    - ensure_gpgcheck_local_packages
    - bootloader_audit_argument
    - service_auditd_enabled
    - audit_rules_privileged_commands_sudo
    - audit_rules_privileged_commands_su
    - audit_rules_immutable
    - kernel_module_usb-storage_disabled
    - service_autofs_disabled
    - auditd_audispd_syslog_plugin_activated
    - rsyslog_remote_loghost
    - auditd_data_retention_flush
    - audit_rules_dac_modification_chmod
    - audit_rules_dac_modification_chown
    - audit_rules_dac_modification_fchmodat
    - audit_rules_dac_modification_fchmod
    - audit_rules_dac_modification_fchownat
    - audit_rules_dac_modification_fchown
    - audit_rules_dac_modification_fremovexattr
    - audit_rules_dac_modification_fsetxattr
    - audit_rules_dac_modification_lchown
    - audit_rules_dac_modification_lremovexattr
    - audit_rules_dac_modification_lsetxattr
    - audit_rules_dac_modification_removexattr
    - audit_rules_dac_modification_setxattr
    - audit_rules_execution_chcon
    - audit_rules_execution_restorecon
    - audit_rules_execution_semanage
    - audit_rules_execution_setsebool
    - audit_rules_file_deletion_events_renameat
    - audit_rules_file_deletion_events_rename
    - audit_rules_file_deletion_events_rmdir
    - audit_rules_file_deletion_events_unlinkat
    - audit_rules_file_deletion_events_unlink
    - audit_rules_kernel_module_loading_delete
    - audit_rules_kernel_module_loading_init
    - audit_rules_kernel_module_loading_insmod
    - audit_rules_kernel_module_loading_modprobe
    - audit_rules_kernel_module_loading_rmmod
    - audit_rules_login_events_faillock
    - audit_rules_login_events_lastlog
    - audit_rules_login_events_tallylog
    - audit_rules_mac_modification
    - audit_rules_media_export
    - audit_rules_networkconfig_modification
    - audit_rules_privileged_commands_chage
    - audit_rules_privileged_commands_chsh
    - audit_rules_privileged_commands_crontab
    - audit_rules_privileged_commands_gpasswd
    - audit_rules_privileged_commands_newgrp
    - audit_rules_privileged_commands_pam_timestamp_check
    - audit_rules_privileged_commands_passwd
    - audit_rules_privileged_commands_postdrop
    - audit_rules_privileged_commands_postqueue
    - audit_rules_privileged_commands_ssh_keysign
    - audit_rules_privileged_commands_sudoedit
    - audit_rules_privileged_commands_umount
    - audit_rules_privileged_commands_unix_chkpwd
    - audit_rules_privileged_commands_userhelper
    - audit_rules_session_events
    - audit_rules_sysadmin_actions
    - audit_rules_system_shutdown
    - audit_rules_time_adjtimex
    - audit_rules_time_clock_settime
    - audit_rules_time_settimeofday
    - audit_rules_time_stime
    - audit_rules_time_watch_localtime
    - audit_rules_unsuccessful_file_modification_creat
    - audit_rules_unsuccessful_file_modification_ftruncate
    - audit_rules_unsuccessful_file_modification_openat
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - audit_rules_unsuccessful_file_modification_open
    - audit_rules_unsuccessful_file_modification_truncate
    - audit_rules_usergroup_modification_group
    - audit_rules_usergroup_modification_gshadow
    - audit_rules_usergroup_modification_opasswd
    - audit_rules_usergroup_modification_passwd
    - audit_rules_usergroup_modification_shadow

==> scap-security-guide-0.1.39/rhel7/profiles/nist-800-171-cui.profile <==
documentation_complete: true

title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'

description: "From NIST 800-171, Section 2.2:\nSecurity requirements for protecting the confidentiality of CUI in nonfederal\
    \ \ninformation systems and organizations have a well-defined structure that \nconsists of:\n\n(i) a basic security requirements\
    \ section;\n(ii) a derived security requirements section.\n\nThe basic security requirements are obtained from FIPS Publication\
    \ 200, which\nprovides the high-level and fundamental security requirements for federal\ninformation and information systems.\
    \ The derived security requirements, which\nsupplement the basic security requirements, are taken from the security controls\n\
    in NIST Special Publication 800-53.\n\nThis profile configures Red Hat Enterprise Linux 7 to the NIST Special\nPublication\
    \ 800-53 controls identified for securing Controlled Unclassified\nInformation (CUI)."

extends: ospp

selections:
    - inactivity_timeout_value=10_minutes

==> scap-security-guide-0.1.39/rhel7/profiles/ospp.profile <==
documentation_complete: true

title: 'United States Government Configuration Baseline'

description: "This compliance profile reflects the core set of security \n \
    related configuration settings for deployment of Red Hat Enterprise \n \
    Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. \n \
    Development partners and sponsors include the U.S. National Institute \n \
    of Standards and Technology (NIST), U.S. Department of Defense, \n \
    the National Security Agency, and Red Hat. \n \
    \n \
    This baseline implements configuration requirements from the following \n \
    sources: \n \
    \n \
    - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) \n \
    - NIST Controlled Unclassified Information (NIST 800-171) \n \
    - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) \n \
    - U.S. Government Configuration Baseline (USGCB) \n \
    - NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0) \n \
    - DISA Operating System Security Requirements Guide (OS SRG) \n \
    \n \
    For any differing configuration requirements, e.g. password lengths, the stricter \n \
    security setting was chosen. Security Requirement Traceability Guides (RTMs) and \n \
    sample System Security Configuration Guides are provided via the \n \
    scap-security-guide-docs package. \n \
    \n \
    This profile reflects U.S. Government consensus content and is developed through \n \
    the OpenSCAP/SCAP Security Guide initiative, championed by the National \n \
    Security Agency. Except for differences in formatting to accommodate \n \
    publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide \n \
    content as minor divergences, such as bugfixes, work through the \n \
    consensus and release processes."

selections:
    - installed_OS_is_certified
    - login_banner_text=usgcb_default
    - inactivity_timeout_value=15_minutes
    - var_password_pam_minlen=15
    - accounts_password_pam_minlen
    - accounts_password_minlen_login_defs
    - var_password_pam_ocredit=1
    - accounts_password_pam_ocredit
    - var_password_pam_dcredit=1
    - accounts_password_pam_dcredit
    - var_password_pam_ucredit=1
    - accounts_password_pam_ucredit
    - var_password_pam_lcredit=1
    - accounts_password_pam_lcredit
    - package_screen_installed
    - sshd_idle_timeout_value=10_minutes
    - sshd_set_idle_timeout
    - accounts_password_all_shadowed
    - bootloader_password
    - bootloader_uefi_password
    - disable_interactive_boot
    - no_direct_root_logins
    - no_empty_passwords
    - require_singleuser_auth
    - restrict_serial_port_logins
    - securetty_root_login_console_only
    - service_debug-shell_disabled
    - sshd_disable_empty_passwords
    - sshd_disable_root_login
    - var_accounts_fail_delay=4
    - var_accounts_passwords_pam_faillock_deny=3
    - var_accounts_passwords_pam_faillock_fail_interval=900
    - var_accounts_passwords_pam_faillock_unlock_time=never
    - var_password_pam_retry=3
    - accounts_logon_fail_delay
    - accounts_password_pam_retry
    - accounts_passwords_pam_faillock_deny_root
    - accounts_passwords_pam_faillock_deny
    - accounts_passwords_pam_faillock_interval
    - accounts_passwords_pam_faillock_unlock_time
    - sshd_listening_port=default
    - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
    - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
    - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
    - sysctl_net_ipv4_tcp_syncookies_value=enabled
    - service_firewalld_enabled
    - set_firewalld_default_zone
    - firewalld_sshd_port_enabled
    - sysctl_net_ipv6_conf_all_disable_ipv6
    - sysctl_net_ipv4_conf_all_accept_redirects
    - sysctl_net_ipv4_conf_all_accept_source_route
    - sysctl_net_ipv4_conf_all_log_martians
    - sysctl_net_ipv4_conf_all_rp_filter
    - sysctl_net_ipv4_conf_all_secure_redirects
    - sysctl_net_ipv4_conf_all_send_redirects
    - sysctl_net_ipv4_conf_default_accept_redirects
    - sysctl_net_ipv4_conf_default_accept_source_route
    - sysctl_net_ipv4_conf_default_log_martians
    - sysctl_net_ipv4_conf_default_rp_filter
    - sysctl_net_ipv4_conf_default_secure_redirects
    - sysctl_net_ipv4_conf_default_send_redirects
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
    - sysctl_net_ipv4_ip_forward
    - sysctl_net_ipv4_tcp_syncookies
    - sysctl_net_ipv6_conf_all_accept_ra
    - sysctl_net_ipv6_conf_all_accept_redirects
    - sysctl_net_ipv6_conf_all_accept_source_route
    - sysctl_net_ipv6_conf_all_forwarding
    - sysctl_net_ipv6_conf_default_accept_ra
    - sysctl_net_ipv6_conf_default_accept_redirects
    - sysctl_net_ipv6_conf_default_accept_source_route
    - auditd_audispd_syslog_plugin_activated
    - rsyslog_remote_loghost
    - var_auditd_action_mail_acct=root
    - var_auditd_admin_space_left_action=single
    - var_auditd_flush=data
    - var_auditd_max_log_file_action=rotate
    - var_auditd_max_log_file=6
    - var_auditd_num_logs=5
    - var_auditd_space_left_action=email
    - auditd_data_retention_action_mail_acct
    - auditd_data_retention_admin_space_left_action
    - auditd_data_retention_max_log_file_action
    - auditd_data_retention_max_log_file
    - auditd_data_retention_num_logs
    - auditd_data_retention_space_left_action
    - file_permissions_var_log_audit
    - auditd_data_retention_flush
    - audit_rules_dac_modification_chmod
    - audit_rules_dac_modification_chown
    - audit_rules_dac_modification_fchmodat
    - audit_rules_dac_modification_fchmod
    - audit_rules_dac_modification_fchownat
    - audit_rules_dac_modification_fchown
    - audit_rules_dac_modification_fremovexattr
    - audit_rules_dac_modification_fsetxattr
    - audit_rules_dac_modification_lchown
    - audit_rules_dac_modification_lremovexattr
    - audit_rules_dac_modification_lsetxattr
    - audit_rules_dac_modification_removexattr
    - audit_rules_dac_modification_setxattr
    - audit_rules_execution_chcon
    - audit_rules_execution_restorecon
    - audit_rules_execution_semanage
    - audit_rules_execution_setsebool
    - audit_rules_file_deletion_events_renameat
    - audit_rules_file_deletion_events_rename
    - audit_rules_file_deletion_events_rmdir
    - audit_rules_file_deletion_events
    - audit_rules_file_deletion_events_unlinkat
    - audit_rules_file_deletion_events_unlink
    - audit_rules_immutable
    - audit_rules_kernel_module_loading_delete
    - audit_rules_kernel_module_loading_init
    - audit_rules_kernel_module_loading_insmod
    - audit_rules_kernel_module_loading_modprobe
    - audit_rules_kernel_module_loading_rmmod
    - audit_rules_login_events_faillock
    - audit_rules_login_events_lastlog
    - audit_rules_login_events_tallylog
    - audit_rules_mac_modification
    - audit_rules_media_export
    - audit_rules_networkconfig_modification
    - audit_rules_privileged_commands_chage
    - audit_rules_privileged_commands_chsh
    - audit_rules_privileged_commands_crontab
    - audit_rules_privileged_commands_gpasswd
    - audit_rules_privileged_commands_newgrp
    - audit_rules_privileged_commands_pam_timestamp_check
    - audit_rules_privileged_commands_passwd
    - audit_rules_privileged_commands_postdrop
    - audit_rules_privileged_commands_postqueue
    - audit_rules_privileged_commands
    - audit_rules_privileged_commands_ssh_keysign
    - audit_rules_privileged_commands_sudoedit
    - audit_rules_privileged_commands_sudo
    - audit_rules_privileged_commands_su
    - audit_rules_privileged_commands_umount
    - audit_rules_privileged_commands_unix_chkpwd
    - audit_rules_privileged_commands_userhelper
    - audit_rules_session_events
    - audit_rules_sysadmin_actions
    - audit_rules_system_shutdown
    - audit_rules_time_adjtimex
    - audit_rules_time_clock_settime
    - audit_rules_time_settimeofday
    - audit_rules_time_stime
    - audit_rules_time_watch_localtime
    - audit_rules_unsuccessful_file_modification_creat
    - audit_rules_unsuccessful_file_modification_ftruncate
    - audit_rules_unsuccessful_file_modification_openat
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - audit_rules_unsuccessful_file_modification_open
    - audit_rules_unsuccessful_file_modification_truncate
    - audit_rules_usergroup_modification_group
    - audit_rules_usergroup_modification_gshadow
    - audit_rules_usergroup_modification_opasswd
    - audit_rules_usergroup_modification_passwd
    - audit_rules_usergroup_modification_shadow
    - bootloader_audit_argument
    - rsyslog_cron_logging
    - rsyslog_nolisten
    - service_auditd_enabled
    - var_multiple_time_servers=rhel
    - chronyd_or_ntpd_specify_remote_server
    - chronyd_or_ntpd_specify_multiple_servers
    - service_chronyd_or_ntpd_enabled
    - security_patches_up_to_date
    - wireless_disable_interfaces
    - kernel_module_bluetooth_disabled
    - service_bluetooth_disabled
    - kernel_module_usb-storage_disabled
    - service_autofs_disabled
    - disable_ctrlaltdel_reboot
    - disable_ctrlaltdel_burstaction
    - libreswan_approved_tunnels
    - no_rsh_trust_files
    - package_rsh_removed
    - package_rsh-server_removed
    - package_talk_removed
    - package_talk-server_removed
    - package_telnet_removed
    - package_telnet-server_removed
    - package_xinetd_removed
    - package_ypbind_removed
    - package_ypserv_removed
    - service_crond_enabled
    - service_rexec_disabled
    - service_rlogin_disabled
    - service_rsh_disabled
    - sshd_required=yes
    - service_sshd_enabled
    - service_telnet_disabled
    - service_xinetd_disabled
    - service_ypbind_disabled
    - service_zebra_disabled
    - use_kerberos_security_all_exports
    - disable_host_auth
    - sshd_allow_only_protocol2
    - sshd_disable_compression
    - sshd_disable_gssapi_auth
    - sshd_disable_kerb_auth
    - sshd_disable_rhosts_rsa
    - sshd_disable_rhosts
    - sshd_disable_user_known_hosts
    - sshd_do_not_permit_user_env
    - sshd_enable_strictmodes
    - sshd_enable_warning_banner
    - sshd_set_keepalive
    - sshd_use_approved_ciphers
    - sshd_use_approved_macs
    - sshd_use_priv_separation
    - var_accounts_user_umask=077
    - var_selinux_policy_name=targeted
    - var_selinux_state=enforcing
    - accounts_no_uid_except_zero
    - accounts_umask_etc_login_defs
    - dir_perms_world_writable_system_owned
    - enable_selinux_bootloader
    - file_group_owner_grub2_cfg
    - file_groupowner_cron_allow
    - file_owner_cron_allow
    - file_ownership_var_log_audit
    - file_permissions_grub2_cfg
    - file_permissions_sshd_private_key
    - file_permissions_sshd_pub_key
    - file_permissions_ungroupowned
    - file_user_owner_grub2_cfg
    - gid_passwd_group_same
    - mount_option_krb_sec_remote_filesystems
    - mount_option_nodev_remote_filesystems
    - mount_option_nodev_removable_partitions
    - mount_option_noexec_removable_partitions
    - mount_option_nosuid_remote_filesystems
    - mount_option_nosuid_removable_partitions
    - no_files_unowned_by_user
    - rpm_verify_permissions
    - sebool_abrt_anon_write
    - sebool_abrt_handle_event
    - sebool_abrt_upload_watch_anon_write
    - sebool_auditadm_exec_content
    - sebool_cron_can_relabel
    - sebool_cron_system_cronjob_use_shares
    - sebool_cron_userdomain_transition
    - sebool_daemons_dump_core
    - sebool_daemons_use_tcp_wrapper
    - sebool_daemons_use_tty
    - sebool_deny_execmem
    - sebool_deny_ptrace
    - sebool_domain_fd_use
    - sebool_domain_kernel_load_modules
    - sebool_fips_mode
    - sebool_gpg_web_anon_write
    - sebool_guest_exec_content
    - sebool_kerberos_enabled
    - sebool_logadm_exec_content
    - sebool_logging_syslogd_can_sendmail
    - sebool_logging_syslogd_use_tty
    - sebool_login_console_enabled
    - sebool_mmap_low_allowed
    - sebool_mock_enable_homedirs
    - sebool_mount_anyfile
    - sebool_polyinstantiation_enabled
    - sebool_secadm_exec_content
    - sebool_secure_mode
    - sebool_secure_mode_insmod
- sebool_secure_mode_policyload - sebool_selinuxuser_direct_dri_enabled - sebool_selinuxuser_execheap - sebool_selinuxuser_execmod - sebool_selinuxuser_execstack - sebool_selinuxuser_mysql_connect_enabled - sebool_selinuxuser_ping - sebool_selinuxuser_postgresql_connect_enabled - sebool_selinuxuser_rw_noexattrfile - sebool_selinuxuser_share_music - sebool_selinuxuser_tcp_server - sebool_selinuxuser_udp_server - sebool_selinuxuser_use_ssh_chroot - sebool_ssh_chroot_rw_homedirs - sebool_ssh_keysign - sebool_ssh_sysadm_login - sebool_staff_exec_content - sebool_sysadm_exec_content - sebool_unconfined_login - sebool_use_ecryptfs_home_dirs - sebool_user_exec_content - sebool_xdm_bind_vnc_tcp_port - sebool_xdm_exec_bootloader - sebool_xdm_sysadm_login - sebool_xdm_write_home - sebool_xguest_connect_network - sebool_xguest_exec_content - sebool_xguest_mount_media - sebool_xguest_use_bluetooth - sebool_xserver_clients_write_xshm - sebool_xserver_execmem - sebool_xserver_object_manager - selinux_all_devicefiles_labeled - selinux_confinement_of_daemons - selinux_policytype - selinux_state - aide_build_database - aide_periodic_cron_checking - aide_scan_notification - aide_use_fips_hashes - aide_verify_acls - aide_verify_ext_attributes - disable_prelink - grub2_enable_fips_mode - install_antivirus - install_hids - ldap_client_start_tls - package_aide_installed - package_dracut-fips_installed - rpm_verify_hashes - install_PAE_kernel_on_x86-32 - service_kdump_disabled - sysctl_fs_suid_dumpable - sysctl_kernel_dmesg_restrict - sysctl_kernel_exec_shield - sysctl_kernel_randomize_va_space - var_account_disable_post_pw_expiration=35 - var_accounts_max_concurrent_login_sessions=10 - var_accounts_maximum_age_login_defs=60 - var_accounts_minimum_age_login_defs=7 - var_accounts_password_minlen_login_defs=6 - var_accounts_password_warn_age_login_defs=7 - var_accounts_tmout=10_min - var_password_pam_difok=8 - var_password_pam_maxclassrepeat=4 - var_password_pam_maxrepeat=2 - 
var_password_pam_minclass=4 - var_password_pam_unix_remember=5 - account_disable_post_pw_expiration - accounts_max_concurrent_login_sessions - accounts_maximum_age_login_defs - accounts_minimum_age_login_defs - accounts_password_pam_difok - accounts_password_pam_maxclassrepeat - accounts_password_pam_maxrepeat - accounts_password_pam_minclass - accounts_password_pam_unix_remember - accounts_password_warn_age_login_defs - accounts_tmout - banner_etc_issue - display_login_attempts - set_password_hashing_algorithm_libuserconf - set_password_hashing_algorithm_logindefs - set_password_hashing_algorithm_systemauth - smartcard_auth - sssd_memcache_timeout - sssd_offline_cred_expiration - sssd_ssh_known_hosts_timeout - encrypt_partitions - ensure_redhat_gpgkey_installed - ensure_gpgcheck_globally_activated - ensure_gpgcheck_never_disabled - ensure_gpgcheck_repo_metadata - ensure_gpgcheck_local_packages - network_sniffer_disabled - network_ipv6_disable_rpc - network_ipv6_privacy_extensions - dconf_gnome_banner_enabled - dconf_gnome_disable_automount - dconf_gnome_disable_ctrlaltdel_reboot - dconf_gnome_disable_geolocation - dconf_gnome_disable_restart_shutdown - dconf_gnome_disable_thumbnailers - dconf_gnome_disable_user_admin - dconf_gnome_disable_user_list - dconf_gnome_disable_wifi_create - dconf_gnome_disable_wifi_notification - dconf_gnome_enable_smartcard_auth - dconf_gnome_login_banner_text - dconf_gnome_login_retries - dconf_gnome_remote_access_credential_prompt - dconf_gnome_remote_access_encryption - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_delay - dconf_gnome_screensaver_lock_enabled - dconf_gnome_screensaver_mode_blank - dconf_gnome_screensaver_user_info - dconf_gnome_screensaver_user_locks - dconf_gnome_session_idle_user_locks - enable_dconf_user_profile - sshd_enable_x11_forwarding - gnome_gdm_disable_automatic_login - gnome_gdm_disable_guest_login - clean_components_post_updating - 
kernel_module_cramfs_disabled - kernel_module_dccp_disabled - kernel_module_freevxfs_disabled - kernel_module_hfs_disabled - kernel_module_hfsplus_disabled - kernel_module_jffs2_disabled - kernel_module_sctp_disabled - kernel_module_squashfs_disabled scap-security-guide-0.1.39/rhel7/profiles/ospp42-draft.profile000066400000000000000000000135101327242345500241540ustar00rootroot00000000000000documentation_complete: false title: '[DRAFT] Protection Profile for General Purpose Operating Systems' description: "This profile reflects mandatory configuration controls identified\nin the NIAP Configuration Annex to the Protection\ \ Profile for General Purpose Operating\nSystems (Protection Profile Version 4.2 draft). \n\nThis Annex is consistent\ \ with CNSSI-1253, which requires US National Security\nSystems to adhere to certain configuration parameters. Accordingly,\ \ configuration\nguidance produced according to the requirements of this Annex is suitable for use\nin US National Security\ \ Systems." 
selections: - installed_OS_is_certified - bootloader_audit_argument - service_auditd_enabled - grub2_enable_fips_mode - rpm_verify_hashes - selinux_all_devicefiles_labeled - selinux_confinement_of_daemons - selinux_policytype - selinux_state - audit_rules_immutable - var_selinux_policy_name=targeted - var_selinux_state=enforcing - var_password_pam_minlen=12 - accounts_password_pam_minlen - accounts_password_minlen_login_defs - var_password_pam_ocredit=1 - accounts_password_pam_ocredit - var_password_pam_dcredit=1 - accounts_password_pam_dcredit - var_password_pam_ucredit=1 - accounts_password_pam_ucredit - var_password_pam_lcredit=1 - accounts_password_pam_lcredit - package_screen_installed - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_delay - dconf_gnome_screensaver_lock_enabled - dconf_gnome_screensaver_mode_blank - dconf_gnome_screensaver_user_info - dconf_gnome_screensaver_user_locks - dconf_gnome_session_idle_user_locks - accounts_tmout - bootloader_password - bootloader_uefi_password - disable_interactive_boot - no_empty_passwords - require_singleuser_auth - service_debug-shell_disabled - sshd_disable_empty_passwords - sshd_disable_root_login - gnome_gdm_disable_automatic_login - gnome_gdm_disable_guest_login - sssd_offline_cred_expiration - sssd_memcache_timeout - disable_host_auth - sshd_disable_gssapi_auth - sshd_disable_kerb_auth - sshd_disable_rhosts_rsa - sshd_disable_rhosts - sshd_disable_user_known_hosts - var_accounts_passwords_pam_faillock_deny=3 - var_accounts_passwords_pam_faillock_fail_interval=900 - var_accounts_passwords_pam_faillock_unlock_time=never - var_password_pam_retry=3 - accounts_password_pam_retry - accounts_passwords_pam_faillock_deny_root - accounts_passwords_pam_faillock_deny - accounts_passwords_pam_faillock_interval - accounts_passwords_pam_faillock_unlock_time - dconf_gnome_login_retries - service_firewalld_enabled - set_firewalld_default_zone - 
auditd_audispd_syslog_plugin_activated - auditd_audispd_configure_remote_server - rsyslog_remote_loghost - auditd_audispd_encrypt_sent_records - login_banner_text=usgcb_default - sshd_enable_warning_banner - banner_etc_issue - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - audit_rules_login_events_faillock - audit_rules_login_events_lastlog - audit_rules_login_events_tallylog - audit_rules_unsuccessful_file_modification_creat - audit_rules_unsuccessful_file_modification_openat - audit_rules_unsuccessful_file_modification_open_by_handle_at - audit_rules_unsuccessful_file_modification_open - audit_rules_unsuccessful_file_modification_ftruncate - audit_rules_unsuccessful_file_modification_truncate - audit_rules_file_deletion_events_renameat - audit_rules_file_deletion_events_rename - audit_rules_file_deletion_events_rmdir - audit_rules_file_deletion_events_unlinkat - audit_rules_file_deletion_events_unlink - audit_rules_dac_modification_chmod - audit_rules_dac_modification_fchmodat - audit_rules_dac_modification_fchmod - audit_rules_dac_modification_fremovexattr - audit_rules_dac_modification_fsetxattr - audit_rules_dac_modification_lremovexattr - audit_rules_dac_modification_lsetxattr - audit_rules_dac_modification_removexattr - audit_rules_dac_modification_setxattr - audit_rules_execution_chcon - audit_rules_execution_restorecon - audit_rules_execution_semanage - audit_rules_execution_setsebool - audit_rules_mac_modification - audit_rules_dac_modification_chown - audit_rules_dac_modification_fchownat - audit_rules_dac_modification_fchown - audit_rules_dac_modification_lchown - audit_rules_privileged_commands_passwd - audit_rules_privileged_commands_unix_chkpwd - audit_rules_privileged_commands_userhelper - audit_rules_privileged_commands_chage - audit_rules_privileged_commands_chsh - audit_rules_privileged_commands_pt_chown - audit_rules_sysadmin_actions - audit_rules_privileged_commands_gpasswd - audit_rules_privileged_commands_newgrp - 
audit_rules_usergroup_modification_group - audit_rules_usergroup_modification_gshadow - audit_rules_usergroup_modification_opasswd - audit_rules_usergroup_modification_passwd - audit_rules_usergroup_modification_shadow - audit_rules_privileged_commands_sudoedit - audit_rules_privileged_commands_sudo - audit_rules_privileged_commands_su - audit_rules_session_events - ensure_redhat_gpgkey_installed - ensure_gpgcheck_globally_activated - ensure_gpgcheck_never_disabled - ensure_gpgcheck_local_packages - audit_rules_privileged_commands_ssh_keysign - rsyslog_cron_logging - audit_rules_kernel_module_loading_delete - audit_rules_kernel_module_loading_init - audit_rules_kernel_module_loading_insmod - audit_rules_kernel_module_loading_modprobe - audit_rules_kernel_module_loading_rmmod - security_patches_up_to_date scap-security-guide-0.1.39/rhel7/profiles/pci-dss.profile000066400000000000000000000100141327242345500232650ustar00rootroot00000000000000documentation_complete: true title: '[DRAFT] PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7' description: 'Ensures PCI-DSS v3 related security configuration settings \n \ are applied.' 
selections: - var_password_pam_unix_remember=4 - var_account_disable_post_pw_expiration=90 - var_accounts_passwords_pam_faillock_deny=6 - var_accounts_passwords_pam_faillock_unlock_time=1800 - sshd_idle_timeout_value=15_minutes - var_password_pam_minlen=7 - var_password_pam_minclass=2 - var_accounts_maximum_age_login_defs=90 - var_auditd_num_logs=5 - service_auditd_enabled - bootloader_audit_argument - auditd_data_retention_num_logs - auditd_data_retention_max_log_file - auditd_data_retention_max_log_file_action - auditd_data_retention_space_left_action - auditd_data_retention_admin_space_left_action - auditd_data_retention_action_mail_acct - auditd_audispd_syslog_plugin_activated - audit_rules_time_adjtimex - audit_rules_time_settimeofday - audit_rules_time_stime - audit_rules_time_clock_settime - audit_rules_time_watch_localtime - audit_rules_usergroup_modification - audit_rules_networkconfig_modification - file_permissions_var_log_audit - file_ownership_var_log_audit - audit_rules_mac_modification - audit_rules_dac_modification_chmod - audit_rules_dac_modification_chown - audit_rules_dac_modification_fchmod - audit_rules_dac_modification_fchmodat - audit_rules_dac_modification_fchown - audit_rules_dac_modification_fchownat - audit_rules_dac_modification_fremovexattr - audit_rules_dac_modification_fsetxattr - audit_rules_dac_modification_lchown - audit_rules_dac_modification_lremovexattr - audit_rules_dac_modification_lsetxattr - audit_rules_dac_modification_removexattr - audit_rules_dac_modification_setxattr - audit_rules_login_events - audit_rules_session_events - audit_rules_unsuccessful_file_modification - audit_rules_privileged_commands - audit_rules_media_export - audit_rules_file_deletion_events - audit_rules_sysadmin_actions - audit_rules_kernel_module_loading - audit_rules_immutable - var_multiple_time_servers=rhel - service_chronyd_or_ntpd_enabled - chronyd_or_ntpd_specify_remote_server - chronyd_or_ntpd_specify_multiple_servers - rpm_verify_permissions 
- rpm_verify_hashes - install_hids - rsyslog_files_permissions - rsyslog_files_ownership - rsyslog_files_groupownership - ensure_logrotate_activated - package_aide_installed - disable_prelink - aide_build_database - aide_periodic_cron_checking - account_unique_name - gid_passwd_group_same - accounts_password_all_shadowed - no_empty_passwords - display_login_attempts - account_disable_post_pw_expiration - accounts_passwords_pam_faillock_deny - accounts_passwords_pam_faillock_unlock_time - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_lock_enabled - dconf_gnome_screensaver_mode_blank - sshd_set_idle_timeout - accounts_password_pam_minlen - accounts_password_pam_dcredit - accounts_password_pam_ucredit - accounts_password_pam_lcredit - accounts_password_pam_unix_remember - accounts_maximum_age_login_defs - ensure_redhat_gpgkey_installed - ensure_gpgcheck_globally_activated - ensure_gpgcheck_never_disabled - security_patches_up_to_date - smartcard_auth - set_password_hashing_algorithm_systemauth - set_password_hashing_algorithm_logindefs - set_password_hashing_algorithm_libuserconf - userowner_shadow_file - groupowner_shadow_file - file_permissions_etc_shadow - file_owner_etc_group - file_groupowner_etc_group - file_permissions_etc_group - file_owner_etc_passwd - file_groupowner_etc_passwd - file_permissions_etc_passwd - file_user_owner_grub2_cfg - file_group_owner_grub2_cfg - package_libreswan_installed scap-security-guide-0.1.39/rhel7/profiles/rht-ccp.profile000066400000000000000000000064471327242345500233020ustar00rootroot00000000000000documentation_complete: true title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' description: 'This profile contains the minimum security relevant \n \ configuration settings recommended by Red Hat, Inc for \n \ Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified \n \ Cloud Providers.' 
selections: - var_selinux_state=enforcing - var_selinux_policy_name=targeted - file_owner_logfiles_value=root - file_groupowner_logfiles_value=root - sshd_idle_timeout_value=5_minutes - var_accounts_password_minlen_login_defs=6 - var_accounts_minimum_age_login_defs=7 - var_accounts_passwords_pam_faillock_deny=5 - var_accounts_password_warn_age_login_defs=7 - var_password_pam_retry=3 - var_password_pam_dcredit=1 - var_password_pam_ucredit=2 - var_password_pam_ocredit=2 - var_password_pam_lcredit=2 - var_password_pam_difok=3 - var_password_pam_unix_remember=5 - var_accounts_user_umask=077 - login_banner_text=usgcb_default - partition_for_tmp - partition_for_var - partition_for_var_log - partition_for_var_log_audit - selinux_state - selinux_policytype - ensure_redhat_gpgkey_installed - security_patches_up_to_date - ensure_gpgcheck_globally_activated - ensure_gpgcheck_never_disabled - package_aide_installed - accounts_password_pam_unix_remember - no_shelllogin_for_systemaccounts - no_empty_passwords - accounts_password_all_shadowed - accounts_no_uid_except_zero - accounts_password_minlen_login_defs - accounts_minimum_age_login_defs - accounts_password_warn_age_login_defs - accounts_password_pam_retry - accounts_password_pam_dcredit - accounts_password_pam_ucredit - accounts_password_pam_ocredit - accounts_password_pam_lcredit - accounts_password_pam_difok - accounts_passwords_pam_faillock_deny - set_password_hashing_algorithm_systemauth - set_password_hashing_algorithm_logindefs - set_password_hashing_algorithm_libuserconf - require_singleuser_auth - userowner_shadow_file - groupowner_shadow_file - file_permissions_etc_shadow - file_owner_etc_gshadow - file_groupowner_etc_gshadow - file_permissions_etc_gshadow - file_owner_etc_passwd - file_groupowner_etc_passwd - file_permissions_etc_passwd - file_owner_etc_group - file_groupowner_etc_group - file_permissions_etc_group - file_permissions_library_dirs - file_ownership_library_dirs - file_permissions_binary_dirs - 
file_ownership_binary_dirs - file_permissions_var_log_audit - file_user_owner_grub2_cfg - file_group_owner_grub2_cfg - file_permissions_grub2_cfg - bootloader_password - kernel_module_dccp_disabled - kernel_module_sctp_disabled - service_firewalld_enabled - set_firewalld_default_zone - firewalld_sshd_port_enabled - service_abrtd_disabled - service_telnet_disabled - package_telnet-server_removed - package_telnet_removed - sshd_allow_only_protocol2 - sshd_set_idle_timeout - sshd_set_keepalive - sshd_disable_rhosts - disable_host_auth - sshd_disable_root_login - sshd_disable_empty_passwords - sshd_enable_warning_banner - sshd_do_not_permit_user_env - sshd_use_approved_ciphers scap-security-guide-0.1.39/rhel7/profiles/standard.profile000066400000000000000000000042551327242345500235350ustar00rootroot00000000000000documentation_complete: true title: 'Standard System Security Profile for Red Hat Enterprise Linux 7' description: |- This profile contains rules to ensure standard security baseline of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload all of these checks should pass. 
selections: - ensure_redhat_gpgkey_installed - ensure_gpgcheck_globally_activated - rpm_verify_permissions - rpm_verify_hashes - security_patches_up_to_date - no_empty_passwords - file_permissions_unauthorized_sgid - file_permissions_unauthorized_suid - file_permissions_unauthorized_world_writable - accounts_root_path_dirs_no_write - dir_perms_world_writable_sticky_bits - mount_option_dev_shm_nodev - mount_option_dev_shm_nosuid - partition_for_var_log - partition_for_var_log_audit - package_rsyslog_installed - service_rsyslog_enabled - audit_rules_time_adjtimex - audit_rules_time_settimeofday - audit_rules_time_stime - audit_rules_time_clock_settime - audit_rules_time_watch_localtime - audit_rules_usergroup_modification - audit_rules_networkconfig_modification - audit_rules_mac_modification - audit_rules_dac_modification_chmod - audit_rules_dac_modification_chown - audit_rules_dac_modification_fchmod - audit_rules_dac_modification_fchmodat - audit_rules_dac_modification_fchown - audit_rules_dac_modification_fchownat - audit_rules_dac_modification_fremovexattr - audit_rules_dac_modification_fsetxattr - audit_rules_dac_modification_lchown - audit_rules_dac_modification_lremovexattr - audit_rules_dac_modification_lsetxattr - audit_rules_dac_modification_removexattr - audit_rules_dac_modification_setxattr - audit_rules_unsuccessful_file_modification - audit_rules_privileged_commands - audit_rules_media_export - audit_rules_file_deletion_events - audit_rules_sysadmin_actions - audit_rules_kernel_module_loading - service_abrtd_disabled - service_atd_disabled - service_autofs_disabled - service_ntpdate_disabled - service_oddjobd_disabled - service_qpidd_disabled - service_rdisc_disabled scap-security-guide-0.1.39/rhel7/profiles/stig-ansible-tower-upstream.profile000066400000000000000000000004541327242345500273070ustar00rootroot00000000000000documentation_complete: false title: '[DRAFT] DISA STIG for Red Hat Ansible Tower' description: |- This is a *draft* profile for 
STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO. extends: stig-http-disa selections: [] scap-security-guide-0.1.39/rhel7/profiles/stig-http-disa.profile000066400000000000000000000025511327242345500245730ustar00rootroot00000000000000documentation_complete: false title: '[DRAFT] DISA STIG for Apache HTTP on Red Hat Enterprise Linux 7' description: |- This profile contains configuration checks that align to the DISA STIG for Apache HTTP web server. selections: - httpd_enable_error_logging - httpd_configure_log_format - httpd_enable_system_logging - httpd_enable_loglevel - httpd_configure_max_keepalive_requests - httpd_enable_log_config - httpd_disable_anonymous_ftp_access - httpd_ignore_htaccess_files - httpd_anonymous_content_sharing - httpd_configure_script_permissions - httpd_configure_tls - httpd_require_client_certs - httpd_configure_valid_server_cert - httpd_configure_perl_taint - httpd_configure_remote_session_encryption - httpd_antivirus_scan_uploads - dir_perms_var_log_httpd - http_configure_log_file_ownership - httpd_configure_firewalld - httpd_configure_documentroot - partition_for_web_content - httpd_encrypt_file_uploads - httpd_configure_banner_page - httpd_remove_robots_file - httpd_disable_content_symlinks - httpd_limit_java_files - httpd_disable_mime_types - httpd_entrust_passwords - httpd_nipr_accredited_dmz - httpd_no_compilers_in_prod - httpd_private_server_on_separate_subnet - httpd_public_resources_not_shared - httpd_remove_backups scap-security-guide-0.1.39/rhel7/profiles/stig-ipa-server-upstream.profile000066400000000000000000000004421327242345500266060ustar00rootroot00000000000000documentation_complete: false title: '[DRAFT] DISA STIG for Red Hat IdM' description: |- This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO. 
extends: stig-http-disa selections: [] scap-security-guide-0.1.39/rhel7/profiles/stig-rhel7-disa.profile000066400000000000000000000266641327242345500246500ustar00rootroot00000000000000documentation_complete: true title: 'DISA STIG for Red Hat Enterprise Linux 7' description: "This profile contains configuration checks that align to the \n \ DISA STIG for Red Hat Enterprise Linux V1R4. \n \ \n \ In addition to being applicable to RHEL7, DISA recognizes this \n \ configuration baseline as applicable to the operating system tier of \n \ Red Hat technologies that are based off RHEL7, such as: \n \ - Red Hat Enterprise Linux Server \n \ - Red Hat Enterprise Linux Workstation and Desktop \n \ - Red Hat Virtualization Hypervisor (RHV-H) \n \ - Red Hat Enterprise Linux for HPC \n \ - Red Hat Storage" selections: - login_banner_text=dod_banners - inactivity_timeout_value=15_minutes - var_screensaver_lock_delay=5_seconds - sshd_idle_timeout_value=10_minutes - var_accounts_fail_delay=4 - var_selinux_state=enforcing - var_selinux_policy_name=targeted - var_password_pam_minlen=15 - var_password_pam_ocredit=1 - var_password_pam_lcredit=1 - var_password_pam_ucredit=1 - var_accounts_passwords_pam_faillock_unlock_time=never - var_accounts_passwords_pam_faillock_fail_interval=900 - var_accounts_passwords_pam_faillock_deny=3 - var_password_pam_unix_remember=5 - var_password_pam_maxclassrepeat=4 - var_password_pam_difok=8 - var_password_pam_dcredit=1 - var_password_pam_minclass=4 - var_accounts_minimum_age_login_defs=1 - var_password_pam_maxrepeat=3 - var_accounts_maximum_age_login_defs=60 - var_account_disable_post_pw_expiration=0 - var_removable_partition=dev_cdrom - var_auditd_action_mail_acct=root - var_auditd_space_left_action=email - var_accounts_user_umask=077 - var_password_pam_retry=3 - var_accounts_max_concurrent_login_sessions=10 - var_accounts_tmout=10_min - var_time_service_set_maxpoll=system_default - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled - 
sysctl_net_ipv4_conf_default_accept_source_route_value=disabled - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled - rpm_verify_permissions - rpm_verify_ownership - rpm_verify_hashes - dconf_gnome_banner_enabled - dconf_gnome_login_banner_text - banner_etc_issue - dconf_gnome_screensaver_lock_enabled - dconf_gnome_screensaver_lock_locked - dconf_gnome_enable_smartcard_auth - dconf_gnome_screensaver_idle_delay - package_screen_installed - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_activation_locked - dconf_gnome_screensaver_lock_delay - accounts_password_pam_ucredit - accounts_password_pam_lcredit - accounts_password_pam_dcredit - accounts_password_pam_ocredit - accounts_password_pam_difok - accounts_password_pam_minclass - accounts_password_pam_maxrepeat - accounts_password_pam_maxclassrepeat - set_password_hashing_algorithm_systemauth - set_password_hashing_algorithm_logindefs - set_password_hashing_algorithm_libuserconf - accounts_minimum_age_login_defs - accounts_password_set_min_life_existing - accounts_maximum_age_login_defs - accounts_password_set_max_life_existing - accounts_password_pam_unix_remember - accounts_password_pam_minlen - no_empty_passwords - sshd_disable_empty_passwords - account_disable_post_pw_expiration - accounts_passwords_pam_faillock_unlock_time - accounts_passwords_pam_faillock_interval - accounts_passwords_pam_faillock_deny - accounts_passwords_pam_faillock_deny_root - sudo_remove_nopasswd - sudo_remove_no_authenticate - accounts_logon_fail_delay - gnome_gdm_disable_automatic_login - gnome_gdm_disable_guest_login - sshd_do_not_permit_user_env - disable_host_auth - bootloader_password - require_singleuser_auth - bootloader_uefi_password - smartcard_auth - package_rsh-server_removed - package_ypserv_removed - 
    - selinux_user_login_roles
    - package_aide_installed
    - aide_periodic_cron_checking
    - aide_scan_notification
    - ensure_gpgcheck_globally_activated
    - ensure_gpgcheck_local_packages
    - ensure_gpgcheck_repo_metadata
    - kernel_module_usb-storage_disabled
    - kernel_module_dccp_disabled
    - service_autofs_disabled
    - clean_components_post_updating
    - selinux_state
    - selinux_policytype
    - disable_ctrlaltdel_reboot
    - accounts_umask_etc_login_defs
    - installed_OS_is_certified
    - security_patches_up_to_date
    - gid_passwd_group_same
    - accounts_no_uid_except_zero
    - no_files_unowned_by_user
    - file_permissions_ungroupowned
    - accounts_user_interactive_home_directory_defined
    - accounts_have_homedir_login_defs
    - accounts_user_interactive_home_directory_exists
    - file_permissions_home_directories
    - file_ownership_home_directories
    - file_groupownership_home_directories
    - accounts_users_home_files_ownership
    - accounts_users_home_files_groupownership
    - accounts_users_home_files_permissions
    - accounts_user_dot_user_ownership
    - accounts_user_dot_group_ownership
    - file_permission_user_init_files
    - accounts_user_home_paths_only
    - accounts_user_dot_no_world_writable_programs
    - selinux_all_devicefiles_labeled
    - mount_option_home_nosuid
    - mount_option_nosuid_removable_partitions
    - mount_option_nosuid_remote_filesystems
    - dir_perms_world_writable_system_owned
    - accounts_umask_interactive_users
    - rsyslog_cron_logging
    - file_owner_cron_allow
    - file_groupowner_cron_allow
    - service_kdump_disabled
    - partition_for_home
    - partition_for_var
    - partition_for_var_log_audit
    - partition_for_tmp
    - grub2_enable_fips_mode
    - aide_verify_acls
    - aide_verify_ext_attributes
    - aide_use_fips_hashes
    - bootloader_no_removeable_media
    - package_telnet-server_removed
    - service_auditd_enabled
    - audit_rules_system_shutdown
    - auditd_audispd_configure_remote_server
    - auditd_audispd_encrypt_sent_records
    - auditd_audispd_disk_full_action
    - auditd_data_retention_space_left
    - auditd_data_retention_space_left_action
    - auditd_data_retention_action_mail_acct
    - audit_rules_privileged_commands
    - audit_rules_dac_modification_chown
    - audit_rules_dac_modification_fchown
    - audit_rules_dac_modification_lchown
    - audit_rules_dac_modification_fchownat
    - audit_rules_dac_modification_chmod
    - audit_rules_dac_modification_fchmod
    - audit_rules_dac_modification_fchmodat
    - audit_rules_dac_modification_setxattr
    - audit_rules_dac_modification_fsetxattr
    - audit_rules_dac_modification_lsetxattr
    - audit_rules_dac_modification_removexattr
    - audit_rules_dac_modification_fremovexattr
    - audit_rules_dac_modification_lremovexattr
    - audit_rules_unsuccessful_file_modification_creat
    - audit_rules_unsuccessful_file_modification_open
    - audit_rules_unsuccessful_file_modification_openat
    - audit_rules_unsuccessful_file_modification_open_by_handle_at
    - audit_rules_unsuccessful_file_modification_truncate
    - audit_rules_unsuccessful_file_modification_ftruncate
    - audit_rules_execution_semanage
    - audit_rules_execution_setsebool
    - audit_rules_execution_chcon
    - audit_rules_execution_setfiles
    - audit_rules_login_events_tallylog
    - audit_rules_login_events_faillock
    - audit_rules_login_events_lastlog
    - audit_rules_privileged_commands_passwd
    - audit_rules_privileged_commands_unix_chkpwd
    - audit_rules_privileged_commands_gpasswd
    - audit_rules_privileged_commands_chage
    - audit_rules_privileged_commands_userhelper
    - audit_rules_privileged_commands_su
    - audit_rules_privileged_commands_sudo
    - audit_rules_sysadmin_actions
    - audit_rules_privileged_commands_newgrp
    - audit_rules_privileged_commands_chsh
    - audit_rules_privileged_commands_sudoedit
    - audit_rules_media_export
    - audit_rules_privileged_commands_umount
    - audit_rules_privileged_commands_postdrop
    - audit_rules_privileged_commands_postqueue
    - audit_rules_privileged_commands_ssh_keysign
    - audit_rules_privileged_commands_crontab
    - audit_rules_privileged_commands_pam_timestamp_check
    - audit_rules_kernel_module_loading_create
    - audit_rules_kernel_module_loading_init
    - audit_rules_kernel_module_loading_finit
    - audit_rules_kernel_module_loading_delete
    - audit_rules_kernel_module_loading_insmod
    - audit_rules_kernel_module_loading_rmmod
    - audit_rules_kernel_module_loading_modprobe
    - audit_rules_usergroup_modification_passwd
    - audit_rules_file_deletion_events_rename
    - audit_rules_file_deletion_events_renameat
    - audit_rules_file_deletion_events_rmdir
    - audit_rules_file_deletion_events_unlink
    - audit_rules_file_deletion_events_unlinkat
    - rsyslog_remote_loghost
    - rsyslog_nolisten
    - install_mcafee_antivirus
    - mcafee_antivirus_definitions_updated
    - accounts_max_concurrent_login_sessions
    - configure_firewalld_ports
    - sshd_use_approved_ciphers
    - accounts_tmout
    - sshd_enable_warning_banner
    - sssd_ldap_start_tls
    - sssd_ldap_configure_tls_ca_dir
    - sssd_ldap_configure_tls_ca
    - sysctl_kernel_randomize_va_space
    - package_openssh-server_installed
    - sshd_required=yes
    - service_sshd_enabled
    - sshd_set_idle_timeout
    - sshd_disable_rhosts_rsa
    - sshd_set_keepalive
    - sshd_disable_rhosts
    - sshd_print_last_log
    - sshd_disable_root_login
    - sshd_disable_user_known_hosts
    - sshd_allow_only_protocol2
    - sshd_use_approved_macs
    - file_permissions_sshd_pub_key
    - file_permissions_sshd_private_key
    - sshd_disable_gssapi_auth
    - sshd_disable_kerb_auth
    - sshd_enable_strictmodes
    - sshd_use_priv_separation
    - sshd_disable_compression
    - chronyd_or_ntpd_set_maxpoll
    - configure_firewalld_rate_limiting
    - service_firewalld_enabled
    - display_login_attempts
    - no_user_host_based_files
    - no_host_based_files
    - network_configure_name_resolution
    - sysctl_net_ipv4_conf_all_accept_source_route
    - sysctl_net_ipv4_conf_default_accept_source_route
    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
    - sysctl_net_ipv4_conf_default_accept_redirects
    - sysctl_net_ipv4_conf_default_send_redirects
    - sysctl_net_ipv4_conf_all_send_redirects
    - network_sniffer_disabled
    - postfix_prevent_unrestricted_relay
    - package_vsftpd_removed
    - package_tftp-server_removed
    - sshd_enable_x11_forwarding
    - tftpd_uses_secure_mode
    - package_xorg-x11-server-common_removed
    - sysctl_net_ipv4_ip_forward
    - mount_option_krb_sec_remote_filesystems
    - snmpd_not_default_password
    - set_firewalld_default_zone
    - libreswan_approved_tunnels
    - sysctl_net_ipv6_conf_all_accept_source_route
    - install_smartcard_packages
    - sssd_enable_pam_services
    - smartcard_configure_cert_checking
    - dconf_gnome_screensaver_user_locks
    - dconf_gnome_session_idle_user_locks
    - accounts_password_pam_retry
    - mount_option_noexec_remote_filesystems
    - auditd_audispd_network_failure_action
    - audit_rules_usergroup_modification_group
    - audit_rules_usergroup_modification_gshadow
    - audit_rules_usergroup_modification_shadow
    - audit_rules_usergroup_modification_opasswd
    - sysctl_net_ipv4_conf_all_accept_redirects
    - wireless_disable_interfaces

scap-security-guide-0.1.39/rhel7/profiles/stig-rhvh-upstream.profile

documentation_complete: false

title: '[DRAFT] STIG for Red Hat Virtualization Hypervisor'

description: "This is a *draft* profile for STIG. This profile is being \n
    \ developed under the DISA Vendor STIG model in coordination with \n
    \ DISA FSO."

extends: stig-rhel7-disa

selections: []

scap-security-guide-0.1.39/rhel7/profiles/stig-satellite-upstream.profile

documentation_complete: false

title: '[DRAFT] DISA STIG for Red Hat Satellite'

description: |-
    This is a *draft* profile for STIG. This profile is being
    developed under the DoD consensus model to become a STIG in
    coordination with DISA FSO.
extends: stig-http-disa

selections: []

scap-security-guide-0.1.39/rhel7/templates/csv/accounts_password.csv

dcredit
difok
lcredit
maxclassrepeat
maxrepeat
minclass
minlen
ocredit
ucredit

scap-security-guide-0.1.39/rhel7/templates/csv/file_dir_permissions.csv

/etc,shadow,0,0,0000
#/boot/grub,grub.conf,0,0,600 # different filename

scap-security-guide-0.1.39/rhel7/templates/csv/file_groupowner.csv

/etc/cron.allow,root,cron_allow
/etc/group,root
/etc/gshadow,root
/etc/passwd,root

scap-security-guide-0.1.39/rhel7/templates/csv/file_owner.csv

/etc/cron.allow,root,cron_allow
/etc/group,root
/etc/gshadow,root
/etc/passwd,root

scap-security-guide-0.1.39/rhel7/templates/csv/file_permissions.csv

/etc/group,0644
/etc/gshadow,0000
/etc/passwd,0644
/etc/httpd/conf.d/*,0640,httpd_server_conf_d_files
/etc/httpd/conf/*,0640,httpd_server_conf_files
/etc/ssh/*.pub,0644,sshd_pub_key
/etc/ssh/*_key,0600,sshd_private_key
/etc/httpd/conf.modules.d/*,0640,https_server_modules_files

scap-security-guide-0.1.39/rhel7/templates/csv/kernel_modules_disabled.csv

bluetooth
cramfs
dccp
freevxfs
hfs
hfsplus
jffs2
sctp
squashfs
udf
usb-storage

scap-security-guide-0.1.39/rhel7/templates/csv/mount_options.csv

# format:
# ,[,create_fstab_entry_if_needed]
# - mount point mounted with specified option. for more than
#   one option, use multiple lines with the same , use the
#   variable name (i.e. name beginning with var_, without the leading
#   '$' to reference a variable, e.g. var_removable_partition,nodev)
# If the remediation can create (i.e. not just modify) an /etc/fstab line,
# add the 'create_fstab_entry_if_needed' literal string as the third argument.
/dev/shm,nodev
/dev/shm,noexec
/dev/shm,nosuid
/home,nosuid
/home,nodev
/tmp,nodev
/tmp,noexec
/tmp,nosuid
/var/tmp,nodev
/var/tmp,noexec
/var/tmp,nosuid
/var/tmp,bind

scap-security-guide-0.1.39/rhel7/templates/csv/mounts.csv

# format:
# - this means on separate partition
/home
/tmp
/var
/var/log
/var/log/audit
/var/tmp

scap-security-guide-0.1.39/rhel7/templates/csv/oval_5.11/packages_installed.csv

esc
ntp
irqbalance
postfix
pam_pkcs11
pcsc-lite
psacct
xinetd
openssh-server
sssd
tcp_wrappers
docker

scap-security-guide-0.1.39/rhel7/templates/csv/oval_5.11/packages_removed.csv

abrt
acpid
at
autofs
avahi
bind
bluez
certmonger
cups
cyrus-sasl
dbus
dhcp
dovecot
httpd
iputils
kernel-tools
kexec-tools
libcgroup
libcgroup-tools
mdadm
net-snmp
nfs-utils
ntpdate
oddjob
openssh-server
portreserve
qpid-cpp-server
quagga
quota-nld
rhnsd
rsh
rsh-server
samba
smartmontools
squid
sssd
subscription-manager
sysstat
talk
talk-server
telnet-server
tftp-server
vsftpd
xinetd
ypbind
ypserv

scap-security-guide-0.1.39/rhel7/templates/csv/oval_5.11/services_disabled.csv

# service_name, package_name, daemon_name (as recognized by chkconfig / systemd. To be used when daemon_name differs from service_name)
abrtd,abrt,
acpid,,
atd,at,
autofs,,
avahi-daemon,avahi,
bluetooth,bluez,
certmonger,,
cgconfig,libcgroup,
cgred,libcgroup-tools,
cpupower,kernel-tools,
cups,,
debug-shell,,
dhcpd,dhcp,
dovecot,,
httpd,,
kdump,kexec-tools,
mdmonitor,mdadm,
messagebus,dbus,
named,bind,
netconsole,,
nfs,nfs-utils,
nfslock,nfs-utils,
ntpd,,
ntpdate,,
oddjobd,oddjob,
portreserve,,
qpidd,qpid-cpp-server,
quota_nld,quota-nld,
rdisc,iputils,
rexec,,
rhnsd,,
rhsmcertd,subscription-manager,
rlogin,,
rpcbind,nfs-utils,
rpcgssd,nfs-utils,
rpcidmapd,nfs-utils,
rpcsvcgssd,nfs-utils,
rsh,,
saslauthd,cyrus-sasl,
smartd,smartmontools,
smb,samba,
snmpd,net-snmp,
squid,,
sshd,,
sssd,,
sysstat,sysstat,
telnet,,
tftp,tftp-server,
vsftpd,,
xinetd,,
ypbind,,
zebra,quagga,

scap-security-guide-0.1.39/rhel7/templates/csv/oval_5.11/services_enabled.csv

auditd,,
auditd,audit,
chronyd,chrony,
#chronyd_or_ntpd,, # has to be static!
crond,cronie,
docker,,
firewalld,,
irqbalance,,
nails,,
ntpd,ntp,
postfix,,
psacct,,
pcscd,pcsc-lite,
rsyslog,,
sshd,openssh-server,
sssd,,

scap-security-guide-0.1.39/rhel7/templates/csv/packages_installed.csv

aide
audit
chrony
cronie
dconf
firewalld
esc
irqbalance
#kernel-PAE
libreswan
ntp
openssh-server
pam_pkcs11
policycoreutils
postfix
psacct
rsyslog
screen
sssd
tcp_wrappers
vsftpd
authconfig-gtk

scap-security-guide-0.1.39/rhel7/templates/csv/packages_removed.csv

abrt
autofs
bind
dhcp
dovecot
httpd
iputils
net-snmp
nptdate
prelink
rsh
rsh-server
quagga
samba
squid
talk
talk-server
telnet
telnet-server
tftp
tftp-server
vsftpd
xinetd
ypserv

scap-security-guide-0.1.39/rhel7/templates/csv/sysctl_values.csv

# Add to generate hard-coded OVAL and remediation content.
# Add to generate OVAL and remediation content that use the XCCDF value.
fs.suid_dumpable,0
kernel.dmesg_restrict,1#only-for:bash,ansible
#kernel.exec-shield,1
kernel.randomize_va_space,2
net.ipv4.conf.all.accept_redirects,
net.ipv4.conf.all.accept_source_route,
net.ipv4.conf.all.log_martians,
net.ipv4.conf.all.rp_filter,
net.ipv4.conf.all.secure_redirects,
net.ipv4.conf.all.send_redirects,0
net.ipv4.conf.default.accept_redirects,
net.ipv4.conf.default.accept_source_route,
net.ipv4.conf.default.log_martians,
net.ipv4.conf.default.rp_filter,
net.ipv4.conf.default.secure_redirects,
net.ipv4.conf.default.send_redirects,0
net.ipv4.icmp_echo_ignore_broadcasts,
net.ipv4.icmp_ignore_bogus_error_responses,
net.ipv4.ip_forward,0
net.ipv4.tcp_syncookies,
net.ipv6.conf.default.accept_ra,
net.ipv6.conf.default.accept_redirects,
net.ipv6.conf.all.accept_ra,
net.ipv6.conf.all.accept_redirects,
net.ipv6.conf.all.disable_ipv6,1
net.ipv6.conf.default.accept_source_route,
net.ipv6.conf.all.accept_source_route,
net.ipv6.conf.all.forwarding,

scap-security-guide-0.1.39/rhel7/templates/oval_5.11_templates/template_OVAL_service_disabled

Service %SERVICENAME% Disabled
Red Hat Enterprise Linux 7
The %SERVICENAME% service should be disabled if possible.
multi-user.target
%SERVICENAME%.service
multi-user.target
%SERVICENAME%.socket
%SERVICENAME%\.(service|socket)
ActiveState
inactive

scap-security-guide-0.1.39/rhel7/templates/oval_5.11_templates/template_OVAL_service_enabled

Service %SERVICENAME% Enabled
Red Hat Enterprise Linux 7
The %SERVICENAME% service should be enabled if possible.
multi-user.target
%SERVICENAME%.service
multi-user.target
%SERVICENAME%.socket
%SERVICENAME%\.(socket|service)
ActiveState
active

scap-security-guide-0.1.39/rhel7/templates/template_BASH_service_disabled

# platform = Red Hat Enterprise Linux 7
# reboot = false
# strategy = disable
# complexity = low
# disruption = low

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

service_command disable %SERVICENAME%

scap-security-guide-0.1.39/rhel7/templates/template_OVAL_kernel_module_disabled

Disable %KERNMODULE% Kernel Module
Red Hat Enterprise Linux 7
The kernel module %KERNMODULE% should be disabled.
/etc/modprobe.d
^.*\.conf$
^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$
1
/etc/modprobe.conf
^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$
1
/etc/modules-load.d
^.*\.conf$
^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$
1
/run/modules-load.d
^.*\.conf$
^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$
1
/usr/lib/modules-load.d
^.*\.conf$
^\s*install\s+%KERNMODULE%\s+(/bin/false|/bin/true)$
1

scap-security-guide-0.1.39/rhel7/templates/template_OVAL_sysctl

Kernel "%SYSCTLVAR%" Parameter Configuration and Runtime Check
Red Hat Enterprise Linux 7
The "%SYSCTLVAR%" kernel parameter should be set to the appropriate value in both system configuration and system runtime.

scap-security-guide-0.1.39/rhel7/templates/template_OVAL_sysctl_ipv6

Kernel "%SYSCTLVAR%" Parameter Configuration and Runtime Check
Red Hat Enterprise Linux 7
The "%SYSCTLVAR%" kernel parameter should be set to the appropriate value in both system configuration and system runtime.
scap-security-guide-0.1.39/rhel7/templates/template_OVAL_sysctl_runtime

Kernel "%SYSCTLVAR%" Parameter Runtime Check
Red Hat Enterprise Linux 7
The kernel "%SYSCTLVAR%" parameter should be set to "%SYSCTLVAL%" in system runtime.
%SYSCTLVAR%
%SYSCTLVAL%

scap-security-guide-0.1.39/rhel7/templates/template_OVAL_sysctl_runtime_var

Kernel "%SYSCTLVAR%" Parameter Runtime Check
Red Hat Enterprise Linux 7
The kernel "%SYSCTLVAR%" parameter should be set to the appropriate value in system runtime.
%SYSCTLVAR%

scap-security-guide-0.1.39/rhel7/templates/template_OVAL_sysctl_static

Kernel "%SYSCTLVAR%" Parameter Configuration Check
Red Hat Enterprise Linux 7
The kernel "%SYSCTLVAR%" parameter should be set to "%SYSCTLVAL%" in the system configuration.
/etc/sysctl.conf
^[\s]*%SYSCTLVAR%[\s]*=[\s]*%SYSCTLVAL%[\s]*$
1
/etc/sysctl.d
^.*\.conf$
^[\s]*%SYSCTLVAR%[\s]*=[\s]*%SYSCTLVAL%[\s]*$
1
/run/sysctl.d
^.*\.conf$
^[\s]*%SYSCTLVAR%[\s]*=[\s]*%SYSCTLVAL%[\s]*$
1
/usr/lib/sysctl.d
^.*\.conf$
^[\s]*%SYSCTLVAR%[\s]*=[\s]*%SYSCTLVAL%[\s]*$
1

scap-security-guide-0.1.39/rhel7/templates/template_OVAL_sysctl_static_var

Kernel "%SYSCTLVAR%" Parameter Configuration Check
Red Hat Enterprise Linux 7
The kernel "%SYSCTLVAR%" parameter should be set to the appropriate value in the system configuration.
/etc/sysctl.conf
(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n
1
/etc/sysctl.d
^.*\.conf$
(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n
1
/run/sysctl.d
^.*\.conf$
(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n
1
/usr/lib/sysctl.d
^.*\.conf$
(?:^|.*\n)[^#]*%SYSCTLVAR%[\s]*=[\s]*(\d+)[\s]*\n
1

scap-security-guide-0.1.39/rhel7/transforms/cci2html.xsl

scap-security-guide-0.1.39/rhel7/transforms/constants.xslt

Red Hat Enterprise Linux 7
RHEL 7
RHEL_7_STIG
RHEL-7
cpe:/o:redhat:enterprise_linux:7,cpe:/o:redhat:enterprise_linux:7::client,cpe:/o:redhat:enterprise_linux:7::computenode
rhel7
https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf
RHEL-07-

scap-security-guide-0.1.39/rhel7/transforms/shorthand2xccdf.xslt

unknown

scap-security-guide-0.1.39/rhel7/transforms/table-add-srgitems.xslt

scap-security-guide-0.1.39/rhel7/transforms/table-sortbyref.xslt

scap-security-guide-0.1.39/rhel7/transforms/table-srgmap.xslt

scap-security-guide-0.1.39/rhel7/transforms/table-style.xslt

scap-security-guide-0.1.39/rhel7/transforms/xccdf-apply-overlay-stig.xslt
scap-security-guide-0.1.39/rhel7/transforms/xccdf2csv-stig.py

#!/usr/bin/env python2

import sys

# always use shared/modules version
SHARED_MODULE_PATH = "../../shared/modules"
sys.path.insert(0, SHARED_MODULE_PATH)

import xccdf2csv_stig_module

if __name__ == "__main__":
    xccdf2csv_stig_module.main()

scap-security-guide-0.1.39/rhel7/transforms/xccdf2stigformat.xslt

scap-security-guide-0.1.39/rhel7/transforms/xccdf2table-byref.xslt

scap-security-guide-0.1.39/rhel7/transforms/xccdf2table-cce.xslt

scap-security-guide-0.1.39/rhel7/transforms/xccdf2table-profileanssirefs.xslt

scap-security-guide-0.1.39/rhel7/transforms/xccdf2table-profileccirefs.xslt

scap-security-guide-0.1.39/rhel7/transforms/xccdf2table-profilecisrefs.xslt

scap-security-guide-0.1.39/rhel7/transforms/xccdf2table-profilenistrefs-cui.xslt

scap-security-guide-0.1.39/rhel7/transforms/xccdf2table-profilenistrefs.xslt

scap-security-guide-0.1.39/rhel7/transforms/xccdf2table-stig.xslt
scap-security-guide-0.1.39/shared/bash_remediation_functions/die.sh

# Print a message to stderr and exit the shell
# $1: The message to print.
# $2: The error code (optional, default is 1)
function die {
    local _message="$1" _rc="${2:-1}"
    printf '%s\n' "$_message" >&2
    exit "$_rc"
}

scap-security-guide-0.1.39/shared/bash_remediation_functions/firefox_cfg_setting.sh

# Function to replace configuration setting(s) in the Firefox preferences configuration (.cfg) file or add the
# preference if it does not exist.
#
# Expects three arguments:
#
# config_file:   Configuration file that will be modified
# key:           Configuration option to change
# value:         Value of the configuration option to change
#
#
# Example Call(s):
#
#     Without string or variable:
#     firefox_cfg_setting "stig.cfg" "extensions.update.enabled" "false"
#
#     With string:
#     firefox_cfg_setting "stig.cfg" "security.default_personal_cert" "\"Ask Every Time\""
#
#     With a string variable:
#     firefox_cfg_setting "stig.cfg" "browser.startup.homepage" "\"${var_default_home_page}\""
#
function firefox_cfg_setting {
    local firefox_cfg=$1
    local key=$2
    local value=$3
    local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

    # Check sanity of input
    if [ $# -lt "3" ]
    then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
    fi

    # Check the possible Firefox install directories
    for firefox_dir in ${firefox_dirs}; do
        # If the Firefox directory exists, then Firefox is installed
        if [ -d "${firefox_dir}" ]; then
            # Make sure the Firefox .cfg file exists and has the appropriate permissions
            if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
                touch "${firefox_dir}/${firefox_cfg}"
                chmod 644 "${firefox_dir}/${firefox_cfg}"
            fi

            # If the key exists, change it. Otherwise, add it to the config_file.
            if grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}" ; then
                sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
            else
                echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}"
            fi
        fi
    done
}

scap-security-guide-0.1.39/shared/bash_remediation_functions/firefox_js_setting.sh

# Function to replace configuration setting(s) in the Firefox preferences JavaScript file or add the
# preference if it does not exist.
#
# Expects three arguments:
#
# config_file:   Configuration file that will be modified
# key:           Configuration option to change
# value:         Value of the configuration option to change
#
#
# Example Call(s):
#
#     Without string or variable:
#     firefox_js_setting "stig_settings.js" "general.config.obscure_value" "0"
#
#     With string:
#     firefox_js_setting "stig_settings.js" "general.config.filename" "\"stig.cfg\""
#
#     With a string variable:
#     firefox_js_setting "stig_settings.js" "general.config.filename" "\"$var_config_file_name\""
#
function firefox_js_setting {
    local firefox_js=$1
    local key=$2
    local value=$3
    local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
    local firefox_pref="/defaults/pref"
    local firefox_preferences="/defaults/preferences"

    # Check sanity of input
    if [ $# -lt "3" ]
    then
        echo "Usage: firefox_js_setting 'config_javascript_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
    fi

    # Check the possible Firefox install directories
    for firefox_dir in ${firefox_dirs}; do
        # If the Firefox directory exists, then Firefox is installed
        if [ -d "${firefox_dir}" ]; then
            # Different versions of Firefox have different preferences directories, check for them and set the right one
            if [ -d "${firefox_dir}/${firefox_pref}" ] ; then
                local firefox_pref_dir="${firefox_dir}/${firefox_pref}"
            elif [ -d "${firefox_dir}/${firefox_preferences}" ] ; then
                local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
            else
                mkdir -m 755 -p "${firefox_dir}/${firefox_preferences}"
                local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
            fi

            # Make sure the Firefox .js file exists and has the appropriate permissions
            if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then
                touch "${firefox_pref_dir}/${firefox_js}"
                chmod 644 "${firefox_pref_dir}/${firefox_js}"
            fi

            # If the key exists, change it. Otherwise, add it to the config_file.
            if grep -q "^pref(\"${key}\", " "${firefox_pref_dir}/${firefox_js}" ; then
                sed -i "s/pref(\"${key}\".*/pref(\"${key}\", ${value});/g" "${firefox_pref_dir}/${firefox_js}"
            else
                echo "pref(\"${key}\", ${value});" >> "${firefox_pref_dir}/${firefox_js}"
            fi
        fi
    done
}

scap-security-guide-0.1.39/shared/bash_remediation_functions/fix_audit_syscall_rule.sh

# Function to fix syscall audit rule for given system call. It is
# based on example audit syscall rule definitions as outlined in
# /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit
# package. It will combine multiple system calls belonging to the same
# syscall group into one audit rule (rather than to create audit rule per
# different system call) to avoid audit infrastructure performance penalty
# in the case of 'one-audit-rule-definition-per-one-system-call'. See:
#
#   https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html
#
# for further details.
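The merge strategy that comment describes (one audit rule per syscall group instead of one rule per syscall, with existing rules whose -S list is covered by the new rule removed and the new rule appended once) is shown below as an added example. It is not code from scap-security-guide: it is a deliberately compact model that works on whichever rules file it is handed, so it never touches /etc/audit, and it only implements the "delete covered rule, append new rule" part; rules mixing in syscalls of another group are left intact, whereas the project's function additionally strips the covered syscalls out of them. All function names and the sample rules are constructed for the example.

```shell
#!/bin/bash
# Added example, not part of scap-security-guide. Models the audit rule
# merge strategy used by fix_audit_syscall_rule on a caller-supplied file.

# List the syscall names passed as "-S name" arguments of one audit rule,
# one name per line (empty output for watch rules and comments).
rule_syscalls() {
    printf '%s\n' "$1" | grep -oE -- '-S [[:alnum:]_]+' | cut -d' ' -f2
}

# Succeed when every syscall of rule $1 also appears in rule $2.
syscalls_subset_of() {
    local s
    for s in $(rule_syscalls "$1"); do
        rule_syscalls "$2" | grep -qx -- "$s" || return 1
    done
    return 0
}

# merge_syscall_rule FILE ARCH KEY FULL_RULE
# Drops every rule in FILE for the same architecture and key whose -S list
# is covered by FULL_RULE, then appends FULL_RULE unless an identical line
# is already present. Running it twice therefore leaves FILE unchanged.
# A rule is matched by its "arch=ARCH" field and a trailing "-k KEY" or
# "key=KEY" (hypothetical matching; auditctl syntax is richer than this).
merge_syscall_rule() {
    local file="$1" arch="$2" key="$3" full_rule="$4"
    local tmp rule
    tmp=$(mktemp)
    while IFS= read -r rule; do
        case "$rule" in
            *"arch=$arch"*"-k $key"|*"arch=$arch"*"key=$key")
                if syscalls_subset_of "$rule" "$full_rule"; then
                    continue    # covered by the new rule: do not copy it over
                fi
                ;;
        esac
        printf '%s\n' "$rule" >> "$tmp"
    done < "$file"
    grep -qxF -- "$full_rule" "$tmp" || printf '%s\n' "$full_rule" >> "$tmp"
    mv "$tmp" "$file"
}

# Number of rules in a file, ignoring blank lines and comments.
count_rules() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Demonstration on a constructed rules file when run directly under bash.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    demo=$(mktemp)
    printf '%s\n' \
        '# constructed sample, not a real system file' \
        '-w /etc/localtime -p wa -k audit_time_rules' \
        '-a always,exit -F arch=b64 -S chown -S fchown -k perm_mod' \
        '-a always,exit -F arch=b64 -S lchown -S fchmod -k perm_mod' \
        '-a always,exit -F arch=b32 -S chown -k perm_mod' > "$demo"
    merge_syscall_rule "$demo" b64 perm_mod \
        '-a always,exit -F arch=b64 -S chown -S fchown -S lchown -S fchownat -k perm_mod'
    echo "rules after merge ($(count_rules "$demo")):"
    cat "$demo"
    rm -f "$demo"
fi
```

The point worth noticing in the demonstration is which rules survive: the b64 chown/fchown rule disappears because the new rule covers it, the b32 rule is untouched because the architecture differs, and the lchown/fchmod rule stays because fchmod is not part of the new rule, which is exactly the case the project's function goes on to rewrite.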
#
# Expects five arguments (each of them is required) in the form of:
# * audit tool                    tool used to load audit rules,
#                                 either 'auditctl', or 'augenrules'
# * audit rules' pattern          audit rule skeleton for same syscall
# * syscall group                 greatest common string this rule shares
#                                 with other rules from the same group
# * architecture                  architecture this rule is intended for
# * full form of new rule to add  expected full form of audit rule as to be
#                                 added into audit.rules file
#
# Note: The 2-th up to 4-th arguments are used to determine how many existing
# audit rules will be inspected for resemblance with the new audit rule
# (5-th argument) the function is going to add. The rule's similarity check
# is performed to optimize audit.rules definition (merge syscalls of the same
# group into one rule) to avoid the "single-syscall-per-audit-rule" performance
# penalty.
#
# Example call:
#
#   See e.g. 'audit_rules_file_deletion_events.sh' remediation script
#
function fix_audit_syscall_rule {

    # Load function arguments into local variables
    local tool="$1"
    local pattern="$2"
    local group="$3"
    local arch="$4"
    local full_rule="$5"

    # Check sanity of the input
    if [ $# -ne "5" ]
    then
        echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'"
        echo "Aborting."
        exit 1
    fi

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    #  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
    # -----------------------------------------------------------------------------------------
    #        auditctl               |     Doesn't matter    |     /etc/audit/audit.rules      |
    # -----------------------------------------------------------------------------------------
    #       augenrules              |          Yes          | /etc/audit/rules.d/*.rules      |
    #       augenrules              |          No           | /etc/audit/rules.d/$key.rules   |
    # -----------------------------------------------------------------------------------------
    #
    declare -a files_to_inspect
    retval=0

    # First check sanity of the specified audit tool
    if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
    then
        echo "Unknown audit rules loading tool: $1. Aborting."
        echo "Use either 'auditctl' or 'augenrules'!"
        return 1
    # If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
    # file to the list of files to be inspected
    elif [ "$tool" == 'auditctl' ]
    then
        files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules' )
    # If audit tool is 'augenrules', then check if the audit rule is defined
    # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
    # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
    elif [ "$tool" == 'augenrules' ]
    then
        # Extract audit $key from audit rule so we can use it later
        key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)')
        # Check if particular audit rule is already defined
        IFS=$'\n' matches=($(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules))
        if [ $? -ne 0 ]
        then
            retval=1
        fi
        # Reset IFS back to default
        unset IFS
        for match in "${matches[@]}"
        do
            files_to_inspect=("${files_to_inspect[@]}" "${match}")
        done
        # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
        if [ ${#files_to_inspect[@]} -eq "0" ]
        then
            files_to_inspect="/etc/audit/rules.d/$key.rules"
            if [ ! -e "$files_to_inspect" ]
            then
                touch "$files_to_inspect"
                chmod 0640 "$files_to_inspect"
            fi
        fi
    fi

    #
    # Indicator that we want to append $full_rule into $audit_file by default
    local append_expected_rule=0

    for audit_file in "${files_to_inspect[@]}"
    do
        # Filter existing $audit_file rules' definitions to select those that:
        # * follow the rule pattern, and
        # * meet the hardware architecture requirement, and
        # * are current syscall group specific
        IFS=$'\n' existing_rules=($(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file"))
        if [ $? -ne 0 ]
        then
            retval=1
        fi
        # Reset IFS back to default
        unset IFS

        # Process rules found case-by-case
        for rule in "${existing_rules[@]}"
        do
            # Found rule is for same arch & key, but differs (e.g. in count of -S arguments)
            if [ "${rule}" != "${full_rule}" ]
            then
                # If so, isolate just '(-S \w)+' substring of that rule
                rule_syscalls=$(echo $rule | grep -o -P '(-S \w+ )+')
                # Check if list of '-S syscall' arguments of that rule is subset
                # of '-S syscall' list of expected $full_rule
                if grep -q -- "$rule_syscalls" <<< "$full_rule"
                then
                    # Rule is covered (i.e. the list of -S syscalls for this rule is
                    # subset of -S syscalls of $full_rule => existing rule can be deleted
                    # Thus delete the rule from audit.rules & our array
                    sed -i -e "\;${rule};d" "$audit_file"
                    if [ $? -ne 0 ]
                    then
                        retval=1
                    fi
                    existing_rules=("${existing_rules[@]//$rule/}")
                else
                    # Rule isn't covered by $full_rule - it besides -S syscall arguments
                    # for this group contains also -S syscall arguments for other syscall
                    # group. Example: '-S lchown -S fchmod -S fchownat' => group='chown'
                    # since 'lchown' & 'fchownat' share 'chown' substring
                    # Therefore:
                    # * 1) delete the original rule from audit.rules
                    #   (original '-S lchown -S fchmod -S fchownat' rule would be deleted)
                    # * 2) delete the -S syscall arguments for this syscall group, but
                    #   keep those not belonging to this syscall group
                    #   (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod'
                    # * 3) append the modified (filtered) rule again into audit.rules
                    #   if the same rule not already present
                    #
                    # 1) Delete the original rule
                    sed -i -e "\;${rule};d" "$audit_file"
                    if [ $? -ne 0 ]
                    then
                        retval=1
                    fi
                    # 2) Delete syscalls for this group, but keep those from other groups
                    # Convert current rule syscall's string into array splitting by '-S' delimiter
                    IFS=$'-S' read -a rule_syscalls_as_array <<< "$rule_syscalls"
                    # Reset IFS back to default
                    unset IFS
                    # Declare new empty string to hold '-S syscall' arguments from other groups
                    new_syscalls_for_rule=''
                    # Walk through existing '-S syscall' arguments
                    for syscall_arg in "${rule_syscalls_as_array[@]}"
                    do
                        # Skip empty $syscall_arg values
                        if [ "$syscall_arg" == '' ]
                        then
                            continue
                        fi
                        # If the '-S syscall' doesn't belong to current group add it to the new list
                        # (together with adding '-S' delimiter back for each of such item found)
                        if grep -q -v -- "$group" <<< "$syscall_arg"
                        then
                            new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg"
                        fi
                    done
                    # Replace original '-S syscall' list with the new one for this rule
                    updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule}
                    # Squeeze repeated whitespace characters in rule definition (if any) into one
                    updated_rule=$(echo "$updated_rule" | tr -s '[:space:]')
                    # 3) Append the modified / filtered rule again into audit.rules
                    #    (but only in case it's not present yet to prevent duplicate definitions)
                    if ! grep -q -- "$updated_rule" "$audit_file"
                    then
                        echo "$updated_rule" >> "$audit_file"
                    fi
                fi
            else
                # $audit_file already contains the expected rule form for this
                # architecture & key => don't insert it second time
                append_expected_rule=1
            fi
        done

        # We deleted all rules that were subset of the expected one for this arch & key.
        # Also isolated rules containing system calls not from this system calls group.
        # Now append the expected rule if it's not present in $audit_file yet
        if [[ ${append_expected_rule} -eq "0" ]]
        then
            echo "$full_rule" >> "$audit_file"
        fi
    done

    return $retval
}

scap-security-guide-0.1.39/shared/bash_remediation_functions/fix_audit_watch_rule.sh

# Function to fix audit file system object watch rule for given path:
# * if rule exists, also verifies the -w bits match the requirements
# * if rule doesn't exist yet, appends expected rule form to $files_to_inspect
#   audit rules file, depending on the tool which was used to load audit rules
#
# Expects four arguments (each of them is required) in the form of:
# * audit tool                  tool used to load audit rules,
#                               either 'auditctl', or 'augenrules'
# * path                        value of -w audit rule's argument
# * required access bits        value of -p audit rule's argument
# * key                         value of -k audit rule's argument
#
# Example call:
#
#       fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"
#
function fix_audit_watch_rule {

    # Load function arguments into local variables
    local tool="$1"
    local path="$2"
    local required_access_bits="$3"
    local key="$4"

    # Check sanity of the input
    if [ $# -ne "4" ]
    then
        echo "Usage: fix_audit_watch_rule 'tool' 'path' 'bits' 'key'"
        echo "Aborting."
        exit 1
    fi

    # Create a list of audit *.rules files that should be inspected for presence and correctness
    # of a particular audit rule. The scheme is as follows:
    #
    # -----------------------------------------------------------------------------------------
    #  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
    # -----------------------------------------------------------------------------------------
    #        auditctl               |     Doesn't matter    |     /etc/audit/audit.rules      |
    # -----------------------------------------------------------------------------------------
    #       augenrules              |          Yes          | /etc/audit/rules.d/*.rules      |
    #       augenrules              |          No           | /etc/audit/rules.d/$key.rules   |
    # -----------------------------------------------------------------------------------------
    declare -a files_to_inspect

    # Check sanity of the specified audit tool
    if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ]
    then
        echo "Unknown audit rules loading tool: $1. Aborting."
        echo "Use either 'auditctl' or 'augenrules'!"
        exit 1
    # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
    # into the list of files to be inspected
    elif [ "$tool" == 'auditctl' ]
    then
        files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules')
    # If the audit is 'augenrules', then check if rule is already defined
    # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
    # If rule isn't defined, add '/etc/audit/rules.d/$key.rules' to list of files for inspection.
    elif [ "$tool" == 'augenrules' ]
    then
        # Case when particular audit rule is already defined in some of /etc/audit/rules.d/*.rules file
        # Get pair -- filepath : matching_row into @matches array
        IFS=$'\n' matches=($(grep -P "[\s]*-w[\s]+$path" /etc/audit/rules.d/*.rules))
        # Reset IFS back to default
        unset IFS
        # For each of the matched entries
        for match in "${matches[@]}"
        do
            # Extract filepath from the match
            rulesd_audit_file=$(echo $match | cut -f1 -d ':')
            # Append that path into list of files for inspection
            files_to_inspect=("${files_to_inspect[@]}" "$rulesd_audit_file")
        done
        # Case when particular audit rule isn't defined yet
        if [ ${#files_to_inspect[@]} -eq "0" ]
        then
            # Append '/etc/audit/rules.d/$key.rules' into list of files for inspection
            files_to_inspect="/etc/audit/rules.d/$key.rules"
            # If the $key.rules file doesn't exist yet, create it with correct permissions
            if [ ! -e "$files_to_inspect" ]
            then
                touch "$files_to_inspect"
                chmod 0640 "$files_to_inspect"
            fi
        fi
    fi

    # Finally perform the inspection and possible subsequent audit rule
    # correction for each of the files previously identified for inspection
    for audit_rules_file in "${files_to_inspect[@]}"
    do
        # Check if audit watch file system object rule for given path already present
        if grep -q -P -- "[\s]*-w[\s]+$path" "$audit_rules_file"
        then
            # Rule is found => verify yet if existing rule definition contains
            # all of the required access type bits

            # Escape slashes in path for use in sed pattern below
            local esc_path=${path//$'/'/$'\/'}
            # Define BRE whitespace class shortcut
            local sp="[[:space:]]"
            # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
            current_access_bits=$(sed -ne "s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p" "$audit_rules_file")
            # Split required access bits string into characters array
            # (to check bit's presence for one bit at a time)
            for access_bit in $(echo "$required_access_bits" | grep -o .)
            do
                # For each from the required access bits (e.g.
'w', 'a') check # if they are already present in current access bits for rule. # If not, append that bit at the end if ! grep -q "$access_bit" <<< "$current_access_bits" then # Concatenate the existing mask with the missing bit current_access_bits="$current_access_bits$access_bit" fi done # Propagate the updated rule's access bits (original + the required # ones) back into the /etc/audit/audit.rules file for that rule sed -i "s/\($sp*-w$sp\+$esc_path$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)/\1$current_access_bits\3/" "$audit_rules_file" else # Rule isn't present yet. Append it at the end of $audit_rules_file file # with proper key echo "-w $path -p $required_access_bits -k $key" >> "$audit_rules_file" fi done } scap-security-guide-0.1.39/shared/bash_remediation_functions/include_dconf_settings.sh000066400000000000000000000035611327242345500314110ustar00rootroot00000000000000function include_dconf_settings { : } # Function to configure DConf settings for RHEL and Fedora systems. # # Example Call(s): # # dconf_settings 'org/gnome/login-screen' 'banner-message-enable' 'true' 'local.d' '10-banner' # function dconf_settings { local _path=$1 _key=$2 _value=$3 _db=$4 _settingFile=$5 # Check sanity of the input if [ $# -ne "5" ] then echo "Usage: dconf_settings 'dconf_path' 'dconf_setting' 'dconf_db' 'dconf_settingsfile'" echo "Aborting." exit 1 fi # Check for setting in any of the DConf db directories SETTINGSFILES=($(grep -r "\[${_path}]" "/etc/dconf/db/" | grep -v "distro\|ibus" | cut -d":" -f1)) DCONFFILE="/etc/dconf/db/${_db}/${_settingFile}" DBDIR="/etc/dconf/db/${_db}" mkdir -p "${DBDIR}" if [[ -z "${SETTINGSFILES[@]}" ]] then [ ! 
-z ${DCONFFILE} ] || $(echo "" >> ${DCONFFILE}) echo "[${_path}]" >> ${DCONFFILE} echo "${_key}=${_value}" >> ${DCONFFILE} else if grep -q "${_key}" ${SETTINGSFILES[@]} then sed -i "s/${_key}\s*=\s*.*/${_key}=${_value}/g" ${SETTINGSFILES[@]} else sed -i "\|\[${_path}]|a\\${_key}=${_value}" ${SETTINGSFILES[@]} fi fi } # Function to configure DConf locks for RHEL and Fedora systems. # # Example Call(s): # # dconf_lock 'org/gnome/login-screen' 'banner-message-enable' 'local.d' 'banner' # function dconf_lock { local _key=$1 _setting=$2 _db=$3 _lockFile=$4 # Check sanity of the input if [ $# -ne "4" ] then echo "Usage: dconf_lock 'dconf_path' 'dconf_setting' 'dconf_db' 'dconf_lockfile'" echo "Aborting." exit 1 fi # Check for setting in any of the DConf db directories LOCKFILES=$(grep -r "^/${_key}/${_setting}$" "/etc/dconf/db/" | grep -v "distro\|ibus" | cut -d":" -f1) LOCKSFOLDER="/etc/dconf/db/${_db}/locks" mkdir -p "${LOCKSFOLDER}" if [[ -z "${LOCKFILES}" ]] then echo "/${_key}/${_setting}" >> "/etc/dconf/db/${_db}/locks/${_lockFile}" fi } scap-security-guide-0.1.39/shared/bash_remediation_functions/include_mount_options_functions.sh000066400000000000000000000030521327242345500334000ustar00rootroot00000000000000function include_mount_options_functions { : } # $1: mount point # $2: new mount point option function ensure_mount_option_in_fstab { local _mount_point="$1" _new_opt="$2" _mount_point_match_regexp="" _previous_mount_opts="" _mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")" if [ $(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt" ) -eq 0 ]; then _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab fi } # $1: mount point function get_mount_point_regexp { printf "[[:space:]]%s[[:space:]]" "$1" } # $1: mount point function assert_mount_point_in_fstab { local _mount_point_match_regexp 
_mount_point_match_regexp="$(get_mount_point_regexp "$1")" grep "$_mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; } } # $1: mount point function remove_defaults_from_fstab_if_overriden { local _mount_point_match_regexp _mount_point_match_regexp="$(get_mount_point_regexp "$1")" if [ $(grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,") -gt 0 ] then sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab fi } # $1: mount point function ensure_partition_is_mounted { local _mount_point="$1" mkdir -p "$_mount_point" || return 1 if mountpoint -q "$_mount_point"; then mount -o remount --target "$_mount_point" else mount --target "$_mount_point" fi } scap-security-guide-0.1.39/shared/bash_remediation_functions/package_install.sh000066400000000000000000000013321327242345500300100ustar00rootroot00000000000000# Function to install packages on RHEL, Fedora, Debian, and possibly other systems. # # Example Call(s): # # package_install aide # function package_install { # Load function arguments into local variables local package="$1" # Check sanity of the input if [ $# -ne "1" ] then echo "Usage: package_install 'package_name'" echo "Aborting." exit 1 fi if which dnf ; then if ! rpm -q --quiet "$package"; then dnf install -y "$package" fi elif which yum ; then if ! rpm -q --quiet "$package"; then yum install -y "$package" fi elif which apt-get ; then apt-get install -y "$package" else echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" echo "Aborting." exit 1 fi } scap-security-guide-0.1.39/shared/bash_remediation_functions/package_remove.sh000066400000000000000000000013301327242345500276350ustar00rootroot00000000000000# Function to remove packages on RHEL, Fedora, Debian, and possibly other systems. 
# # Example Call(s): # # package_remove telnet-server # function package_remove { # Load function arguments into local variables local package="$1" # Check sanity of the input if [ $# -ne "1" ] then echo "Usage: package_remove 'package_name'" echo "Aborting." exit 1 fi if which dnf ; then if rpm -q --quiet "$package"; then dnf remove -y "$package" fi elif which yum ; then if rpm -q --quiet "$package"; then yum remove -y "$package" fi elif which apt-get ; then apt-get remove -y "$package" else echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" echo "Aborting." exit 1 fi } perform_audit_rules_privileged_commands_remediation.sh000066400000000000000000000157211327242345500373440ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/bash_remediation_functions# Function to perform remediation for 'audit_rules_privileged_commands' rule # # Expects two arguments: # # audit_tool tool used to load audit rules # One of 'auditctl' or 'augenrules' # # min_auid Minimum original ID the user logged in with # '500' for RHEL-6 and before, '1000' for RHEL-7 and after. # # Example Call(s): # # perform_audit_rules_privileged_commands_remediation "auditctl" "500" # perform_audit_rules_privileged_commands_remediation "augenrules" "1000" # function perform_audit_rules_privileged_commands_remediation { # # Load function arguments into local variables local tool="$1" local min_auid="$2" # Check sanity of the input if [ $# -ne "2" ] then echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'" echo "Aborting." exit 1 fi declare -a files_to_inspect=() # Check sanity of the specified audit tool if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] then echo "Unknown audit rules loading tool: $1. Aborting." echo "Use either 'auditctl' or 'augenrules'!" 
exit 1 # If the audit tool is 'auditctl', then: # * add '/etc/audit/audit.rules'to the list of files to be inspected, # * specify '/etc/audit/audit.rules' as the output audit file, where # missing rules should be inserted elif [ "$tool" == 'auditctl' ] then files_to_inspect=("/etc/audit/audit.rules") output_audit_file="/etc/audit/audit.rules" # # If the audit tool is 'augenrules', then: # * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected # (split by newline), # * specify /etc/audit/rules.d/privileged.rules' as the output file, where # missing rules should be inserted elif [ "$tool" == 'augenrules' ] then IFS=$'\n' files_to_inspect=($(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print)) output_audit_file="/etc/audit/rules.d/privileged.rules" fi # Obtain the list of SUID/SGID binaries on the particular system (split by newline) # into privileged_binaries array IFS=$'\n' privileged_binaries=($(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null)) # Keep list of SUID/SGID binaries that have been already handled within some previous iteration declare -a sbinaries_to_skip=() # For each found sbinary in privileged_binaries list for sbinary in "${privileged_binaries[@]}" do # Check if this sbinary wasn't already handled in some of the previous iterations # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) 
if [[ $(sed -ne "\|${sbinary}|p" <<< "${sbinaries_to_skip[*]}") ]] then # If so, don't process it second time & go to process next sbinary continue fi # Reset the counter of inspected files when starting to check # presence of existing audit rule for new sbinary local count_of_inspected_files=0 # Define expected rule form for this binary expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=4294967295 -k privileged" # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary if [[ ${#files_to_inspect[@]} -eq 0 ]]; then echo "$expected_rule" >> "$output_audit_file" continue fi # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below sbinary_esc=${sbinary//$'/'/$'\/'} # For each audit rules file from the list of files to be inspected for afile in "${files_to_inspect[@]}" do # Search current audit rules file's content for match. Match criteria: # * existing rule is for the same SUID/SGID binary we are currently processing (but # can contain multiple -F path= elements covering multiple SUID/SGID binaries) # * existing rule contains all arguments from expected rule form (though can contain # them in arbitrary order) base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \ -e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \ -e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=4294967295/!d' \ -e '/-k privileged/!d' "$afile") # Increase the count of inspected files for this sbinary count_of_inspected_files=$((count_of_inspected_files + 1)) # Require execute access type to be set for existing audit rule exec_access='x' # Search current audit rules file's content for presence of rule pattern for this sbinary if [[ $base_search ]] then # Current audit rules file already contains rule for this binary => # Store the exact form of found rule for this binary for further processing concrete_rule=$base_search # Select all other SUID/SGID 
binaries possibly also present in the found rule IFS=$'\n' handled_sbinaries=($(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")) IFS=$' ' handled_sbinaries=(${handled_sbinaries[@]//-F path=/}) # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates sbinaries_to_skip=($(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)) # Separate concrete_rule into three sections using hash '#' # sign as a delimiter around rule's permission section borders concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")" # Split concrete_rule into head, perm, and tail sections using hash '#' delimiter IFS=$'#' read -r rule_head rule_perm rule_tail <<< "$concrete_rule" # Extract already present exact access type [r|w|x|a] from rule's permission section access_type=${rule_perm//-F perm=/} # Verify current permission access type(s) for rule contain 'x' (execute) permission if ! grep -q "$exec_access" <<< "$access_type" then # If not, append the 'x' (execute) permission to the existing access type bits access_type="$access_type$exec_access" # Reconstruct the permissions section for the rule new_rule_perm="-F perm=$access_type" # Update existing rule in current audit rules file with the new permission section sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" "$afile" fi # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions: # # * in the "auditctl" mode of operation insert particular rule each time # (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule), # # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already # searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined # in any of those files and if not, we want it to 
be inserted only once into /etc/audit/rules.d/privileged.rules file) # elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]] then # Current audit rules file's content doesn't contain expected rule for this # SUID/SGID binary yet => append it echo "$expected_rule" >> "$output_audit_file" continue fi done done } scap-security-guide-0.1.39/shared/bash_remediation_functions/populate.sh000066400000000000000000000004741327242345500265260ustar00rootroot00000000000000# The populate function isn't directly used by SSG at the moment but it can be # used for testing purposes and will be used in SSG Testsuite in the future. function populate { # code to populate environment variables needed (for unit testing) if [ -z "${!1}" ]; then echo "$1 is not defined. Exiting." exit fi } scap-security-guide-0.1.39/shared/bash_remediation_functions/replace_or_append.sh000066400000000000000000000061641327242345500303410ustar00rootroot00000000000000# Function to replace configuration setting in config file or add the configuration setting if # it does not exist. # # Expects arguments: # # config_file: Configuration file that will be modified # key: Configuration option to change # value: Value of the configuration option to change # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists # format: The printf-like format string that will be given stripped key and value as arguments, # so e.g. '%s=%s' will result in key=value subsitution (i.e. without spaces around =) # # Optional arugments: # # format: Optional argument to specify the format of how key/value should be # modified/appended in the configuration file. The default is key = value. 
# # Example Call(s): # # With default format of 'key = value': # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' # # With custom key/value format: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' # # With a variable: # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' # function replace_or_append { local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' local config_file=$1 local key=$2 local value=$3 local cce=$4 local format=$5 if [ "$case_insensitive_mode" = yes ]; then sed_case_insensitive_option="i" grep_case_insensitive_option="-i" fi [ -n "$format" ] || format="$default_format" # Check sanity of the input [ $# -ge "3" ] || { echo "Usage: replace_or_append [] [printf-like format, default is '$default_format']" >&2; exit 1; } # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. # Otherwise, regular sed command will do. sed_command=('sed' '-i') if test -L "$config_file"; then sed_command+=('--follow-symlinks') fi # Test that the cce arg is not empty or does not equal @CCENUM@. # If @CCENUM@ exists, it means that there is no CCE assigned. if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then cce="CCE-${cce}" else cce="CCE" fi # Strip any search characters in the key arg so that the key can be replaced without # adding any search characters to the config file. stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") # shellcheck disable=SC2059 printf -v formatted_output "$format" "$stripped_key" "$value" # If the key exists, change it. Otherwise, add it to the config_file. # We search for the key string followed by a word boundary (matched by \>), # so if we search for 'setting', 'setting2' won't match. 
if grep -q $grep_case_insensitive_option "${key}\\>" "$config_file"; then "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" else # \n is precaution for case where file ends without trailing newline printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" printf '%s\n' "$formatted_output" >> "$config_file" fi } rhel6_perform_audit_adjtimex_settimeofday_stime_remediation.sh000066400000000000000000000025031327242345500407740ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/bash_remediation_functionssource fix_audit_syscall_rule.sh # Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit # system calls on Red Hat Enterprise Linux 6 OS function rhel6_perform_audit_adjtimex_settimeofday_stime_remediation { # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" # Create expected audit group and audit rule form for particular system call & architecture if [ ${ARCH} = "b32" ] then # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) # so append it to the list of time group system calls to be audited GROUP="\(adjtimex\|settimeofday\|stime\)" FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" elif [ ${ARCH} = "b64" ] then # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) # therefore don't add it to the list of time group system calls to be audited GROUP="\(adjtimex\|settimeofday\)" FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" fi # Perform the remediation itself fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done } 
rhel7_ensure_there_are_servers_in_ntp_compatible_config_file.sh000066400000000000000000000012431327242345500410740ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/bash_remediation_functions# Function ensures that the ntp/chrony config file contains valid server entries # $1: Path to the config file # $2: Comma-separated list of servers function rhel7_ensure_there_are_servers_in_ntp_compatible_config_file { # If invoked with no arguments, exit. This is an intentional behavior. [ $# -gt 1 ] || return 0 [ $# = 2 ] || die "$0 requires zero or exactly two arguments" local _config_file="$1" _servers_list="$2" if ! grep -q '#[[:space:]]*server' "$_config_file"; then for server in $(echo "$_servers_list" | tr ',' '\n') ; do printf '\nserver %s iburst' "$server" >> "$_config_file" done else sed -i 's/#[ \t]*server/server/g' "$_config_file" fi } rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh000066400000000000000000000027231327242345500423210ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/bash_remediation_functionssource fix_audit_syscall_rule.sh # Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit # system calls on Red Hat Enterprise Linux 7 or Fedora OSes function rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation { # Retrieve hardware architecture of the underlying system [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" # Create expected audit group and audit rule form for particular system call & architecture if [ ${ARCH} = "b32" ] then # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) # so append it to the list of time group system calls to be audited GROUP="\(adjtimex\|settimeofday\|stime\)" FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" elif [ ${ARCH} = "b64" ] then # 
stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) # therefore don't add it to the list of time group system calls to be audited GROUP="\(adjtimex\|settimeofday\)" FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" fi # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done } scap-security-guide-0.1.39/shared/bash_remediation_functions/service_command.sh000066400000000000000000000042251327242345500300310ustar00rootroot00000000000000# Function to enable/disable and start/stop services on RHEL and Fedora systems. # # Example Call(s): # # service_command enable bluetooth # service_command disable bluetooth.service # # Using xinetd: # service_command disable rsh.socket xinetd=rsh # function service_command { # Load function arguments into local variables local service_state=$1 local service=$2 local xinetd=$(echo $3 | cut -d'=' -f2) # Check sanity of the input if [ $# -lt "2" ] then echo "Usage: service_command 'enable/disable' 'service_name.service'" echo echo "To enable or disable xinetd services add \'xinetd=service_name\'" echo "as the last argument" echo "Aborting." exit 1 fi # If systemctl is installed, use systemctl command; otherwise, use the service/chkconfig commands if [ -f "/usr/bin/systemctl" ] ; then service_util="/usr/bin/systemctl" else service_util="/sbin/service" chkconfig_util="/sbin/chkconfig" fi # If disable is not specified in arg1, set variables to enable services. # Otherwise, variables are to be set to disable services. if [ "$service_state" != 'disable' ] ; then service_state="enable" service_operation="start" chkconfig_state="on" else service_state="disable" service_operation="stop" chkconfig_state="off" fi # If chkconfig_util is not empty, use chkconfig/service commands. 
if [ "x$chkconfig_util" != x ] ; then $service_util $service $service_operation $chkconfig_util --level 0123456 $service $chkconfig_state else $service_util $service_operation $service $service_util $service_state $service # The service may not be running because it has been started and failed, # so let's reset the state so OVAL checks pass. # Service should be 'inactive', not 'failed' after reboot though. $service_util reset-failed $service fi # Test if local variable xinetd is empty using non-bashism. # If empty, then xinetd is not being used. if [ "x$xinetd" != x ] ; then grep -qi disable /etc/xinetd.d/$xinetd && \ if [ "$service_operation" = 'disable' ] ; then sed -i "s/disable.*/disable = no/gI" /etc/xinetd.d/$xinetd else sed -i "s/disable.*/disable = yes/gI" /etc/xinetd.d/$xinetd fi fi } set_faillock_option_to_value_in_pam_file.sh000066400000000000000000000030221327242345500350550ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/bash_remediation_functionsfunction set_faillock_option_to_value_in_pam_file { # If invoked with no arguments, exit. This is an intentional behavior. [ $# -gt 1 ] || return 0 [ $# -ge 3 ] || die "$0 requires exactly zero, three, or four arguments" [ $# -le 4 ] || die "$0 requires exactly zero, three, or four arguments" local _pamFile="$1" _option="$2" _value="$3" _insert_lines_callback="$4" # pam_faillock.so already present? if grep -q "^auth.*pam_faillock.so.*" "$_pamFile"; then # pam_faillock.so present, is the option present? 
if grep -q "^auth.*[default=die].*pam_faillock.so.*authfail.*$_option=" "$_pamFile"; then # both pam_faillock.so & option present, just correct option to the right value sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\($_option *= *\).*/\1\2$_value/" "$_pamFile" sed -i --follow-symlinks "s/\(^auth.*[default=die].*pam_faillock.so.*authfail.*\)\($_option *= *\).*/\1\2$_value/" "$_pamFile" # pam_faillock.so present, but the option not yet else # append correct option value to appropriate places sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ $_option=$_value/" "$_pamFile" sed -i --follow-symlinks "/^auth.*[default=die].*pam_faillock.so.*authfail.*/ s/$/ $_option=$_value/" "$_pamFile" fi # pam_faillock.so not present yet else test -z "$_insert_lines_callback" || "$_insert_lines_callback" "$_option" "$_value" "$_pamFile" # insert pam_faillock.so preauth & authfail rows with proper value of the option in question fi } scap-security-guide-0.1.39/shared/checks/000077500000000000000000000000001327242345500202075ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/checks/oval/000077500000000000000000000000001327242345500211505ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/checks/oval/account_disable_post_pw_expiration.xml000066400000000000000000000036571327242345500310410ustar00rootroot00000000000000 Set Accounts to Expire Following Password Expiration multi_platform_rhel The accounts should be configured to expire automatically following password expiration. /etc/default/useradd ^\s*INACTIVE\s*=\s*(\d+)\s*$ 1 -1 scap-security-guide-0.1.39/shared/checks/oval/account_unique_name.xml000066400000000000000000000062051327242345500257170ustar00rootroot00000000000000 Set All Accounts To Have Unique Names multi_platform_all All accounts on the system should have unique names for proper accountability. 
(tail of the preceding check)  /etc/passwd  ^([^:]+):.*$  1  variable_count_of_all_usernames_from_etc_passwd

shared/checks/oval/accounts_have_homedir_login_defs.xml
Ensure new users receive home directories  [multi_platform_rhel]
CREATE_HOME should be enabled
  /etc/login.defs  ^[\s]*(?i)CREATE_HOME(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$  1

shared/checks/oval/accounts_max_concurrent_login_sessions.xml
Set Maximum Number of Concurrent Login Sessions Per User  [multi_platform_rhel, multi_platform_wrlinux]
The maximum number of concurrent login sessions per user should meet minimum requirements.
  /etc/security/limits.conf  ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$  1
  /etc/security/limits.d  ^.*\.conf$  ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$  1
  /etc/security/limits.d  ^.*\.conf$  ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins  1

shared/checks/oval/accounts_maximum_age_login_defs.xml
Set Password Expiration Parameters  [multi_platform_all]
The maximum password age policy should meet minimum requirements.
  /etc/login.defs  .*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n  1  variable_last_pass_max_days_instance_value

shared/checks/oval/accounts_minimum_age_login_defs.xml
Set Password Expiration Parameters  [multi_platform_all]
The minimum password age policy should be set appropriately.
  /etc/login.defs  .*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n  1  variable_last_pass_min_days_instance_value

shared/checks/oval/accounts_no_uid_except_zero.xml
UID 0 Belongs Only To Root  [multi_platform_all]
Only the root account should be assigned a user id of 0.
  /etc/passwd  ^(?!root:)[^:]*:[^:]*:0  1

shared/checks/oval/accounts_password_all_shadowed.xml
All Password Hashes Shadowed  [multi_platform_all]
All password hashes should be shadowed.
  username  .*    password field  x|\*

shared/checks/oval/accounts_password_minlen_login_defs.xml
Set Password Minimum Length  [multi_platform_all]
The password minimum length should be set appropriately.
  /etc/login.defs  .*\n[^#]*(PASS_MIN_LEN\s+\d+)\s*\n  1  variable_last_pass_min_len_instance_value

shared/checks/oval/accounts_password_pam_dcredit.xml
Set Password dcredit Requirements  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The password dcredit should meet minimum requirements
  /etc/security/pwquality.conf  ^dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)  1  1

shared/checks/oval/accounts_password_pam_difok.xml
Set Password difok Requirements  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The password difok should meet minimum requirements
  /etc/security/pwquality.conf  ^difok[\s]*=[\s]*(\d+)(?:[\s]|$)  1  1

shared/checks/oval/accounts_password_pam_lcredit.xml
Set Password lcredit Requirements  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The password lcredit should meet minimum requirements
  /etc/security/pwquality.conf  ^lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)  1  1

shared/checks/oval/accounts_password_pam_maxclassrepeat.xml
Set Password maxclassrepeat Requirements  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The password maxclassrepeat should meet minimum requirements using pam_pwquality
  /etc/security/pwquality.conf  ^maxclassrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$)  1

shared/checks/oval/accounts_password_pam_maxrepeat.xml
Set Password maxrepeat Requirements  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The password maxrepeat should meet minimum requirements using pam_pwquality
  /etc/security/pwquality.conf  ^maxrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$)  1

shared/checks/oval/accounts_password_pam_minclass.xml
Set Password minclass Requirements  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The password minclass should meet the minimum requirements
  /etc/security/pwquality.conf  ^minclass[\s]*=[\s]*(-?\d+)(?:[\s]|$)  1  1

shared/checks/oval/accounts_password_pam_minlen.xml
Set Password minlen Requirements  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The password minlen should meet minimum requirements
  /etc/security/pwquality.conf  ^minlen[\s]*=[\s]*(-?\d+)(?:[\s]|$)  1  1

shared/checks/oval/accounts_password_pam_ocredit.xml
Set Password ocredit Requirements  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The password ocredit should meet minimum requirements
  /etc/security/pwquality.conf  ^ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)  1  1

shared/checks/oval/accounts_password_pam_pwquality.xml
Check pam_pwquality Existence in system-auth  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Check that pam_pwquality.so exists in system-auth
  /etc/pam.d/system-auth  ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$  1

shared/checks/oval/accounts_password_pam_retry.xml
Set Password retry Requirements  [multi_platform_fedora, multi_platform_rhel, multi_platform_rhel-osp]
The password retry should meet minimum requirements
  /etc/pam.d/system-auth  ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_cracklib\.so.*retry=([0-9]*).*$  1
  /etc/pam.d/system-auth  ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$  1

shared/checks/oval/accounts_password_pam_ucredit.xml
Set Password ucredit Requirements  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The password ucredit should meet minimum requirements
  /etc/security/pwquality.conf  ^ucredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)  1  1

shared/checks/oval/accounts_password_pam_unix_remember.xml
Limit Password Reuse  [multi_platform_rhel, multi_platform_fedora]
The passwords to remember should be set correctly.
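The login.defs and pwquality.conf checks above all reduce to the same two operations: take the last uncommented definition of a key (the greedy `.*\n` prefix in the PASS_* patterns is there to select the final occurrence, which is how shadow-utils and libpwquality resolve repeated keys: later lines override earlier ones) and compare it with a profile threshold. For the pwquality credit options, a negative value means that many characters of the class are required, while a positive value is only a length bonus, so the usual policy requires dcredit, ucredit, lcredit and ocredit to be at most -1. The Python below is an added example, not code from the page or from the scap-security-guide project; the thresholds in LOGIN_DEFS_POLICY and PWQUALITY_POLICY and both sample files are constructed assumptions (in SSG the thresholds come from XCCDF variables).

```python
import re

# Constructed sample /etc/login.defs (not from the page). PASS_MAX_DAYS appears
# three times: two live definitions and one commented out; the effective value
# is the last uncommented one (45), as shadow-utils applies later lines last.
LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
CREATE_HOME     yes
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
PASS_MAX_DAYS   45
#PASS_MAX_DAYS  30
PASS_MIN_DAYS   1
"""

# Constructed sample /etc/security/pwquality.conf (not from the page).
PWQUALITY_CONF = """\
# /etc/security/pwquality.conf (constructed sample)
minlen = 15
dcredit = -1
ucredit = 1
lcredit = -1
ocredit = -1
difok = 8
minclass = 4
maxrepeat = 3
maxclassrepeat = 4
"""

# Thresholds are assumptions for this example; in SSG they are XCCDF variables.
LOGIN_DEFS_POLICY = {
    "PASS_MAX_DAYS": lambda v: v <= 60,
    "PASS_MIN_DAYS": lambda v: v >= 1,
    "PASS_MIN_LEN":  lambda v: v >= 15,
    "PASS_WARN_AGE": lambda v: v >= 7,
}
# A negative credit means "at least N characters of this class are required";
# a positive credit is only a length bonus, so the class may be absent.
PWQUALITY_POLICY = {
    "minlen":         lambda v: v >= 15,
    "dcredit":        lambda v: v <= -1,
    "ucredit":        lambda v: v <= -1,
    "lcredit":        lambda v: v <= -1,
    "ocredit":        lambda v: v <= -1,
    "difok":          lambda v: v >= 8,
    "minclass":       lambda v: v >= 4,
    "maxrepeat":      lambda v: 1 <= v <= 3,
    "maxclassrepeat": lambda v: 1 <= v <= 4,
}


def login_defs_value(text, key):
    """Last uncommented 'KEY <int>' line, or None. A leading '#' keeps a line
    from matching because KEY is anchored at the start of the line."""
    pat = re.compile(r"^[ \t]*" + re.escape(key) + r"[ \t]+(\d+)[ \t]*$", re.M)
    found = pat.findall(text)
    return int(found[-1]) if found else None


def pwquality_value(text, key):
    """Last 'key = <int>' line (same shape as the OVAL patterns), or None."""
    pat = re.compile(r"^[ \t]*" + re.escape(key) + r"[ \t]*=[ \t]*(-?\d+)(?:\s|$)", re.M)
    found = pat.findall(text)
    return int(found[-1]) if found else None


def create_home_enabled(text):
    """CREATE_HOME yes: case-insensitive keyword, optional trailing comment."""
    return re.search(r"^[ \t]*(?i:CREATE_HOME)[ \t]+yes[ \t]*(?:#.*)?$", text, re.M) is not None


def check_login_defs(text):
    """{key: (effective value, passed)} for every login.defs rule."""
    results = {}
    for key, ok in LOGIN_DEFS_POLICY.items():
        value = login_defs_value(text, key)
        results[key] = (value, value is not None and ok(value))
    enabled = create_home_enabled(text)
    results["CREATE_HOME"] = ("yes" if enabled else None, enabled)
    return results


def check_pwquality(text):
    """{key: (effective value, passed)} for every pwquality.conf rule."""
    results = {}
    for key, ok in PWQUALITY_POLICY.items():
        value = pwquality_value(text, key)
        results[key] = (value, value is not None and ok(value))
    return results


if __name__ == "__main__":
    for name, report in (("login.defs", check_login_defs(LOGIN_DEFS)),
                         ("pwquality.conf", check_pwquality(PWQUALITY_CONF))):
        for key, (value, passed) in report.items():
            print(f"{name:15} {key:15} {str(value):>6}  {'pass' if passed else 'FAIL'}")
```

Run against the samples, PASS_MIN_LEN (5) and ucredit (+1, a bonus rather than a requirement) are the two failures; PASS_MAX_DAYS resolves to 45, not to the commented-out 30 or the earlier 99999.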
  /etc/pam.d/system-auth  ^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$  1
  /etc/pam.d/system-auth  ^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*remember=([0-9]*).*$  1

shared/checks/oval/accounts_password_warn_age_login_defs.xml
Set Password Expiration Parameters  [multi_platform_all]
The password expiration warning age should be set appropriately.
  /etc/login.defs  .*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n  1  variable_last_pass_warn_age_instance_value

shared/checks/oval/accounts_passwords_pam_faillock_deny.xml
Lock out account after failed login attempts  [multi_platform_all]
The number of allowed failed logins should be set correctly. (The repeat count inside { } in the two pam_unix(?:...) patterns is a variable reference.)
  /etc/pam.d/system-auth  [\n][\s]*auth[\s]+\[.*default=([0-9]+).*\][\s]+pam_unix\.so  1
  /etc/pam.d/system-auth  1  pam_unix(?:.*[\n](?:.*[\n]){ })(?:.*[\n])*auth.*pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
  /etc/pam.d/password-auth  [\n][\s]*auth[\s]+\[[^\]]*default=([0-9]+)[^\]]*\][\s]+pam_unix\.so  1
  /etc/pam.d/password-auth  1  pam_unix(?:.*[\n](?:.*[\n]){ })(?:.*[\n])*auth.*pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
  /etc/pam.d/system-auth  [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]  1
  /etc/pam.d/system-auth  [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[^\]]*\]))[^\n]+pam_unix\.so(?:.*[\n])*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[^\n]+deny=([0-9]+)  1
  /etc/pam.d/system-auth  [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]  1
  /etc/pam.d/password-auth  [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]  1
  /etc/pam.d/password-auth  [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[^\]]*\]))[\s]+pam_unix\.so(?:.*[\n])*[^\n]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)  1
  /etc/pam.d/password-auth  [\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]  1

shared/checks/oval/accounts_passwords_pam_faillock_interval.xml
Lock out account after failed login attempts  [multi_platform_rhel]
The fail_interval within which failed logins are counted should be set correctly.
  /etc/pam.d/system-auth  ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$  1
  /etc/pam.d/system-auth  ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$  1
  /etc/pam.d/password-auth  ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$  1
  /etc/pam.d/password-auth  ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$  1

shared/checks/oval/accounts_passwords_pam_faillock_unlock_time.xml
Lock out account after failed login attempts  [multi_platform_rhel, multi_platform_fedora]
The unlock_time after which a locked account is released should be set correctly.
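The faillock, pwhistory and pwquality patterns above encode ordering as well as values: pam_faillock preauth must come before pam_unix in the auth stack, the [default=die] authfail line after it, and account pam_faillock before account pam_unix; otherwise failures are either never counted (authfail never reached because pam_unix is sufficient) or never enforced (preauth after pam_unix lets an already-locked account through). The Python below is an added example, not the project's code: it parses pam.d stacks into records and applies those constraints for one parameter at a time. The two stacks and the thresholds deny_ok, unlock_ok and interval_ok (deny at most 3, unlock_time at least 900 seconds or "never", fail_interval at least 900) are constructed assumptions; SSG takes the values from XCCDF variables.

```python
import re
from collections import namedtuple

PamLine = namedtuple("PamLine", "type control module args")

# Constructed /etc/pam.d/system-auth stacks (not from the page). The first has the
# RHEL 7 layout the faillock checks expect; the second places the faillock lines
# after pam_unix, mismatches deny= and sets no remember=.
SYSTEM_AUTH_OK = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=900 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900 fail_interval=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so
"""
SYSTEM_AUTH_BAD = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900
account     required      pam_unix.so
account     required      pam_faillock.so
password    requisite     pam_pwquality.so retry=3
password    sufficient    pam_unix.so sha512 shadow use_authtok
"""

# Thresholds are assumptions for the example (SSG takes them from XCCDF variables).
def deny_ok(v):     return v.isdigit() and int(v) <= 3
def unlock_ok(v):   return v == "never" or (v.isdigit() and int(v) >= 900)
def interval_ok(v): return v.isdigit() and int(v) >= 900

_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """(type, control, module, {arg: value}) per line; a bracketed control such as
    [default=die] stays one token, bare flags (preauth, silent) map to ''."""
    lines = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE.match(line) if line else None
        if not m:
            continue
        typ, control, module, rest = m.groups()
        args = dict(tok.partition("=")[::2] for tok in rest.split())
        lines.append(PamLine(typ, control, module.rsplit("/", 1)[-1], args))
    return lines


def _index(lines, typ, module, flag=None):
    """Position of the first TYP line using MODULE (and carrying FLAG), or None."""
    for i, l in enumerate(lines):
        if l.type == typ and l.module == module and (flag is None or flag in l.args):
            return i
    return None


def check_faillock(lines, param, value_ok):
    """The accounts_passwords_pam_faillock_* constraints for one parameter: preauth
    before pam_unix, [default=die] authfail after it, account-stack order, and PARAM
    present with an acceptable value on both faillock lines. Returns (ok, findings)."""
    findings = []
    pre = _index(lines, "auth", "pam_faillock.so", "preauth")
    unix = _index(lines, "auth", "pam_unix.so")
    fail = _index(lines, "auth", "pam_faillock.so", "authfail")
    if None in (pre, unix, fail):
        return False, ["auth stack lacks pam_faillock preauth, pam_unix or pam_faillock authfail"]
    if not pre < unix < fail:
        findings.append("auth order must be: faillock preauth, pam_unix, faillock authfail")
    if lines[pre].control != "required" or "silent" not in lines[pre].args:
        findings.append("preauth line must be 'required' and carry 'silent'")
    if lines[fail].control != "[default=die]":
        findings.append("authfail line must use [default=die]")
    for role, line in (("preauth", lines[pre]), ("authfail", lines[fail])):
        value = line.args.get(param)
        if value is None or not value_ok(value):
            findings.append(f"{param}={value} on the {role} line is missing or out of policy")
    acc_fl = _index(lines, "account", "pam_faillock.so")
    acc_ux = _index(lines, "account", "pam_unix.so")
    if acc_fl is None or acc_ux is None or acc_fl > acc_ux:
        findings.append("account stack must list pam_faillock.so before pam_unix.so")
    return not findings, findings


def password_stack(lines):
    """remember= (pam_unix sufficient|required, or pam_pwhistory requisite|required)
    and retry= (required|requisite pam_pwquality) from the password stack; None if absent."""
    values = {"remember": None, "retry": None}
    for l in (l for l in lines if l.type == "password"):
        if l.module == "pam_pwquality.so" and l.control in ("required", "requisite"):
            values["retry"] = int(l.args["retry"]) if l.args.get("retry", "").isdigit() else None
        if ((l.module == "pam_unix.so" and l.control in ("sufficient", "required")) or
                (l.module == "pam_pwhistory.so" and l.control in ("requisite", "required"))):
            if l.args.get("remember", "").isdigit():
                values["remember"] = int(l.args["remember"])
    return values


if __name__ == "__main__":
    for name, text in (("ok", SYSTEM_AUTH_OK), ("bad", SYSTEM_AUTH_BAD)):
        stack = parse_pam(text)
        for param, ok in (("deny", deny_ok), ("unlock_time", unlock_ok), ("fail_interval", interval_ok)):
            passed, findings = check_faillock(stack, param, ok)
            print(name, param, "pass" if passed else findings)
        print(name, password_stack(stack))
```

For the broken stack the deny check reports three findings (auth order, deny=5 on authfail, account order); the line-oriented OVAL patterns above express the same ordering through their (?s).*[\n] and (?:.*[\n])* bridges between the faillock and pam_unix lines.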
  /etc/pam.d/system-auth  ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=([a-z0-9]*).*$  1
  /etc/pam.d/system-auth  ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=([a-z0-9]*).*$  1
  /etc/pam.d/password-auth  ^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=([a-z0-9]*).*$  1
  /etc/pam.d/password-auth  ^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=([a-z0-9]*).*$  1

shared/checks/oval/accounts_root_path_dirs_no_write.xml
Write permissions are disabled for group and other in all directories in Root's Path  [multi_platform_all]
Check each directory in root's PATH and make sure it does not grant write permission to group and other.
  PATH  state_accounts_root_path_dirs_wrong_perms  state_accounts_root_path_dirs_symlink  true  true  symbolic link

shared/checks/oval/accounts_tmout.xml
Set Interactive Session Timeout  [multi_platform_rhel]
Checks interactive shell timeout
  /etc/profile  ^[\s]*TMOUT[\s]*=[\s]*(.*)[\s]*$  1
  /etc/profile.d  ^.*\.sh$  ^[\s]*TMOUT[\s]*=[\s]*(.*)[\s]*$  1

shared/checks/oval/accounts_umask_etc_bashrc.xml
Ensure that Users Have Sensible Umask Values set for bash  [multi_platform_rhel, multi_platform_wrlinux]
The default umask for users of the bash shell
  /etc/bashrc  ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*)  1  64  8  var_etc_bashrc_umask_as_number

shared/checks/oval/accounts_umask_etc_csh_cshrc.xml
Ensure that Users Have Sensible Umask Values set for csh  [multi_platform_rhel, multi_platform_wrlinux]
The default umask for users of the csh shell
  /etc/csh.cshrc  ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*)  1  64  8  var_etc_csh_cshrc_umask_as_number

shared/checks/oval/accounts_umask_etc_login_defs.xml
Ensure that Users Have Sensible Umask Values in /etc/login.defs  [multi_platform_rhel, multi_platform_wrlinux]
The default umask for all users specified in /etc/login.defs
  /etc/login.defs  ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*)  1  64  8  var_etc_login_defs_umask_as_number

shared/checks/oval/accounts_umask_etc_profile.xml
Ensure that Users Have Sensible Umask Values in /etc/profile  [multi_platform_rhel, multi_platform_wrlinux]
The default umask for all users should be set correctly
  /etc/profile  ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*)  1  64  8  var_etc_profile_umask_as_number

shared/checks/oval/aide_build_database.xml
Aide Database Must Exist  [multi_platform_rhel, multi_platform_fedora]
The aide database must be initialized.
  /etc/aide.conf  ^@@define[\s]DBDIR[\s]+(/.*)$  1
  /etc/aide.conf  ^database_out=file:@@{DBDIR}/([a-z.]+)$  1
  /etc/aide.conf  ^database=file:@@{DBDIR}/([a-z.]+)$  1
  /  /

shared/checks/oval/aide_periodic_cron_checking.xml
Configure Periodic Execution of AIDE  [multi_platform_rhel]
By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.
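The four accounts_umask_* checks above capture the token after UMASK (the pattern is case-insensitive for the keyword and stops at whitespace or '#') and treat it as an octal number. The Python below is an added example, not the project's code, doing the same for the same four files; it then compares masks bitwise rather than by magnitude, because a umask is a set of cleared permission bits and a numeric comparison would accept 0100 as "at least 077" although 0100 leaves group and other fully open. REQUIRED_UMASK and the four file contents are constructed assumptions (SSG takes the required mask from an XCCDF variable), and the example checks every umask line in a file rather than only the first instance, which is stricter than the OVAL objects above.

```python
import re

# Assumption for the example: the required mask (SSG takes it from an XCCDF variable).
REQUIRED_UMASK = 0o077

# Constructed file contents (not from the page), one per accounts_umask_* check.
# /etc/bashrc is only half remediated: its first umask is still 002.
SAMPLES = {
    "/etc/bashrc":     "    umask 002\nif [ $UID -gt 199 ]; then\n    umask 077\nfi\n",
    "/etc/csh.cshrc":  "# umask 077\numask 022\n",
    "/etc/login.defs": "UMASK\t\t077\n",
    "/etc/profile":    "umask 027   # group may read\n",
}

# Same shape as the OVAL pattern: optional indent, case-insensitive UMASK, then the
# next token up to whitespace or '#'. A line that starts with '#' never matches.
UMASK_RE = re.compile(r"^[ \t]*(?i:umask)[ \t]+([^#\s]*)", re.M)


def umask_values(text):
    """Every umask setting in TEXT as an int parsed base 8; tokens that are not
    octal (symbolic masks such as u=rwx,g=,o=) become None so they fail closed."""
    values = []
    for token in UMASK_RE.findall(text):
        try:
            values.append(int(token, 8))
        except ValueError:
            values.append(None)
    return values


def umask_ok(value, required=REQUIRED_UMASK):
    """VALUE is acceptable when it clears every bit REQUIRED clears, i.e. REQUIRED's
    bits are a subset of VALUE's. 0o177 passes for 0o077; 0o027 and 0o100 do not."""
    return value is not None and (value & required) == required


def check_file(text, required=REQUIRED_UMASK):
    """True when the file sets umask at least once and every setting satisfies the
    policy (a file with no umask line fails, as a missing instance fails in OVAL)."""
    values = umask_values(text)
    return bool(values) and all(umask_ok(v, required) for v in values)


def report(samples=SAMPLES, required=REQUIRED_UMASK):
    """{path: (masks found, as zero-padded octal strings, passed)} per file."""
    return {path: ([None if v is None else f"{v:03o}" for v in umask_values(text)],
                   check_file(text, required))
            for path, text in samples.items()}


if __name__ == "__main__":
    for path, (masks, passed) in report().items():
        print(f"{path:16} {masks}  {'pass' if passed else 'FAIL'}")
```

With these samples only /etc/login.defs passes; /etc/bashrc fails on its first umask even though the second one is correct, which is exactly the case a first-instance-only check would also catch, while a file whose first line is correct and second line is loose would slip past a first-instance check and is caught here.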
  /etc/crontab  ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$  1
  /etc/cron.d  ^.*$  ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$  1
  /var/spool/cron/root  ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*\*)|@(hourly|daily|weekly|monthly))[\s]*root[\s]*/usr/sbin/aide[\s]*\-\-check.*$  1
  /etc/cron.(daily|weekly|monthly)  ^.*$  ^\s*/usr/sbin/aide[\s]*\-\-check.*$  1

shared/checks/oval/aide_scan_notification.xml
Configure Notification of Post-AIDE Scan Details  [multi_platform_rhel]
AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
  /etc/crontab  ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$  1
  /var/spool/cron/root  ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$  1
  /etc/cron.(d|daily|weekly|monthly)  ^.*$  ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$  1

shared/checks/oval/aide_use_fips_hashes.xml
Configure AIDE to Use FIPS 140-2 for Validating Hashes  [multi_platform_rhel]
AIDE should be configured to use the FIPS 140-2 cryptographic hashes.
  /etc/aide.conf  ^[A-Z]*[\s]*=[\s]*.*(sha1|rmd160|sha256|whirlpool|tiger|haval|gost|crc32).*$  0
  /etc/aide.conf  ^[A-Z]*[\s]*=[\s]*([a-z0-9\+]*)$  1  ^.*sha512.*$

shared/checks/oval/aide_verify_acls.xml
Configure AIDE to Verify Access Control Lists (ACLs)  [multi_platform_rhel]
AIDE should be configured to verify Access Control Lists (ACLs).
  /etc/aide.conf  ^(?!ALLXTRAHASHES)[A-Z]*[\s]*=[\s]*([a-z0-9\+]*)$  1  ^.*acl.*$

shared/checks/oval/aide_verify_ext_attributes.xml
Configure AIDE to Verify Extended Attributes  [multi_platform_rhel]
AIDE should be configured to verify extended file attributes.
  /etc/aide.conf  ^(?!ALLXTRAHASHES)[A-Z]*[\s]*=[\s]*([a-z0-9\+]*)$  1  ^.*xattrs.*$

shared/checks/oval/apt_conf_disallow_unauthenticated.xml
Check that no unauthenticated repository is authorized by configuration  [multi_platform_debian, multi_platform_ubuntu]
Accessing a repository should be allowed only when the repository is authenticated.
  /etc/apt/apt.conf  ^[\s]*APT::Get::AllowUnauthenticated(=|[\s]+)(yes|true|True);.*$  1
  ^/etc/apt/apt.conf.d/.*  ^[\s]*APT::Get::AllowUnauthenticated(=|[\s]+)(yes|true|True);.*$  1

shared/checks/oval/apt_sources_list_official.xml
Only official, up-to-date distribution repositories should be used  [multi_platform_debian]
Official distribution repositories contain up-to-date distribution security and functional patches.
  ^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list  ^deb[\s]+http://[a-z\.]+\.debian\.org/debian[\s]+[a-z]+[\s]+main  1
  ^/etc/apt/sources(.d\/[a-zA-Z0-9]+){0,1}.list  ^deb[\s]+http://security\.debian\.org[\s]+[a-z]+/updates[\s]+main  1

shared/checks/oval/audit_rules_auditctl.xml
Test if auditctl is in use for audit rules  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Test if auditctl is in use for audit rules.
  /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/auditctl.*$  1

shared/checks/oval/audit_rules_augenrules.xml
Test if augenrules is enabled for audit rules  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Test if augenrules is enabled for audit rules.
  /usr/lib/systemd/system/auditd.service  ^ExecStartPost=\-\/sbin\/augenrules.*$  1

shared/checks/oval/audit_rules_file_deletion_events.xml
Audit File Deletion Events  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Audit file deletion events.

shared/checks/oval/audit_rules_immutable.xml
Make Audit Configuration Immutable  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The audit rules are made immutable (-e 2), so changing them requires a reboot.
  ^/etc/audit/rules\.d/.*\.rules  ^\-e\s+2\s*$  1
  /etc/audit/audit.rules  ^\-e\s+2\s*$  1

shared/checks/oval/audit_rules_kernel_module_loading.xml
Audit Kernel Module Loading and Unloading  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The audit rules should be configured to log information about kernel module loading and unloading.

shared/checks/oval/audit_rules_kernel_module_loading_create.xml
Audit Kernel Module Loading and Unloading - create_module  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The audit rules should be configured to log information about kernel module loading and unloading.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules, each checked for both patterns:
  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+create_module[\s]+|([\s]+|[,])create_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

shared/checks/oval/audit_rules_kernel_module_loading_delete.xml
Audit Kernel Module Loading and Unloading - delete_module  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The audit rules should be configured to log information about kernel module loading and unloading.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules, each checked for both patterns:
  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

shared/checks/oval/audit_rules_kernel_module_loading_finit.xml
Audit Kernel Module Loading and Unloading - finit_module  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The audit rules should be configured to log information about kernel module loading and unloading.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules, each checked for both patterns:
  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

shared/checks/oval/audit_rules_kernel_module_loading_init.xml
Audit Kernel Module Loading and Unloading - init_module  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The audit rules should be configured to log information about kernel module loading and unloading.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules, each checked for both patterns:
  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

shared/checks/oval/audit_rules_kernel_module_loading_insmod.xml
Audit Kernel Module Loading and Unloading - insmod  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The audit rules should be configured to log information about kernel module loading and unloading.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules:
  ^\-w[\s]+/usr/sbin/insmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$  1

shared/checks/oval/audit_rules_kernel_module_loading_modprobe.xml
Audit Kernel Module Loading and Unloading - modprobe  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The audit rules should be configured to log information about kernel module loading and unloading.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules:
  ^\-w[\s]+/usr/sbin/modprobe[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$  1

shared/checks/oval/audit_rules_kernel_module_loading_rmmod.xml
Audit Kernel Module Loading and Unloading - rmmod  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The audit rules should be configured to log information about kernel module loading and unloading.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules:
  ^\-w[\s]+/usr/sbin/rmmod[\s]+\-p[\s]+\b([raw]*x[raw]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$  1

shared/checks/oval/audit_rules_login_events.xml
Record Attempts to Alter Login and Logout Events  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Audit rules should be configured to log successful and unsuccessful login and logout events.

shared/checks/oval/audit_rules_mac_modification.xml
Record Events that Modify the System's Mandatory Access Controls  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules:
  ^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$  1

shared/checks/oval/audit_rules_media_export.xml
Audit Information Export To Media  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Audit rules that detect the mounting of filesystems should be enabled.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules, each checked for both patterns:
  ^\-a\s+always,exit\s+(\-F\s+arch=b32\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$  1
  ^\-a\s+always,exit\s+(\-F\s+arch=b64\s+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid>=1000\s+\-F\s+auid!=4294967295\s+)(-k[\s]+|-F[\s]+key=)[-\w]+\s*$  1

shared/checks/oval/audit_rules_networkconfig_modification.xml
Record Events that Modify the System's Network Environment  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules, each checked for all four patterns:
  ^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$  1
  ^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$  1
  ^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$  1
  ^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$  1

shared/checks/oval/audit_rules_networkconfig_modification_domainname.xml
Record Events that Modify the System's Network Environment  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules, each checked for both patterns:
  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

shared/checks/oval/audit_rules_networkconfig_modification_hostname.xml
Record Events that Modify the System's Network Environment  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules, each checked for both patterns:
  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
  ^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

shared/checks/oval/audit_rules_privileged_commands.xml
Ensure auditd Collects Information on the Use of Privileged Commands  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Audit rules about the information on the use of privileged commands are enabled.
  /  [a-z]+  state_setuid_or_setgid_set  state_dev_proc_sys_dirs  true  true  ^\/(dev|proc|sys)\/.*$  variable_count_of_suid_sgid_binaries_on_system
  ^/etc/audit/rules\.d/.*\.rules  ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>=1000 -F auid!=4294967295[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1  state_proper_audit_rule_but_for_unprivileged_command
  /etc/audit/audit.rules  ^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>=1000 -F auid!=4294967295[\s]+(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1  state_proper_audit_rule_but_for_unprivileged_command

shared/checks/oval/audit_rules_session_events.xml
Record Attempts to Alter Process and Session Initiation Information  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Audit rules should capture information about session initiation.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules, each checked for all three patterns:
  ^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$  1
  ^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$  1
  ^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$  1

shared/checks/oval/audit_rules_sysadmin_actions.xml
Audit System Administrator Actions  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Audit actions taken by system administrators on the system.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules:
  ^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$  1

shared/checks/oval/audit_rules_system_shutdown.xml
Shutdown System When Auditing Failures Occur  [Red Hat Enterprise Linux 7, multi_platform_fedora]
The system will shut down when auditing fails.
  ^/etc/audit/rules\.d/.*\.rules  ^\-f\s+2\s*$  1
  /etc/audit/audit.rules  ^\-f\s+2\s*$  1

shared/checks/oval/audit_rules_time_adjtimex.xml
Record Attempts to Alter Time Through Adjtimex  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Record attempts to alter time through adjtimex.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules, each checked for both patterns:
  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

shared/checks/oval/audit_rules_time_clock_settime.xml
Record Attempts to Alter Time Through Clock_settime  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Record attempts to alter time through clock_settime.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules, each checked for both patterns:
  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$  1
  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$  1

shared/checks/oval/audit_rules_time_settimeofday.xml
Record Attempts to Alter Time Through Settimeofday  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Record attempts to alter time through settimeofday.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules, each checked for both patterns:
  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1
  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

shared/checks/oval/audit_rules_time_stime.xml
Record Attempts to Alter Time Through Stime  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Record attempts to alter time through stime. Note that on 64-bit architectures the stime system call is not defined in the audit system calls lookup table, so only the b32 rule is required.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules:
  ^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

shared/checks/oval/audit_rules_time_watch_localtime.xml
Record Attempts to Alter Time Through the Localtime File  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Record attempts to alter time through /etc/localtime.
  ^/etc/audit/rules\.d/.*\.rules and /etc/audit/audit.rules:
  ^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$  1

shared/checks/oval/audit_rules_unsuccessful_file_modification.xml
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.

shared/checks/oval/audit_rules_usergroup_modification.xml
Audit User/Group Modification  [Red Hat Enterprise Linux 7, multi_platform_fedora]
Audit user/group modification.
  ^/etc/audit/rules\.d/.*\.rules:
  ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$  1
  ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$  1
  ^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$  1
  ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$  1
  ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$  1
  /etc/audit/audit.rules:
  ^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$  1
  ^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$  1
  /etc/audit/audit.rules
^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 /etc/audit/audit.rules ^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/auditd_audispd_syslog_plugin_activated.xml000066400000000000000000000025571327242345500316700ustar00rootroot00000000000000 The syslog Plugin Of the Audit Event Multiplexor (audispd) Is Activated multi_platform_all active setting in /etc/audisp/plugins.d/syslog.conf is set to 'yes' /etc/audisp/plugins.d/syslog.conf ^[ ]*active[ ]+=[ ]+yes[ ]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/auditd_conf_log_group_not_root.xml000066400000000000000000000023141327242345500301510ustar00rootroot00000000000000 'log_group' Not Set To 'root' In /etc/audit/auditd.conf multi_platform_all Verify 'log_group' is not set to 'root' in /etc/audit/auditd.conf. 
/etc/audit/auditd.conf ^[ ]*log_group[ ]+=[ ]+root[ ]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/auditd_data_disk_error_action.xml000066400000000000000000000033131327242345500277150ustar00rootroot00000000000000 Auditd Action to Take When Disk Errors multi_platform_all disk_error_action setting in /etc/audit/auditd.conf is set to a certain action /etc/audit/auditd.conf ^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/auditd_data_disk_full_action.xml000066400000000000000000000033001327242345500275220ustar00rootroot00000000000000 Auditd Action to Take When Disk Is Full multi_platform_all disk_full_action setting in /etc/audit/auditd.conf is set to a certain action /etc/audit/auditd.conf ^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/auditd_data_retention_action_mail_acct.xml000066400000000000000000000033771327242345500315670ustar00rootroot00000000000000 Auditd Email Account to Notify Upon Action multi_platform_all action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account /etc/audit/auditd.conf ^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/auditd_data_retention_admin_space_left_action.xml000066400000000000000000000035501327242345500331210ustar00rootroot00000000000000 Auditd Action to Take When Disk is Low on Space multi_platform_all admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action /etc/audit/auditd.conf ^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/auditd_data_retention_flush.xml000066400000000000000000000032301327242345500274230ustar00rootroot00000000000000 Auditd priority for flushing data to disk multi_platform_rhel The setting for flush in /etc/audit/auditd.conf /etc/audit/auditd.conf ^[ ]*flush[ ]+=[ ]+(\S+)[ ]*$ 1 
scap-security-guide-0.1.39/shared/checks/oval/auditd_data_retention_max_log_file.xml000066400000000000000000000033311327242345500307310ustar00rootroot00000000000000 Auditd Maximum Log File Size multi_platform_all max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value /etc/audit/auditd.conf ^[ ]*max_log_file[ ]+=[ ]+(\d+)[ ]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/auditd_data_retention_max_log_file_action.xml000066400000000000000000000035001327242345500322640ustar00rootroot00000000000000 Auditd Action to Take When Maximum Log Size Reached multi_platform_all max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action /etc/audit/auditd.conf ^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/auditd_data_retention_num_logs.xml000066400000000000000000000032701327242345500301310ustar00rootroot00000000000000 Auditd Maximum Number of Logs to Retain multi_platform_all num_logs setting in /etc/audit/auditd.conf is set to at least a certain value /etc/audit/auditd.conf ^[ ]*num_logs[ ]+=[ ]+(\d+)[ ]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/auditd_data_retention_space_left.xml000066400000000000000000000033341327242345500304140ustar00rootroot00000000000000 Configure auditd space_left on Low Disk Space multi_platform_all space_left setting in /etc/audit/auditd.conf is set to at least a certain value /etc/audit/auditd.conf ^[\s]*space_left[\s]+=[\s]+(\d+)[\s]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/auditd_data_retention_space_left_action.xml000066400000000000000000000034501327242345500317500ustar00rootroot00000000000000 Auditd Action to Take When Disk Starting to Run Low on Space multi_platform_all space_left_action setting in /etc/audit/auditd.conf is set to a certain action /etc/audit/auditd.conf ^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$ 1 
scap-security-guide-0.1.39/shared/checks/oval/banner_etc_issue.xml000066400000000000000000000023051327242345500252020ustar00rootroot00000000000000 /etc/issue 1 scap-security-guide-0.1.39/shared/checks/oval/bootloader_audit_argument.xml000066400000000000000000000052151327242345500271170ustar00rootroot00000000000000 Enable Auditing for Processes Which Start Prior to the Audit Daemon Red Hat Enterprise Linux 7 multi_platform_fedora Look for argument audit=1 in the kernel line in /etc/default/grub. /etc/default/grub ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ 1 ^.*audit=1.*$ scap-security-guide-0.1.39/shared/checks/oval/bootloader_disable_recovery_set_to_true.xml000066400000000000000000000032451327242345500320450ustar00rootroot00000000000000 Verify GRUB_DISABLE_RECOVERY Set to true Red Hat Enterprise Linux 7 multi_platform_fedora GRUB_DISABLE_RECOVERY set to 'true' in /etc/default/grub /etc/default/grub ^\s*GRUB_DISABLE_RECOVERY=(.*)$ 1 ^true|"true"$ scap-security-guide-0.1.39/shared/checks/oval/bootloader_nousb_argument.xml000066400000000000000000000027751327242345500271470ustar00rootroot00000000000000 Disable Kernel Support for USB via Bootloader Configuration Red Hat Enterprise Linux 7 multi_platform_fedora Look for 'nousb' argument in the kernel line in /etc/default/grub /etc/default/grub ^\s*GRUB_CMDLINE_LINUX="(.*)"$ 1 ^.*nousb.*$ scap-security-guide-0.1.39/shared/checks/oval/bootloader_password.xml000066400000000000000000000065571327242345500257630ustar00rootroot00000000000000 Set Boot Loader Password Red Hat Enterprise Linux 7 multi_platform_fedora The grub2 boot loader should have password protection enabled. 
/boot/grub2/grub.cfg /boot/grub2/grub.cfg ^[\s]*set[\s]+superusers=\"(?i)(?!root|admin|administrator)(?-i).*\"$ 1 /boot/grub2/user.cfg ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ 1 /boot/grub2/grub.cfg ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ 1 scap-security-guide-0.1.39/shared/checks/oval/bootloader_uefi_password.xml000066400000000000000000000073031327242345500267610ustar00rootroot00000000000000 Set the UEFI Boot Loader Password Red Hat Enterprise Linux 7 multi_platform_fedora The UEFI grub2 boot loader should have password protection enabled. ^/boot/efi/EFI/(redhat|fedora)/grub.cfg ^/boot/efi/EFI/(redhat|fedora)/grub.cfg ^[\s]*set[\s]+superusers=\"(?i)(?!root|admin|administrator)(?-i).*\"$ 1 /boot/efi/EFI/(redhat|fedora)/user.cfg ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ 1 /boot/efi/EFI/(redhat|fedora)/grub.cfg ^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$ 1 scap-security-guide-0.1.39/shared/checks/oval/chronyd_or_ntpd_set_maxpoll.xml000066400000000000000000000107261327242345500275020ustar00rootroot00000000000000 Configure Time Service Maxpoll Interval Red Hat Enterprise Linux 7 Configure the maxpoll setting in /etc/ntp.conf or chrony.conf to continuously poll the time source servers. /etc/ntp.conf ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) 1 /etc/chrony.conf ^server[\s]+[\S]+.*maxpoll[\s]+(\d+) 1 /etc/ntp.conf ^server[\s]+[\S]+[\s]+(.*) 1 /etc/chrony.conf ^server[\s]+[\S]+[\s]+(.*) 1 maxpoll \d+ scap-security-guide-0.1.39/shared/checks/oval/chronyd_specify_multiple_servers.xml000066400000000000000000000023661327242345500305550ustar00rootroot00000000000000 Specify Multiple Remote chronyd NTP Servers for Time Data Red Hat Enterprise Linux 7 multi_platform_fedora Multiple chronyd NTP Servers for time synchronization should be specified. 
/etc/chrony.conf ^([\s]*server[\s]+.+$){2,}$ 1 scap-security-guide-0.1.39/shared/checks/oval/chronyd_specify_remote_server.xml000066400000000000000000000023371327242345500300300ustar00rootroot00000000000000 Specify a Remote NTP Server for Time Data Red Hat Enterprise Linux 7 multi_platform_fedora A remote NTP Server for time synchronization should be specified (and dependencies are met) /etc/chrony.conf ^[\s]*server[\s]+.+$ 1 scap-security-guide-0.1.39/shared/checks/oval/configure_firewalld_ports.xml000066400000000000000000000011051327242345500271300ustar00rootroot00000000000000 Configure the Firewalld Ports Red Hat Enterprise Linux 7 Configure the firewalld ports to allow approved services to have access to the system. scap-security-guide-0.1.39/shared/checks/oval/cups_disable_browsing.xml000066400000000000000000000043101327242345500262370ustar00rootroot00000000000000 Disable Printer Browsing Entirely if Possible multi_platform_rhel The CUPS print service can be configured to broadcast a list of available printers to the network. Other machines on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing capability, the machine will no longer generate or receive such broadcasts. /etc/cups/cupsd.conf ^[\s]*Browsing[\s]+(?:Off|No) 1 /etc/cups/cupsd.conf ^[\s]*BrowseAllow[\s]+(?:none) 1 scap-security-guide-0.1.39/shared/checks/oval/cups_disable_printserver.xml000066400000000000000000000043541327242345500270000ustar00rootroot00000000000000 Disable Printer Server if Possible multi_platform_rhel By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers, even if they cannot actually print to them. 
To limit print serving to a particular set of users, use the Policy directive. /etc/cups/cupsd.conf ^[\s]*Port[\s]+(\d)+ 1 /etc/cups/cupsd.conf ^[\s]*Listen[\s]+(?:localhost|127\.0\.0\.1|::1):(\d)+ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_banner_enabled.xml000066400000000000000000000044411327242345500271520ustar00rootroot00000000000000 Enable GNOME3 Login Warning Banner Red Hat Enterprise Linux 7 multi_platform_fedora Enable the GNOME3 Login warning banner. /etc/dconf/db/gdm.d/ ^.*$ ^\[org/gnome/login-screen]([^\n]*\n+)+?banner-message-enable=true$ 1 /etc/dconf/db/gdm.d/locks/ ^.*$ ^/org/gnome/login-screen/banner-message-enable$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_disable_automount.xml000066400000000000000000000132071327242345500277510ustar00rootroot00000000000000 Disable GNOME3 Automounting Red Hat Enterprise Linux 7 multi_platform_fedora The system's default desktop environment, GNOME3, will mount devices and removable media (such as DVDs, CDs and USB flash drives) whenever they are inserted into the system. Disable automount and autorun within GNOME3. /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount=false$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/media-handling/automount$ 1 /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/media-handling/automount-open$ 1 /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/media-handling/autorun-never$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_disable_ctrlaltdel_reboot.xml000066400000000000000000000044421327242345500314230ustar00rootroot00000000000000 Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 Red Hat Enterprise Linux 7 multi_platform_fedora Disable the GNOME3 ctrl-alt-del reboot key sequence in GNOME3. 
/etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/settings-daemon/plugins/media-keys]([^\n]*\n+)+?logout=string[\s]''$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/settings-daemon/plugins/media-keys/logout$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_disable_geolocation.xml000066400000000000000000000072601327242345500302230ustar00rootroot00000000000000 Disable Geolocation in GNOME3 Red Hat Enterprise Linux 7 multi_platform_fedora Disable GNOME3 Geolocation for the clock and system. /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/system/location]([^\n]*\n+)+?enabled=false$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/system/location/enabled$ 1 /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/clocks]([^\n]*\n+)+?geolocation=false$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/clocks/geolocation$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_disable_power_settings.xml000066400000000000000000000043651327242345500307770ustar00rootroot00000000000000 Disable Power Settings in GNOME3 Red Hat Enterprise Linux 7 multi_platform_fedora Disable GNOME3 power settings. /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/settings-daemon/plugins/power]([^\n]*\n+)+?active=false$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/settings-daemon/plugins/power/active$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_disable_restart_shutdown.xml000066400000000000000000000047061327242345500313410ustar00rootroot00000000000000 Disable the GNOME3 Login Restart and Shutdown Buttons Red Hat Enterprise Linux 7 multi_platform_fedora Disable the GNOME3 Login GUI Restart and Shutdown buttons to all users on the login screen. 
/etc/dconf/db/gdm.d/ ^.*$ ^\[org/gnome/login-screen]([^\n]*\n+)+?disable-restart-buttons=true$ 1 /etc/dconf/db/gdm.d/locks/ ^.*$ ^/org/gnome/login-screen/disable-restart-buttons$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_disable_thumbnailers.xml000066400000000000000000000050751327242345500304170ustar00rootroot00000000000000 Disable All GNOME3 Thumbnailers Red Hat Enterprise Linux 7 multi_platform_fedora The system's default desktop environment, GNOME3, uses a number of different thumbnailer programs to generate thumbnails for any new or modified content in an opened folder. Disable the execution of these thumbnail applications within GNOME3. /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/thumbnailers]([^\n]*\n+)+?disable-all=true$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/thumbnailers/disable-all$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_disable_user_admin.xml000066400000000000000000000044161327242345500300460ustar00rootroot00000000000000 Disable User Administration in GNOME3 Red Hat Enterprise Linux 7 multi_platform_fedora Disable GNOME3's ability to give users some administrative rights. /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/lockdown]([^\n]*\n+)+?user-administration-disabled=true$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/lockdown/user-administration-disabled$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_disable_user_list.xml000066400000000000000000000044471327242345500277350ustar00rootroot00000000000000 Disable the GNOME3 Login User List Red Hat Enterprise Linux 7 multi_platform_fedora Disable the GNOME3 GUI listing of all known users on the login screen. 
/etc/dconf/db/gdm.d/ ^.*$ ^\[org/gnome/login-screen]([^\n]*\n+)+?disable-user-list=true$ 1 /etc/dconf/db/gdm.d/locks/ ^.*$ ^/org/gnome/login-screen/disable-user-list$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_disable_wifi_create.xml000066400000000000000000000043751327242345500302050ustar00rootroot00000000000000 Disable WIFI Network Connection Creation in GNOME3 Red Hat Enterprise Linux 7 multi_platform_fedora Disable the GNOME3 wireless network creation settings. /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/nm-applet]([^\n]*\n+)+?disable-wifi-create=true$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/nm-applet/disable-wifi-create$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_disable_wifi_notification.xml000066400000000000000000000045051327242345500314230ustar00rootroot00000000000000 Disable WIFI Network Notification in GNOME3 Red Hat Enterprise Linux 7 multi_platform_fedora Disable the GNOME3 wireless network notification. /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/nm-applet]([^\n]*\n+)+?suppress-wireless-networks-available=true$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/nm-applet/suppress-wireless-networks-available$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_enable_smartcard_auth.xml000066400000000000000000000045761327242345500305530ustar00rootroot00000000000000 Enable the GNOME3 Login Smartcard Authentication Red Hat Enterprise Linux 7 multi_platform_fedora Enable smartcard authentication in the GNOME3 Login GUI. /etc/dconf/db/gdm.d/ ^.*$ ^\[org/gnome/login-screen]([^\n]*\n+)+?enable-smartcard-authentication=true$ 1 /etc/dconf/db/gdm.d/locks/ ^.*$ ^/org/gnome/login-screen/enable-smartcard-authentication$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_login_banner_text.xml000066400000000000000000000052611327242345500277350ustar00rootroot00000000000000 Enable GUI Warning Banner Red Hat Enterprise Linux 7 multi_platform_fedora Enable the GUI warning banner. 
/etc/dconf/db/gdm.d/locks/ ^.*$ ^/org/gnome/login-screen/banner-message-text$ 1 /etc/dconf/db/gdm.d/ ^.*$ ^banner-message-text=string[\s]*'*(.*?)'$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_login_retries.xml000066400000000000000000000045161327242345500271030ustar00rootroot00000000000000 Set the GNOME3 Login Number of Failures Red Hat Enterprise Linux 7 multi_platform_fedora Set the GNOME3 number of login failure attempts. /etc/dconf/db/gdm.d/ ^.*$ ^\[org/gnome/login-screen]([^\n]*\n+)+?allowed-failures=3$ 1 /etc/dconf/db/gdm.d/locks/ ^.*$ ^/org/gnome/login-screen/allowed-failures$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_remote_access_credential_prompt.xml000066400000000000000000000045521327242345500326450ustar00rootroot00000000000000 Require Credential Prompting for Remote Access in GNOME3 Red Hat Enterprise Linux 7 multi_platform_fedora Configure GNOME3 to require credential prompting for remote access. /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/Vino]([^\n]*\n+)+?authentication-methods=\['vnc'\]$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/Vino/authentication-methods$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_remote_access_encryption.xml000066400000000000000000000045471327242345500313300ustar00rootroot00000000000000 Require Encryption for Remote Access in GNOME3 Red Hat Enterprise Linux 7 multi_platform_fedora Configure GNOME3 to require encryption for remote access connections. /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/Vino]([^\n]*\n+)+?require-encryption=true$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/Vino/require-encryption$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_screensaver_idle_activation_enabled.xml000066400000000000000000000047501327242345500334460ustar00rootroot00000000000000 Enable GNOME3 Screensaver Idle Activation Red Hat Enterprise Linux 7 multi_platform_fedora Idle activation of the screen saver should be enabled. 
/etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?idle-activation-enabled=true$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/screensaver/idle-activation-enabled$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_screensaver_idle_activation_locked.xml000066400000000000000000000033251327242345500333120ustar00rootroot00000000000000 Ensure Users Cannot Change GNOME3 Screensaver Idle Activation Red Hat Enterprise Linux 7 multi_platform_fedora Idle activation of the screen saver should not be changed by users. /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/screensaver/idle-activation-enabled$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_screensaver_idle_delay.xml000066400000000000000000000077531327242345500307370ustar00rootroot00000000000000 Configure the GNOME3 GUI Screen locking Red Hat Enterprise Linux 7 multi_platform_fedora The allowed period of inactivity before the screensaver is activated. /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/session]([^\n]*\n+)+?idle-delay=uint32[\s][0-9]*$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/session/idle-delay$ 1 /etc/dconf/db/local.d/ ^.*$ ^idle-delay[\s=]*uint32[\s]([^=\s]*) 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_screensaver_lock_delay.xml000066400000000000000000000100211327242345500307300ustar00rootroot00000000000000 Enable GNOME3 Screensaver Lock Delay After Idle Period Red Hat Enterprise Linux 7 multi_platform_fedora Idle activation of the screen lock should be enabled immediately or after a delay. 
/etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-delay=uint32[\s][0-9]*$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/screensaver/lock-delay$ 1 /etc/dconf/db/local.d/ ^.*$ ^lock-delay[\s=]*uint32[\s]([^=\s]*) 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_screensaver_lock_enabled.xml000066400000000000000000000047421327242345500312410ustar00rootroot00000000000000 Enable GNOME3 Screensaver Lock After Idle Period Red Hat Enterprise Linux 7 multi_platform_fedora Idle activation of the screen lock should be enabled. /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?lock-enabled=true$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/screensaver/lock-enabled$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_screensaver_lock_locked.xml000066400000000000000000000032521327242345500311030ustar00rootroot00000000000000 Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period Red Hat Enterprise Linux 7 multi_platform_fedora Idle activation of the screen lock should not be changed by users. /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/screensaver/lock-enabled$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_screensaver_mode_blank.xml000066400000000000000000000051041327242345500307230ustar00rootroot00000000000000 Implement Blank Screensaver Red Hat Enterprise Linux 7 multi_platform_fedora The GNOME3 screensaver should be blank. /etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?picture-uri=string[\s]\'\'$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/screensaver/picture-uri$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_screensaver_user_info.xml000066400000000000000000000046161327242345500306300ustar00rootroot00000000000000 Disable Full User Name on Splash Shield Red Hat Enterprise Linux 7 multi_platform_fedora GNOME3 screen splash shield should not display full name of logged in user. 
/etc/dconf/db/local.d/ ^.*$ ^\[org/gnome/desktop/screensaver]([^\n]*\n+)+?show-full-name-in-top-bar=false$ 1 /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/screensaver/show-full-name-in-top-bar$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_screensaver_user_locks.xml000066400000000000000000000032321327242345500310010ustar00rootroot00000000000000 Ensure Users Cannot Change GNOME3 Screensaver Lock Delay Settings Red Hat Enterprise Linux 7 multi_platform_fedora Ensure that users cannot change GNOME3 screensaver idle and lock settings. /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/screensaver/lock-delay$ 1 scap-security-guide-0.1.39/shared/checks/oval/dconf_gnome_session_idle_user_locks.xml000066400000000000000000000031551327242345500311450ustar00rootroot00000000000000 Ensure Users Cannot Change GNOME3 Session Idle Settings Red Hat Enterprise Linux 7 multi_platform_fedora Ensure that users cannot change GNOME3 session idle settings. /etc/dconf/db/local.d/locks/ ^.*$ ^/org/gnome/desktop/session/idle-delay$ 1 scap-security-guide-0.1.39/shared/checks/oval/dir_perms_etc_httpd_conf.xml000066400000000000000000000031171327242345500267230ustar00rootroot00000000000000 Directory /etc/httpd/conf/ Permissions multi_platform_rhel Directory permissions for /etc/httpd/conf/ should be set to 0750 (or stronger). /etc/httpd/conf false false false false false false false scap-security-guide-0.1.39/shared/checks/oval/dir_perms_var_log_httpd.xml000066400000000000000000000032401327242345500265710ustar00rootroot00000000000000 Directory /var/log/httpd/ Permissions multi_platform_rhel Directory permissions for /var/log/httpd should be set to 0700 (or stronger). 
/var/log/httpd false false false false false false false false false scap-security-guide-0.1.39/shared/checks/oval/dir_perms_world_writable_sticky_bits.xml000066400000000000000000000031101327242345500313600ustar00rootroot00000000000000 Verify that All World-Writable Directories Have Sticky Bits Set multi_platform_rhel multi_platform_ol The sticky bit should be set for all world-writable directories. / state_world_writable_and_not_sticky false true scap-security-guide-0.1.39/shared/checks/oval/dir_perms_world_writable_system_owned.xml000066400000000000000000000033741327242345500315650ustar00rootroot00000000000000 Find world writable directories not owned by a system account Red Hat Enterprise Linux 7 All world writable directories should be owned by a system user. / state_gid_is_user_and_world_writable 1000 true scap-security-guide-0.1.39/shared/checks/oval/directory_permissions_var_log_audit.xml000066400000000000000000000067701327242345500312420ustar00rootroot00000000000000 Verify /var/log/audit Directory Permissions multi_platform_rhel Checks for correct permissions for /var/log/audit. /var/log/audit ^.*$ state_not_mode_0750 /var/log/audit ^.*$ state_not_mode_0700 true true true true true true true true true true true true true true true true true scap-security-guide-0.1.39/shared/checks/oval/disable_ctrlaltdel_burstaction.xml000066400000000000000000000024051327242345500301250ustar00rootroot00000000000000 Disable Ctrl-Alt-Del Burst Action Red Hat Enterprise Linux 7 Configure the CtrlAltDelBurstAction setting in /etc/systemd/system.conf to none to prevent a reboot if Ctrl-Alt-Delete is pressed more than 7 times in 2 seconds. 
/etc/systemd/system.conf ^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$ 1 scap-security-guide-0.1.39/shared/checks/oval/disable_ctrlaltdel_reboot.xml000066400000000000000000000027331327242345500270660ustar00rootroot00000000000000 Disable Ctrl-Alt-Del Reboot Activation Red Hat Enterprise Linux 7 multi_platform_fedora By default, the system will reboot when the Ctrl-Alt-Del key sequence is pressed. /etc/systemd/system/ctrl-alt-del.target /etc/systemd/system/ctrl-alt-del.target /dev/null scap-security-guide-0.1.39/shared/checks/oval/disable_host_auth.xml000066400000000000000000000036271327242345500253630ustar00rootroot00000000000000 Disable Host-Based Authentication multi_platform_rhel SSH host-based authentication should be disabled. /etc/ssh/sshd_config ^[\s]*(?i)HostbasedAuthentication(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$ 1 scap-security-guide-0.1.39/shared/checks/oval/disable_interactive_boot.xml000066400000000000000000000055101327242345500267160ustar00rootroot00000000000000 Verify that Interactive Boot is Disabled Red Hat Enterprise Linux 7 multi_platform_fedora The ability for users to perform interactive startups should be disabled. /etc/default/grub ^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ 1 /etc/default/grub ^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd.confirm_spawn=(?:1|yes|true|on).*$ 1 scap-security-guide-0.1.39/shared/checks/oval/disable_prelink.xml000066400000000000000000000027201327242345500250220ustar00rootroot00000000000000 Disable Prelinking multi_platform_fedora multi_platform_rhel multi_platform_rhel-osp The prelinking feature can interfere with the operation of checksum integrity tools (e.g. AIDE), mitigates the protection provided by ASLR, and requires additional CPU cycles by software upgrades. 
/etc/sysconfig/prelink ^[\s]*PRELINKING=no[\s]* 1 scap-security-guide-0.1.39/shared/checks/oval/disable_users_coredumps.xml000066400000000000000000000070161327242345500266030ustar00rootroot00000000000000 Disable Core Dumps multi_platform_rhel multi_platform_fedora Core dumps for all users should be disabled 0 /etc/security/limits.conf ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) 1 0 /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) 1 0 /etc/security/limits.d ^.*\.conf$ ^[\s]*\*[\s]+(?:hard|-)[\s]+core 1 scap-security-guide-0.1.39/shared/checks/oval/display_login_attempts.xml000066400000000000000000000027271327242345500264600ustar00rootroot00000000000000 Set Last Login/Access Notification Red Hat Enterprise Linux 7 multi_platform_fedora Configure the system to notify users of last login/access using pam_lastlog. /etc/pam.d/postlogin [\n][\s]*session[\s]+\[default=1\][\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*\n[\s]*session[\s]+optional[\s]+pam_lastlog.so[\s\w\d\=]+showfailed[\s\w\d\=]*[\n] 1 scap-security-guide-0.1.39/shared/checks/oval/dovecot_disable_plaintext_auth.xml000066400000000000000000000025751327242345500301420ustar00rootroot00000000000000 Disable Plaintext Authentication in Dovecot Red Hat Enterprise Linux 7 Plaintext authentication of mail clients should be disabled. /etc/dovecot/conf.d/10-auth.conf ^[\s]*disable_plaintext_auth[\s]*=[\s]*yes[\s]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/dovecot_enable_ssl.xml000066400000000000000000000023601327242345500255250ustar00rootroot00000000000000 Enable SSL in Dovecot Red Hat Enterprise Linux 7 SSL capabilities should be enabled for the mail server. 
  check: /etc/dovecot/conf.d/10-ssl.conf ^[\s]*ssl[\s]*=[\s]*(yes|required)[\s]*$ 1
scap-security-guide-0.1.39/shared/checks/oval/enable_dconf_user_profile.xml
  title: Implement Local DB for DConf User Profile
  platforms: Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The DConf User profile should have the local DB configured.
  check: /etc/dconf/profile/user ^user-db:user\nsystem-db:local$ 1
scap-security-guide-0.1.39/shared/checks/oval/enable_ldap_client.xml
  title: Enable the LDAP Client For Use in Authconfig
  platforms: Red Hat Enterprise Linux 7
  description: Enable LDAP in authconfig.
  check: /etc/sysconfig/authconfig ^[\s]*USELDAPAUTH=yes[\s]*$ 1
scap-security-guide-0.1.39/shared/checks/oval/enable_selinux_bootloader.xml
  title: Enable SELinux in the GRUB2 Bootloader"
  platforms: Red Hat Enterprise Linux 7
  description: Check if selinux=0 OR enforcing=0 within the GRUB2 configuration files, fail if found.
  check: /etc/default/grub ^[\s]*GRUB_CMDLINE_LINUX.*(selinux|enforcing)=0.*$ 1
  check: /etc/grub2.cfg ^.*(selinux|enforcing)=0.*$ 1
  check: /etc/grub.d ^.*$ ^.*(selinux|enforcing)=0.*$ 1
scap-security-guide-0.1.39/shared/checks/oval/ensure_gpgcheck_globally_activated.xml
  title: Ensure Yum gpgcheck Globally Activated
  platforms: multi_platform_all
  description: The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation.
  check: /etc/yum.conf ^\s*gpgcheck\s*=\s*1\s*$ 1
  check: /etc/dnf/dnf.conf ^\s*gpgcheck\s*=\s*1\s*$ 1
scap-security-guide-0.1.39/shared/checks/oval/ensure_gpgcheck_never_disabled.xml
  title: Ensure gpgcheck Enabled For All Yum or Dnf Package Repositories
  platforms: multi_platform_fedora, multi_platform_rhel
  description: Ensure all yum or dnf repositories utilize signature checking.
  check: /etc/yum.repos.d .* ^\s*gpgcheck\s*=\s*0\s*$ 1
scap-security-guide-0.1.39/shared/checks/oval/ensure_logrotate_activated.xml
  title: Ensure the logrotate utility performs the automatic rotation of log files on daily basis
  platforms: multi_platform_rhel, multi_platform_debian, multi_platform_ubuntu
  description: The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily
  check: /etc/logrotate.conf (?:daily)*.*(?=[\n][\s]*daily)(.*)$ 1 state_another_rotate_interval_after_daily }[^{]+[\n][\s]*(weekly|monthly|yearly)|[\n][\s]*(weekly|monthly|yearly)[^}]+{
  check: /etc/cron.daily/logrotate ^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$ 1
scap-security-guide-0.1.39/shared/checks/oval/ensure_oracle_gpgkey_installed.xml
  title: Oracle Linux gpg-pubkey Package Installed
  platforms: multi_platform_ol
  description: The Oracle Linux key packages are required to be installed.
  check: gpg-pubkey 53619141 ec551f03
scap-security-guide-0.1.39/shared/checks/oval/ensure_redhat_gpgkey_installed.xml
  title: Red Hat Release and Auxiliary gpg-pubkey Packages Installed
  platforms: multi_platform_rhel
  description: The Red Hat release and auxiliary key packages are required to be installed.
  check: gpg-pubkey 4ae0493b fd431d51 45700c69 2fa658e0 53a7ff4b f4a80eb5 4e0fd3a3 c105b9de
scap-security-guide-0.1.39/shared/checks/oval/file_group_owner_efi_grub2_cfg.xml
  title: File grub.cfg Owned By root Group
  platforms: Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The /boot/efi/EFI/redhat/grub.cfg file should be owned by the root group.
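Worked example (added here; not code from the SCAP Security Guide): the two gpgcheck checks above test /etc/yum.conf (or /etc/dnf/dnf.conf) for gpgcheck=1 and every file under /etc/yum.repos.d for a gpgcheck=0 line. The script below evaluates the setting that actually applies to each repository: a repository section without its own gpgcheck inherits [main], and a section with gpgcheck=0 disables verification for that repository even when [main] says 1. Repository names, file names and URLs are constructed placeholders, and the file contents are passed in as strings so the script runs offline.

```python
import configparser
from typing import Dict, List


def parse_ini(text: str) -> configparser.ConfigParser:
    """yum.conf, dnf.conf and *.repo files are INI files; $releasever-style
    variables must not be expanded, hence interpolation=None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_gpgcheck(main_conf: str, repo_files: Dict[str, str],
                   main_path: str = "/etc/yum.conf") -> List[str]:
    """Return the locations where signature checking is effectively off.

    A repository section without its own gpgcheck inherits [main]; a section
    that sets gpgcheck=0 disables checking for that repository even when
    [main] has gpgcheck=1. Both cases are reported, which is what the two
    OVAL checks above cover between them.
    """
    findings: List[str] = []
    cp = parse_ini(main_conf)
    global_on = cp.has_section("main") and cp.get("main", "gpgcheck", fallback="0").strip() == "1"
    if not global_on:
        findings.append(f"{main_path}:[main]")
    for fname in sorted(repo_files):
        rcp = parse_ini(repo_files[fname])
        for section in rcp.sections():
            raw = rcp.get(section, "gpgcheck", fallback=None)
            effective = global_on if raw is None else raw.strip() == "1"
            if not effective:
                findings.append(f"{fname}:[{section}]")
    return findings


# Constructed sample configuration (hostnames and addresses are placeholders).
SAMPLE_YUM_CONF = "[main]\ngpgcheck=1\ninstallonly_limit=3\n"
SAMPLE_REPOS = {
    "base.repo": "[base]\nname=Base\nbaseurl=https://mirror.example.invalid/base/$releasever\ngpgcheck=1\n",
    "vendor.repo": "[vendor]\nname=Vendor\nbaseurl=https://pkgs.example.invalid/vendor\ngpgcheck=0\n",
    "internal.repo": "[internal]\nname=Internal\nbaseurl=http://10.0.0.5/rpms\n",   # inherits [main]
}

if __name__ == "__main__":
    for where in audit_gpgcheck(SAMPLE_YUM_CONF, SAMPLE_REPOS):
        print("gpgcheck effectively disabled:", where)
```

For dnf hosts pass the contents of /etc/dnf/dnf.conf with main_path="/etc/dnf/dnf.conf"; the repository semantics are the same. A repository that is merely disabled (enabled=0) is still reported, as it is by the OVAL object, because it can be re-enabled per transaction with --enablerepo.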
  check: /boot/efi/EFI/redhat/grub.cfg 0
scap-security-guide-0.1.39/shared/checks/oval/file_group_owner_grub2_cfg.xml
  title: File grub.cfg Owned By root Group
  platforms: Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The grub.cfg file should be owned by the root group. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg
  check: /boot/grub2/grub.cfg 0
scap-security-guide-0.1.39/shared/checks/oval/file_groupowner_etc_group.xml
  title: Verify group who owns 'group' file
  platforms: multi_platform_rhel
  description: The /etc/group file should be owned by the appropriate group.
  check: 0 /etc/group
scap-security-guide-0.1.39/shared/checks/oval/file_groupowner_etc_gshadow.xml
  title: Verify group who owns 'gshadow' file
  platforms: multi_platform_rhel
  description: The /etc/gshadow file should be owned by the appropriate group.
  check: 0 /etc/gshadow
scap-security-guide-0.1.39/shared/checks/oval/file_groupowner_etc_passwd.xml
  title: Verify group who owns 'passwd' file
  platforms: multi_platform_rhel, multi_platform_sle
  description: The /etc/passwd file should be owned by the appropriate group.
  check: 0 /etc/passwd
scap-security-guide-0.1.39/shared/checks/oval/file_owner_etc_group.xml
  title: Verify user who owns 'group' file
  platforms: multi_platform_rhel
  description: The /etc/group file should be owned by the appropriate user.
  check: 0 /etc/group
scap-security-guide-0.1.39/shared/checks/oval/file_owner_etc_gshadow.xml
  title: Verify user who owns 'gshadow' file
  platforms: multi_platform_rhel
  description: The /etc/gshadow file should be owned by the appropriate user.
  check: 0 /etc/gshadow
scap-security-guide-0.1.39/shared/checks/oval/file_owner_etc_passwd.xml
  title: Verify user who owns 'passwd' file
  platforms: multi_platform_rhel, multi_platform_sle
  description: The /etc/passwd file should be owned by the appropriate user.
  check: 0 /etc/passwd
scap-security-guide-0.1.39/shared/checks/oval/file_ownership_binary_dirs.xml
  title: Verify that System Executables Have Root Ownership
  platforms: multi_platform_rhel, multi_platform_fedora
  description: Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, /usr/libexec, and objects therein, are owned by root.
  check: ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec state_owner_binaries_not_root
  check: ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec ^.*$ state_owner_binaries_not_root 0
scap-security-guide-0.1.39/shared/checks/oval/file_ownership_library_dirs.xml
  title: Verify that Shared Library Files Have Root Ownership
  platforms: multi_platform_rhel, multi_platform_fedora
  description: Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are owned by root.
  check: ^\/lib(|64)\/|^\/usr\/lib(|64)\/ state_owner_libraries_not_root
  check: ^\/lib(|64)\/|^\/usr\/lib(|64)\/ ^.*$ state_owner_libraries_not_root 0
scap-security-guide-0.1.39/shared/checks/oval/file_ownership_var_log_audit.xml
  title: Verify /var/log/audit Ownership
  platforms: multi_platform_all
  description: Checks that all /var/log/audit files and directories are owned by the root user and group.
  check: /var/log/audit state_owner_not_root_root_var_log_audit /var/log/audit ^.*$ state_owner_not_root_root_var_log_audit 0 0
  check: /var/log/audit state_owner_not_root_var_log_audit-non_root /var/log/audit ^.*$ state_owner_not_root_var_log_audit-non_root 0 0
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_binary_dirs.xml
  title: Verify that System Executables Have Restrictive Permissions
  platforms: multi_platform_rhel, multi_platform_fedora
  description: Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin, and /usr/libexec are not group-writable or world-writable.
  check: ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec ^.*$ state_perms_binary_files_nogroupwrite_noworldwrite state_perms_binary_files_symlink true true symbolic link
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_efi_grub2_cfg.xml
  title: File /boot/efi/EFI/redhat/grub.cfg Permissions
  platforms: Red Hat Enterprise Linux 7, multi_platform_fedora
  description: File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 0700 (or stronger).
  check: /boot/efi/EFI/redhat/grub.cfg false false false false false false
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_etc_group.xml
  title: Verify permissions on 'group' file
  platforms: multi_platform_rhel
  description: File permissions for /etc/group should be set correctly.
  check: false false false false false false false false /etc/group
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_etc_gshadow.xml
  title: Verify /etc/gshadow Permissions
  platforms: multi_platform_rhel
  description: This test makes sure that /etc/gshadow is owned by 0, group owned by 0, and has mode 0000. If the target file or directory has an extended ACL then it will fail the mode check.
  check: /etc/gshadow 0 0 false false false false false false false false false false false false
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_etc_passwd.xml
  title: Verify /etc/passwd Permissions
  platforms: multi_platform_rhel, multi_platform_sle
  description: This test makes sure that /etc/passwd is owned by 0, group owned by 0, and has mode 0644 (or stronger). If the target file or directory has an extended ACL then it will fail the mode check.
  check: /etc/passwd 0 0 false false false false false false false false
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_etc_shadow.xml
  title: Verify /etc/shadow Permissions
  platforms: multi_platform_rhel, multi_platform_ol
  description: This test makes sure that /etc/shadow is owned by 0, group owned by 0, and has mode 0000. If the target file or directory has an extended ACL then it will fail the mode check.
  check: /etc/shadow 0 0 false false false false false false false false false false false false
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_grub2_cfg.xml
  title: File grub.cfg Permissions
  platforms: Red Hat Enterprise Linux 7, multi_platform_fedora
  description: File permissions for grub.cfg should be set to 0600 (or stronger). By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg
  check: /boot/grub2/grub.cfg false false false false false false false
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_home_dirs.xml
  title: Proper Permissions User Home Directories
  platforms: multi_platform_all
  description: File permissions should be set correctly for the home directories for all user accounts.
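Worked example (added here; not code from the SCAP Security Guide): the ownership and permission checks above (passwd at 0644, shadow and gshadow at 0000, grub.cfg at 0600, each owned by uid 0 and gid 0) all reduce to one test: owner and group must match, every mode bit outside the allowed set is a failure ("0644 or stronger"), and an extended ACL fails the mode check because it grants access the mode bits do not show. The script below implements that test and runs it against a constructed tree in a temporary directory. Because the demo files are created by whoever runs it, the demo passes the current uid and gid instead of 0; on a real host the rules would use 0, 0 and the real paths.

```python
import os
import stat
import tempfile
from typing import Dict, List, NamedTuple


class FileRule(NamedTuple):
    path: str
    max_mode: int          # most permissive acceptable bits, e.g. 0o644 for passwd, 0o000 for shadow
    uid: int = 0
    gid: int = 0


def check_file(rule: FileRule) -> List[str]:
    """Evaluate owner, group and mode the way the OVAL states above do:
    every permission bit outside max_mode is a failure, and an extended POSIX
    ACL fails the mode check as well. An empty list means the rule passes."""
    findings: List[str] = []
    try:
        st = os.lstat(rule.path)       # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return [f"{rule.path}: missing"]
    if st.st_uid != rule.uid:
        findings.append(f"{rule.path}: uid {st.st_uid}, expected {rule.uid}")
    if st.st_gid != rule.gid:
        findings.append(f"{rule.path}: gid {st.st_gid}, expected {rule.gid}")
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~rule.max_mode
    if extra:
        findings.append(f"{rule.path}: mode {mode:04o} exceeds {rule.max_mode:04o} (extra bits {extra:04o})")
    # On Linux an extended ACL is stored in the system.posix_acl_access xattr;
    # a file with only the classic owner/group/other entries has no such xattr.
    try:
        if "system.posix_acl_access" in os.listxattr(rule.path, follow_symlinks=False):
            findings.append(f"{rule.path}: has an extended ACL")
    except (OSError, AttributeError):
        pass                            # no xattr support on this platform or filesystem
    return findings


def demo() -> Dict[str, List[str]]:
    """Build a constructed /etc-like tree in a temporary directory, owned by the
    current user, and evaluate rules modelled on passwd, shadow and grub.cfg."""
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as root:
        layout = {"passwd": 0o644, "shadow": 0o640, "grub.cfg": 0o600}
        for name, mode in layout.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
            os.chmod(path, mode)
        rules = [
            FileRule(os.path.join(root, "passwd"), 0o644, uid, gid),    # passes
            FileRule(os.path.join(root, "shadow"), 0o000, uid, gid),    # 0640 exceeds 0000
            FileRule(os.path.join(root, "grub.cfg"), 0o600, uid, gid),  # passes
        ]
        return {os.path.basename(r.path): check_file(r) for r in rules}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "PASS" if not findings else findings)
```

The ACL detection is the part most scanners get wrong: "ls -l" shows a "+" after the mode, but a check that only compares mode bits will pass a /etc/shadow that setfacl has opened to another user.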
  check: /home state_home_dirs_home_itself state_home_dirs_wrong_perm /home true true true true true true true
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_httpd_server_conf_d_files.xml
  title: Verify Permissions On Apache Web Server Configuration Files
  platforms: multi_platform_rhel
  description: The /etc/httpd/conf.d/* files should have the appropriate permissions (0640 or stronger).
  check: false false false false false false false false false /etc/httpd/conf.d/ ^.*$
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_httpd_server_conf_files.xml
  title: Verify Permissions On Apache Web Server Configuration Files
  platforms: multi_platform_rhel
  description: The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).
  check: false false false false false false false false false /etc/httpd/conf ^.*$
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_httpd_server_modules_files.xml
  title: Verify Permissions On Apache Web Server Configuration Files
  platforms: multi_platform_rhel
  description: The /etc/httpd/conf.modules.d/* files should have the appropriate permissions (0640 or stronger).
  check: false false false false false false false false false /etc/httpd/conf.modules.d/ ^.*$
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_library_dirs.xml
  title: Verify that Shared Library Files Have Restrictive Permissions
  platforms: multi_platform_rhel, multi_platform_fedora
  description: Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and objects therein, are not group-writable or world-writable.
  check: ^\/lib(|64)|^\/usr\/lib(|64) state_perms_nogroupwrite_noworldwrite perms_state_symlink
  check: ^\/lib(|64)|^\/usr\/lib(|64) ^.*$ state_perms_nogroupwrite_noworldwrite perms_state_symlink true true symbolic link
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_unauthorized_world_writable.xml
  title: Find Unauthorized World-Writable Files
  platforms: multi_platform_rhel, multi_platform_wrlinux, multi_platform_opensuse, multi_platform_ol
  description: The world-write permission should be disabled for all files.
  check: / ^.*$ state_file_permissions_unauthorized_world_write state_file_permissions_unauthorized_world_write_exclude_special_selinux_files state_file_permissions_unauthorized_world_write_exclude_proc state_file_permissions_unauthorized_world_write_exclude_sys regular true ^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$ ^/proc/.*$ ^/sys/.*$
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_ungroupowned.xml
  title: Find files unowned by a group
  platforms: multi_platform_rhel, multi_platform_fedora
  description: All files should be owned by a group
  check: / .* state_file_permissions_ungroupowned /etc/group ^[^:]+:[^:]*:([\d]+):[^:]*$ 1
scap-security-guide-0.1.39/shared/checks/oval/file_permissions_var_log_audit.xml
  title: Verify /var/log/audit Permissions
  platforms: multi_platform_rhel
  description: Checks for correct permissions for all log files in /var/log/audit.
  check: /var/log/audit ^.*$ state_not_mode_0640 /var/log/audit ^.*$ state_not_mode_0600 true true true true true true true true true true true true true true true true true true true
scap-security-guide-0.1.39/shared/checks/oval/file_user_owner_efi_grub2_cfg.xml
  title: File /boot/efi/EFI/redhat/grub.cfg Owned By root User
  platforms: Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The /boot/efi/EFI/redhat/grub.cfg file should be owned by the root user.
  check: /boot/efi/EFI/redhat/grub.cfg 0
scap-security-guide-0.1.39/shared/checks/oval/file_user_owner_grub2_cfg.xml
  title: File grub.cfg Owned By root User
  platforms: Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The grub.cfg file should be owned by the root user. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg
  check: /boot/grub2/grub.cfg 0
scap-security-guide-0.1.39/shared/checks/oval/firewalld_sshd_disabled.xml
  title: Disallow inbound firewall access to the SSH Server port
  platforms: Red Hat Enterprise Linux 7
  description: If inbound SSH access is not needed, the firewall should disallow or reject access to the SSH port (22).
  check: /etc/firewalld/services ^.*\.xml$ /service/service[@name='ssh']
  check: /etc/firewalld/services ^.*\.xml$ /service/port[@port='22']
  check: /etc/firewalld/zones ^.*\.xml$ /zone/service[@name='ssh']
  check: /etc/firewalld/zones ^.*\.xml$ /zone/port[@port='22']
scap-security-guide-0.1.39/shared/checks/oval/firewalld_sshd_port_enabled.xml
  title: Allow inbound firewall access to the SSH Server port
  platforms: Red Hat Enterprise Linux 7
  description: If inbound SSH access is needed, the firewall should allow access to the SSH port (22).
  check: /etc/firewalld/services ^.*\.xml$ /service/service[@name='ssh']
  check: /etc/firewalld/services ^.*\.xml$ <port.*port="(\d+)" 1
  check: /etc/firewalld/zones ^.*\.xml$ /zone/service[@name='ssh']
  check: /etc/firewalld/zones ^.*\.xml$ <port.*port="(\d+)" 1
  check: /etc/firewalld/zones /zone/service[@name='ssh'] .xml
  check: /etc/sysconfig/network-scripts ifcfg-.* ^ZONE=(.*)$ 1
scap-security-guide-0.1.39/shared/checks/oval/ftp_log_transactions.xml
  title: Banner for FTP Users
  platforms: multi_platform_fedora, multi_platform_rhel, multi_platform_rhel-osp
  description: To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the FTP server are logged using the verbose vsftpd log format.
  check: /etc/vsftpd/vsftpd.conf ^[\s]*xferlog_enable[\s]*=[\s]*YES$ 1
  check: /etc/vsftpd/vsftpd.conf ^[\s]*xferlog_std_format[\s]*=[\s]*NO$ 1
  check: /etc/vsftpd/vsftpd.conf ^[\s]*log_ftp_protocol[\s]*=[\s]*YES$ 1
scap-security-guide-0.1.39/shared/checks/oval/ftp_present_banner.xml
  title: Banner for FTP Users
  platforms: multi_platform_fedora, multi_platform_rhel, multi_platform_rhel-osp
  description: This setting will cause the system greeting banner to be used for FTP connections as well.
  check: /etc/vsftpd/vsftpd.conf ^[\s]*banner_file=/etc/issue[\s]*$ 1
scap-security-guide-0.1.39/shared/checks/oval/gid_passwd_group_same.xml
  title: All GIDs Are Present In /etc/group
  platforms: multi_platform_rhel, multi_platform_fedora
  description: All GIDs referenced in /etc/passwd must be defined in /etc/group.
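Worked example (added here; not code from the SCAP Security Guide): the two firewalld checks above read the zone and service XML under /etc/firewalld and the ZONE= line of each ifcfg-* file. The script below ties those pieces together: it resolves the zone an interface is bound to (ZONE= in its ifcfg file, otherwise the default zone), takes the TCP port(s) from the ssh service definition, and decides whether that zone admits SSH either by service name (/zone/service[@name='ssh']) or by a port entry. It also handles port ranges such as 20-25, which the OVAL regex <port.*port="(\d+)" would not match. Two caveats a practitioner should keep in mind: the checks only read /etc/firewalld, while stock zone and service definitions live under /usr/lib/firewalld and get a copy in /etc/firewalld only once they are modified, so a zone with no file there is not thereby closed; and an interface with no ZONE= line falls into the default zone from firewalld.conf (assumed to be "public" below). All XML, ifcfg content and zone names are constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set, Tuple

ZONE_RE = re.compile(r"^ZONE=(.*)$", re.MULTILINE)   # same pattern the OVAL applies to ifcfg-* files


def port_in_spec(spec: str, port: int) -> bool:
    """firewalld port attributes may be a single port or a range such as 6000-6010."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def ssh_service_ports(service_xml: str) -> Set[int]:
    """TCP ports declared by a service definition (/service/port[@port]); the
    stock ssh service declares 22, a site-specific one may declare another port."""
    root = ET.fromstring(service_xml)
    return {int(p.get("port").partition("-")[0])
            for p in root.findall("port") if p.get("protocol", "tcp") == "tcp"}


def zone_allows_ssh(zone_xml: str, ssh_ports: Set[int]) -> bool:
    """True if the zone admits ssh by service name (/zone/service[@name='ssh'])
    or by an explicit TCP port entry covering one of the ssh ports."""
    root = ET.fromstring(zone_xml)
    if root.find("service[@name='ssh']") is not None:
        return True
    for p in root.findall("port"):
        if p.get("protocol", "tcp") != "tcp":
            continue
        if any(port_in_spec(p.get("port"), sp) for sp in ssh_ports):
            return True
    return False


def interface_zone(ifcfg_text: str, default_zone: str) -> str:
    """ZONE= from an ifcfg file; an absent or empty value means the default zone."""
    m = ZONE_RE.search(ifcfg_text)
    value = m.group(1).strip().strip('"') if m else ""
    return value or default_zone


def interface_ssh_exposure(ifcfg_text: str, zones: Dict[str, str], ssh_service_xml: str,
                           default_zone: str = "public") -> Tuple[str, Optional[bool]]:
    """Returns (zone name, allowed). allowed is None when the zone has no file in
    the supplied set, i.e. nothing under /etc/firewalld describes it and the
    stock definition under /usr/lib/firewalld would have to be consulted."""
    zone = interface_zone(ifcfg_text, default_zone)
    if zone not in zones:
        return zone, None
    return zone, zone_allows_ssh(zones[zone], ssh_service_ports(ssh_service_xml))


# Constructed zone, service and ifcfg content (not copied from a real host).
SSH_SERVICE_XML = '<service><short>SSH</short><port protocol="tcp" port="22"/></service>'
ZONES = {
    "public": '<zone><short>Public</short><service name="dhcpv6-client"/><service name="ssh"/></zone>',
    "dmz":    '<zone target="DROP"><short>DMZ</short><port protocol="tcp" port="8443"/></zone>',
    "lab":    '<zone><short>Lab</short><port protocol="tcp" port="20-25"/></zone>',
}
IFCFG_ETH0 = "DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes\nZONE=dmz\n"
IFCFG_ETH1 = "DEVICE=eth1\nBOOTPROTO=dhcp\nONBOOT=yes\n"          # no ZONE= -> default zone

if __name__ == "__main__":
    for name, ifcfg in (("eth0", IFCFG_ETH0), ("eth1", IFCFG_ETH1)):
        print(name, interface_ssh_exposure(ifcfg, ZONES, SSH_SERVICE_XML))
```

On a live host, load the zones dict from /etc/firewalld/zones/*.xml (falling back to /usr/lib/firewalld/zones/) and the ssh service from the matching services directory; "firewall-cmd --get-active-zones" gives the authoritative interface-to-zone binding when NetworkManager rather than ifcfg files manages the interfaces.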
  check: /etc/group ^.*:x:([0-9]+): 1
  check: /etc/passwd ^.*:[0-9]+:([0-9]+): 1
scap-security-guide-0.1.39/shared/checks/oval/gnome_gdm_disable_automatic_login.xml
  title: Disable GDM Automatic Login
  platforms: Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, multi_platform_fedora
  description: Disable the GNOME Display Manager (GDM) ability to allow users to automatically login.
  check: /etc/gdm/custom.conf ^\[daemon]([^\n]*\n+)+?AutomaticLoginEnable=[Ff]alse$ 1
scap-security-guide-0.1.39/shared/checks/oval/gnome_gdm_disable_guest_login.xml
  title: Disable GDM Guest Login
  platforms: Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, multi_platform_fedora
  description: Disable the GNOME Display Manager (GDM) ability to allow guest users to login.
  check: /etc/gdm/custom.conf ^\[daemon]([^\n]*\n+)+?TimedLoginEnable=[Ff]alse$ 1
scap-security-guide-0.1.39/shared/checks/oval/groupowner_shadow_file.xml
  title: Verify group who owns 'shadow' file
  platforms: multi_platform_rhel
  description: The /etc/shadow file should be owned by the appropriate group.
  check: /etc/shadow 0
scap-security-guide-0.1.39/shared/checks/oval/install_antivirus.xml
  title: Package Antivirus Installed
  platforms: multi_platform_all
  description: Antivirus software should be installed.
scap-security-guide-0.1.39/shared/checks/oval/install_hids.xml
  title: Install Intrusion Detection Software
  platforms: Red Hat Enterprise Linux 7
  description: Intrusion detection software or SELinux should be installed and enabled.
  check: /etc/selinux/config ^[\s]*SELINUX[\s]*=[\s]*enforcing[\s]*$ 1
scap-security-guide-0.1.39/shared/checks/oval/install_mcafee_antivirus.xml
  title: Package McAfeeVSEForLinux Installed
  platforms: multi_platform_all
  description: McAfee Antivirus software should be installed.
  check: McAfeeVSEForLinux
scap-security-guide-0.1.39/shared/checks/oval/install_mcafee_cma_rt.xml
  title: Install the McAfee Runtime Libraries and Linux Agent
  platforms: multi_platform_all
  description: Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma).
  check: MFErt MFEcma
scap-security-guide-0.1.39/shared/checks/oval/install_mcafee_hbss.xml
  title: Install McAfee Host-Based Intrusion Detection Software (HBSS)
  platforms: multi_platform_all
  description: McAfee Host-Based Intrusion Detection Software (HBSS) software should be installed.
scap-security-guide-0.1.39/shared/checks/oval/install_mcafee_hbss_accm.xml
  title: Install the Asset Configuration Compliance Module (ACCM)
  platforms: multi_platform_all
  description: Install the Asset Configuration Compliance Module (ACCM).
  check: /opt/McAfee/accm/bin accm
scap-security-guide-0.1.39/shared/checks/oval/install_mcafee_hbss_hips.xml
  title: Install the Host Intrusion Prevention System (HIPS) Module
  platforms: multi_platform_all
  description: Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module.
  check: MFEhiplsm
scap-security-guide-0.1.39/shared/checks/oval/install_mcafee_hbss_pa.xml
  title: Install the Policy Auditor (PA) Module
  platforms: multi_platform_all
  description: Install the Policy Auditor (PA) Module.
  check: /opt/McAfee/auditengine/bin auditmanager
scap-security-guide-0.1.39/shared/checks/oval/install_smartcard_packages.xml
  title: Install needed packages for smartcard use.
  platforms: Red Hat Enterprise Linux 7
  description: The RPM packages esc pam_pkcs11 and authconfig-gtk must be installed.
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_centos6.xml
  title: CentOS 6
  platforms: multi_platform_all
  description: The operating system installed on the system is CentOS 6
  check: ^6.*$ centos-release
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_centos7.xml
  title: CentOS 7
  platforms: multi_platform_all
  description: The operating system installed on the system is CentOS 7
  check: ^7.*$ centos-release
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_certified.xml
  title: Vendor Certified Operating System
  platforms: multi_platform_rhel, multi_platform_rhel-osp
  description: The operating system installed on the system is a certified vendor operating system and meets government requirements/certifications such as FIPS, NIAP, etc.
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_debian8.xml
  title: Debian 8
  platforms: multi_platform_all
  description: The operating system installed on the system is Debian 8
  check: /etc/debian_version ^8.[0-9]+$ 1
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_fedora.xml
  title: Installed operating system is Fedora
  platforms: multi_platform_all
  description: The operating system installed on the system is Fedora
  check: fedora-release
  check: /etc/system-release-cpe ^cpe:\/o:fedoraproject:fedora:[\d]+$ 1
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_ol6_family.xml
  title: Oracle Linux 6
  platforms: multi_platform_all
  description: The operating system installed on the system is Oracle Linux 6
  check: ^6Server$ oraclelinux-release
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_ol7_family.xml
  title: Oracle Linux 7
  platforms: multi_platform_all
  description: The operating system installed on the system is Oracle Linux 7
  check: ^7.*$ oraclelinux-release
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_opensuse.xml
  title: openSUSE
  platforms: multi_platform_all
  description: The operating system installed on the system is openSUSE.
  check: unix ^42.*$ openSUSE-release
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_part_of_Unix_family.xml
  title: Installed operating system is part of the Unix family
  platforms: multi_platform_all
  description: The operating system installed on the system is part of the Unix OS family
  check: unix
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_rhel6.xml
  title: Red Hat Enterprise Linux 6
  platforms: multi_platform_all
  description: The operating system installed on the system is Red Hat Enterprise Linux 6
  check: ^6.*$ redhat-release-client
  check: ^6.*$ redhat-release-workstation
  check: ^6.*$ redhat-release-server
  check: ^6.*$ redhat-release-computenode
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_rhel7.xml
  title: Red Hat Enterprise Linux 7
  platforms: multi_platform_all
  description: The operating system installed on the system is Red Hat Enterprise Linux 7
  check: unix
  check: ^7.*$ redhat-release-client
  check: ^7.*$ redhat-release-workstation
  check: ^7.*$ redhat-release-server
  check: ^7.*$ redhat-release-computenode
  check: redhat-release-virtualization-host /etc/redhat-release ^Red Hat Enterprise Linux release (\d)\.\d+$ 1 7
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_sl6.xml
  title: Scientific Linux 6
  platforms: multi_platform_all
  description: The operating system installed on the system is Scientific Linux 6
  check: ^6.*$ sl-release
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_sl7.xml
  title: Scientific Linux 7
  platforms: multi_platform_all
  description: The operating system installed on the system is Scientific Linux 7
  check: ^7.*$ sl-release
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_sle11.xml
  title: SUSE Linux Enterprise 11
  platforms: multi_platform_all
  description: The
  operating system installed on the system is SUSE Linux Enterprise 11.
  check: unix ^11.*$ sled-release
  check: ^11.*$ sles-release
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_sle12.xml
  title: SUSE Linux Enterprise 12
  platforms: multi_platform_all
  description: The operating system installed on the system is SUSE Linux Enterprise 12.
  check: unix ^12.*$ sled-release
  check: ^12.*$ sles-release
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_ubuntu.xml
  title: Ubuntu
  platforms: multi_platform_all
  description: The operating system installed is an Ubuntu System
  check: /etc/lsb-release
  check: /etc/lsb-release ^DISTRIB_ID=Ubuntu$ 1
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_ubuntu1404.xml
  title: Ubuntu 1404
  platforms: multi_platform_all
  description: The operating system installed on the system is Ubuntu 1404
  check: /etc/lsb-release ^DISTRIB_CODENAME=trusty$ 1
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_ubuntu1604.xml
  title: Ubuntu 1604
  platforms: multi_platform_all
  description: The operating system installed on the system is Ubuntu 1604
  check: /etc/lsb-release ^DISTRIB_CODENAME=xenial$ 1
scap-security-guide-0.1.39/shared/checks/oval/installed_OS_is_wrlinux.xml
  title: WRLinux
  platforms: multi_platform_all
  description: The operating system installed on the system is Wind River Linux
  check: unix /etc/wrlinux-release
scap-security-guide-0.1.39/shared/checks/oval/installed_env_is_a_container.xml
  title: Check if the scan target is a container
  platforms: multi_platform_all
  description: Check if file /.dockerenv exists, if it does then we consider to be a docker filesystem.
  check: /.dockerenv
scap-security-guide-0.1.39/shared/checks/oval/installed_env_is_a_machine.xml
  title: Check if the scan target is a machine
  platforms: multi_platform_all
  description: Check if file /.dockerenv exists, if it doesn't then we consider to be host filesystem or virtual machine.
  check: /.dockerenv
scap-security-guide-0.1.39/shared/checks/oval/kernel_module_dccp_disabled.xml
  title: Disable dccp Kernel Module
  platforms: Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The kernel module dccp should be disabled.
  check: /etc/modprobe.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1
  check: /etc/modprobe.conf ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1
  check: /etc/modules-load.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1
  check: /run/modules-load.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1
  check: /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+dccp\s+(/bin/false|/bin/true)$ 1
scap-security-guide-0.1.39/shared/checks/oval/kernel_module_usb-storage_disabled.xml
  title: Disable usb-storage Kernel Module
  platforms: Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The kernel module usb-storage should be disabled.
  check: /etc/modprobe.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1
  check: /etc/modprobe.conf ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1
  check: /etc/modules-load.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1
  check: /run/modules-load.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1
  check: /usr/lib/modules-load.d ^.*\.conf$ ^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$ 1
scap-security-guide-0.1.39/shared/checks/oval/ldap_client_start_tls.xml
  title: Configure LDAP to Use TLS for All Transactions
  platforms: Red Hat Enterprise Linux 7
  description: Require the use of TLS for ldap clients.
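Worked example (added here; not code from the SCAP Security Guide): the two kernel_module_*_disabled checks above search /etc/modprobe.conf, /etc/modprobe.d/*.conf and the modules-load.d directories for an "install MODULE /bin/false" (or /bin/true) line. The script below applies that pattern to a constructed set of files and adds three things the regex alone does not give you: it treats "-" and "_" in the module name as equivalent, because modprobe does, so "install usb_storage /bin/false" is recognised as disabling usb-storage; it reports files that only blacklist the module, since blacklist stops alias-based autoloading but not an explicit modprobe; and it reports a modules-load.d entry that asks for the module to be loaded at boot, which contradicts the intent and is worth a manual look. The file contents are passed in as a dict in place of a directory walk.

```python
import re
from typing import Dict, List

MODPROBE_CONF = "/etc/modprobe.conf"
MODPROBE_DIRS = ("/etc/modprobe.d",)
LOAD_DIRS = ("/etc/modules-load.d", "/run/modules-load.d", "/usr/lib/modules-load.d")


def name_pattern(module: str) -> str:
    """modprobe treats '-' and '_' in module names as equivalent, so usb-storage
    and usb_storage name the same module; the OVAL regex matches only the
    spelling used in the rule. Accept either spelling here."""
    return "[-_]".join(re.escape(part) for part in re.split(r"[-_]", module))


def _conf_in(path: str, dirs) -> bool:
    return any(path.startswith(d + "/") and path.endswith(".conf") for d in dirs)


def audit_module(module: str, files: Dict[str, str]) -> Dict[str, object]:
    """files maps absolute path -> content, standing in for a directory walk.
    Reports where an install line disables the module, where only a blacklist
    line exists, and where a modules-load.d entry asks for it at boot."""
    name = name_pattern(module)
    install_re = re.compile(r"^\s*install\s+" + name + r"\s+(/bin/false|/bin/true)\s*$")
    blacklist_re = re.compile(r"^\s*blacklist\s+" + name + r"\s*$")
    load_re = re.compile(r"^\s*" + name + r"\s*$")
    install: List[str] = []
    blacklist_only: List[str] = []
    load_at_boot: List[str] = []
    for path in sorted(files):
        lines = files[path].splitlines()
        if path == MODPROBE_CONF or _conf_in(path, MODPROBE_DIRS):
            if any(install_re.match(line) for line in lines):
                install.append(path)
            elif any(blacklist_re.match(line) for line in lines):
                blacklist_only.append(path)
        elif _conf_in(path, LOAD_DIRS):
            if any(load_re.match(line) for line in lines):
                load_at_boot.append(path)
    return {
        "install": install,
        "blacklist_only": blacklist_only,   # blacklist alone: 'modprobe <module>' still loads it
        "load_at_boot": load_at_boot,
        "disabled": bool(install) and not load_at_boot,
    }


# Constructed file contents standing in for the directories the OVAL objects search.
SAMPLE_FILES = {
    "/etc/modprobe.d/dccp.conf": "# constructed\ninstall dccp /bin/false\n",
    "/etc/modprobe.d/usb.conf": "blacklist usb-storage\n",
    "/etc/modprobe.d/notes.txt": "install dccp /bin/true\n",        # not *.conf: modprobe ignores it
    "/usr/lib/modules-load.d/lab.conf": "# constructed\nusb_storage\n",
}

if __name__ == "__main__":
    for mod in ("dccp", "usb-storage"):
        print(mod, audit_module(mod, SAMPLE_FILES))
```

With the sample files, dccp is disabled, while usb-storage is only blacklisted and is additionally listed for loading at boot, so the report for it is "disabled: False" even though a naive grep for "usb-storage" in /etc/modprobe.d would look reassuring.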
  check: /etc/nslcd.conf ^[\s]*ssl[\s]+start_tls[\s]*$ 1
scap-security-guide-0.1.39/shared/checks/oval/ldap_client_tls_cacertpath.xml
  title: Configure LDAP CA Certificate Path
  platforms: Red Hat Enterprise Linux 7
  description: Require the use of TLS for ldap clients.
  check: /etc/nslcd.conf ^[\s]*tls_cacertdir[\s]+/etc/pki/tls/CA$ 1
  check: /etc/nslcd.conf ^[\s]*tls_cacertfile[\s]+/etc/pki/tls/CA/.*\.(pem|crt)$ 1
scap-security-guide-0.1.39/shared/checks/oval/logwatch_configured_hostlimit.xml
  title: Ensure Logwatch HostLimit Configured
  platforms: multi_platform_rhel
  description: Test if HostLimit line in logwatch.conf is set appropriately.
  check: /etc/logwatch/conf/logwatch.conf ^[\s]HostLimit[\s]*=[\s]*no[\s]*$ 1
scap-security-guide-0.1.39/shared/checks/oval/logwatch_configured_splithosts.xml
  title: Ensure Logwatch SplitHosts Configured
  platforms: multi_platform_rhel
  description: Check if SplitHosts line in logwatch.conf is set appropriately.
  check: /etc/logwatch/conf/logwatch.conf ^[\s]SplitHosts[\s]*=[\s]*yes[\s]*$ 1
scap-security-guide-0.1.39/shared/checks/oval/mount_option_nodev_nonroot_local_partitions.xml
  title: Add nodev Option to Non-Root Local Partitions
  platforms: multi_platform_all
  description: The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist in the /dev directory on the root partition or within chroot jails built for system services. All other locations should not allow character and block devices.
  check: ^/\w.*$ state_local_nodev ^/dev/.*$ nodev
scap-security-guide-0.1.39/shared/checks/oval/mount_option_smb_client_signing.xml
  title: Require Client SMB Packet Signing, if using mount.cifs
  platforms: multi_platform_all
  description: Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are used.
  check: /etc/fstab ^[\s]*[\S]+[\s]+[\S]+[\s]+cifs[\s]+([\S]+) 1 2 sec=(krb5i|ntlmv2i)
  check: /etc/mtab ^[\s]*[\S]+[\s]+[\S]+[\s]+cifs[\s]+([\S]+) 1
scap-security-guide-0.1.39/shared/checks/oval/mount_option_var_tmp_bind.xml
  title: Bind Mount /var/tmp To /tmp
  platforms: multi_platform_all
  description: The /var/tmp directory should be bind mounted to /tmp in order to consolidate temporary storage into one location protected by the same techniques as /tmp.
  check: /var/tmp /etc/mtab ^[\s]*/tmp[\s]+/var/tmp[\s]+.*bind.*$ 1 /tmp
scap-security-guide-0.1.39/shared/checks/oval/network_configure_name_resolution.xml
  title: Configure Multiple DNS Servers in /etc/resolv.conf
  platforms: Red Hat Enterprise Linux 7
  description: Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf.
  check: /etc/resolv.conf ^[\s]*nameserver[\s]+([0-9\.]+)$ 1
scap-security-guide-0.1.39/shared/checks/oval/network_disable_zeroconf.xml
  title: Disable Zeroconf Networking
  platforms: multi_platform_rhel
  description: Disable Zeroconf automatic route assignment in the 169.254.0.0 subnet.
shared/checks/oval/network_disable_zeroconf.xml (continued)
  check:       /etc/sysconfig/network  ^[\s]*NOZEROCONF[\s]*=[\s]*yes  (instance 1)

shared/checks/oval/network_ipv6_default_gateway.xml
  title:       Manually Assign IPv6 Router Address
  platforms:   Red Hat Enterprise Linux 7
  description: Define default gateways for IPv6 traffic.
  check:       /etc/sysconfig/network-scripts, files ifcfg-.*  ^IPV6_DEFAULTGW=.+$  (instance 1)

shared/checks/oval/network_ipv6_disable_rpc.xml
  title:       Disable Support for RPC IPv6
  platforms:   multi_platform_rhel
  description: Disable IPv6-based RPC services.
  check:       /etc/netconfig  ^udp6\s+tpi_clts\s+v\s+inet6\s+udp\s+-\s+-$  (instance 1)
  check:       /etc/netconfig  ^tcp6\s+tpi_cots_ord\s+v\s+inet6\s+tcp\s+-\s+-$  (instance 1)

shared/checks/oval/network_ipv6_privacy_extensions.xml
  title:       Enable Privacy Extensions for IPv6
  platforms:   Red Hat Enterprise Linux 7
  description: Enable privacy extensions for IPv6.
  check:       /etc/sysconfig/network-scripts, files ifcfg-.*  ^IPV6_PRIVACY=rfc3041$  (instance 1)

shared/checks/oval/network_ipv6_static_address.xml
  title:       Manually Assign Global IPv6 Address
  platforms:   Red Hat Enterprise Linux 7
  description: Manually configure addresses for IPv6.
  check:       /etc/sysconfig/network-scripts, files ifcfg-.*  ^IPV6ADDR=.+$  (instance 1)

shared/checks/oval/network_sniffer_disabled.xml
  title:       Disable the network sniffer
  platforms:   multi_platform_rhel
  description: Disable the network sniffer.
  check:       every network interface (name ^.*$) must not carry the PROMISC flag (state_promisc)

shared/checks/oval/no_cd_dvd_drive_in_etc_fstab.xml
  title:       No CD/DVD drive is configured to automount in /etc/fstab
  platforms:   multi_platform_rhel, multi_platform_fedora, multi_platform_wrlinux
  description: Check /etc/fstab to confirm that no CD/DVD drive is configured to automount.
  check:       /etc/fstab entries for the devices /dev/cdrom, /dev/dvd, /dev/scd0, /dev/sr0  (instance 1)

shared/checks/oval/no_direct_root_logins.xml
  title:       Direct root Logins Not Allowed
  platforms:   multi_platform_all
  description: Preventing direct root logins helps ensure accountability for actions taken on the system using the root account.
  check:       /etc/securetty  ^.*$  (instance 1)
  check:       /etc/securetty  ^$    (instance 1)

shared/checks/oval/no_empty_passwords.xml
  title:       No nullok Option in /etc/pam.d/system-auth
  platforms:   multi_platform_all
  description: The file /etc/pam.d/system-auth should not contain the nullok option.
  check:       /etc/pam.d/system-auth  \s*nullok\s*  (instance 1)

shared/checks/oval/no_files_unowned_by_user.xml
  title:       Find files unowned by a user
  platforms:   multi_platform_rhel
  description: All files should be owned by a user.
  check:       /etc/passwd  ^[^:]+:[^:]+:([\d]+):[\d]+:[^:]*:[^:]+:[^:]*$  (instance 1) collects the known UIDs
  check:       files under / (pattern .*) whose owner UID is not in that list (file_permissions_unowned_userid_list_match)

shared/checks/oval/no_host_based_files.xml
  title:       No shosts.equiv file deployed on the system
  platforms:   multi_platform_rhel
  description: There should not be any shosts.equiv files on the system.
  check:       files under /  shosts\.equiv$

shared/checks/oval/no_insecure_locks_exports.xml
  title:       Ensure insecure_locks is disabled
  platforms:   multi_platform_all
  description: Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.
  check:       /etc/exports  ^(.*?(\binsecure_locks\b)[^$]*)$  (instance 1)

shared/checks/oval/no_netrc_files.xml
  title:       Verify No netrc Files Exist
  platforms:   multi_platform_all
  description: The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.
  check:       files under /home  ^\.netrc$

shared/checks/oval/no_rsh_trust_files.xml
  title:       No Legacy .rhosts Or hosts.equiv Files
  platforms:   multi_platform_rhel, multi_platform_ol
  description: There should not be any .rhosts or hosts.equiv files on the system.
  check:       files under /root  ^\.(r|s)hosts$
  check:       files under /home  ^\.(r|s)hosts$
  check:       files under /etc   ^s?hosts\.equiv$

shared/checks/oval/no_shelllogin_for_systemaccounts.xml
  title:       System Accounts Do Not Run a Shell
  platforms:   multi_platform_all
  description: The root account is the only system account that should have a login shell.
  check:       /etc/login.defs  .*\n(?!#|SYS_)(UID_MIN[\s]+[\d]+)\s*\n  (instance 1)
  check:       /etc/login.defs  .*\n[^#]*(SYS_UID_MIN[\s]+[\d]+)\s*\n   (instance 1)
  check:       /etc/login.defs  .*\n[^#]*(SYS_UID_MAX[\s]+[\d]+)\s*\n   (instance 1)
  check:       /etc/passwd  ^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$  (instance 1)
  variables:   variable_default_range_quad_expr, variable_reserved_range_quad_expr, variable_dynalloc_range_quad_expr, computed from the values above with the literals -1 and 0

shared/checks/oval/no_user_host_based_files.xml
  title:       No .shosts file deployed on the system
  platforms:   multi_platform_rhel
  description: There should not be any .shosts files on the system.
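Added example (not part of scap-security-guide): the logic of no_shelllogin_for_systemaccounts above, written out in Python over constructed /etc/login.defs and /etc/passwd excerpts. The regular expressions are the OVAL's own. The OVAL derives three UID ranges (default, reserved, dynamically allocated) from UID_MIN, SYS_UID_MIN and SYS_UID_MAX; this example assumes that, taken together, they cover every UID below UID_MIN and tests that single condition, which is an assumption about the extracted arithmetic rather than something the page states.

```python
import re

# Constructed /etc/login.defs and /etc/passwd excerpts (not from a real host).
SAMPLE_LOGIN_DEFS = """\
# UID_MIN 500 in a comment must be ignored
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
SYS_UID_MAX               999
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
appsvc:x:950:950:app service:/var/lib/app:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Patterns copied from the OVAL objects.  The login.defs ones anchor on the
# newline of the preceding line (so the key must not be on the very first line,
# as in the OVAL) and reject a commented-out key; the bare UID_MIN object also
# rejects SYS_UID_MIN.  The passwd one skips root and accepts the four
# non-interactive shells.
UID_MIN_RE = re.compile(r".*\n(?!#|SYS_)(UID_MIN[\s]+[\d]+)\s*\n")
SYS_UID_MIN_RE = re.compile(r".*\n[^#]*(SYS_UID_MIN[\s]+[\d]+)\s*\n")
SYS_UID_MAX_RE = re.compile(r".*\n[^#]*(SYS_UID_MAX[\s]+[\d]+)\s*\n")
PASSWD_RE = re.compile(
    r"^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:"
    r"(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$",
    re.MULTILINE)


def login_defs_value(regex, text, name):
    """Integer value of a login.defs key, or ValueError if it is not set."""
    m = regex.search(text)
    if m is None:
        raise ValueError("%s is not set in login.defs" % name)
    return int(m.group(1).split()[1])


def system_accounts_with_shell(login_defs, passwd):
    """(user, uid, shell) for every non-root system account that has a real shell.

    Assumption (see lead-in): the OVAL's three ranges together equal
    0 .. UID_MIN-1, so "system account" is tested as uid < UID_MIN.
    """
    uid_min = login_defs_value(UID_MIN_RE, login_defs, "UID_MIN")
    sys_uid_min = login_defs_value(SYS_UID_MIN_RE, login_defs, "SYS_UID_MIN")
    sys_uid_max = login_defs_value(SYS_UID_MAX_RE, login_defs, "SYS_UID_MAX")
    if not sys_uid_min <= sys_uid_max < uid_min:
        raise ValueError("inconsistent SYS_UID_MIN / SYS_UID_MAX / UID_MIN")
    offenders = []
    for m in PASSWD_RE.finditer(passwd):
        fields = m.group(0).split(":")          # name:x:uid:gid:gecos:home:shell
        uid = int(m.group(1))
        if uid < uid_min:
            offenders.append((fields[0], uid, fields[6]))
    return offenders


if __name__ == "__main__":
    for user, uid, shell in system_accounts_with_shell(SAMPLE_LOGIN_DEFS, SAMPLE_PASSWD):
        print("%s (uid %d) has login shell %s" % (user, uid, shell))
```

Note that the passwd pattern excludes only the four listed shells: a system account with /bin/false or /usr/sbin/nologin still matches and is reported, which is the behaviour of the check, not a defect of the example.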
shared/checks/oval/no_user_host_based_files.xml (continued)
  check:       files under /  \.shosts

shared/checks/oval/ntpd_specify_multiple_servers.xml
  title:       Specify Multiple Remote ntpd NTP Servers for Time Data
  platforms:   Red Hat Enterprise Linux 7
  description: Multiple ntpd NTP Servers for time synchronization should be specified.
  check:       /etc/ntp.conf  ^([\s]*server[\s]+.+$){2,}$  (instance 1)

shared/checks/oval/ntpd_specify_remote_server.xml
  title:       Specify a Remote ntpd NTP Server for Time Data
  platforms:   Red Hat Enterprise Linux 7
  description: A remote ntpd NTP Server for time synchronization should be specified (and dependencies are met).
  check:       /etc/ntp.conf  ^[\s]*server[\s]+.+$  (instance 1)

shared/checks/oval/package_aide_installed.xml
  title:       Package aide Installed
  platforms:   multi_platform_rhel, multi_platform_fedora
  description: The RPM package aide should be installed.
  check:       rpm package aide

shared/checks/oval/package_audit_installed.xml
  title:       Package audit Installed
  platforms:   Red Hat Enterprise Linux 6
  description: The RPM package audit should be installed.
  check:       rpm package audit

shared/checks/oval/package_bind_removed.xml
  title:       Package bind Removed
  platforms:   multi_platform_rhel
  description: The RPM package bind should be removed.
  check:       rpm package bind

shared/checks/oval/package_chrony_installed.xml
  title:       Package chrony Installed
  platforms:   Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The RPM package chrony should be installed.
  check:       rpm package chrony

shared/checks/oval/package_cronie_installed.xml
  title:       Package cronie Installed
  platforms:   Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The RPM package cronie should be installed.
  check:       rpm package cronie

shared/checks/oval/package_dconf_installed.xml
  title:       Package dconf Installed
  platforms:   Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The RPM package dconf should be installed.
  check:       rpm package dconf

shared/checks/oval/package_dhcp_removed.xml
  title:       Package dhcp Removed
  platforms:   multi_platform_rhel
  description: The RPM package dhcp should be removed.
  check:       rpm package dhcp

shared/checks/oval/package_dovecot_removed.xml
  title:       Package dovecot Removed
  platforms:   multi_platform_rhel
  description: The RPM package dovecot should be removed.
  check:       rpm package dovecot

shared/checks/oval/package_dracut-fips_installed.xml
  title:       Package dracut-fips Installed
  platforms:   Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7
  description: The RPM package dracut-fips should be installed.
  check:       rpm package dracut-fips

shared/checks/oval/package_firewalld_installed.xml
  title:       Package firewalld Installed
  platforms:   Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The RPM package firewalld should be installed.
  check:       rpm package firewalld

shared/checks/oval/package_gdm_installed.xml
  title:       Package gdm Installed
  platforms:   Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The RPM package gdm should be installed.
  check:       rpm package gdm

shared/checks/oval/package_httpd_removed.xml
  title:       Package httpd Removed
  platforms:   multi_platform_rhel
  description: The RPM package httpd should be removed.
  check:       rpm package httpd

shared/checks/oval/package_libreswan_installed.xml
  title:       Package libreswan Installed
  platforms:   Red Hat Enterprise Linux 7
  description: The RPM package libreswan should be installed.
  check:       rpm package libreswan

shared/checks/oval/package_mcstrans_removed.xml
  title:       Package mcstrans Removed
  platforms:   multi_platform_rhel
  description: The RPM package mcstrans should be removed.
  check:       rpm package mcstrans

shared/checks/oval/package_net-snmp_removed.xml
  title:       Package net-snmp Removed
  platforms:   multi_platform_all
  description: The RPM package net-snmp should be removed.
  check:       rpm package net-snmp

shared/checks/oval/package_nss-pam-ldapd_removed.xml
  title:       Package nss-pam-ldapd Removed
  platforms:   Red Hat Enterprise Linux 7
  description: The RPM package nss-pam-ldapd should be removed.
  check:       rpm package nss-pam-ldapd

shared/checks/oval/package_ntp_installed.xml
  title:       Package ntp Installed
  platforms:   Red Hat Enterprise Linux 6
  description: The RPM package ntp should be installed.
  check:       rpm package ntp

shared/checks/oval/package_openldap-servers_removed.xml
  title:       Package openldap-servers Removed
  platforms:   multi_platform_rhel
  description: The RPM package openldap-servers should be removed.
shared/checks/oval/package_openldap-servers_removed.xml (continued)
  check:       rpm package openldap-servers

shared/checks/oval/package_openssh-server_removed.xml
  title:       Package openssh-server Removed
  platforms:   multi_platform_rhel, multi_platform_fedora, multi_platform_sle, multi_platform_wrlinux, multi_platform_opensuse, multi_platform_ol
  description: The RPM package openssh-server should be removed.
  check:       rpm package openssh-server

shared/checks/oval/package_prelink_removed.xml
  title:       Package prelink Removed
  platforms:   multi_platform_all
  description: The RPM package prelink should be removed.
  check:       rpm package prelink

shared/checks/oval/package_rsh-server_removed.xml
  title:       Package rsh-server Removed
  platforms:   multi_platform_rhel
  description: The RPM package rsh-server should be removed.
  check:       rpm package rsh-server

shared/checks/oval/package_rsh_removed.xml
  title:       Package rsh Removed
  platforms:   multi_platform_rhel
  description: The RPM package rsh should be removed.
  check:       rpm package rsh

shared/checks/oval/package_rsyslog_installed.xml
  title:       Package rsyslog Installed
  platforms:   multi_platform_rhel
  description: The RPM package rsyslog should be installed.
  check:       rpm package rsyslog

shared/checks/oval/package_samba-common_installed.xml
  title:       Package samba-common Installed
  platforms:   multi_platform_rhel, multi_platform_fedora, multi_platform_wrlinux
  description: The RPM package samba-common should be installed.
  check:       rpm package samba-common

shared/checks/oval/package_samba-common_removed.xml
  title:       Package samba-common Removed
  platforms:   multi_platform_rhel
  description: The RPM package samba-common should be removed.
  check:       rpm package samba-common

shared/checks/oval/package_screen_installed.xml
  title:       Package screen Installed
  platforms:   multi_platform_rhel
  description: The RPM package screen should be installed.
  check:       rpm package screen

shared/checks/oval/package_sendmail_removed.xml
  title:       Package sendmail Removed
  platforms:   multi_platform_rhel
  description: The RPM package sendmail should be removed.
  check:       rpm package sendmail

shared/checks/oval/package_setroubleshoot_removed.xml
  title:       Package setroubleshoot Removed
  platforms:   multi_platform_rhel
  description: The RPM package setroubleshoot should be removed.
  check:       rpm package setroubleshoot

shared/checks/oval/package_squid_removed.xml
  title:       Package squid Removed
  platforms:   multi_platform_rhel
  description: The RPM package squid should be removed.
  check:       rpm package squid

shared/checks/oval/package_talk-server_removed.xml
  title:       Package talk-server Removed
  platforms:   multi_platform_rhel
  description: The RPM package talk-server should be removed.
  check:       rpm package talk-server

shared/checks/oval/package_talk_removed.xml
  title:       Package talk Removed
  platforms:   multi_platform_rhel
  description: The RPM package talk should be removed.
  check:       rpm package talk

shared/checks/oval/package_telnet-server_removed.xml
  title:       Package telnet-server Removed
  platforms:   multi_platform_rhel
  description: The RPM package telnet-server should be removed.
  check:       rpm package telnet-server

shared/checks/oval/package_telnet_removed.xml
  title:       Package telnet Removed
  platforms:   multi_platform_rhel
  description: The RPM package telnet should be removed.
  check:       rpm package telnet

shared/checks/oval/package_tftp-server_removed.xml
  title:       Package tftp-server Removed
  platforms:   multi_platform_rhel
  description: The RPM package tftp-server should be removed.
  check:       rpm package tftp-server

shared/checks/oval/package_tftp_removed.xml
  title:       Package tftp Removed
  platforms:   multi_platform_rhel
  description: The RPM package tftp should be removed.
  check:       rpm package tftp

shared/checks/oval/package_vsftpd_installed.xml
  title:       Package vsftpd Installed
  platforms:   multi_platform_rhel, multi_platform_fedora
  description: The RPM package vsftpd should be installed.
  check:       rpm package vsftpd

shared/checks/oval/package_vsftpd_removed.xml
  title:       Package vsftpd Removed
  platforms:   multi_platform_rhel
  description: The RPM package vsftpd should be removed.
  check:       rpm package vsftpd

shared/checks/oval/package_xinetd_removed.xml
  title:       Package xinetd Removed
  platforms:   multi_platform_rhel
  description: The RPM package xinetd should be removed.
  check:       rpm package xinetd

shared/checks/oval/package_xorg-x11-server-common_removed.xml
  title:       Package xorg-x11-server-common Removed
  platforms:   multi_platform_rhel, multi_platform_fedora
  description: The RPM package xorg-x11-server-common should be removed.
  check:       rpm package xorg-x11-server-common

shared/checks/oval/package_ypbind_removed.xml
  title:       Package ypbind Removed
  platforms:   multi_platform_rhel
  description: The RPM package ypbind should be removed.
  check:       rpm package ypbind

shared/checks/oval/package_ypserv_removed.xml
  title:       Package ypserv Removed
  platforms:   multi_platform_rhel
  description: The RPM package ypserv should be removed.
  check:       rpm package ypserv

shared/checks/oval/postfix_network_listening_disabled.xml
  title:       Postfix network listening should be disabled
  platforms:   Red Hat Enterprise Linux 7
  description: Postfix network listening should be disabled.
  check:       /etc/postfix/main.cf  ^[\s]*inet_interfaces[\s]*=[\s]*localhost[\s]*$  (instance 1)

shared/checks/oval/postfix_server_banner.xml
  title:       Configure Postfix Against Unnecessary Release of Information
  platforms:   multi_platform_rhel
  description: Protect against unnecessary release of information.
  check:       /etc/postfix/main.cf  ^[\s]*smtpd_banner[\s]*=[\s]*\$myhostname[\s]+ESMTP[\s]*$  (instance 1)

shared/checks/oval/removable_partition_doesnt_exist.xml
  title:       Device Files for Removable Media Partitions Do Not Exist on the System
  platforms:   multi_platform_rhel, multi_platform_fedora, multi_platform_wrlinux
  description: Verify that no device files representing removable media partitions exist on the system.

shared/checks/oval/require_singleuser_auth.xml
  title:       Require Authentication for Single-User Mode
  platforms:   Red Hat Enterprise Linux 7, multi_platform_fedora
  description: The requirement for a password to boot into single-user mode should be configured correctly.
shared/checks/oval/require_singleuser_auth.xml (continued)
  check:       /usr/lib/systemd/system/rescue.service   ^ExecStart=\-.*/sbin/sulogin  (instance 1)
  check:       /usr/lib/systemd/system/runlevel1.target ^Requires=.*rescue.service     (instance 1)
  check:       /etc/systemd/system  ^rescue.service$    (no overriding unit file)
  check:       /etc/systemd/system  ^runlevel1.target$  (no overriding unit file)

shared/checks/oval/require_smb_client_signing.xml
  title:       Require Client SMB Packet Signing in smb.conf
  platforms:   multi_platform_rhel
  description: Require samba clients which use smb.conf, such as smbclient, to use packet signing. A Samba client should only communicate with servers that support SMB packet signing.
  check:       /etc/samba/smb.conf  ^[\s]*client[\s]+signing[\s]*=[\s]*mandatory  (instance 1)

shared/checks/oval/restrict_serial_port_logins.xml
  title:       Restrict Serial Port Root Logins
  platforms:   multi_platform_all
  description: Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the system using the root account.
  check:       /etc/securetty  ^ttyS[0-9]+$  (instance 1)

shared/checks/oval/root_path_no_dot.xml
  title:       Ensure that No Dangerous Directories Exist in Root's Path
  platforms:   multi_platform_rhel, multi_platform_wrlinux, multi_platform_ol
  description: The environment variable PATH should be set correctly for the root user.
  check:       environment variable PATH must not match any of  ^[:\.]  ::  \.\.  [:\.]$  ^[^/]  [^\\]:[^/]

shared/checks/oval/rpm_verify_hashes.xml
  title:       Verify File Hashes with RPM
  platforms:   multi_platform_fedora, multi_platform_rhel, multi_platform_ol
  description: Verify the RPM digests of system binaries using the RPM database.
  check:       files of every installed package (name, epoch, version, release, arch all .*) whose path matches ^/(bin|sbin|lib|lib64|usr)/.+$; state state_files_fail_md5_hash (digest verification result: fail)

shared/checks/oval/rpm_verify_ownership.xml
  title:       Verify File Ownership Using RPM
  platforms:   multi_platform_rhel, multi_platform_fedora
  description: Verify ownership of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.
  check:       files of every installed package (all six selectors .*); state state_files_fail_user_ownership (user ownership result: fail)
  check:       files of every installed package (all six selectors .*); state state_files_fail_group_ownership (group ownership result: fail)

shared/checks/oval/rpm_verify_permissions.xml
  title:       Verify File Permissions Using RPM
  platforms:   multi_platform_rhel, multi_platform_fedora, multi_platform_ol
  description: Verify the permissions of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.
  check:       files of every installed package (all six selectors .*); state state_files_fail_mode (mode result: fail)

shared/checks/oval/rsyslog_files_groupownership.xml
  title:       Confirm Existence and Permissions of System Log Files
  platforms:   multi_platform_rhel, multi_platform_fedora
  description: All syslog log files should be owned by the appropriate group.
  check:       /etc/rsyslog.conf  ^\$IncludeConfig[\s]+([^\s;]+)  (instance 1)
  check:       %^/etc/rsyslog.conf$ and the included files, lines ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$  (instance 1)
  state:       file type regular, group id 0

shared/checks/oval/rsyslog_files_ownership.xml
  title:       Confirm Existence and Permissions of System Log Files
  platforms:   multi_platform_rhel, multi_platform_fedora, multi_platform_debian, multi_platform_ubuntu
  description: All syslog log files should be owned by the appropriate user.
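Added example (not part of scap-security-guide): the three rpm_verify_* checks above reduced to a parser for `rpm -Va` output, so that a responder can make the same three decisions from a saved verification listing. The attribute column format (S M 5 D L U G T P, with `.` for pass and `?` for untestable) and the optional file-type letter are rpm's own; the sample listing below is constructed, not taken from a real host, and the path scope for the digest check is the OVAL's ^/(bin|sbin|lib|lib64|usr)/.+$.

```python
import re

# Constructed `rpm -Va` output (not from a real host).  Column 1 is the
# nine-character attribute field, column 2 the optional file type (c d g l r).
SAMPLE_RPM_VA = """\
S.5....T.    /usr/bin/ssh
.M.......    /usr/sbin/sshd
.....UG..    /usr/lib64/libcrypto.so.1.0.2k
..5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/openssh/README
missing     /usr/lib/systemd/system/sshd.service
..5......    /opt/vendor/bin/agent
"""

# Scope copied from the rpm_verify_hashes object: system binary and library
# locations only, so edited config files under /etc are not reported as tampered.
SYSTEM_PATH = re.compile(r"^/(bin|sbin|lib|lib64|usr)/.+$")
VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")

# Attribute positions in rpm's verify column.
SIZE, MODE, DIGEST, DEVICE, LINK, USER, GROUP, MTIME, CAPS = range(9)


def parse_rpm_va(text):
    """List of (flags, ftype, path); 'missing' entries carry flags=None."""
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("missing"):
            rows.append((None, None, line.split()[-1]))
            continue
        m = VERIFY_LINE.match(line)
        if m:
            rows.append((m.group("flags"), m.group("ftype"), m.group("path")))
    return rows


def verify_findings(text):
    """The three failure lists the OVAL checks correspond to, as a dict."""
    hashes, ownership, permissions = [], [], []
    for flags, _ftype, path in parse_rpm_va(text):
        if flags is None:                       # missing file: not a digest finding
            continue
        if flags[DIGEST] == "5" and SYSTEM_PATH.match(path):
            hashes.append(path)                 # rpm_verify_hashes
        if flags[USER] == "U" or flags[GROUP] == "G":
            ownership.append(path)              # rpm_verify_ownership
        if flags[MODE] == "M":
            permissions.append(path)            # rpm_verify_permissions
    return {"hashes": hashes, "ownership": ownership, "permissions": permissions}


if __name__ == "__main__":
    for kind, paths in verify_findings(SAMPLE_RPM_VA).items():
        print("%-12s %s" % (kind, ", ".join(paths) or "-"))
```

Two caveats a practitioner should carry with this: `rpm -Va` compares against the local rpm database, so a root-level intruder can rewrite the database as easily as the binaries, and the result is an integrity hint rather than attestation; and prelink (the subject of package_prelink_removed above) rewrites binaries on disk and produces digest mismatches that are not tampering.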
shared/checks/oval/rsyslog_files_ownership.xml (continued)
  check:       /etc/rsyslog.conf  ^\$IncludeConfig[\s]+([^\s;]+)  (instance 1)
  check:       %^/etc/rsyslog.conf$ and the included files, lines ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$  (instance 1)
  state:       file type regular, user id 0

shared/checks/oval/rsyslog_files_permissions.xml
  title:       Confirm Existence and Permissions of System Log Files
  platforms:   multi_platform_rhel, multi_platform_fedora
  description: File permissions for all syslog log files should be set correctly.
  check:       /etc/rsyslog.conf  ^\$IncludeConfig[\s]+([^\s;]+)  (instance 1)
  check:       %^/etc/rsyslog.conf$ and the included files, lines ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$  (instance 1)
  state:       file type regular; seven permission flags required false

shared/checks/oval/rsyslog_nolisten.xml
  title:       Disable Rsyslogd from Accepting Remote Messages on Loghosts Only
  platforms:   multi_platform_rhel
  description: rsyslogd should reject remote messages.
  check:       /etc/rsyslog.conf  ^[\s]*\$(?:Input(?:TCP|RELP)|UDP)ServerRun  (instance 1)

shared/checks/oval/rsyslog_remote_loghost.xml
  title:       Send Logs to a Remote Loghost
  platforms:   multi_platform_rhel, multi_platform_debian, multi_platform_ubuntu
  description: Syslog logs should be sent to a remote loghost.
  check:       /etc/rsyslog.conf          ^\*\.\*[\s]+(?:@|\:omrelp\:)  (instance 1)
  check:       /etc/rsyslog.d, files .*   ^\*\.\*[\s]+(?:@|\:omrelp\:)  (instance 1)

shared/checks/oval/securetty_root_login_console_only.xml
  title:       Restrict Virtual Console Root Logins
  platforms:   multi_platform_all
  description: Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
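Added example (not part of scap-security-guide): the file-discovery half shared by the three rsyslog_files_* checks above, in Python. It follows $IncludeConfig globs from the main rsyslog.conf, extracts the log-file action of every selector line with the page's own pattern, and then reports owner, group and mode of each regular file found. It builds and inspects a constructed temporary tree rather than the live host, and the reading of the seven false permission flags as "mode 0600 or tighter" is an assumption about which flags the extracted state carries.

```python
import glob
import os
import re
import stat
import tempfile

# Patterns copied from the OVAL objects above.
INCLUDE_RE = re.compile(r"^\$IncludeConfig[\s]+([^\s;]+)")
ACTION_RE = re.compile(r"^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$")


def collect_log_files(conf_path, _seen=None):
    """Log file paths named in conf_path and, recursively, in every file that
    its $IncludeConfig globs expand to.  Each config file is visited once."""
    seen = set() if _seen is None else _seen
    if conf_path in seen:
        return []
    seen.add(conf_path)
    found = []
    with open(conf_path) as fh:
        for line in fh:
            line = line.rstrip("\n")
            inc = INCLUDE_RE.match(line)
            if inc:
                for sub in sorted(glob.glob(inc.group(1))):
                    if os.path.isfile(sub):
                        found.extend(collect_log_files(sub, seen))
                continue
            act = ACTION_RE.match(line)
            if act:                      # selector line whose action is a file path
                found.append(act.group(1))
    return found


def audit_log_files(paths):
    """(path, uid, gid, mode_ok) for every existing regular file.  mode_ok is
    the assumed reading of the seven 'false' flags: no owner execute bit and
    no group/other bits at all, i.e. mode 0600 or tighter."""
    report = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        if stat.S_ISREG(st.st_mode):
            report.append((path, st.st_uid, st.st_gid, (st.st_mode & 0o177) == 0))
    return report


def build_sample_tree():
    """Write a constructed rsyslog tree under a temp dir; return the main conf path."""
    root = tempfile.mkdtemp(prefix="rsyslog-demo-")
    os.makedirs(os.path.join(root, "rsyslog.d"))
    os.makedirs(os.path.join(root, "log"))

    def log(name):
        return os.path.join(root, "log", name)

    with open(os.path.join(root, "rsyslog.conf"), "w") as fh:
        fh.write("# constructed sample, not a real host's file\n"
                 "$ModLoad imuxsock\n"
                 "$IncludeConfig %s/rsyslog.d/*.conf\n"
                 "*.info;mail.none;authpriv.none;cron.none    %s\n"
                 "authpriv.*                                  %s\n"
                 "*.emerg                                     :omusrmsg:*\n"
                 % (root, log("messages"), log("secure")))
    with open(os.path.join(root, "rsyslog.d", "10-audit.conf"), "w") as fh:
        fh.write("local6.*    -%s\n" % log("audit.log"))   # leading '-' = async write
    for name, mode in (("messages", 0o600), ("secure", 0o644), ("audit.log", 0o600)):
        open(log(name), "w").close()
        os.chmod(log(name), mode)
    return os.path.join(root, "rsyslog.conf")


def demo():
    """Build the sample tree, discover its log files and audit them.
    Returns (basenames in discovery order, [(basename, mode_ok)])."""
    files = collect_log_files(build_sample_tree())
    report = audit_log_files(files)
    return ([os.path.basename(f) for f in files],
            [(os.path.basename(p), ok) for p, _uid, _gid, ok in report])


if __name__ == "__main__":
    print(demo())
```

Two properties of the OVAL pattern are visible here: the :omusrmsg:* action is ignored because the path group must start with a slash, and the selector and the action must be separated by at least two whitespace characters (one for each [\s]+ around the .*), so a hand-written line with a single space is not discovered. The ownership states require uid and gid 0; run unprivileged, the demo reports the caller's ids instead.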
shared/checks/oval/securetty_root_login_console_only.xml (continued)
  check:       /etc/securetty  ^vc/[0-9]+$  (instance 1)

shared/checks/oval/selinux_all_devicefiles_labeled.xml
  title:       Device Files Have Proper SELinux Context
  platforms:   Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7
  description: All device files in /dev should be assigned an SELinux security context other than 'device_t'.
  check:       every file under /dev (pattern ^.*$) must have an SELinux type other than device_t (state_selinux_all_devicefiles_labeled)

shared/checks/oval/selinux_confinement_of_daemons.xml
  title:       Ensure No Daemons are Unconfined by SELinux
  platforms:   Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Wind River Linux 8
  description: All pids in /proc should be assigned an SELinux security context other than 'initrc_t'.
  check:       every entry under /proc (pattern ^.*$) must have an SELinux type other than initrc_t (state_selinux_confinement_of_daemons)

shared/checks/oval/selinux_policytype.xml
  title:       Enable SELinux
  platforms:   multi_platform_rhel
  description: The SELinux policy should be set appropriately.
  check:       /etc/selinux/config  ^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)  (instance 1)

shared/checks/oval/selinux_state.xml
  title:       SELinux Enforcing
  platforms:   multi_platform_rhel
  description: The SELinux state should be enforcing the local policy.
  check:       /etc/selinux/config  ^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$  (instance 1)

shared/checks/oval/service_dovecot_disabled.xml
  title:       Service dovecot Disabled
  platforms:   Red Hat Enterprise Linux 7
  description: The dovecot service should be disabled if possible.
  check:       systemd unit dovecot.service, target multi-user.target

shared/checks/oval/set_firewalld_default_zone.xml
  title:       Change the default firewalld zone to drop
  platforms:   Red Hat Enterprise Linux 7, multi_platform_fedora
  description: Change the default firewalld zone to drop.
  check:       /etc/firewalld/firewalld.conf  ^DefaultZone=drop$  (instance 1)

shared/checks/oval/set_password_hashing_algorithm_libuserconf.xml
  title:       Set SHA512 Password Hashing Algorithm in /etc/libuser.conf
  platforms:   multi_platform_rhel
  description: The password hashing algorithm should be set correctly in /etc/libuser.conf.
  check:       /etc/libuser.conf  ^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$  (instance 1)

shared/checks/oval/set_password_hashing_algorithm_logindefs.xml
  title:       Set SHA512 Password Hashing Algorithm in /etc/login.defs
  platforms:   multi_platform_rhel, multi_platform_fedora
  description: The password hashing algorithm should be set correctly in /etc/login.defs.
  check:       /etc/login.defs  .*\n[^#]*(ENCRYPT_METHOD\s+\w+)\s*\n  (instance 1); the last value (variable_last_encrypt_method_instance_value) must be SHA512

shared/checks/oval/set_password_hashing_algorithm_systemauth.xml
  title:       Set Password Hashing Algorithm in /etc/pam.d/system-auth
  platforms:   multi_platform_rhel
  description: The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.
  check:       /etc/pam.d/system-auth  ^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$  (instance 1)

shared/checks/oval/snmpd_not_default_password.xml
  title:       SNMP default communities disabled
  platforms:   multi_platform_all
  description: SNMP default communities must be removed.
  check:       /etc/snmp/snmpd.conf  ^[\s]*(com2se|rocommunity|rwcommunity|createUser).*(public|private)  (instance 1)

shared/checks/oval/snmpd_use_newer_protocol.xml
  title:       SNMP use newer protocols
  platforms:   multi_platform_all
  description: SNMP version 1 and 2c must not be enabled.
  check:       /etc/snmp/snmpd.conf  ^[\s]*(com2se|rocommunity|rwcommunity)  (instance 1)

shared/checks/oval/sshd_allow_only_protocol2.xml
  title:       Ensure Only Protocol 2 Connections Allowed
  platforms:   multi_platform_rhel, multi_platform_debian, multi_platform_ubuntu
  description: The OpenSSH daemon should be running protocol 2.
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_disable_empty_passwords.xml
  title:       Disable Empty Passwords
  platforms:   multi_platform_all
  description: Remote connections from accounts with empty passwords should be disabled (and dependencies are met).
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)PermitEmptyPasswords(?-i)[\s]+no[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_disable_rhosts.xml
  title:       Disable .rhosts Files
  platforms:   multi_platform_rhel
  description: Emulation of the rsh command through the ssh server should be disabled (and dependencies are met).
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)IgnoreRhosts(?-i)[\s]+no[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_disable_rhosts_rsa.xml
  title:       Disable SSH Support for Rhosts RSA Authentication
  platforms:   multi_platform_all
  description: SSH can allow authentication through the obsolete rsh command through the use of the authenticating user's SSH keys. This should be disabled.
shared/checks/oval/sshd_disable_rhosts_rsa.xml (continued)
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)RhostsRSAAuthentication(?-i)[\s]+no[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_disable_root_login.xml
  title:       Disable root Login via SSH
  platforms:   multi_platform_all
  description: Root login via SSH should be disabled (and dependencies are met).
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)PermitRootLogin(?-i)[\s]+no[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_disable_user_known_hosts.xml
  title:       Disable SSH Support for User Known Hosts
  platforms:   multi_platform_all
  description: SSH can allow host-based authentication for system users if a cache of the remote systems' public keys is available. This should be disabled.
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)IgnoreUserKnownHosts(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_do_not_permit_user_env.xml
  title:       Do Not Allow Users to Set Environment Options
  platforms:   multi_platform_rhel
  description: PermitUserEnvironment should be disabled.
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)PermitUserEnvironment(?-i)[\s]+no[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_enable_warning_banner.xml
  title:       Enable a Warning Banner
  platforms:   multi_platform_rhel
  description: SSH warning banner should be enabled (and dependencies are met).
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)Banner(?-i)[\s]+/etc/issue[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_enable_x11_forwarding.xml
  title:       Enable X11 Forwarding
  platforms:   multi_platform_all
  description: Enable X11Forwarding to encrypt X11 remote connections over SSH.
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)X11Forwarding(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_not_required_or_unset.xml
  title:       SSHD is not required to be installed or requirement not set
  platforms:   multi_platform_all
  description: If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good.
  check:       external variable sshd_required equals 1

shared/checks/oval/sshd_print_last_log.xml
  title:       Enable Print Last Log
  platforms:   multi_platform_rhel
  description: Enable PrintLastLog to display user's last login time and date.
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)PrintLastLog(?-i)[\s]+yes[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_required_or_unset.xml
  title:       SSHD is required to be installed or requirement not set
  platforms:   multi_platform_all
  description: If SSHD is required, we check it is installed. If SSH requirement is unset, we are good.
  check:       external variable sshd_required equals 2

shared/checks/oval/sshd_requirement_unset.xml
  title:       It doesn't matter if sshd is installed or not
  platforms:   multi_platform_all
  description: Test if value sshd_required is 0.
  check:       external variable sshd_required equals 0

shared/checks/oval/sshd_set_idle_timeout.xml
  title:       Set OpenSSH Idle Timeout Interval
  platforms:   multi_platform_all
  description: The SSH idle timeout interval should be set to an appropriate value.
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:|(?:#.*))?$  (instance 1); captured value compared against the literal 0

shared/checks/oval/sshd_set_keepalive.xml
  title:       Set ClientAliveCountMax for User Logins
  platforms:   multi_platform_all
  description: The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met).
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:|(?:#.*))?$  (instance 1); expected value literal 0

shared/checks/oval/sshd_set_loglevel_info.xml
  title:       Set OpenSSH LogLevel to INFO
  platforms:   multi_platform_all
  description: The SSH LogLevel should be set to INFO.
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)LogLevel(?-i)[\s]+INFO[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_set_max_auth_tries.xml
  title:       Set OpenSSH authentication attempt limit (MaxAuthTries)
  platforms:   multi_platform_all
  description: The SSH MaxAuthTries should be set to an appropriate value.
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:|(?:#.*))?$  (instance 1); captured value compared against the literal 0

shared/checks/oval/sshd_use_approved_ciphers.xml
  title:       Use Only Approved Ciphers
  platforms:   multi_platform_rhel
  description: Limit the ciphers to those which are FIPS-approved.
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)Ciphers(?-i)[\s]+((aes128-ctr|aes192-ctr|aes256-ctr|aes128-cbc|aes192-cbc|aes256-cbc|3des-cbc|rijndael-cbc@lysator\.liu\.se),?)+[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_use_approved_macs.xml
  title:       Use Only FIPS MACs
  platforms:   multi_platform_rhel
  description: Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)MACs(?-i)[\s]+((hmac-sha1|hmac-sha2-256|hmac-sha2-512|hmac-sha1-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|hmac-sha2-512-etm@openssh\.com),?)+[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_use_strong_ciphers.xml
  title:       Use Only Strong Ciphers
  platforms:   multi_platform_all
  description: Only use strong ciphers.
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)Ciphers(?-i)[\s]+((chacha20-poly1305@openssh\.com|aes256-gcm@openssh\.com|aes128-gcm@openssh\.com|aes256-ctr|aes128-ctr),?)+[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_use_strong_macs.xml
  title:       Use Only Strong MACs
  platforms:   multi_platform_all
  description: Only use strong MACs.
  check:       /etc/ssh/sshd_config  ^[\s]*(?i)MACs(?-i)[\s]+((hmac-sha2-512-etm@openssh\.com|hmac-sha2-256-etm@openssh\.com|umac-128-etm@openssh\.com|hmac-sha2-512|hmac-sha2-256|hmac-ripemd160),?)+[\s]*(?:|(?:#.*))?$  (instance 1)

shared/checks/oval/sshd_version_higher_than_74.xml
  title:       OpenSSH Server is 7.4 or newer
  platforms:   multi_platform_all
  description: Check if version of OpenSSH Server is equal or higher than 7.4.
  check:       rpm package openssh-server, version compared against 0:7.4 (two objects)

shared/checks/oval/sssd_enable_pam_services.xml
  title:       Configure PAM in SSSD Services
  platforms:   Red Hat Enterprise Linux 7
  description: SSSD should be configured to run SSSD PAM services.
/etc/sssd/sssd.conf ^[\s]*\[sssd]([^\n\[\]]*\n+)+?[\s]*services.*pam.*$ 1 scap-security-guide-0.1.39/shared/checks/oval/sudo_remove_no_authenticate.xml000066400000000000000000000037221327242345500274570ustar00rootroot00000000000000 Ensure !authenticate Is Not Used in Sudo multi_platform_rhel multi_platform_debian multi_platform_ubuntu Checks sudo usage without authentication /etc/sudoers ^(?!#).*[\s]+\!authenticate.*$ 1 /etc/sudoers.d ^.*$ ^(?!#).*[\s]+\!authenticate.*$ 1 scap-security-guide-0.1.39/shared/checks/oval/sudo_remove_nopasswd.xml000066400000000000000000000035711327242345500261450ustar00rootroot00000000000000 Ensure NOPASSWD Is Not Used in Sudo multi_platform_rhel multi_platform_debian multi_platform_ubuntu Checks sudo usage without password /etc/sudoers ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ 1 /etc/sudoers.d ^.*$ ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ 1 scap-security-guide-0.1.39/shared/checks/oval/sudo_require_authentication.xml000066400000000000000000000011171327242345500274770ustar00rootroot00000000000000 Ensure Users Re-Authenticate for Privilege Escalation - sudo Red Hat Enterprise Linux 6 Checks sudo usage without password scap-security-guide-0.1.39/shared/checks/oval/sysconfig_networking_bootproto_ifcfg.xml000066400000000000000000000031171327242345500314140ustar00rootroot00000000000000 Disable DHCP Client multi_platform_rhel DHCP configuration should be static for all interfaces. ^(static|none)$ /etc/sysconfig/network-scripts ifcfg-.* ^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*) 1 scap-security-guide-0.1.39/shared/checks/oval/sysctl_kernel_dmesg_restrict.xml000066400000000000000000000014571327242345500276600ustar00rootroot00000000000000 Kernel "kernel.dmesg_restrict" Parameter Configuration and Runtime Check multi_platform_rhel The "kernel.dmesg_restrict" kernel parameter should be set to "1" in both system configuration and system runtime. 
scap-security-guide-0.1.39/shared/checks/oval/sysctl_kernel_exec_shield.xml000066400000000000000000000067201327242345500271140ustar00rootroot00000000000000 Kernel Runtime Parameter "kernel.exec-shield" Check Red Hat Enterprise Linux 7 multi_platform_fedora The kernel runtime parameter "kernel.exec-shield" should not be disabled and set to 1 on 32-bit systems. /etc/sysctl.conf ^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$ 1 kernel.exec-shield 1 /boot/grub2/grub.cfg [\s]*noexec[\s]*=[\s]*off 1 scap-security-guide-0.1.39/shared/checks/oval/sysctl_kernel_ipv6_disable.xml000066400000000000000000000016331327242345500272050ustar00rootroot00000000000000 Kernel Runtime Parameter IPv6 Check Red Hat Enterprise Linux 7 multi_platform_fedora Disables IPv6 for all network interfaces. scap-security-guide-0.1.39/shared/checks/oval/sysctl_kernel_randomize_va_space.xml000066400000000000000000000015441327242345500304700ustar00rootroot00000000000000 Kernel "kernel.randomize_va_space" Parameter Configuration and Runtime Check Red Hat Enterprise Linux 7 The "kernel.randomize_va_space" kernel parameter should be set to the appropriate value in both system configuration and system runtime. scap-security-guide-0.1.39/shared/checks/oval/sysctl_runtime_kernel_dmesg_restrict.xml000066400000000000000000000024021327242345500314120ustar00rootroot00000000000000 Kernel "kernel.dmesg_restrict" Parameter Runtime Check multi_platform_rhel The kernel "kernel.dmesg_restrict" parameter should be set to "1" in system runtime. kernel.dmesg_restrict 1 scap-security-guide-0.1.39/shared/checks/oval/sysctl_runtime_kernel_randomize_va_space.xml000066400000000000000000000025061327242345500322320ustar00rootroot00000000000000 Kernel "kernel.randomize_va_space" Parameter Runtime Check Red Hat Enterprise Linux 7 The kernel "kernel.randomize_va_space" parameter should be set to "2" in system runtime. 
kernel.randomize_va_space 2 scap-security-guide-0.1.39/shared/checks/oval/sysctl_runtime_net_ipv6_conf_all_disable_ipv6.xml000066400000000000000000000026651327242345500330650ustar00rootroot00000000000000 Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Runtime Check Red Hat Enterprise Linux 7 multi_platform_fedora The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in system runtime. net.ipv6.conf.all.disable_ipv6 1 scap-security-guide-0.1.39/shared/checks/oval/sysctl_static_kernel_dmesg_restrict.xml000066400000000000000000000144271327242345500312300ustar00rootroot00000000000000 Kernel "kernel.dmesg_restrict" Parameter Configuration Check multi_platform_rhel The kernel "kernel.dmesg_restrict" parameter should be set to "1" in the system configuration. /etc/sysctl.d ^.*$ (?:^|.*\n)[^#]*kernel.dmesg_restrict[\s]*=[\s]*(\d+)[\s]*\n 1 1 /etc/sysctl.conf (?:^|.*\n)[^#]*kernel.dmesg_restrict[\s]*=[\s]*(\d+)[\s]*\n 1 scap-security-guide-0.1.39/shared/checks/oval/sysctl_static_kernel_randomize_va_space.xml000066400000000000000000000077201327242345500320410ustar00rootroot00000000000000 Kernel "kernel.randomize_va_space" Parameter Configuration Check Red Hat Enterprise Linux 7 The kernel "kernel.randomize_va_space" parameter should be set to "2" in the system configuration. 
/etc/sysctl.conf ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/sysctl_static_net_ipv6_conf_all_disable_ipv6.xml000066400000000000000000000102361327242345500326620ustar00rootroot00000000000000 Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Configuration Check Red Hat Enterprise Linux 7 multi_platform_fedora The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in the system configuration. /etc/sysctl.conf ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 /etc/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 /run/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 /usr/lib/sysctl.d ^.*\.conf$ ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$ 1 scap-security-guide-0.1.39/shared/checks/oval/system_info_architecture_64bit.xml000066400000000000000000000015121327242345500300020ustar00rootroot00000000000000 Test for 64-bit Architecture multi_platform_all Generic test for 64-bit architectures to be used by other tests scap-security-guide-0.1.39/shared/checks/oval/system_info_architecture_ppc_64.xml000066400000000000000000000037701327242345500301550ustar00rootroot00000000000000 Test for PPC and PPCLE Architecture multi_platform_all Generic test for PPC PPC64LE architecture to be used by other tests ppc64 ppc64le scap-security-guide-0.1.39/shared/checks/oval/system_info_architecture_x86.xml000066400000000000000000000023441327242345500275030ustar00rootroot00000000000000 Test for x86 Architecture multi_platform_all Generic test for x86 architecture to be used by other tests i686 
scap-security-guide-0.1.39/shared/checks/oval/system_info_architecture_x86_64.xml000066400000000000000000000024041327242345500300110ustar00rootroot00000000000000 Test for x86_64 Architecture multi_platform_all Generic test for x86_64 architecture to be used by other tests x86_64 scap-security-guide-0.1.39/shared/checks/oval/tftpd_uses_secure_mode.xml000066400000000000000000000023021327242345500264210ustar00rootroot00000000000000 TFTP Daemon Uses Secure Mode multi_platform_rhel The TFTP daemon should use secure mode. /etc/xinetd.d/tftp ^[\s]*server_args[\s]+=[\s]+\-s[\s]+.+$ 1 scap-security-guide-0.1.39/shared/checks/oval/umask_for_daemons.xml000066400000000000000000000072451327242345500253760ustar00rootroot00000000000000 Set Daemon umask multi_platform_rhel The daemon umask should be set as appropriate /etc/init.d/functions ^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*) 1 64 8 var_etc_init_d_functions_umask_as_number scap-security-guide-0.1.39/shared/checks/oval/userowner_shadow_file.xml000066400000000000000000000021411327242345500262650ustar00rootroot00000000000000 Verify user who owns 'shadow' file multi_platform_rhel The /etc/shadow file should be owned by the appropriate user. 
0 /etc/shadow scap-security-guide-0.1.39/shared/checks/oval/var_accounts_user_umask_as_number.xml000066400000000000000000000063131327242345500306550ustar00rootroot00000000000000 Value of 'var_accounts_user_umask' variable represented as octal number multi_platform_rhel multi_platform_wrlinux Value of 'var_accounts_user_umask' variable represented as octal number 64 8 var_accounts_user_umask_umask_as_number scap-security-guide-0.1.39/shared/checks/oval/var_removable_partition_is_cd_dvd_drive.xml000066400000000000000000000031511327242345500317760ustar00rootroot00000000000000 Value of 'var_removable_partition' variable is set to '/dev/cdrom' multi_platform_rhel multi_platform_fedora multi_platform_wrlinux Verify if value of 'var_removable_partition' variable is set to '/dev/cdrom' var_removable_partition /dev/cdrom scap-security-guide-0.1.39/shared/checks/oval/var_umask_for_daemons_as_number.xml000066400000000000000000000061431327242345500302750ustar00rootroot00000000000000 Value of 'var_umask_for_daemons' variable represented as octal number multi_platform_rhel Value of 'var_umask_for_daemons' variable represented as octal number 64 8 var_umask_for_daemons_umask_as_number scap-security-guide-0.1.39/shared/checks/oval/wireless_disable_interfaces.xml000066400000000000000000000020611327242345500274140ustar00rootroot00000000000000 Deactivate Wireless Interfaces multi_platform_rhel All wireless interfaces should be disabled. /proc/net/wireless ^\s*[-\w]+: 1 scap-security-guide-0.1.39/shared/checks/oval/xwindows_runlevel_setting.xml000066400000000000000000000030271327242345500272270ustar00rootroot00000000000000 Disable X Windows Startup By Setting Default SystemD Target Red Hat Enterprise Linux 7 multi_platform_fedora Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target. 
  (continued from shared/checks/oval/xwindows_runlevel_setting.xml)
  filepath:    /etc/systemd/system/default.target
  filepath:    /etc/systemd/system/default.target
  values:      /lib/systemd/system/multi-user.target$

scap-security-guide-0.1.39/shared/fixes/anaconda/service_kdump_disable.anaconda
# platform = multi_platform_rhel
kdump --disable

scap-security-guide-0.1.39/shared/fixes/anaconda/smartcard_auth.anaconda
# platform = multi_platform_rhel
package --add=pam_pkcs11 --add=esc

scap-security-guide-0.1.39/shared/fixes/ansible/account_disable_post_pw_expiration.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_account_disable_post_pw_expiration)
- name: Set Account Expiration Following Inactivity
  lineinfile:
    create: yes
    dest: /etc/default/useradd
    regexp: ^INACTIVE
    line: "INACTIVE={{ var_account_disable_post_pw_expiration }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_logon_fail_delay.yml
# platform = multi_platform_rhel
- (xccdf-var var_accounts_fail_delay)
- name: Set accounts logon fail delay
  lineinfile:
    dest: /etc/login.defs
    regexp: ^FAIL_DELAY
    line: "FAIL_DELAY {{ var_accounts_fail_delay }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_max_concurrent_login_sessions.yml
# platform = multi_platform_fedora, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 6
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_accounts_max_concurrent_login_sessions)
- name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
  lineinfile:
    state: present
    dest: /etc/security/limits.conf
    insertbefore: "^# End of file"
    regexp: "^#?\\*.*maxlogins"
    line: "* hard maxlogins {{ var_accounts_max_concurrent_login_sessions }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_maximum_age_login_defs.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_accounts_maximum_age_login_defs)
- name: Set Password Maximum Age
  lineinfile:
    create: yes
    dest: /etc/login.defs
    regexp: ^#?PASS_MAX_DAYS
    line: "PASS_MAX_DAYS {{ var_accounts_maximum_age_login_defs }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_minimum_age_login_defs.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_accounts_minimum_age_login_defs)
- name: Set Password Minimum Age
  lineinfile:
    create: yes
    dest: /etc/login.defs
    regexp: ^#?PASS_MIN_DAYS
    line: "PASS_MIN_DAYS {{ var_accounts_minimum_age_login_defs }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_password_minlen_login_defs.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_accounts_password_minlen_login_defs)
- name: "Set Password Minimum Length in login.defs"
  lineinfile:
    dest: /etc/login.defs
    regexp: "^PASS_MIN_LEN *[0-9]*"
    state: present
    line: "PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_password_pam_maxclassrepeat.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_password_pam_maxclassrepeat)
- name: "@RULE_TITLE@"
  lineinfile:
    create: yes
    dest: /etc/security/pwquality.conf
    regexp: '^#?\s*maxclassrepeat'
    line: "maxclassrepeat = {{ var_password_pam_maxclassrepeat }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_password_pam_maxrepeat.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_password_pam_maxrepeat)
- name: Set Password Maximum Consecutive Repeating Characters
  lineinfile:
    create: yes
    dest: /etc/security/pwquality.conf
    regexp: '^#?\s*maxrepeat'
    line: "maxrepeat = {{ var_password_pam_maxrepeat }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_password_pam_minlen.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_password_pam_minlen)
- name: Set Password Minimum Length - /etc/security/pwquality.conf
  lineinfile:
    dest: /etc/security/pwquality.conf
    regexp: ^minlen =
    state: present
    line: "minlen = {{ var_password_pam_minlen }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_password_pam_retry.yml
# platform = multi_platform_rhel, multi_platform_fedora
# reboot = false
# strategy = configure
# complexity = low
# disruption = medium
- (xccdf-var var_password_pam_retry)
- name: "Set Password Retry Prompts Permitted Per-Session - system-auth (change)"
  replace:
    dest: /etc/pam.d/system-auth
    follow: yes
    regexp: '(^.*\spam_pwquality.so\s.*retry\s*=\s*)(\S+)(.*$)'
    replace: '\g<1>{{ var_password_pam_retry }}\g<3>'
  tags: @ANSIBLE_TAGS@
- name: "Set Password Retry Prompts Permitted Per-Session - system-auth (add)"
  replace:
    dest: /etc/pam.d/system-auth
    follow: yes
    regexp: '^.*\spam_pwquality.so\s(?!.*retry\s*=\s*).*$'
    replace: '\g<0> retry={{ var_password_pam_retry }}'
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_password_pam_unix_remember.yml
# platform = multi_platform_rhel, multi_platform_fedora
# reboot = false
# strategy = configure
# complexity = low
# disruption = medium
- (xccdf-var var_password_pam_unix_remember)
- name: "Do not allow users to reuse recent passwords - system-auth (change)"
  replace:
    dest: /etc/pam.d/system-auth
    follow: yes
    regexp: '^(password\s+sufficient\s+pam_unix\.so\s.*remember\s*=\s*)(\S+)(.*)$'
    replace: '\g<1>{{ var_password_pam_unix_remember }}\g<3>'
  tags: @ANSIBLE_TAGS@
- name: "Do not allow users to reuse recent passwords - system-auth (add)"
  replace:
    dest: /etc/pam.d/system-auth
    follow: yes
    regexp: '^password\s+sufficient\s+pam_unix\.so\s(?!.*remember\s*=\s*).*$'
    replace: '\g<0> remember={{ var_password_pam_unix_remember }}'
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_password_warn_age_login_defs.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_accounts_password_warn_age_login_defs)
- name: "Set Password Warning Age"
  lineinfile:
    dest: /etc/login.defs
    regexp: "^PASS_WARN_AGE *[0-9]*"
    state: present
    line: "PASS_WARN_AGE {{ var_accounts_password_warn_age_login_defs }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_passwords_pam_faillock_deny.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_accounts_passwords_pam_faillock_deny)
- (xccdf-var var_accounts_passwords_pam_faillock_unlock_time)
- (xccdf-var var_accounts_passwords_pam_faillock_fail_interval)
- name: set auth pam_faillock before pam_unix.so
  pamd:
    name: system-auth
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: 'preauth silent deny={{ var_accounts_passwords_pam_faillock_deny }} unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}'
    state: before
  tags: @ANSIBLE_TAGS@
- name: set auth pam_faillock after pam_unix.so
  pamd:
    name: system-auth
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    # The line after pam_unix.so must be the authfail stage; a second preauth
    # line never records the failed attempt, so the lockout never triggers.
    module_arguments: 'authfail deny={{ var_accounts_passwords_pam_faillock_deny }} unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}'
    state: after
  tags: @ANSIBLE_TAGS@
- name: set account pam_faillock before pam_unix.so
  pamd:
    name: system-auth
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_passwords_pam_faillock_deny_root.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_accounts_passwords_pam_faillock_deny)
- (xccdf-var var_accounts_passwords_pam_faillock_unlock_time)
- (xccdf-var var_accounts_passwords_pam_faillock_fail_interval)
- name: set auth pam_faillock before pam_unix.so
  pamd:
    name: system-auth
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: required
    new_module_path: pam_faillock.so
    module_arguments: 'preauth silent even_deny_root deny={{ var_accounts_passwords_pam_faillock_deny }} unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}'
    state: before
  tags: @ANSIBLE_TAGS@
- name: set auth pam_faillock after pam_unix.so
  pamd:
    name: system-auth
    type: auth
    control: sufficient
    module_path: pam_unix.so
    new_type: auth
    new_control: '[default=die]'
    new_module_path: pam_faillock.so
    # authfail, not a second preauth, is the stage that counts the failure
    module_arguments: 'authfail even_deny_root deny={{ var_accounts_passwords_pam_faillock_deny }} unlock_time={{ var_accounts_passwords_pam_faillock_unlock_time }} fail_interval={{ var_accounts_passwords_pam_faillock_fail_interval }}'
    state: after
  tags: @ANSIBLE_TAGS@
- name: set account pam_faillock before pam_unix.so
  pamd:
    name: system-auth
    type: account
    control: required
    module_path: pam_unix.so
    new_type: account
    new_control: required
    new_module_path: pam_faillock.so
    state: before
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_root_path_dirs_no_write.yml
# platform = multi_platform_rhel, multi_platform_fedora, multi_platform_ol
# reboot = false
# strategy = restrict
# complexity = low
# disruption = medium
- name: "Fail if user is not root"
  fail:
    msg: 'Root account required to read root $PATH'
  when: ansible_user != "root"
  tags: @ANSIBLE_TAGS@
- name: "Get root paths which are not symbolic links"
  shell: 'tr ":" "\n" <<< "$PATH" | xargs -I% find % -maxdepth 0 -type d'
  changed_when: False
  failed_when: False
  register: root_paths
  when: ansible_user == "root"
  check_mode: no
  tags: @ANSIBLE_TAGS@
- name: "Disable writability to root directories"
  file:
    path: "{{item}}"
    mode: "g-w,o-w"
  with_items: "{{ root_paths.stdout_lines }}"
  when: root_paths.stdout_lines is defined
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_tmout.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_accounts_tmout)
- name: Set Interactive Session Timeout
  lineinfile:
    create: yes
    dest: /etc/profile
    regexp: ^#?TMOUT
    line: "TMOUT={{ var_accounts_tmout }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/accounts_umask_etc_login_defs.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_accounts_user_umask)
- name: Ensure the Default UMASK is Set Correctly
  lineinfile:
    create: yes
    dest: /etc/login.defs
    regexp: ^UMASK
    line: "UMASK {{ var_accounts_user_umask }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/aide_build_database.yml
# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- name: "Ensure AIDE is installed"
  package: name="{{item}}" state=present
  with_items:
    - aide
  tags: @ANSIBLE_TAGS@
- name: "Build and Test AIDE Database"
  shell: /usr/sbin/aide --init
  tags: @ANSIBLE_TAGS@
- name: "Stage AIDE Database"
  copy:
    src: /var/lib/aide/aide.db.new.gz
    dest: /var/lib/aide/aide.db.gz
    backup: yes
    remote_src: yes
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/aide_periodic_cron_checking.yml
# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- name: "Ensure AIDE is installed"
  package: name="{{item}}" state=present
  with_items:
    - aide
  tags: @ANSIBLE_TAGS@
- name: "@RULE_TITLE@"
  cron:
    name: "run AIDE check"
    minute: 05
    hour: 04
    weekday: 0
    user: root
    job: "/usr/sbin/aide --check"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/audit_rules_privileged_commands.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- name: Search for privileged commands
  shell: "find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat"
  check_mode: no
  register: find_result
  tags: @ANSIBLE_TAGS@

# Inserts/replaces the rule in /etc/audit/rules.d
- name: Search /etc/audit/rules.d for audit rule entries
  find:
    paths: "/etc/audit/rules.d"
    recurse: no
    contains: "^.*path={{ item }} .*$"
    patterns: "*.rules"
  with_items:
    - "{{ find_result.stdout_lines }}"
  register: files_result
  tags: @ANSIBLE_TAGS@

- name: Overwrites the rule in rules.d
  lineinfile:
    path: "{{ item.1.path }}"
    line: '-a always,exit -F path={{ item.0.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
    create: no
    regexp: "^.*path={{ item.0.item }} .*$"
  with_subelements:
    - "{{ files_result.results }}"
    - files
  tags: @ANSIBLE_TAGS@

- name: Adds the rule in rules.d
  lineinfile:
    path: /etc/audit/rules.d/privileged.rules
    line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
    create: yes
  with_items:
    - "{{ files_result.results }}"
  when: item.matched == 0
  tags: @ANSIBLE_TAGS@

# Adds/overwrites the rule in /etc/audit/audit.rules
- name: Inserts/replaces the rule in audit.rules
  lineinfile:
    path: /etc/audit/audit.rules
    line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged'
    create: yes
    regexp: "^.*path={{ item.item }} .*$"
  with_items:
    - "{{ files_result.results }}"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/auditd_data_retention_action_mail_acct.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_auditd_action_mail_acct)
- name: Configure auditd mail_acct Action on Low Disk Space
  lineinfile:
    dest: /etc/audit/auditd.conf
    # regexp keeps the task idempotent: replace an existing setting instead of appending a duplicate
    regexp: ^action_mail_acct
    line: "action_mail_acct = {{ var_auditd_action_mail_acct }}"
    state: present
  #notify: reload auditd
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/auditd_data_retention_admin_space_left_action.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_auditd_admin_space_left_action)
- name: Configure auditd admin_space_left Action on Low Disk Space
  lineinfile:
    dest: /etc/audit/auditd.conf
    line: "admin_space_left_action = {{ var_auditd_admin_space_left_action }}"
    regexp: "^admin_space_left_action*"
  #notify: reload auditd
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/auditd_data_retention_flush.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- name: Configure auditd Flush Priority
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: '.*flush.*'
    line: flush = data
  #notify: reload auditd
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/auditd_data_retention_max_log_file.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_auditd_max_log_file)
- name: Configure auditd Max Log File Size
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: ^max_log_file =
    # auditd.conf keywords take the form "key = value"; without the "=" auditd rejects the line
    line: "max_log_file = {{ var_auditd_max_log_file }}"
    state: present
  #notify: reload auditd
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/auditd_data_retention_max_log_file_action.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_auditd_max_log_file_action)
- name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
  lineinfile:
    dest: /etc/audit/auditd.conf
    regexp: ^max_log_file_action
    # same "key = value" form as the other auditd.conf settings
    line: "max_log_file_action = {{ var_auditd_max_log_file_action }}"
    state: present
  #notify: reload auditd
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/auditd_data_retention_space_left_action.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_auditd_space_left_action)
- name: Configure auditd space_left Action on Low Disk Space
  lineinfile:
    dest: /etc/audit/auditd.conf
    line: "space_left_action = {{ var_auditd_space_left_action }}"
    regexp: ^space_left_action*
  #notify: reload auditd
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/bootloader_audit_argument.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = true
# strategy = restrict
# complexity = low
# disruption = low
- name: "Enable Auditing for Processes Which Start Prior to the Audit Daemon"
  shell: /sbin/grubby --update-kernel=ALL --args="audit=1"
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/clean_components_post_updating.yml
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- name: "Ensure YUM Removes Previous Package Versions"
  lineinfile:
    dest: /etc/yum.conf
    regexp: ^#?clean_requirements_on_remove
    line: clean_requirements_on_remove=1
    insertafter: '\[main\]'
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_banner_enabled.yml
# platform = multi_platform_rhel, multi_platform_fedora
# reboot = false
# strategy = unknown
# complexity = low
# disruption = medium
- name: "Enable GNOME3 Login Warning Banner"
  ini_file:
    dest: "/etc/dconf/db/local.d/00-security-settings"
    section: "org/gnome/login-screen"
    option: banner-message-enable
    value: "true"
    create: yes
  tags: @ANSIBLE_TAGS@
- name: "Prevent user modification of GNOME banner-message-enabled"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/login-screen/banner-message-enable'
    line: '/org/gnome/login-screen/banner-message-enable'
    create: yes
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_disable_automount.yml
# platform = multi_platform_rhel, multi_platform_fedora
# reboot = false
# strategy = unknown
# complexity = low
# disruption = medium
- name: "Disable GNOME3 Automounting - automount"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/media-handling
    option: automount
    value: "false"
    create: yes
  tags: @ANSIBLE_TAGS@
- name: "Prevent user modification of GNOME3 Automounting - automount"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/media-handling/automount'
    line: '/org/gnome/desktop/media-handling/automount'
    create: yes
  tags: @ANSIBLE_TAGS@
- name: "Disable GNOME3 Automounting - automount-open"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/media-handling
    option: automount-open
    value: "false"
    create: yes
  tags: @ANSIBLE_TAGS@
- name: "Prevent user modification of GNOME3 Automounting - automount-open"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/media-handling/automount-open'
    line: '/org/gnome/desktop/media-handling/automount-open'
    create: yes
  tags: @ANSIBLE_TAGS@
- name: "Disable GNOME3 Automounting - autorun-never"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/desktop/media-handling
    option: autorun-never
    value: "true"
    create: yes
  tags: @ANSIBLE_TAGS@
- name: "Prevent user modification of GNOME3 Automounting - autorun-never"
  lineinfile:
    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
    regexp: '^/org/gnome/desktop/media-handling/autorun-never'
    line: '/org/gnome/desktop/media-handling/autorun-never'
    create: yes
  tags: @ANSIBLE_TAGS@

scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_disable_ctrlaltdel_reboot.yml
# platform = multi_platform_rhel, multi_platform_fedora
# reboot = false
# strategy = unknown
# complexity = low
# disruption = medium
- name: "Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3"
  ini_file:
    dest: /etc/dconf/db/local.d/00-security-settings
    section: org/gnome/settings-daemon/plugins/media-keys
    option: logout
    value: string ''
    create: yes
  tags: @ANSIBLE_TAGS@
- name: "Prevent user
modification of GNOME disablement of Ctrl-Alt-Del" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/settings-daemon/plugins/media-keys/logout' line: '/org/gnome/settings-daemon/plugins/media-keys/logout' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_disable_geolocation.yml000066400000000000000000000022451327242345500305540ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Disable Geolocation in GNOME3 - location tracking" ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/system/location option: enabled value: "false" create: yes tags: @ANSIBLE_TAGS@ - name: "Disable Geolocation in GNOME3 - clock location tracking" ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/clocks option: gelocation value: "false" create: yes - name: "Prevent user modification of GNOME geolocation - location tracking" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/system/location/enabled' line: '/org/gnome/system/location/enabled' create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME geolocation - clock location tracking" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/clocks/geolocation' line: '/org/gnome/clocks/geolocation' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_disable_restart_shutdown.yml000066400000000000000000000013351327242345500316670ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Disable the GNOME3 Login Restart and Shutdown Buttons" ini_file: dest: /etc/dconf/db/gdm.d/00-security-settings section: org/gnome/login-screen option: 
disable-restart-buttons value: "true" create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME disablement of Login Restart and Shutdown Buttons" lineinfile: path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock regexp: '^/org/gnome/login-screen/disable-restart-buttons' line: '/org/gnome/login-screen/disable-restart-buttons' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_disable_thumbnailers.yml000066400000000000000000000012331327242345500307420ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Disable All GNOME3 Thumbnailers" ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/thumbnailers option: disable-all value: "true" create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME3 Thumbnailers" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/thumbnailers/disable-all' line: '/org/gnome/desktop/thumbnailers/disable-all' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_disable_user_admin.yml000066400000000000000000000013101327242345500303670ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Disable User Administration in GNOME3" ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/desktop/lockdown option: user-administration-disabled value: "true" create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME3 Thumbnailers" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/lockdown/user-administration-disabled' line: '/org/gnome/desktop/lockdown/user-administration-disabled' create: yes tags: @ANSIBLE_TAGS@ 
scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_disable_user_list.yml000066400000000000000000000012461327242345500302620ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Disable the GNOME3 Login User List" ini_file: dest: /etc/dconf/db/gdm.d/00-security-settings section: org/gnome/login-screen option: disable-user-list value: "true" create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME3 disablement of Login User List" lineinfile: path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock regexp: '^/org/gnome/login-screen/disable-user-list' line: '/org/gnome/login-screen/disable-user-list' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_disable_wifi_create.yml000066400000000000000000000012541327242345500305310ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Disable WiFi Network Connection Creation in GNOME3" ini_file: dest: /etc/dconf/db/local.d/00-security-settings section: org/gnome/nm-applet option: disable-wifi-create value: "true" create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME3 disablement of WiFi" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/nm-applet/disable-wifi-create' line: '/org/gnome/nm-applet/disable-wifi-create' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_disable_wifi_notification.yml000066400000000000000000000013301327242345500317470ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Disable WiFi Network Notification in GNOME3" ini_file: dest: /etc/dconf/db/local.d/00-security-settings 
section: org/gnome/nm-applet option: suppress-wireless-networks-available value: "true" create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME3 disablement of WiFi" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/nm-applet/suppress-wireless-networks-available' line: '/org/gnome/nm-applet/suppress-wireless-networks-available' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_login_banner_text.yml000066400000000000000000000022311327242345500302620ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - (xccdf-var login_banner_text) - name: "@RULE_TITLE@" file: path: "/etc/dconf/db/{{ item }}" owner: root group: root mode: 0755 state: directory with_items: - gdm.d - gdm.d/locks tags: @ANSIBLE_TAGS@ - name: "@RULE_TITLE@" file: path: "/etc/dconf/db/gdm.d/{{ item }}" owner: root group: root mode: 0644 state: touch with_items: - 00-security-settings - locks/00-security-settings-lock tags: @ANSIBLE_TAGS@ - name: "@RULE_TITLE@" ini_file: dest: /etc/dconf/db/gdm.d/00-security-settings section: org/gnome/login-screen option: banner-message-text value: string '{{ login_banner_text }}' create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of the GNOME3 Login Warning Banner Text" lineinfile: path: '/etc/dconf/db/gdm.d/locks/00-security-settings-lock' regexp: '^org/gnome/login-screen/banner-message-text$' line: 'org/gnome/login-screen/banner-message-text' state: present tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_screensaver_idle_activation_enabled.yml000066400000000000000000000013241327242345500337730ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Enable GNOME3 Screensaver Idle Activation" 
ini_file: dest: "/etc/dconf/db/local.d/00-security-settings" section: "org/gnome/desktop/screensaver" option: idle_activation_enabled value: "true" create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME idle_activation_enabled" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/screensaver/idle-activation-enabled' line: '/org/gnome/desktop/screensaver/idle-activation-enabled' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_screensaver_idle_delay.yml000066400000000000000000000013421327242345500312560ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - (xccdf-var inactivity_timeout_value) - name: "Set GNOME3 Screensaver Inactivity Timeout" ini_file: dest: "/etc/dconf/db/local.d/00-security-settings" section: "org/gnome/desktop/screensaver" option: idle-delay value: "{{ inactivity_timeout_value }}" create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME idle-delay" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/screensaver/idle-delay' line: '/org/gnome/desktop/screensaver/idle-delay' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_screensaver_lock_delay.yml000066400000000000000000000012621327242345500312720ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Set GNOME3 Screensaver Lock Delay After Activation Period" ini_file: dest: "/etc/dconf/db/local.d/00-security-settings" section: "org/gnome/desktop/screensaver" option: lock-delay value: uint32 5 create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME lock-delay" lineinfile: path: 
/etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/screensaver/lock-delay' line: '/org/gnome/desktop/screensaver/lock-delay' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_screensaver_lock_enabled.yml000066400000000000000000000012571327242345500315720ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Enable GNOME3 Screensaver Lock After Idle Period" ini_file: dest: "/etc/dconf/db/local.d/00-security-settings" section: "org/gnome/desktop/screensaver" option: lock-enabled value: "true" create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME lock-enabled" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/screensaver/lock-enabled' line: '/org/gnome/desktop/screensaver/lock-enabled' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_screensaver_mode_blank.yml000066400000000000000000000012311327242345500312530ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Implement Blank Screensaver" ini_file: dest: "/etc/dconf/db/local.d/00-security-settings" section: "org/gnome/desktop/screensaver" option: picture-uri value: string '' create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME picture-uri" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/screensaver/picture-uri' line: '/org/gnome/desktop/screensaver/picture-uri' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/dconf_gnome_screensaver_user_info.yml000066400000000000000000000013321327242345500311530ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot 
= false # strategy = unknown # complexity = low # disruption = medium - name: "Disable Full Username on Splash Screen" ini_file: dest: "/etc/dconf/db/local.d/00-security-settings" section: "org/gnome/desktop/screensaver" option: show-full-name-in-top-bar value: "false" create: yes tags: @ANSIBLE_TAGS@ - name: "Prevent user modification of GNOME show-full-name-in-top-bar" lineinfile: path: /etc/dconf/db/local.d/locks/00-security-settings-lock regexp: '^/org/gnome/desktop/screensaver/show-full-name-in-top-bar' line: '/org/gnome/desktop/screensaver/show-full-name-in-top-bar' create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/disable_host_auth.yml000066400000000000000000000005201327242345500257030ustar00rootroot00000000000000# platform = multi_platform_rhel,multi_platform_fedora # reboot = false # strategy = restrict # complexity = low # disruption = low - name: Disable Host-Based Authentication lineinfile: create: yes dest: /etc/ssh/sshd_config regexp: ^HostbasedAuthentication line: HostbasedAuthentication no tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/disable_interactive_boot.yml000066400000000000000000000005541327242345500272540ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7,multi_platform_fedora # reboot = false # strategy = restrict # complexity = low # disruption = low - name: Verify that Interactive Boot is Disabled lineinfile: create: yes dest: /etc/default/grub regexp: ^systemd.confirm_spawn= line: systemd.confirm_spawn=no state: present tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/disable_prelink.yml000066400000000000000000000007121327242345500253540ustar00rootroot00000000000000# platform = multi_platform_rhel,multi_platform_fedora # reboot = false # strategy = restrict # complexity = low # disruption = low - name: Does prelink file exist stat: path=/etc/sysconfig/prelink register: prelink_exists tags: @ANSIBLE_TAGS@ - name: disable prelinking lineinfile: path: 
/etc/sysconfig/prelink regexp: '^PRELINKING=' line: 'PRELINKING=no' when: prelink_exists.stat.exists == True tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/enable_selinux_bootloader.yml000066400000000000000000000004251327242345500274350ustar00rootroot00000000000000# platform = multi_platform_rhel,multi_platform_fedora # reboot = false # strategy = restrict # complexity = low # disruption = low - name: Ensure SELinux Not Disabled in /etc/default/grub replace: dest: /etc/default/grub regexp: selinux=0 tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/ensure_gpgcheck_globally_activated.yml000066400000000000000000000016161327242345500312760ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: Check existence of yum on Fedora stat: path: /etc/yum.conf register: yum_config_file check_mode: no when: ansible_distribution == "Fedora" # Old versions of Fedora use yum - name: Ensure GPG check is globally activated (yum) ini_file: dest: "{{item}}" section: main option: gpgcheck value: 1 create: False with_items: "/etc/yum.conf" when: ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists tags: @ANSIBLE_TAGS@ - name: Ensure GPG check is globally activated (dnf) ini_file: dest: "{{item}}" section: main option: gpgcheck value: 1 create: False with_items: "/etc/dnf/dnf.conf" when: ansible_distribution == "Fedora" tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/ensure_gpgcheck_local_packages.yml000066400000000000000000000016501327242345500303730ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: Check existence of yum on Fedora stat: path: /etc/yum.conf register: yum_config_file check_mode: no when: ansible_distribution == "Fedora" # Old 
versions of Fedora use yum - name: Ensure GPG check Enabled for Local Packages (Yum) ini_file: dest: "{{item}}" section: main option: localpkg_gpgcheck value: 1 create: True with_items: "/etc/yum.conf" when: ansible_distribution == "RedHat" or ansible_distribution == "CentOS" or yum_config_file.stat.exists tags: @ANSIBLE_TAGS@ - name: Ensure GPG check Enabled for Local Packages (DNF) ini_file: dest: "{{item}}" section: main option: localpkg_gpgcheck value: 1 create: True with_items: "/etc/dnf/dnf.conf" when: ansible_distribution == "Fedora" tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/ensure_gpgcheck_never_disabled.yml000066400000000000000000000007221327242345500304100ustar00rootroot00000000000000# platform = multi_platform_rhel # reboot = false # strategy = unknown # complexity = low # disruption = medium # - name: Find All Yum Repositories find: paths: "/etc/yum.repos.d/" patterns: "*.repo" register: yum_find - name: Ensure gpgcheck Enabled For All Yum Package Repositories with_items: "{{ yum_find.files }}" lineinfile: create: yes dest: "{{ item.path }}" regexp: '^gpgcheck' line: 'gpgcheck=1' tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/ensure_redhat_gpgkey_installed.yml000066400000000000000000000023431327242345500304640ustar00rootroot00000000000000# platform=multi_platform_rhel # reboot = false # strategy = restrict # complexity = medium # disruption = medium - name: "Read permission of GPG key directory" stat: path: /etc/pki/rpm-gpg/ register: gpg_key_directory_permission check_mode: no tags: @ANSIBLE_TAGS@ # It should fail if it doesn't find any fingerprints in file - maybe file was not parsed well. 
- name: Read signatures in GPG key shell: gpg --with-fingerprint '/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release' | grep 'Key fingerprint =' | tr -s ' ' | sed 's;.*= ;;g' changed_when: False register: gpg_fingerprints check_mode: no tags: @ANSIBLE_TAGS@ - name: Set Fact - Valid fingerprints set_fact: gpg_valid_fingerprints: ("567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51" "43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0") tags: @ANSIBLE_TAGS@ - name: Import RedHat GPG key rpm_key: state: present key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release when: (gpg_key_directory_permission.stat.mode <= '0755') and (( gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) | length == 0) and (gpg_fingerprints.stdout_lines | length > 0) and (ansible_distribution == "RedHat") tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/file_ownership_binary_dirs.yml000066400000000000000000000012631327242345500276310ustar00rootroot00000000000000# platform=multi_platform_rhel,multi_platform_fedora # reboot = false # strategy = restrict # complexity = medium # disruption = medium - name: "Read list of system executables without root ownership" shell: "find /bin/ /usr/bin/ /usr/local/bin/ /sbin/ /usr/sbin/ /usr/local/sbin/ /usr/libexec \\! 
-user root" register: no_root_system_executables changed_when: False failed_when: False check_mode: no tags: @ANSIBLE_TAGS@ - name: "Set ownership to root of system executables" file: path: "{{item}}" owner: "root" with_items: "{{ no_root_system_executables.stdout_lines }}" when: no_root_system_executables.stdout_lines | length > 0 tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/file_ownership_library_dirs.yml000066400000000000000000000011561327242345500300120ustar00rootroot00000000000000# platform=multi_platform_rhel,multi_platform_fedora # reboot = false # strategy = restrict # complexity = medium # disruption = medium - name: "Read list libraries without root ownership" shell: "find -L /usr/lib /usr/lib64 /lib /lib64 \\! -user root" register: libraries_not_owned_by_root changed_when: False failed_when: False check_mode: no tags: @ANSIBLE_TAGS@ - name: "Set ownership of system libraries to root" file: path: "{{item}}" owner: "root" with_items: "{{ libraries_not_owned_by_root.stdout_lines }}" when: libraries_not_owned_by_root | length > 0 tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/file_permissions_binary_dirs.yml000066400000000000000000000013011327242345500301570ustar00rootroot00000000000000# platform=multi_platform_rhel,multi_platform_fedora # reboot = false # strategy = restrict # complexity = medium # disruption = medium - name: "Read list of world and group writable system executables" shell: "find /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec -perm /022 -type f" register: world_writable_library_files changed_when: False failed_when: False check_mode: no tags: @ANSIBLE_TAGS@ - name: "Remove world/group writability of system executables" file: path: "{{item}}" mode: "go-w" with_items: "{{ world_writable_library_files.stdout_lines }}" when: world_writable_library_files.stdout_lines | length > 0 tags: @ANSIBLE_TAGS@ 
scap-security-guide-0.1.39/shared/fixes/ansible/file_permissions_library_dirs.yml000066400000000000000000000012401327242345500303410ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = restrict # complexity = high # disruption = medium - name: "Read list of world and group writable files in libraries directories" shell: "find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f" register: world_writable_library_files changed_when: False failed_when: False check_mode: no tags: @ANSIBLE_TAGS@ - name: "Disable world/group writability to library files" file: path: "{{item}}" mode: "go-w" with_items: "{{ world_writable_library_files.stdout_lines }}" when: world_writable_library_files.stdout_lines | length > 0 tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/firewalld_sshd_port_enabled.yml000066400000000000000000000012761327242345500277430ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7, multi_platform_fedora # reboot = false # complexity = low # strategy = configure # disruption = low - name: Ensure firewalld is installed package: name="{{item}}" state=present with_items: - firewalld tags: @ANSIBLE_TAGS@ - (xccdf-var sshd_listening_port) - name: Enable SSHD in firewalld (custom port) firewalld: port: "{{ sshd_listening_port }}/tcp" permanent: yes state: enabled when: sshd_listening_port != 22 tags: @ANSIBLE_TAGS@ - name: Enable SSHD in firewalld (default port) firewalld: service: ssh permanent: yes state: enabled when: sshd_listening_port == 22 tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/gnome_gdm_disable_automatic_login.yml000066400000000000000000000005441327242345500311050ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Disable GDM Automatic Login" ini_file: dest: /etc/gdm/custom.conf section: daemon option: 
AutomaticLoginEnable value: "false" no_extra_spaces: yes create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/gnome_gdm_disable_guest_login.yml000066400000000000000000000005341327242345500302450ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = unknown # complexity = low # disruption = medium - name: "Disable GDM Guest Login" ini_file: dest: /etc/gdm/custom.conf section: daemon option: TimedLoginEnable value: "false" no_extra_spaces: yes create: yes tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/no_direct_root_logins.yml000066400000000000000000000003471327242345500266150ustar00rootroot00000000000000# platform = multi_platform_rhel,multi_platform_fedora # reboot = false # strategy = restrict # complexity = low # disruption = low - name: "Direct root Logins Not Allowed" shell: echo > /etc/securetty tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/no_empty_passwords.yml000066400000000000000000000010101327242345500261540ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora, multi_platform_ol # reboot = false # strategy = configure # complexity = low # disruption = medium - name: "Prevent Log In to Accounts With Empty Password - system-auth" replace: dest: /etc/pam.d/system-auth follow: yes regexp: 'nullok' tags: @ANSIBLE_TAGS@ - name: "Prevent Log In to Accounts With Empty Password - password-auth" replace: dest: /etc/pam.d/password-auth follow: yes regexp: 'nullok' tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/no_rsh_trust_files.yml000066400000000000000000000010671327242345500261440ustar00rootroot00000000000000# platform = multi_platform_rhel,multi_platform_fedora # reboot = false # strategy = restrict # complexity = low # disruption = low - block: - name: "Detect shosts.equiv Files on the System" find: paths: / recurse: yes patterns: shosts.equiv check_mode: no register: 
shosts_equiv_locations - name: "Remove Rsh Trust Files" file: path: "{{ item.path }}" state: absent with_items: "{{ shosts_equiv_locations.files }}" when: shosts_equiv_locations tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/require_smb_client_signing.yml000066400000000000000000000007751327242345500276270ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # reboot = false # strategy = configure # complexity = low # disruption = medium - name: Check if /etc/samba/smb.conf exists stat: path: /etc/samba/smb.conf register: st_smb tags: @ANSIBLE_TAGS@ - name: Require Client SMB Packet Signing, if using smbclient lineinfile: dest: /etc/samba/smb.conf line: client signing = mandatory state: present insertafter: [global] when: st_smb.stat.exists tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/restrict_serial_port_logins.yml000066400000000000000000000004331327242345500300420ustar00rootroot00000000000000# platform = multi_platform_rhel,multi_platform_fedora # reboot = false # strategy = restrict # complexity = low # disruption = low - name: "Restrict Serial Port Root Logins" lineinfile: dest: /etc/securetty regexp: 'ttyS[0-9]' state: absent tags: @ANSIBLE_TAGS@ scap-security-guide-0.1.39/shared/fixes/ansible/rpm_verify_hashes.yml000066400000000000000000000022501327242345500257410ustar00rootroot00000000000000# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol # reboot = false # strategy = unknown # complexity = high # disruption = medium - name: "Set fact: Package manager reinstall command (dnf)" set_fact: package_manager_reinstall_cmd: dnf reinstall -y when: ansible_distribution == "Fedora" tags: @ANSIBLE_TAGS@ - name: "Set fact: Package manager reinstall command (yum)" set_fact: package_manager_reinstall_cmd: yum reinstall -y when: ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux" tags: @ANSIBLE_TAGS@ - name: "Read files with incorrect hash" shell: "rpm 
      -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | sed -r 's;^.*\\s+(.+);\\1;g'"
  register: files_with_incorrect_hash
  changed_when: False
  when: package_manager_reinstall_cmd is defined
  check_mode: no
  tags:
    @ANSIBLE_TAGS@

- name: "Reinstall packages of files with incorrect hash"
  shell: "{{package_manager_reinstall_cmd}} $(rpm -qf '{{item}}')"
  with_items: "{{ files_with_incorrect_hash.stdout_lines }}"
  when: package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/rpm_verify_permissions.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = high
# disruption = medium

- name: "Read list of files with incorrect permissions"
  shell: "rpm -Va | grep '^.M' | cut -d ' ' -f5- | sed -r 's;^.*\\s+(.+);\\1;g'"
  register: files_with_incorrect_permissions
  failed_when: False
  changed_when: False
  check_mode: no
  tags:
    @ANSIBLE_TAGS@

- name: "Correct file permissions with RPM"
  shell: "rpm --setperms $(rpm -qf '{{item}}')"
  with_items: "{{ files_with_incorrect_permissions.stdout_lines }}"
  when: files_with_incorrect_permissions.stdout_lines | length > 0
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/rsyslog_remote_loghost.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- (xccdf-var rsyslog_remote_loghost_address)

- name: "Set rsyslog remote loghost"
  lineinfile:
    dest: /etc/rsyslog.conf
    regexp: "^\\*\\.\\*"
    line: "*.* @@{{ rsyslog_remote_loghost_address }}"
    create: yes
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/securetty_root_login_console_only.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: "Restrict Virtual Console Root Logins"
  lineinfile:
    dest: /etc/securetty
    regexp: '^vc'
    state: absent
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/security_patches_up_to_date.yml <==
# platform = multi_platform_all
# reboot = true
# strategy = patch
# complexity = low
# disruption = high

- name: "Security patches are up to date"
  package:
    name: "*"
    state: "latest"
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/selinux_policytype.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- (xccdf-var var_selinux_policy_name)

- name: "@RULE_TITLE@"
  lineinfile:
    path: /etc/sysconfig/selinux
    regexp: '^SELINUXTYPE='
    line: "SELINUXTYPE={{ var_selinux_policy_name }}"
    create: yes
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/selinux_state.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- (xccdf-var var_selinux_state)

- name: "@RULE_TITLE@"
  lineinfile:
    path: /etc/sysconfig/selinux
    regexp: '^SELINUX='
    line: "SELINUX={{ var_selinux_state }}"
    create: yes
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/set_password_hashing_algorithm_libuserconf.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: Set Password Hashing Algorithm in /etc/libuser.conf
  lineinfile:
    dest: /etc/libuser.conf
    insertafter: "^.default]"
    regexp: ^#?crypt_style
    line: crypt_style = sha512
    state: present
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/set_password_hashing_algorithm_logindefs.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: Set Password Hashing Algorithm in /etc/login.defs
  lineinfile:
    dest: /etc/login.defs
    regexp: ^#?ENCRYPT_METHOD
    line: ENCRYPT_METHOD SHA512
    state: present
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_allow_only_protocol2.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: "Allow Only SSH Protocol 2"
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^Protocol [0-9]"
    line: "Protocol 2"
    validate: sshd -t -f %s
  #notify: :reload ssh
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_disable_compression.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: "Disable Compression or Set Compression to delayed"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: (?i)^#?compression
    line: Compression delayed
    validate: sshd -t -f %s
  #notify: restart sshd
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_disable_empty_passwords.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: Disable SSH Access via Empty Passwords
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^PermitEmptyPasswords
    line: PermitEmptyPasswords no
    validate: sshd -t -f %s
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_disable_gssapi_auth.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: "Disable GSSAPI Authentication"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: (?i)^#?gssapiauthentication
    line: GSSAPIAuthentication no
    validate: sshd -t -f %s
  #notify: sshd -t -f %s
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_disable_kerb_auth.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: "Disable Kerberos Authentication"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: (?i)^#?kerberosauthentication
    line: KerberosAuthentication no
    validate: sshd -t -f %s
  #notify: restart sshd
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_disable_rhosts.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: Disable SSH Support for .rhosts Files
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^IgnoreRhosts
    line: IgnoreRhosts yes
    validate: sshd -t -f %s
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_disable_rhosts_rsa.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: Disable SSH Support for Rhosts RSA Authentication
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^RhostsRSAAuthentication
    line: RhostsRSAAuthentication no
    validate: sshd -t -f %s
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_disable_root_login.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: "Disable SSH Root Login"
  lineinfile:
    create: yes
    dest: "/etc/ssh/sshd_config"
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
    insertafter: '(?i)^#?authentication'
    validate: sshd -t -f %s
  #notify: restart sshd
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_disable_user_known_hosts.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: "Disable SSH Support for User Known Hosts"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^IgnoreUserKnownHosts
    line: IgnoreUserKnownHosts yes
    validate: sshd -t -f %s
  #notify: restart sshd
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_do_not_permit_user_env.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: Do Not Allow SSH Environment Options
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^PermitUserEnvironment
    line: PermitUserEnvironment no
    validate: sshd -t -f %s
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_enable_strictmodes.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: "Enable Use of Strict Mode Checking"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: (?i)^#?strictmodes
    line: StrictModes yes
    validate: sshd -t -f %s
  #notify: restart sshd
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_enable_warning_banner.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: Enable SSH Warning Banner
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^Banner
    line: Banner /etc/issue
    validate: sshd -t -f %s
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_enable_x11_forwarding.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: Enable Encrypted X11 Forwarding
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^X11Forwarding
    line: X11Forwarding yes
    validate: sshd -t -f %s
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_print_last_log.yml <==
# platform = multi_platform_rhel

- name: Print last log
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^PrintLastLog
    line: PrintLastLog yes
    validate: sshd -t -f %s
  #notify: restart sshd
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_set_idle_timeout.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- (xccdf-var sshd_idle_timeout_value)

- name: Set SSH Idle Timeout Interval
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^ClientAliveInterval
    line: "ClientAliveInterval {{ sshd_idle_timeout_value }}"
    validate: sshd -t -f %s
  #notify: restart sshd
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_set_keepalive.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: Set SSH Client Alive Count
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^ClientAliveCountMax
    line: ClientAliveCountMax 0
    validate: sshd -t -f %s
  #notify: restart sshd
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_use_approved_ciphers.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: Use Only Approved Ciphers
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^Ciphers
    line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
    validate: sshd -t -f %s
  #notify: restart sshd
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_use_approved_macs.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: "Use Only Approved MACs"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: ^MACs
    line: MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
    validate: sshd -t -f %s
  #notify: restart sshd
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sshd_use_priv_separation.yml <==
# platform = multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

- name: "Enable use of Privilege Separation"
  lineinfile:
    create: yes
    dest: /etc/ssh/sshd_config
    regexp: (?i)^#?useprivilegeseparation
    line: UsePrivilegeSeparation sandbox
    validate: sshd -t -f %s
  #notify: restart sshd
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sssd_memcache_timeout.yml <==
# platform = multi_platform_rhel, multi_platform_fedora
# reboot = false
# strategy = unknown
# complexity = low
# disruption = medium

- name: "Configure SSSD's Memory Cache to Expire"
  ini_file:
    dest: /etc/sssd/sssd.conf
    section: nss
    option: memcache_timeout
    value: 86400
    create: yes
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sssd_offline_cred_expiration.yml <==
# platform = multi_platform_rhel, multi_platform_fedora
# reboot = false
# strategy = unknown
# complexity = low
# disruption = medium

- name: "Configure SSSD to Expire Offline Credentials"
  ini_file:
    dest: /etc/sssd/sssd.conf
    section: pam
    option: offline_credentials_expiration
    value: 1
    create: yes
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/ansible/sssd_ssh_known_hosts_timeout.yml <==
# platform = multi_platform_rhel, multi_platform_fedora
# reboot = false
# strategy = unknown
# complexity = low
# disruption = medium

- name: "Configure SSSD to Expire SSH Known Hosts"
  ini_file:
    dest: /etc/sssd/sssd.conf
    section: ssh
    option: ssh_known_hosts_timeout
    value: 86400
    create: yes
  tags:
    @ANSIBLE_TAGS@

==> scap-security-guide-0.1.39/shared/fixes/bash/accounts_logon_fail_delay.sh <==
# platform = multi_platform_rhel

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Set variables
populate var_accounts_fail_delay

replace_or_append '/etc/login.defs' '^FAIL_DELAY' "$var_accounts_fail_delay" '@CCENUM@' '%s %s'

==> scap-security-guide-0.1.39/shared/fixes/bash/accounts_max_concurrent_login_sessions.sh <==
# platform = multi_platform_rhel, multi_platform_wrlinux
. /usr/share/scap-security-guide/remediation_functions

populate var_accounts_max_concurrent_login_sessions

if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then
    sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
elif grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.conf; then
    sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.conf
else
    echo "* hard maxlogins $var_accounts_max_concurrent_login_sessions" >> /etc/security/limits.conf
fi

==> scap-security-guide-0.1.39/shared/fixes/bash/accounts_password_pam_unix_remember.sh <==
# platform = Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions

populate var_password_pam_unix_remember

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

for pamFile in "${AUTH_FILES[@]}"
do
    if grep -q "remember=" $pamFile; then
        sed -i --follow-symlinks "s/\(^password.*sufficient.*pam_unix.so.*\)\(\(remember *= *\)[^ $]*\)/\1remember=$var_password_pam_unix_remember/" $pamFile
    else
        sed -i --follow-symlinks "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s/$/ remember=$var_password_pam_unix_remember/" $pamFile
    fi
done

==> scap-security-guide-0.1.39/shared/fixes/bash/accounts_passwords_pam_faillock_deny.sh <==
# platform = multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions

populate var_accounts_passwords_pam_faillock_deny

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

# This script fixes absence of pam_faillock.so in PAM stack or the
# absence of deny=[0-9]+ in pam_faillock.so arguments
# When inserting auth pam_faillock.so entries,
# the entry with preauth argument will be added before pam_unix.so module
# and entry with authfail argument will be added before pam_deny.so module.
# The placement of pam_faillock.so entries will not be changed
# if they are already present

# Invoke the function without args, so its body is substituted right here.
set_faillock_option_to_value_in_pam_file

function insert_lines_if_pam_faillock_so_not_present {
    # insert pam_faillock.so preauth row with proper value of the 'deny' option before pam_unix.so
    sed -i --follow-symlinks "/^auth.*pam_unix.so.*/i auth required pam_faillock.so preauth silent $_option=$_value" $_pamFile
    # insert pam_faillock.so authfail row with proper value of the 'deny' option before pam_deny.so, after all modules which determine authentication outcome.
    sed -i --follow-symlinks "/^auth.*pam_deny.so.*/i auth [default=die] pam_faillock.so authfail $_option=$_value" $_pamFile
}

for pamFile in "${AUTH_FILES[@]}"
do
    # 'true &&' has to be there due to build system limitation
    true && set_faillock_option_to_value_in_pam_file "$pamFile" deny "$var_accounts_passwords_pam_faillock_deny" insert_lines_if_pam_faillock_so_not_present

    # add pam_faillock.so into account phase
    if ! grep -q "^account.*required.*pam_faillock.so" $pamFile; then
        sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account required pam_faillock.so" $pamFile
    fi
done

==> scap-security-guide-0.1.39/shared/fixes/bash/accounts_passwords_pam_faillock_deny_root.sh <==
# platform = multi_platform_rhel

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

# This script fixes absence of pam_faillock.so in PAM stack or the
# absence of even_deny_root and deny=[0-9]+ in pam_faillock.so arguments
# When inserting auth pam_faillock.so entries,
# the entry with preauth argument will be added before pam_unix.so module
# and entry with authfail argument will be added before pam_deny.so module.
# The placement of pam_faillock.so entries will not be changed
# if they are already present

for pamFile in "${AUTH_FILES[@]}"
do
    # pam_faillock.so already present?
    if grep -q "^auth.*pam_faillock.so.*" $pamFile; then
        # pam_faillock.so present, preauth even_deny_root directive present?
        if ! grep -q "^auth.*required.*pam_faillock.so.*preauth.*even_deny_root" $pamFile; then
            # even_deny_root is not present
            sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*\).*/\1 even_deny_root/" $pamFile
        fi
        # pam_faillock.so present, authfail even_deny_root directive present?
        if ! grep -q "^auth.*\[default=die\].*pam_faillock.so.*authfail.*even_deny_root" $pamFile; then
            # even_deny_root is not present
            sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\).*/\1 even_deny_root/" $pamFile
        fi
    # pam_faillock.so not present yet
    else
        # insert pam_faillock.so preauth row with proper value of the 'deny' option before pam_unix.so
        sed -i --follow-symlinks "/^auth.*pam_unix.so.*/i auth required pam_faillock.so preauth silent even_deny_root" $pamFile
        # insert pam_faillock.so authfail row with proper value of the 'deny' option before pam_deny.so, after all modules which determine authentication outcome.
        sed -i --follow-symlinks "/^auth.*pam_deny.so.*/i auth [default=die] pam_faillock.so authfail silent even_deny_root" $pamFile
    fi
done

==> scap-security-guide-0.1.39/shared/fixes/bash/accounts_passwords_pam_faillock_interval.sh <==
# platform = multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions

populate var_accounts_passwords_pam_faillock_fail_interval

# Invoke the function without args, so its body is substituted right here.
set_faillock_option_to_value_in_pam_file

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

function insert_lines_if_pam_faillock_so_not_present {
    local _option="$1" _value="$2" _pamFile="$3"
    sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent $_option=$_value" "$_pamFile"
    sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail $_option=$_value" "$_pamFile"
    sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account required pam_faillock.so" "$_pamFile"
}

for pamFile in "${AUTH_FILES[@]}"
do
    # 'true &&' has to be there due to build system limitation
    true && set_faillock_option_to_value_in_pam_file "$pamFile" fail_interval "$var_accounts_passwords_pam_faillock_fail_interval" insert_lines_if_pam_faillock_so_not_present
done

==> scap-security-guide-0.1.39/shared/fixes/bash/accounts_passwords_pam_faillock_unlock_time.sh <==
# platform = multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions

populate var_accounts_passwords_pam_faillock_unlock_time

# Invoke the function without args, so its body is substituted right here.
set_faillock_option_to_value_in_pam_file

AUTH_FILES[0]="/etc/pam.d/system-auth"
AUTH_FILES[1]="/etc/pam.d/password-auth"

function insert_lines_if_pam_faillock_so_not_present {
    local _option="$1" _value="$2" _pamFile="$3"
    sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent $_option=$_value" "$_pamFile"
    sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail $_option=$_value" "$_pamFile"
    sed -i --follow-symlinks "/^account.*required.*pam_unix.so/i account required pam_faillock.so" "$_pamFile"
}

for pamFile in "${AUTH_FILES[@]}"
do
    # 'true &&' has to be there due to build system limitation
    true && set_faillock_option_to_value_in_pam_file "$pamFile" unlock_time "$var_accounts_passwords_pam_faillock_unlock_time" insert_lines_if_pam_faillock_so_not_present
done

==> scap-security-guide-0.1.39/shared/fixes/bash/accounts_umask_etc_bashrc.sh <==
# platform = multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions

populate var_accounts_user_umask

grep -q umask /etc/bashrc && \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/bashrc
fi

==> scap-security-guide-0.1.39/shared/fixes/bash/accounts_umask_etc_csh_cshrc.sh <==
# platform = multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions

populate var_accounts_user_umask

grep -q umask /etc/csh.cshrc && \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc
fi

==> scap-security-guide-0.1.39/shared/fixes/bash/accounts_umask_etc_login_defs.sh <==
# platform = multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions

populate var_accounts_user_umask

replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask" '@CCENUM@' '%s %s'

==> scap-security-guide-0.1.39/shared/fixes/bash/accounts_umask_etc_profile.sh <==
# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions

populate var_accounts_user_umask

grep -q umask /etc/profile && \
  sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/profile
fi

==> scap-security-guide-0.1.39/shared/fixes/bash/aide_build_database.sh <==
# platform = multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions

package_install aide

/usr/sbin/aide --init
/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

==> scap-security-guide-0.1.39/shared/fixes/bash/aide_periodic_cron_checking.sh <==
# platform = multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions

package_install aide

if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
fi

==> scap-security-guide-0.1.39/shared/fixes/bash/aide_scan_notification.sh <==
# platform = Red Hat Enterprise Linux 7
. /usr/share/scap-security-guide/remediation_functions

package_install aide

CRONTAB=/etc/crontab
CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'

if [ -f /var/spool/cron/root ]; then
    VARSPOOL=/var/spool/cron/root
fi

if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then
    echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
fi

==> scap-security-guide-0.1.39/shared/fixes/bash/aide_use_fips_hashes.sh <==
# platform = multi_platform_rhel, multi_platform_fedora
. /usr/share/scap-security-guide/remediation_functions

package_install aide

aide_conf="/etc/aide.conf"
forbidden_hashes=(sha1 rmd160 sha256 whirlpool tiger haval gost crc32)

groups=$(grep "^[A-Z]\+" $aide_conf | cut -f1 -d ' ' | tr -d ' ' | sort -u)

for group in $groups
do
    config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')

    if ! [[ $config = *sha512* ]]
    then
        config=$config"+sha512"
    fi

    for hash in ${forbidden_hashes[@]}
    do
        config=$(echo $config | sed "s/$hash//")
    done

    # squeeze the '+' separators left behind by the removed hashes
    config=$(echo $config | sed "s/^\+*//")
    config=$(echo $config | sed "s/\+\++/+/")
    config=$(echo $config | sed "s/\+$//")

    sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
done

==> scap-security-guide-0.1.39/shared/fixes/bash/aide_verify_acls.sh <==
# platform = multi_platform_rhel, multi_platform_fedora
. /usr/share/scap-security-guide/remediation_functions

package_install aide

aide_conf="/etc/aide.conf"

groups=$(grep "^[A-Z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)

for group in $groups
do
    config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')

    if ! [[ $config = *acl* ]]
    then
        if [[ -z $config ]]
        then
            config="acl"
        else
            config=$config"+acl"
        fi
    fi
    sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
done

==> scap-security-guide-0.1.39/shared/fixes/bash/aide_verify_ext_attributes.sh <==
# platform = multi_platform_rhel, multi_platform_fedora
. /usr/share/scap-security-guide/remediation_functions

package_install aide

aide_conf="/etc/aide.conf"

groups=$(grep "^[A-Z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)

for group in $groups
do
    config=$(grep "^$group\s*=" $aide_conf | cut -f2 -d '=' | tr -d ' ')

    if ! [[ $config = *xattrs* ]]
    then
        if [[ -z $config ]]
        then
            config="xattrs"
        else
            config=$config"+xattrs"
        fi
    fi
    sed -i "s/^$group\s*=.*/$group = $config/g" $aide_conf
done

==> scap-security-guide-0.1.39/shared/fixes/bash/audit_rules_immutable.sh <==
# platform = Red Hat Enterprise Linux 7, multi_platform_fedora

# Traverse all of:
#
# /etc/audit/audit.rules,            (for auditctl case)
# /etc/audit/rules.d/*.rules         (for augenrules case)
#
# files to check if '-e .*' setting is present in that '*.rules' file already.
# If found, delete such occurrence since auditctl(8) manual page instructs the
# '-e 2' rule should be placed as the last rule in the configuration
# (the glob is quoted so that find, not the shell, expands it)
find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';'

# Append '-e 2' requirement at the end of both:
# * /etc/audit/audit.rules file (for auditctl case)
# * /etc/audit/rules.d/immutable.rules (for augenrules case)
for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules"
do
    echo '' >> $AUDIT_FILE
    echo '# Set the audit.rules configuration immutable per security requirements' >> $AUDIT_FILE
    echo '# Reboot is required to change audit rules once this setting is applied' >> $AUDIT_FILE
    echo '-e 2' >> $AUDIT_FILE
done

==> scap-security-guide-0.1.39/shared/fixes/bash/audit_rules_kernel_module_loading.sh <==
# platform = Red Hat Enterprise Linux 7

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
#       it's required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule.
#       (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S init_module -S delete_module \(-F key=\|-k \).*"
    GROUP="modules"
    FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -S delete_module -k modules"

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

# Then perform the remediations for the watch rules
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/usr/sbin/insmod" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/insmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/usr/sbin/rmmod" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/rmmod" "x" "modules"
fix_audit_watch_rule "auditctl" "/usr/sbin/modprobe" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/modprobe" "x" "modules"

==> scap-security-guide-0.1.39/shared/fixes/bash/audit_rules_kernel_module_loading_create.sh <==
# platform = Red Hat Enterprise Linux 7, multi_platform_fedora

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
#       it's required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule.
#       (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S create_module \(-F key=\|-k \).*"
    GROUP="modules"
    FULL_RULE="-a always,exit -F arch=$ARCH -S create_module -k modules"

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

==> scap-security-guide-0.1.39/shared/fixes/bash/audit_rules_kernel_module_loading_delete.sh <==
# platform = Red Hat Enterprise Linux 7, multi_platform_fedora

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
#       it's required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule.
#       (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S delete_module \(-F key=\|-k \).*"
    GROUP="modules"
    FULL_RULE="-a always,exit -F arch=$ARCH -S delete_module -k modules"

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

==> scap-security-guide-0.1.39/shared/fixes/bash/audit_rules_kernel_module_loading_finit.sh <==
# platform = Red Hat Enterprise Linux 7, multi_platform_fedora

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
#       it's required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule.
#       (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S finit_module \(-F key=\|-k \).*"
    GROUP="modules"
    FULL_RULE="-a always,exit -F arch=$ARCH -S finit_module -k modules"

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

==> scap-security-guide-0.1.39/shared/fixes/bash/audit_rules_kernel_module_loading_init.sh <==
# platform = Red Hat Enterprise Linux 7, multi_platform_fedora

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
# Note: 32-bit and 64-bit kernel syscall numbers not always line up =>
#       it's required on a 64-bit system to check also for the presence
#       of 32-bit's equivalent of the corresponding rule.
#       (See `man 7 audit.rules` for details )
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
    PATTERN="-a always,exit -F arch=$ARCH -S init_module \(-F key=\|-k \).*"
    GROUP="modules"
    FULL_RULE="-a always,exit -F arch=$ARCH -S init_module -k modules"

    # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
    fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
    fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

==> scap-security-guide-0.1.39/shared/fixes/bash/audit_rules_kernel_module_loading_insmod.sh <==
# platform = Red Hat Enterprise Linux 7, multi_platform_fedora

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
fix_audit_watch_rule "auditctl" "/usr/sbin/insmod" "x" "modules"
fix_audit_watch_rule "augenrules" "/usr/sbin/insmod" "x" "modules"

==> scap-security-guide-0.1.39/shared/fixes/bash/audit_rules_kernel_module_loading_modprobe.sh <==
# platform = Red Hat Enterprise Linux 7, multi_platform_fedora

# Include source function library.
.
/usr/share/scap-security-guide/remediation_functions # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_watch_rule "auditctl" "/usr/sbin/modprobe" "x" "modules" fix_audit_watch_rule "augenrules" "/usr/sbin/modprobe" "x" "modules" scap-security-guide-0.1.39/shared/fixes/bash/audit_rules_kernel_module_loading_rmmod.sh000066400000000000000000000005551327242345500314630ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7, multi_platform_fedora # Include source function library. . /usr/share/scap-security-guide/remediation_functions # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_watch_rule "auditctl" "/usr/sbin/rmmod" "x" "modules" fix_audit_watch_rule "augenrules" "/usr/sbin/rmmod" "x" "modules" scap-security-guide-0.1.39/shared/fixes/bash/audit_rules_login_events.sh000066400000000000000000000011771327242345500264400ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7, multi_platform_fedora # Include source function library. . /usr/share/scap-security-guide/remediation_functions # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_watch_rule "auditctl" "/var/log/tallylog" "wa" "logins" fix_audit_watch_rule "augenrules" "/var/log/tallylog" "wa" "logins" fix_audit_watch_rule "auditctl" "/var/run/faillock/" "wa" "logins" fix_audit_watch_rule "augenrules" "/var/run/faillock/" "wa" "logins" fix_audit_watch_rule "auditctl" "/var/log/lastlog" "wa" "logins" fix_audit_watch_rule "augenrules" "/var/log/lastlog" "wa" "logins" scap-security-guide-0.1.39/shared/fixes/bash/audit_rules_system_shutdown.sh000066400000000000000000000016701327242345500272210ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7, multi_platform_fedora # Traverse all of: # # /etc/audit/audit.rules, (for auditctl case) # /etc/audit/rules.d/*.rules (for augenrules case) # # files to check if '-f .*' setting is present in that '*.rules' file already. 
# If found, delete such occurrence since auditctl(8) manual page instructs the # '-f 2' rule should be placed as the last rule in the configuration find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' # Append '-f 2' requirement at the end of both: # * /etc/audit/audit.rules file (for auditctl case) # * /etc/audit/rules.d/immutable.rules (for augenrules case) for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" do echo '' >> $AUDIT_FILE echo '# Set the audit.rules configuration to halt system upon audit failure per security requirements' >> $AUDIT_FILE echo '-f 2' >> $AUDIT_FILE done scap-security-guide-0.1.39/shared/fixes/bash/audit_rules_time_clock_settime.sh000066400000000000000000000014561327242345500276070ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7, multi_platform_fedora # Include source function library. . /usr/share/scap-security-guide/remediation_functions # First perform the remediation of the syscall rule # Retrieve hardware architecture of the underlying system [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") for ARCH in "${RULE_ARCHS[@]}" do PATTERN="-a always,exit -F arch=$ARCH -S clock_settime -F a0=.* \(-F key=\|-k \).*" GROUP="clock_settime" FULL_RULE="-a always,exit -F arch=$ARCH -S clock_settime -F a0=0x0 -k time-change" # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" done scap-security-guide-0.1.39/shared/fixes/bash/auditd_audispd_syslog_plugin_activated.sh000066400000000000000000000003701327242345500313230ustar00rootroot00000000000000# platform = multi_platform_rhel grep -q ^active /etc/audisp/plugins.d/syslog.conf && \ sed -i "s/active.*/active = yes/g" /etc/audisp/plugins.d/syslog.conf if ! [ $? 
-eq 0 ]; then echo "active = yes" >> /etc/audisp/plugins.d/syslog.conf fi scap-security-guide-0.1.39/shared/fixes/bash/auditd_data_disk_error_action.sh000066400000000000000000000013441327242345500273630ustar00rootroot00000000000000# platform = multi_platform_rhel . /usr/share/scap-security-guide/remediation_functions populate var_auditd_disk_error_action # # If disk_error_action present in /etc/audit/auditd.conf, change value # to var_auditd_disk_error_action, else # add "disk_error_action = $var_auditd_disk_error_action" to /etc/audit/auditd.conf # if grep --silent ^disk_error_action /etc/audit/auditd.conf ; then sed -i 's/^disk_error_action.*/disk_error_action = '"$var_auditd_disk_error_action"'/g' /etc/audit/auditd.conf else echo -e "\n# Set disk_error_action to $var_auditd_disk_error_action per security requirements" >> /etc/audit/auditd.conf echo "disk_error_action = $var_auditd_disk_error_action" >> /etc/audit/auditd.conf fi scap-security-guide-0.1.39/shared/fixes/bash/auditd_data_disk_full_action.sh000066400000000000000000000004121327242345500271670ustar00rootroot00000000000000# platform = multi_platform_rhel # Include source function library. . /usr/share/scap-security-guide/remediation_functions populate var_auditd_disk_full_action replace_or_append /etc/audit/auditd.conf '^disk_full_action' "$var_auditd_disk_full_action" "@CCENUM@" scap-security-guide-0.1.39/shared/fixes/bash/auditd_data_retention_action_mail_acct.sh000066400000000000000000000006261327242345500312250ustar00rootroot00000000000000# platform = multi_platform_rhel . /usr/share/scap-security-guide/remediation_functions populate var_auditd_action_mail_acct AUDITCONFIG=/etc/audit/auditd.conf grep -q ^action_mail_acct $AUDITCONFIG && \ sed -i 's/^action_mail_acct.*/action_mail_acct = '"$var_auditd_action_mail_acct"'/g' $AUDITCONFIG if ! [ $? 
-eq 0 ]; then echo "action_mail_acct = $var_auditd_action_mail_acct" >> $AUDITCONFIG fi scap-security-guide-0.1.39/shared/fixes/bash/auditd_data_retention_flush.sh000066400000000000000000000016731327242345500271000ustar00rootroot00000000000000# platform = multi_platform_rhel . /usr/share/scap-security-guide/remediation_functions populate var_auditd_flush AUDITCONFIG=/etc/audit/auditd.conf # if flush is present, flush param edited to var_auditd_flush # else flush param is defined by var_auditd_flush # # the freq param is only used value 'incremental' and will be # commented out if flush != incremental # # if flush == incremental && freq param is not defined, it # will be defined as the package-default value of 20 grep -q ^flush $AUDITCONFIG && \ sed -i 's/^flush.*/flush = '"$var_auditd_flush"'/g' $AUDITCONFIG if ! [ $? -eq 0 ]; then echo "flush = $var_auditd_flush" >> $AUDITCONFIG fi if ! [ "$var_auditd_flush" == "incremental" ]; then sed -i 's/^freq/##freq/g' $AUDITCONFIG elif [ "$var_auditd_flush" == "incremental" ]; then grep -q freq $AUDITCONFIG && \ sed -i 's/^#\+freq/freq/g' $AUDITCONFIG if ! [ $? -eq 0 ]; then echo "freq = 20" >> $AUDITCONFIG fi fi scap-security-guide-0.1.39/shared/fixes/bash/auditd_data_retention_max_log_file.sh000066400000000000000000000005721327242345500304010ustar00rootroot00000000000000# platform = multi_platform_rhel . /usr/share/scap-security-guide/remediation_functions populate var_auditd_max_log_file AUDITCONFIG=/etc/audit/auditd.conf grep -q ^max_log_file $AUDITCONFIG && \ sed -i 's/^max_log_file.*/max_log_file = '"$var_auditd_max_log_file"'/g' $AUDITCONFIG if ! [ $? -eq 0 ]; then echo "max_log_file = $var_auditd_max_log_file" >> $AUDITCONFIG fi scap-security-guide-0.1.39/shared/fixes/bash/auditd_data_retention_max_log_file_action.sh000066400000000000000000000006531327242345500317360ustar00rootroot00000000000000# platform = multi_platform_rhel . 
/usr/share/scap-security-guide/remediation_functions populate var_auditd_max_log_file_action AUDITCONFIG=/etc/audit/auditd.conf grep -q ^max_log_file_action $AUDITCONFIG && \ sed -i 's/^max_log_file_action.*/max_log_file_action = '"$var_auditd_max_log_file_action"'/g' $AUDITCONFIG if ! [ $? -eq 0 ]; then echo "max_log_file_action = $var_auditd_max_log_file_action" >> $AUDITCONFIG fi scap-security-guide-0.1.39/shared/fixes/bash/auditd_data_retention_num_logs.sh000066400000000000000000000005361327242345500275770ustar00rootroot00000000000000# platform = multi_platform_rhel . /usr/share/scap-security-guide/remediation_functions populate var_auditd_num_logs AUDITCONFIG=/etc/audit/auditd.conf grep -q ^num_logs $AUDITCONFIG && \ sed -i 's/^num_logs.*/num_logs = '"$var_auditd_num_logs"'/g' $AUDITCONFIG if ! [ $? -eq 0 ]; then echo "num_logs = $var_auditd_num_logs" >> $AUDITCONFIG fi scap-security-guide-0.1.39/shared/fixes/bash/auditd_data_retention_space_left.sh000066400000000000000000000005541327242345500300610ustar00rootroot00000000000000# platform = multi_platform_rhel . /usr/share/scap-security-guide/remediation_functions populate var_auditd_space_left grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \ sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \ echo "space_left = $var_auditd_space_left" >> /etc/audit/auditd.conf scap-security-guide-0.1.39/shared/fixes/bash/auditd_data_retention_space_left_action.sh000066400000000000000000000013441327242345500314140ustar00rootroot00000000000000# platform = multi_platform_rhel . 
/usr/share/scap-security-guide/remediation_functions populate var_auditd_space_left_action # # If space_left_action present in /etc/audit/auditd.conf, change value # to var_auditd_space_left_action, else # add "space_left_action = $var_auditd_space_left_action" to /etc/audit/auditd.conf # if grep --silent ^space_left_action /etc/audit/auditd.conf ; then sed -i 's/^space_left_action.*/space_left_action = '"$var_auditd_space_left_action"'/g' /etc/audit/auditd.conf else echo -e "\n# Set space_left_action to $var_auditd_space_left_action per security requirements" >> /etc/audit/auditd.conf echo "space_left_action = $var_auditd_space_left_action" >> /etc/audit/auditd.conf fi scap-security-guide-0.1.39/shared/fixes/bash/bootloader_audit_argument.sh000066400000000000000000000001321327242345500265540ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 /sbin/grubby --update-kernel=ALL --args="audit=1" scap-security-guide-0.1.39/shared/fixes/bash/bootloader_nousb_argument.sh000066400000000000000000000010521327242345500265760ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7, multi_platform_fedora # Correct the form of default kernel command line in /etc/default/grub if ! grep -q ^GRUB_CMDLINE_LINUX=\".*nousb.*\" /etc/default/grub; then # Edit configuration setting # Append 'nousb' argument to /etc/default/grub (if not present yet) sed -i "s/\(GRUB_CMDLINE_LINUX=\)\"\(.*\)\"/\1\"\2 nousb\"/" /etc/default/grub # Edit runtime setting # Correct the form of kernel command line for each installed kernel in the bootloader /sbin/grubby --update-kernel=ALL --args="nousb" fi scap-security-guide-0.1.39/shared/fixes/bash/chronyd_or_ntpd_set_maxpoll.sh000066400000000000000000000011021327242345500271320ustar00rootroot00000000000000# platform = multi_platform_rhel . 
/usr/share/scap-security-guide/remediation_functions populate var_time_service_set_maxpoll config_file="/etc/ntp.conf" /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf" # Set maxpoll values to var_time_service_set_maxpoll sed -i "s/^\(server.*maxpoll\) [0-9][0-9]*\(.*\)$/\1 $var_time_service_set_maxpoll \2/" "$config_file" # Add maxpoll to server entries without maxpoll grep "^server" "$config_file" | grep -v maxpoll | while read -r line ; do sed -i "s/$line/& maxpoll $var_time_service_set_maxpoll/" "$config_file" done scap-security-guide-0.1.39/shared/fixes/bash/configure_firewalld_ports.sh000066400000000000000000000032561327242345500266050ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7, multi_platform_fedora # reboot = false # complexity = low # strategy = configure # disruption = low . /usr/share/scap-security-guide/remediation_functions package_install firewalld populate firewalld_sshd_zone # This assumes that firewalld_sshd_zone is one of the pre-defined zones if [ ! -f /etc/firewalld/zones/${firewalld_sshd_zone}.xml ]; then cp /usr/lib/firewalld/zones/${firewalld_sshd_zone}.xml /etc/firewalld/zones/${firewalld_sshd_zone}.xml fi if ! grep -q 'service name="ssh"' /etc/firewalld/zones/${firewalld_sshd_zone}.xml; then sed -i '/<\/description>/a \ ' /etc/firewalld/zones/${firewalld_sshd_zone}.xml fi # Check if any eth interface is bounded to the zone with SSH service enabled nic_bound=false eth_interface_list=$(ip link show up | cut -d ' ' -f2 | cut -d ':' -s -f1 | grep -E '^(en|eth)') for interface in $eth_interface_list; do if grep -q "ZONE=$firewalld_sshd_zone" /etc/sysconfig/network-scripts/ifcfg-$interface; then nic_bound=true break; fi done if [ $nic_bound = false ];then # Add first NIC to SSH enabled zone if ! 
firewall-cmd --state -q; then replace_or_append "/etc/sysconfig/network-scripts/ifcfg-${eth_interface_list[0]}" '^ZONE=' "$firewalld_sshd_zone" '@CCENUM@' '%s=%s' else # If firewalld service is running, we need to do this step with firewall-cmd # Otherwise firewalld will comunicate with NetworkManage and will revert assigned zone # of NetworkManager managed interfaces upon reload firewall-cmd --zone=$firewalld_sshd_zone --add-interface=${eth_interface_list[0]} firewall-cmd --reload fi fi scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_banner_enabled.sh000066400000000000000000000004761327242345500266220ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/login-screen' 'banner-message-enable' 'true' 'gdm.d' '00-security-settings' dconf_lock 'org/gnome/login-screen' 'banner-message-enable' 'gdm.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_disable_automount.sh000066400000000000000000000013361327242345500274150ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . 
/usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/desktop/media-handling' 'automount' 'false' 'local.d' '00-security-settings' dconf_settings 'org/gnome/desktop/media-handling' 'automount-open' 'false' 'local.d' '00-security-settings' dconf_settings 'org/gnome/desktop/media-handling' 'autorun-never' 'true' 'local.d' '00-security-settings' dconf_lock 'org/gnome/desktop/media-handling' 'automount' 'local.d' '00-security-settings-lock' dconf_lock 'org/gnome/desktop/media-handling' 'automount-open' 'local.d' '00-security-settings-lock' dconf_lock 'org/gnome/desktop/media-handling' 'autorun-never' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_disable_ctrlaltdel_reboot.sh000066400000000000000000000005251327242345500310650ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/settings-daemon/plugins/media-keys' 'logout' "string ''" 'local.d' '00-security-settings' dconf_lock 'org/gnome/settings-daemon/plugins/media-keys' 'logout' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_disable_geolocation.sh000066400000000000000000000007301327242345500276620ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . 
/usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/system/location' 'enabled' 'false' 'local.d' '00-security-settings' dconf_settings 'org/gnome/clocks' 'geolocation' 'false' 'local.d' '00-security-settings' dconf_lock 'org/gnome/system/location' 'enabled' 'local.d' '00-security-settings-lock' dconf_lock 'org/gnome/clocks' 'geolocation' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_disable_restart_shutdown.sh000066400000000000000000000005021327242345500307730ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/login-screen' 'disable-restart-buttons' 'true' 'gdm.d' '00-security-settings' dconf_lock 'org/gnome/login-screen' 'disable-restart-buttons' 'gdm.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_disable_thumbnailers.sh000066400000000000000000000004761327242345500300630ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/desktop/thumbnailers' 'disable-all' 'true' 'local.d' '00-security-settings' dconf_lock 'org/gnome/desktop/thumbnailers' 'disable-all' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_disable_user_admin.sh000066400000000000000000000005301327242345500275030ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . 
/usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/desktop/lockdown' 'user-administration-disabled' 'true' 'local.d' '00-security-settings' dconf_lock 'org/gnome/desktop/lockdown' 'user-administration-disabled' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_disable_user_list.sh000066400000000000000000000004661327242345500273760ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/login-screen' 'disable-user-list' 'true' 'gdm.d' '00-security-settings' dconf_lock 'org/gnome/login-screen' 'disable-user-list' 'gdm.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_disable_wifi_create.sh000066400000000000000000000005171327242345500276430ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7, multi_platform_fedora . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/nm-applet' 'disable-wifi-create' 'true' 'local.d' '00-security-settings' dconf_lock 'org/gnome/nm-applet' 'disable-wifi-create' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_disable_wifi_notification.sh000066400000000000000000000005611327242345500310650ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7, multi_platform_fedora . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/nm-applet' 'suppress-wireless-networks-available' 'true' 'local.d' '00-security-settings' dconf_lock 'org/gnome/nm-applet' 'suppress-wireless-networks-available' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_enable_smartcard_auth.sh000066400000000000000000000005221327242345500302020ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . 
/usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/login-screen' 'enable-smartcard-authentication' 'true' 'gdm.d' '00-security-settings' dconf_lock 'org/gnome/login-screen' 'enable-smartcard-authentication' 'gdm.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_login_banner_text.sh000066400000000000000000000010431327242345500273730ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions populate login_banner_text include_dconf_settings expanded=$(echo "$login_banner_text" | sed 's/(\\\\\x27)\*/\\\x27/g;s/(\\\x27)\*//g;s/(\\\\\x27)/tamere/g;s/\^(\(.*\)|.*$/\1/g;s/\[\\s\\n\][+*]/ /g;s/\\//g;s/(n)\*/\\n/g;s/\x27/\\\x27/g;') dconf_settings 'org/gnome/login-screen' 'banner-message-text' "string '${expanded}'" 'gdm.d' '00-security-settings' dconf_lock 'org/gnome/login-screen' 'banner-message-text' 'gdm.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_login_retries.sh000066400000000000000000000004611327242345500265420ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/login-screen' 'allowed-failures' "3" 'gdm.d' '00-security-settings' dconf_lock 'org/gnome/login-screen' 'allowed-failures' 'gdm.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_remote_access_credential_prompt.sh000066400000000000000000000004671327242345500323120ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . 
/usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/Vino' 'authentication-methods' "['vnc']" 'local.d' '00-security-settings' dconf_lock 'org/gnome/Vino' 'authentication-methods' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_remote_access_encryption.sh000066400000000000000000000004541327242345500307650ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/Vino' 'require-encryption' 'true' 'local.d' '00-security-settings' dconf_lock 'org/gnome/Vino' 'require-encryption' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_screensaver_idle_activation_enabled.sh000066400000000000000000000005241327242345500331050ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/desktop/screensaver' 'idle-activation-enabled' 'true' 'local.d' '00-security-settings' dconf_lock 'org/gnome/desktop/screensaver' 'idle-activation-enabled' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_screensaver_idle_activation_locked.sh000066400000000000000000000003431327242345500327530ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_lock 'org/gnome/desktop/screensaver' 'idle-activation-enabled' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_screensaver_idle_delay.sh000066400000000000000000000005621327242345500303720ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . 
/usr/share/scap-security-guide/remediation_functions populate inactivity_timeout_value include_dconf_settings dconf_settings 'org/gnome/desktop/session' 'idle-delay' "uint32 ${inactivity_timeout_value}" 'local.d' '00-security-settings' dconf_lock 'org/gnome/desktop/session' 'idle-delay' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_screensaver_lock_delay.sh000066400000000000000000000005761327242345500304120ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions populate var_screensaver_lock_delay include_dconf_settings dconf_settings 'org/gnome/desktop/screensaver' 'lock-delay' "uint32 ${var_screensaver_lock_delay}" 'local.d' '00-security-settings' dconf_lock 'org/gnome/desktop/screensaver' 'lock-delay' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_screensaver_lock_enabled.sh000066400000000000000000000004761327242345500307050ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/desktop/screensaver' 'lock-enabled' 'true' 'local.d' '00-security-settings' dconf_lock 'org/gnome/desktop/screensaver' 'lock-enabled' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_screensaver_lock_locked.sh000066400000000000000000000003301327242345500305410ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_lock 'org/gnome/desktop/screensaver' 'lock-enabled' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_screensaver_mode_blank.sh000066400000000000000000000005011327242345500303630ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . 
/usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/desktop/screensaver' 'picture-uri' "string ''" 'local.d' '00-security-settings' dconf_lock 'org/gnome/desktop/screensaver' 'picture-uri' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_screensaver_user_info.sh000066400000000000000000000005311327242345500302640ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_settings 'org/gnome/desktop/screensaver' 'show-full-name-in-top-bar' 'false' 'local.d' '00-security-settings' dconf_lock 'org/gnome/desktop/screensaver' 'show-full-name-in-top-bar' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_screensaver_user_locks.sh000066400000000000000000000003261327242345500304460ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_lock 'org/gnome/desktop/screensaver' 'lock-delay' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/dconf_gnome_session_idle_user_locks.sh000066400000000000000000000003221327242345500306020ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 . /usr/share/scap-security-guide/remediation_functions include_dconf_settings dconf_lock 'org/gnome/desktop/session' 'idle-delay' 'local.d' '00-security-settings-lock' scap-security-guide-0.1.39/shared/fixes/bash/directory_permissions_var_log_audit.xml000066400000000000000000000004751327242345500310700ustar00rootroot00000000000000# platform = multi_platform_rhel if `grep -q ^log_group /etc/audit/auditd.conf` ; then GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') if ! 
[ "${GROUP}" == 'root' ] ; then chmod 0750 /var/log/audit else chmod 0700 /var/log/audit fi else chmod 0700 /var/log/audit fi scap-security-guide-0.1.39/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh000066400000000000000000000003741327242345500275740ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7, multi_platform_fedora # Include source function library. . /usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/systemd/system.conf' '^CtrlAltDelBurstAction=' 'none' '@CCENUM@' '%s=%s' scap-security-guide-0.1.39/shared/fixes/bash/disable_ctrlaltdel_reboot.sh000066400000000000000000000001701327242345500265230ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7, multi_platform_fedora ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target scap-security-guide-0.1.39/shared/fixes/bash/disable_host_auth.sh000066400000000000000000000004451327242345500250220ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora grep -q ^HostbasedAuthentication /etc/ssh/sshd_config && \ sed -i "s/HostbasedAuthentication.*/HostbasedAuthentication no/g" /etc/ssh/sshd_config if ! [ $? 
-eq 0 ]; then echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config fi scap-security-guide-0.1.39/shared/fixes/bash/disable_interactive_boot.sh000066400000000000000000000017171327242345500263670ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7, multi_platform_fedora # Systemd confirm_spawn regex to search for and delete if found CONFIRM_SPAWN_REGEX="systemd.confirm_spawn=\(1\|yes\|true\|on\)" # Modify both the GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT directives for grubcmdline in "GRUB_CMDLINE_LINUX" "GRUB_CMDLINE_LINUX_DEFAULT" do # Remove 'systemd.confirm_spawn' argument from /etc/default/grub if found if grep -q "^${grubcmdline}=\".*${CONFIRM_SPAWN_REGEX}.*\"" /etc/default/grub then # Remove all three possible occurrences of CONFIRM_SPAWN_REGEX: # At the start sed -i "s/\"${CONFIRM_SPAWN_REGEX} /\"/" /etc/default/grub # At the end sed -i "s/ ${CONFIRM_SPAWN_REGEX}\"$/\"/" /etc/default/grub # In the middle sed -i "s/ ${CONFIRM_SPAWN_REGEX}//" /etc/default/grub fi done # Remove 'systemd.confirm_spawn' kernel argument also from runtime settings /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn" scap-security-guide-0.1.39/shared/fixes/bash/display_login_attempts.sh000066400000000000000000000005621327242345500261170ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 if $(grep -q "^session.*pam_lastlog.so" /etc/pam.d/postlogin) ; then sed -i --follow-symlinks "/pam_lastlog.so/d" /etc/pam.d/postlogin fi echo "session [default=1] pam_lastlog.so nowtmp showfailed" >> /etc/pam.d/postlogin echo "session optional pam_lastlog.so silent noupdate showfailed" >> /etc/pam.d/postlogin scap-security-guide-0.1.39/shared/fixes/bash/enable_selinux_bootloader.sh000066400000000000000000000003361327242345500265470ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 sed -i --follow-symlinks "s/selinux=0//gI" /etc/default/grub /etc/grub2.cfg /etc/grub.d/* sed -i --follow-symlinks "s/enforcing=0//gI" 
/etc/default/grub /etc/grub2.cfg /etc/grub.d/* scap-security-guide-0.1.39/shared/fixes/bash/ensure_gpgcheck_globally_activated.sh000066400000000000000000000002511327242345500304010ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_ol . /usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/yum.conf' '^gpgcheck' '1' '@CCENUM@' scap-security-guide-0.1.39/shared/fixes/bash/ensure_gpgcheck_never_disabled.sh000066400000000000000000000001301327242345500275120ustar00rootroot00000000000000# platform = multi_platform_rhel sed -i 's/gpgcheck=.*/gpgcheck=1/g' /etc/yum.repos.d/* scap-security-guide-0.1.39/shared/fixes/bash/ensure_logrotate_activated.sh000066400000000000000000000012341327242345500267430ustar00rootroot00000000000000# platform = multi_platform_rhel LOGROTATE_CONF_FILE="/etc/logrotate.conf" CRON_DAILY_LOGROTATE_FILE="/etc/cron.daily/logrotate" # daily rotation is configured grep -q "^daily$" $LOGROTATE_CONF_FILE|| echo "daily" >> $LOGROTATE_CONF_FILE # remove any line configuring weekly, monthly or yearly rotation sed -i -r "/^(weekly|monthly|yearly)$/d" $LOGROTATE_CONF_FILE # configure cron.daily if not already if ! 
grep -q "^[[:space:]]*/usr/sbin/logrotate[[:alnum:][:blank:][:punct:]]*$LOGROTATE_CONF_FILE$" $CRON_DAILY_LOGROTATE_FILE; then echo "#!/bin/sh" > $CRON_DAILY_LOGROTATE_FILE echo "/usr/sbin/logrotate $LOGROTATE_CONF_FILE" >> $CRON_DAILY_LOGROTATE_FILE fi scap-security-guide-0.1.39/shared/fixes/bash/ensure_oracle_gpgkey_installed.sh000066400000000000000000000024331327242345500275730ustar00rootroot00000000000000# platform = multi_platform_ol # OL fingerprints below retrieved from "Oracle Linux Unbreakable Linux Network User's Guide" # https://docs.oracle.com/cd/E37670_01/E39381/html/ol_import_gpg.html readonly OL_FINGERPRINT="4214 4123 FECF C55B 9086 313D 72F9 7B74 EC55 1F03" # Location of the key we would like to import (once it's integrity verified) readonly OL_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle" RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$OL_RELEASE_KEY")") # Verify /etc/pki/rpm-gpg directory permissions are safe if [ "${RPM_GPG_DIR_PERMS}" -le "755" ] then # If they are safe, try to obtain fingerprints from the key file # (to ensure there won't be e.g. CRC error) IFS=$'\n' GPG_OUT=($(gpg --with-fingerprint "${OL_RELEASE_KEY}")) GPG_RESULT=$? 
# No CRC error, safe to proceed if [ "${GPG_RESULT}" -eq "0" ] then for ITEM in "${GPG_OUT[@]}" do # Filter just hexadecimal fingerprints from gpg's output from # processing of a key file RESULT=$(echo ${ITEM} | sed -n "s/[[:space:]]*Key fingerprint = \(.*\)/\1/p" | tr -s '[:space:]') # If fingerprint matches Oracle Linux 6 and 7 key import the key if [[ ${RESULT} ]] && [[ ${RESULT} = "${OL_FINGERPRINT}" ]] then rpm --import "${OL_RELEASE_KEY}" fi done fi fi scap-security-guide-0.1.39/shared/fixes/bash/ensure_redhat_gpgkey_installed.sh000066400000000000000000000023041327242345500275720ustar00rootroot00000000000000# platform = multi_platform_rhel # The two fingerprints below are retrieved from https://access.redhat.com/security/team/key readonly REDHAT_RELEASE_2_FINGERPRINT="567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51" readonly REDHAT_AUXILIARY_FINGERPRINT="43A6 E49C 4A38 F4BE 9ABF 2A53 4568 9C88 2FA6 58E0" # Location of the key we would like to import (once it's integrity verified) readonly REDHAT_RELEASE_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" RPM_GPG_DIR_PERMS=$(stat -c %a "$(dirname "$REDHAT_RELEASE_KEY")") # Verify /etc/pki/rpm-gpg directory permissions are safe if [ "${RPM_GPG_DIR_PERMS}" -le "755" ] then # If they are safe, try to obtain fingerprints from the key file # (to ensure there won't be e.g. CRC error). IFS=$'\n' GPG_OUT=($(gpg --with-fingerprint "${REDHAT_RELEASE_KEY}" | grep 'Key fingerprint =')) GPG_RESULT=$? 
# Reset IFS back to default unset IFS # No CRC error, safe to proceed if [ "${GPG_RESULT}" -eq "0" ] then tr -s ' ' <<< "${GPG_OUT}" | grep -vE "${REDHAT_RELEASE_2_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || { # If file doesn't contains any keys with unknown fingerprint, import it rpm --import "${REDHAT_RELEASE_KEY}" } fi fi scap-security-guide-0.1.39/shared/fixes/bash/file_group_owner_efi_grub2_cfg.sh000066400000000000000000000001211327242345500274400ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 chgrp root /boot/efi/EFI/redhat/grub.cfg scap-security-guide-0.1.39/shared/fixes/bash/file_group_owner_grub2_cfg.sh000066400000000000000000000001101327242345500266130ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 chgrp root /boot/grub2/grub.cfg scap-security-guide-0.1.39/shared/fixes/bash/file_ownership_binary_dirs.sh000066400000000000000000000002541327242345500267410ustar00rootroot00000000000000# platform = multi_platform_rhel find /bin/ \ /usr/bin/ \ /usr/local/bin/ \ /sbin/ \ /usr/sbin/ \ /usr/local/sbin/ \ /usr/libexec \ \! -user root -execdir chown root {} \; scap-security-guide-0.1.39/shared/fixes/bash/file_ownership_library_dirs.sh000066400000000000000000000003101327242345500271120ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora for LIBDIR in /usr/lib /usr/lib64 /lib /lib64 do if [ -d $LIBDIR ] then find -L $LIBDIR \! -user root -exec chown root {} \; fi done scap-security-guide-0.1.39/shared/fixes/bash/file_ownership_var_log_audit.sh000066400000000000000000000007341327242345500272560ustar00rootroot00000000000000# platform = multi_platform_rhel if `grep -q ^log_group /etc/audit/auditd.conf` ; then GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') if ! 
[ "${GROUP}" == 'root' ] ; then chown root.${GROUP} /var/log/audit chown root.${GROUP} /var/log/audit/audit.log* else chown root.root /var/log/audit chown root.root /var/log/audit/audit.log* fi else chown root.root /var/log/audit chown root.root /var/log/audit/audit.log* fi scap-security-guide-0.1.39/shared/fixes/bash/file_permissions_binary_dirs.sh000066400000000000000000000003051327242345500272730ustar00rootroot00000000000000# platform = multi_platform_rhel DIRS="/bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /usr/libexec" for dirPath in $DIRS; do find "$dirPath" -perm /022 -exec chmod go-w '{}' \; done scap-security-guide-0.1.39/shared/fixes/bash/file_permissions_efi_grub2_cfg.sh000066400000000000000000000001201327242345500274440ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 chmod 700 /boot/efi/EFI/redhat/grub.cfg scap-security-guide-0.1.39/shared/fixes/bash/file_permissions_grub2_cfg.sh000066400000000000000000000001071327242345500266260ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 chmod 600 /boot/grub2/grub.cfg scap-security-guide-0.1.39/shared/fixes/bash/file_permissions_library_dirs.sh000066400000000000000000000003061327242345500274540ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 DIRS="/lib /lib64 /usr/lib /usr/lib64" for dirPath in $DIRS; do find "$dirPath" -perm /022 -type f -exec chmod go-w '{}' \; done scap-security-guide-0.1.39/shared/fixes/bash/file_permissions_var_log_audit.sh000066400000000000000000000011321327242345500276040ustar00rootroot00000000000000# platform = multi_platform_rhel if `grep -q ^log_group /etc/audit/auditd.conf` ; then GROUP=$(awk -F "=" '/log_group/ {print $2}' /etc/audit/auditd.conf | tr -d ' ') if ! 
[ "${GROUP}" == 'root' ] ; then chmod 0640 /var/log/audit/audit.log chmod 0440 /var/log/audit/audit.log.* else chmod 0600 /var/log/audit/audit.log chmod 0400 /var/log/audit/audit.log.* fi chmod 0640 /etc/audit/audit* chmod 0640 /etc/audit/rules.d/* else chmod 0600 /var/log/audit/audit.log chmod 0400 /var/log/audit/audit.log.* chmod 0640 /etc/audit/audit* chmod 0640 /etc/audit/rules.d/* fi scap-security-guide-0.1.39/shared/fixes/bash/file_user_owner_efi_grub2_cfg.sh000066400000000000000000000001211327242345500272620ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 chown root /boot/efi/EFI/redhat/grub.cfg scap-security-guide-0.1.39/shared/fixes/bash/file_user_owner_grub2_cfg.sh000066400000000000000000000001101327242345500264350ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 chown root /boot/grub2/grub.cfg scap-security-guide-0.1.39/shared/fixes/bash/ftp_present_banner.sh000066400000000000000000000002611327242345500252130ustar00rootroot00000000000000# platform = multi_platform_wrlinux . /usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/vsftpd.conf' '^banner_file' '/etc/issue' '@CCENUM@' '%s=%s' scap-security-guide-0.1.39/shared/fixes/bash/install_smartcard_packages.sh000066400000000000000000000002471327242345500267050ustar00rootroot00000000000000# platform = multi_platform_rhel . /usr/share/scap-security-guide/remediation_functions package_install esc package_install pam_pkcs11 package_install authconfig-gtk scap-security-guide-0.1.39/shared/fixes/bash/ldap_client_start_tls.sh000066400000000000000000000005601327242345500257140ustar00rootroot00000000000000# platform = multi_platform_rhel # Include source function library. . 
/usr/share/scap-security-guide/remediation_functions # Use LDAP for authentication replace_or_append '/etc/sysconfig/authconfig' 'USELDAPAUTH' 'yes' '@CCENUM@' '%s=%s' # Configure client to use TLS for all authentications replace_or_append '/etc/nslcd.conf' 'ssl' 'start_tls' '@CCENUM@' '%s %s' scap-security-guide-0.1.39/shared/fixes/bash/network_ipv6_disable_rpc.sh000066400000000000000000000004251327242345500263230ustar00rootroot00000000000000# platform = multi_platform_rhel # Drop 'tcp6' and 'udp6' entries from /etc/netconfig to prevent RPC # services for NFSv4 from attempting to start IPv6 network listeners for rpc_entry in "tcp6" "udp6" do sed -i "/^$rpc_entry[[:space:]]\+tpi_.*inet6.*/d" /etc/netconfig done scap-security-guide-0.1.39/shared/fixes/bash/network_ipv6_privacy_extensions.sh000066400000000000000000000002771327242345500300150ustar00rootroot00000000000000# platform = multi_platform_rhel # enable randomness in ipv6 address generation for interface in /etc/sysconfig/network-scripts/ifcfg-* do echo "IPV6_PRIVACY=rfc3041" >> $interface done scap-security-guide-0.1.39/shared/fixes/bash/no_direct_root_logins.sh000066400000000000000000000000661327242345500257240ustar00rootroot00000000000000# platform = multi_platform_all echo > /etc/securetty scap-security-guide-0.1.39/shared/fixes/bash/no_empty_passwords.sh000066400000000000000000000003211327242345500252710ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora, multi_platform_ol sed --follow-symlinks -i 's/\//g' /etc/pam.d/system-auth sed --follow-symlinks -i 's/\//g' /etc/pam.d/password-auth scap-security-guide-0.1.39/shared/fixes/bash/no_host_based_files.sh000066400000000000000000000004071327242345500253300ustar00rootroot00000000000000# platform = multi_platform_rhel # Identify local mounts MOUNT_LIST=$(df | grep "^/dev" | awk '{ print $6 }') # Find file on each listed mount point for cur_mount in ${MOUNT_LIST} do find ${cur_mount} -xdev -type f -name "shosts.equiv" -exec rm 
-f {} \; done scap-security-guide-0.1.39/shared/fixes/bash/no_rsh_trust_files.sh000066400000000000000000000002441327242345500252510ustar00rootroot00000000000000# platform = multi_platform_rhel find /home -maxdepth 2 -type f -name .rhosts -exec rm -f '{}' \; if [ -f /etc/hosts.equiv ]; then /bin/rm -f /etc/hosts.equiv fi scap-security-guide-0.1.39/shared/fixes/bash/no_user_host_based_files.sh000066400000000000000000000004021327242345500263610ustar00rootroot00000000000000# platform = multi_platform_rhel # Identify local mounts MOUNT_LIST=$(df | grep "^/dev" | awk '{ print $6 }') # Find file on each listed mount point for cur_mount in ${MOUNT_LIST} do find ${cur_mount} -xdev -type f -name ".shosts" -exec rm -f {} \; done scap-security-guide-0.1.39/shared/fixes/bash/require_singleuser_auth.sh000066400000000000000000000003571327242345500263000ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 7 grep -q "^ExecStart=\-.*/sbin/sulogin" /usr/lib/systemd/system/rescue.service if ! [ $? 
-eq 0 ]; then sed -i "s/ExecStart=-.*-c \"/&\/sbin\/sulogin; /g" /usr/lib/systemd/system/rescue.service fi scap-security-guide-0.1.39/shared/fixes/bash/require_smb_client_signing.sh000066400000000000000000000011371327242345500267310ustar00rootroot00000000000000# platform = multi_platform_rhel ###################################################################### #By Luke "Brisk-OH" Brisk #luke.brisk@boeing.com or luke.brisk@gmail.com ###################################################################### CLIENTSIGNING=$( grep -ic 'client signing' /etc/samba/smb.conf ) if [ "$CLIENTSIGNING" -eq 0 ]; then # Add to global section sed -i 's/\[global\]/\[global\]\n\n\tclient signing = mandatory/g' /etc/samba/smb.conf else sed -i 's/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/ client signing = mandatory/g' /etc/samba/smb.conf fi scap-security-guide-0.1.39/shared/fixes/bash/restrict_serial_port_logins.sh000066400000000000000000000001001327242345500271420ustar00rootroot00000000000000# platform = multi_platform_all sed -i '/ttyS/d' /etc/securetty scap-security-guide-0.1.39/shared/fixes/bash/rpm_verify_ownership.sh000066400000000000000000000020451327242345500256170ustar00rootroot00000000000000# platform = multi_platform_rhel,multi_platform_ol # reboot = false # strategy = restrict # complexity = high # disruption = medium # Declare array to hold list of RPM packages we need to correct permissions for SETPERMS_RPM_LIST=() # Create a list of files on the system having permissions different from what # is expected by the RPM database FILES_WITH_INCORRECT_PERMS=($(rpm -Va --nofiledigest | grep "^.*\(G\|U\)" | cut -d ' ' -f4-)) # For each file path from that list: # * Determine the RPM package the file path is shipped by, # * Include it into SETPERMS_RPM_LIST array for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}" do RPM_PACKAGE=$(rpm -qf "$FILE_PATH") SETPERMS_RPM_LIST+=("$RPM_PACKAGE") done # Remove duplicate mention of same RPM in $SETPERMS_RPM_LIST (if 
any) SETPERMS_RPM_LIST=( $(printf "%s\n" "${SETPERMS_RPM_LIST[@]}" | sort -u) ) # For each of the RPM packages left in the list -- reset its permissions to the # correct values for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}" do rpm --setugids "${RPM_PACKAGE}" done scap-security-guide-0.1.39/shared/fixes/bash/rpm_verify_permissions.sh000066400000000000000000000021031327242345500261470ustar00rootroot00000000000000# platform = multi_platform_rhel,multi_platform_ol # reboot = false # strategy = restrict # complexity = high # disruption = medium # Declare array to hold list of RPM packages we need to correct permissions for declare -a SETPERMS_RPM_LIST # Create a list of files on the system having permissions different from what # is expected by the RPM database FILES_WITH_INCORRECT_PERMS=($(rpm -Va --nofiledigest | grep '^.M' | cut -d ' ' -f4-)) # For each file path from that list: # * Determine the RPM package the file path is shipped by, # * Include it into SETPERMS_RPM_LIST array for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}" do RPM_PACKAGE=$(rpm -qf "$FILE_PATH") SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}" "$RPM_PACKAGE") done # Remove duplicate mention of same RPM in $SETPERMS_RPM_LIST (if any) SETPERMS_RPM_LIST=( $(echo "${SETPERMS_RPM_LIST[@]}" | tr ' ' '\n' | sort -u | tr '\n' ' ') ) # For each of the RPM packages left in the list -- reset its permissions to the # correct values for RPM_PACKAGE in "${SETPERMS_RPM_LIST[@]}" do rpm --setperms "${RPM_PACKAGE}" done scap-security-guide-0.1.39/shared/fixes/bash/rsyslog_files_permissions.sh000066400000000000000000000056301327242345500266610ustar00rootroot00000000000000# platform = multi_platform_rhel # List of log file paths to be inspected for correct permissions # * Primarily inspect log file paths listed in /etc/rsyslog.conf RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" # * And also the log file paths listed after rsyslog's $IncludeConfig directive # (store the result into array for the case there's shell glob used as 
value of IncludeConfig) RSYSLOG_INCLUDE_CONFIG=($(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2)) # Declare an array to hold the final list of different log file paths declare -a LOG_FILE_PATHS # Browse each file selected above as containing paths of log files # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" do # From each of these files extract just particular log file path(s), thus: # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, # * Ignore empty lines, # * From the remaining valid rows select only fields constituting a log file path # Text file column is understood to represent a log file path if and only if all of the following are met: # * it contains at least one slash '/' character, # * it doesn't contain space (' '), colon (':'), and semicolon (';') characters # Search log file for path(s) only in case it exists! 
if [[ -f "${LOG_FILE}" ]] then MATCHED_ITEMS=$(sed -e "/^[[:space:]|#|$]/d ; s/[^\/]*[[:space:]]*\([^:;[:space:]]*\)/\1/g ; /^$/d" "${LOG_FILE}") # Since above sed command might return more than one item (delimited by newline), split the particular # matches entries into new array specific for this log file readarray -t ARRAY_FOR_LOG_FILE <<< "$MATCHED_ITEMS" # Concatenate the two arrays - previous content of $LOG_FILE_PATHS array with # items from newly created array for this log file LOG_FILE_PATHS=("${LOG_FILE_PATHS[@]}" "${ARRAY_FOR_LOG_FILE[@]}") # Delete the temporary array unset ARRAY_FOR_LOG_FILE fi done for PATH in "${LOG_FILE_PATHS[@]}" do # Sanity check - if particular $PATH is empty string, skip it from further processing if [ -z "$PATH" ] then continue fi # Per https://access.redhat.com/solutions/66805 '/var/log/boot.log' log file needs special care => perform it if [ "$PATH" == "/var/log/boot.log" ] then # Ensure permissions of /var/log/boot.log are configured to be updated in /etc/rc.local if ! /bin/grep -q "boot.log" "/etc/rc.local" then echo "/bin/chmod 600 /var/log/boot.log" >> /etc/rc.local fi # Ensure /etc/rc.d/rc.local has user-executable permission # (in order to be actually executed during boot) if [ "$(/usr/bin/stat -c %a /etc/rc.d/rc.local)" -ne 744 ] then /bin/chmod u+x /etc/rc.d/rc.local fi fi # Also for each log file check if its permissions differ from 600. If so, correct them if [ "$(/usr/bin/stat -c %a "$PATH")" -ne 600 ] then /bin/chmod 600 "$PATH" fi done scap-security-guide-0.1.39/shared/fixes/bash/rsyslog_remote_loghost.sh000066400000000000000000000004011327242345500261450ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora . 
/usr/share/scap-security-guide/remediation_functions populate rsyslog_remote_loghost_address replace_or_append '/etc/rsyslog.conf' '^\*\.\*' "@@$rsyslog_remote_loghost_address" '@CCENUM@' '%s %s' scap-security-guide-0.1.39/shared/fixes/bash/securetty_root_login_console_only.sh000066400000000000000000000001011327242345500303730ustar00rootroot00000000000000# platform = multi_platform_all sed -i '/^vc\//d' /etc/securetty scap-security-guide-0.1.39/shared/fixes/bash/security_patches_up_to_date.sh000066400000000000000000000002141327242345500271140ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_ol # reboot = true # strategy = patch # complexity = low # disruption = high yum -y update scap-security-guide-0.1.39/shared/fixes/bash/selinux_policytype.sh000066400000000000000000000004061327242345500253060ustar00rootroot00000000000000# platform = multi_platform_rhel # # Include source function library. . /usr/share/scap-security-guide/remediation_functions populate var_selinux_policy_name replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s' scap-security-guide-0.1.39/shared/fixes/bash/selinux_state.sh000066400000000000000000000004331327242345500242250ustar00rootroot00000000000000# platform = multi_platform_rhel # # Include source function library. . 
/usr/share/scap-security-guide/remediation_functions populate var_selinux_state replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' fixfiles onboot fixfiles -f relabel scap-security-guide-0.1.39/shared/fixes/bash/set_ip6tables_default_rule.sh000066400000000000000000000001611327242345500266330ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 sed -i 's/^:INPUT ACCEPT.*/:INPUT DROP [0:0]/g' /etc/sysconfig/ip6tables scap-security-guide-0.1.39/shared/fixes/bash/set_iptables_default_rule.sh000066400000000000000000000001601327242345500265440ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 sed -i 's/^:INPUT ACCEPT.*/:INPUT DROP [0:0]/g' /etc/sysconfig/iptables scap-security-guide-0.1.39/shared/fixes/bash/set_iptables_default_rule_forward.sh000066400000000000000000000001641327242345500302740ustar00rootroot00000000000000# platform = Red Hat Enterprise Linux 6 sed -i 's/^:FORWARD ACCEPT.*/:FORWARD DROP [0:0]/g' /etc/sysconfig/iptables scap-security-guide-0.1.39/shared/fixes/bash/set_password_hashing_algorithm_logindefs.sh000066400000000000000000000003641327242345500316570ustar00rootroot00000000000000# platform = multi_platform_rhel if grep --silent ^ENCRYPT_METHOD /etc/login.defs ; then sed -i 's/^ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/g' /etc/login.defs else echo "" >> /etc/login.defs echo "ENCRYPT_METHOD SHA512" >> /etc/login.defs fi scap-security-guide-0.1.39/shared/fixes/bash/set_password_hashing_algorithm_systemauth.sh000066400000000000000000000005031327242345500321060ustar00rootroot00000000000000# platform = multi_platform_rhel AUTH_FILES[0]="/etc/pam.d/system-auth" AUTH_FILES[1]="/etc/pam.d/password-auth" for pamFile in "${AUTH_FILES[@]}" do if ! 
grep -q "^password.*sufficient.*pam_unix.so.*sha512" $pamFile; then sed -i --follow-symlinks "/^password.*sufficient.*pam_unix.so/ s/$/ sha512/" $pamFile fi done scap-security-guide-0.1.39/shared/fixes/bash/sshd_allow_only_protocol2.sh000066400000000000000000000003111327242345500265340ustar00rootroot00000000000000# platform = multi_platform_rhel # Include source function library. . /usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/ssh/sshd_config' '^Protocol' '2' '@CCENUM@' '%s %s' scap-security-guide-0.1.39/shared/fixes/bash/sshd_disable_compression.sh000066400000000000000000000003151327242345500264020ustar00rootroot00000000000000# platform = multi_platform_rhel # Include source function library. . /usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/ssh/sshd_config' '^Compression' 'no' '@CCENUM@' '%s %s' scap-security-guide-0.1.39/shared/fixes/bash/sshd_disable_empty_passwords.sh000066400000000000000000000003551327242345500273100ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # Include source function library. . /usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/ssh/sshd_config' '^PermitEmptyPasswords' 'no' '@CCENUM@' '%s %s' scap-security-guide-0.1.39/shared/fixes/bash/sshd_disable_gssapi_auth.sh000066400000000000000000000003261327242345500263520ustar00rootroot00000000000000# platform = multi_platform_rhel # Include source function library. . /usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/ssh/sshd_config' '^GSSAPIAuthentication' 'no' '@CCENUM@' '%s %s' scap-security-guide-0.1.39/shared/fixes/bash/sshd_disable_kerb_auth.sh000066400000000000000000000003301327242345500260020ustar00rootroot00000000000000# platform = multi_platform_rhel # Include source function library. . 
/usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/ssh/sshd_config' '^KerberosAuthentication' 'no' '@CCENUM@' '%s %s' scap-security-guide-0.1.39/shared/fixes/bash/sshd_disable_rhosts.sh000066400000000000000000000003461327242345500253670ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # Include source function library. . /usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/ssh/sshd_config' '^IgnoreRhosts' 'yes' '@CCENUM@' '%s %s' scap-security-guide-0.1.39/shared/fixes/bash/sshd_disable_rhosts_rsa.sh000066400000000000000000000003601327242345500262300ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # Include source function library. . /usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/ssh/sshd_config' '^RhostsRSAAuthentication' 'no' '@CCENUM@' '%s %s' scap-security-guide-0.1.39/shared/fixes/bash/sshd_disable_root_login.sh000066400000000000000000000045461327242345500262260ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora SSHD_CONFIG='/etc/ssh/sshd_config' # Obtain line number of first uncommented case-insensitive occurrence of Match # block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) # Obtain line number of first uncommented case-insensitive occurence of # PermitRootLogin directive (possibly prefixed with whitespace) present in # $SSHD_CONFIG FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG) # Case: Match block directive not present in $SSHD_CONFIG if [ -z "$FIRST_MATCH_BLOCK" ] then # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ] then # Append 'PermitRootLogin no' at the end of $SSHD_CONFIG echo -e "\nPermitRootLogin no" >> $SSHD_CONFIG # Case: PermitRootLogin directive present in 
$SSHD_CONFIG already else # Replace first uncommented case-insensitive occurrence # of PermitRootLogin directive sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG fi # Case: Match block directive present in $SSHD_CONFIG else # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ] then # Prepend 'PermitRootLogin no' before first uncommented # case-insensitive occurrence of Match block directive sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed # before first Match block directive elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ] then # Replace first uncommented case-insensitive occurrence # of PermitRootLogin directive sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed # after first Match block directive else # Prepend 'PermitRootLogin no' before first uncommented # case-insensitive occurrence of Match block directive sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG fi fi scap-security-guide-0.1.39/shared/fixes/bash/sshd_disable_user_known_hosts.sh000066400000000000000000000003561327242345500274600ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora # Include source function library. . /usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/ssh/sshd_config' '^IgnoreUserKnownHosts' 'yes' '@CCENUM@' '%s %s' scap-security-guide-0.1.39/shared/fixes/bash/sshd_enable_strictmodes.sh000066400000000000000000000003161327242345500262250ustar00rootroot00000000000000# platform = multi_platform_rhel # Include source function library. . 
/usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/ssh/sshd_config' '^StrictModes' 'yes' '@CCENUM@' '%s %s' scap-security-guide-0.1.39/shared/fixes/bash/sshd_print_last_log.sh000066400000000000000000000003171327242345500254000ustar00rootroot00000000000000# platform = multi_platform_rhel # Include source function library. . /usr/share/scap-security-guide/remediation_functions replace_or_append '/etc/ssh/sshd_config' '^PrintLastLog' 'yes' '@CCENUM@' '%s %s' scap-security-guide-0.1.39/shared/fixes/bash/sshd_set_idle_timeout.sh000066400000000000000000000053621327242345500257230ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora . /usr/share/scap-security-guide/remediation_functions declare sshd_idle_timeout_value populate sshd_idle_timeout_value SSHD_CONFIG='/etc/ssh/sshd_config' # Obtain line number of first uncommented case-insensitive occurrence of Match # block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) # Obtain line number of first uncommented case-insensitive occurence of # ClientAliveInterval directive (possibly prefixed with whitespace) present in # $SSHD_CONFIG FIRST_CLIENT_ALIVE_INTERVAL=$(sed -n '/^[[:space:]]*ClientAliveInterval[^\n]*/I{=;q}' $SSHD_CONFIG) # Case: Match block directive not present in $SSHD_CONFIG if [ -z "$FIRST_MATCH_BLOCK" ] then # Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ] then # Append 'ClientAliveInterval $sshd_idle_timeout_value' at the end of $SSHD_CONFIG echo -e "\nClientAliveInterval $sshd_idle_timeout_value" >> $SSHD_CONFIG # Case: ClientAliveInterval directive present in $SSHD_CONFIG already else # Replace first uncommented case-insensitive occurrence # of ClientAliveInterval directive sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" 
$SSHD_CONFIG fi # Case: Match block directive present in $SSHD_CONFIG else # Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ] then # Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented # case-insensitive occurrence of Match block directive sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG # Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed # before first Match block directive elif [ "$FIRST_CLIENT_ALIVE_INTERVAL" -lt "$FIRST_MATCH_BLOCK" ] then # Replace first uncommented case-insensitive occurrence # of ClientAliveInterval directive sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG # Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed # after first Match block directive else # Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented # case-insensitive occurrence of Match block directive sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG fi fi scap-security-guide-0.1.39/shared/fixes/bash/sshd_set_keepalive.sh000066400000000000000000000047101327242345500252010ustar00rootroot00000000000000# platform = multi_platform_rhel, multi_platform_fedora SSHD_CONFIG='/etc/ssh/sshd_config' # Obtain line number of first uncommented case-insensitive occurrence of Match # block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG) # Obtain line number of first uncommented case-insensitive occurence of # ClientAliveCountMax directive (possibly prefixed with whitespace) present in # $SSHD_CONFIG FIRST_CLIENT_ALIVE_COUNT_MAX=$(sed -n '/^[[:space:]]*ClientAliveCountMax[^\n]*/I{=;q}' $SSHD_CONFIG) # Case: Match block 
directive not present in $SSHD_CONFIG if [ -z "$FIRST_MATCH_BLOCK" ] then # Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ] then # Append 'ClientAliveCountMax 0' at the end of $SSHD_CONFIG echo -e "\nClientAliveCountMax 0" >> $SSHD_CONFIG # Case: ClientAliveCountMax directive present in $SSHD_CONFIG already else # Replace first uncommented case-insensitive occurrence # of ClientAliveCountMax directive sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG fi # Case: Match block directive present in $SSHD_CONFIG else # Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ] then # Prepend 'ClientAliveCountMax 0' before first uncommented # case-insensitive occurrence of Match block directive sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG # Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed # before first Match block directive elif [ "$FIRST_CLIENT_ALIVE_COUNT_MAX" -lt "$FIRST_MATCH_BLOCK" ] then # Replace first uncommented case-insensitive occurrence # of ClientAliveCountMax directive sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG # Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed # after first Match block directive else # Prepend 'ClientAliveCountMax 0' before first uncommented # case-insensitive occurrence of Match block directive sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG fi fi scap-security-guide-0.1.39/shared/fixes/bash/sshd_use_approved_macs.sh000066400000000000000000000003511327242345500260550ustar00rootroot00000000000000# platform = multi_platform_rhel # Include source function library. . 
. /usr/share/scap-security-guide/remediation_functions

replace_or_append '/etc/ssh/sshd_config' '^MACs' 'hmac-sha2-512,hmac-sha2-256,hmac-sha1' '@CCENUM@' '%s %s'

scap-security-guide-0.1.39/shared/fixes/bash/sshd_use_priv_separation.sh
# platform = multi_platform_rhel

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

replace_or_append '/etc/ssh/sshd_config' '^UsePrivilegeSeparation' 'sandbox' '@CCENUM@' '%s %s'

scap-security-guide-0.1.39/shared/fixes/bash/sssd_enable_pam_services.sh
# platform = multi_platform_rhel

# Include source function library.
. /usr/share/scap-security-guide/remediation_functions

SSSD_CONF="/etc/sssd/sssd.conf"
SSSD_PAM_SERVICES="[sssd]
services = pam"

# Only the [sssd] section matters: it runs from the "[sssd]" header up to (but
# not including) the next "[section]" header. grep and sed work line by line,
# so the section is selected with a sed address range instead of a multi-line
# regular expression.
SSSD_SECTION='/^[[:space:]]*\[sssd\][[:space:]]*$/,/^[[:space:]]*\[/'
SSSD_SERVICES_REGEX='^[[:space:]]*services[[:space:]]*='

# If there is a services line with pam, good
# If there is a services line without pam, append pam
# If not, echo an [sssd] section with a services line with pam
if sed -n "$SSSD_SECTION p" "$SSSD_CONF" | grep -qE "${SSSD_SERVICES_REGEX}.*\bpam\b"
then
    :
elif sed -n "$SSSD_SECTION p" "$SSSD_CONF" | grep -qE "$SSSD_SERVICES_REGEX"
then
    sed -i "$SSSD_SECTION s/^\([[:space:]]*services[[:space:]]*=.*\)$/\1, pam/" "$SSSD_CONF"
else
    echo "$SSSD_PAM_SERVICES" >> "$SSSD_CONF"
fi

scap-security-guide-0.1.39/shared/fixes/bash/sticky_world_writable_dirs.sh
# platform = multi_platform_rhel

# On every locally mounted file system, find world-writable directories that
# lack the sticky bit and set it. -xdev keeps find from crossing into other
# mounts; -print0/-0 keep paths containing whitespace intact; -r skips chmod
# when nothing was found.
df --local -P | awk '{if (NR!=1) print $6}' \
    | xargs -I '{}' find '{}' -xdev -type d \
        \( -perm -0002 -a ! -perm -1000 \) -print0 2>/dev/null \
    | xargs -0 -r chmod a+t

scap-security-guide-0.1.39/shared/fixes/puppet/file_permissions_sshd_private_key.pp
# platform = multi_platform_all

include ssh_private_key_perms

class ssh_private_key_perms {
  exec { 'sshd_priv_key':
    command => "chmod 0640 /etc/ssh/*_key",
    path    => '/bin:/usr/bin'
  }
}

scap-security-guide-0.1.39/shared/fixes/puppet/file_permissions_sshd_pub_key.pp
# platform = multi_platform_all

include ssh_public_key_perms

class ssh_public_key_perms {
  exec { 'sshd_pub_key':
    command => "chmod 0644 /etc/ssh/*.pub",
    path    => '/bin:/usr/bin'
  }
}

scap-security-guide-0.1.39/shared/guide/guide.benchmark
---
documentation_complete: true

title: Guide to the Secure Configuration of 

status: draft

description: |
    This guide presents a catalog of security-relevant configuration settings for .
    It is a rendering of content structured in the eXtensible Configuration Checklist
    Description Format (XCCDF) in order to support security automation. The SCAP content
    is available in the scap-security-guide package which is developed at .

    Providing system administrators with such guidance informs them how to securely
    configure systems under their control in a variety of network roles. Policy makers
    and baseline creators can use this catalog of settings, with its associated
    references to higher-level security control catalogs, in order to assist them in
    security baseline creation. This guide is a catalog, not a checklist, and
    satisfaction of every item is not likely to be possible or sensible in many
    operational scenarios. However, the XCCDF format enables granular selection and
    adjustment of settings, and their association with OVAL and OCIL content provides
    an automated checking capability. Transformations of this document, and its
    associated automated checking content, are capable of providing baselines that
    meet a diverse set of policy objectives. Some example XCCDF Profiles, which are
    selections of items that form checklists and can be used as baselines, are
    available with this guide. They can be processed, in an automated fashion, with
    tools that support the Security Content Automation Protocol (SCAP). The DISA STIG
    for , which provides required settings for US Department of Defense systems, is
    one example of a baseline created from this guidance.

notice:
    id: terms_of_use
    description: |
        Do not attempt to implement any of the settings in this guide without first
        testing them in a non-operational environment. The creators of this guidance
        assume no responsibility whatsoever for its use by other parties, and make no
        guarantees, expressed or implied, about its quality, reliability, or any other
        characteristic.

front-matter: |
    The SCAP Security Guide Project
rear-matter: |
    Red Hat and Red Hat Enterprise Linux are either registered trademarks or
    trademarks of Red Hat, Inc. in the United States and other countries. All other
    names are registered trademarks or trademarks of their respective companies.

cpes:
    - version: 0.9

scap-security-guide-0.1.39/shared/guide/intro/general-principles/general-principles.group
documentation_complete: true

title: 'General Principles'

description: |-
    The following general principles motivate much of the advice in this
    guide and should also influence any configuration decisions that are
    not explicitly covered.

scap-security-guide-0.1.39/shared/guide/intro/general-principles/principle-encrypt-transmitted-data/principle-encrypt-transmitted-data.group
documentation_complete: true

title: 'Encrypt Transmitted Data Whenever Possible'

description: |-
    Data transmitted over a network, whether wired or wireless, is susceptible
    to passive monitoring. Whenever practical solutions for encrypting such data
    exist, they should be applied. Even if data is expected to be transmitted
    only over a local network, it should still be encrypted. Encrypting
    authentication data, such as passwords, is particularly important. Networks
    of machines can and should be configured so that no unencrypted
    authentication data is ever transmitted between machines.

scap-security-guide-0.1.39/shared/guide/intro/general-principles/principle-least-privilege/principle-least-privilege.group
documentation_complete: true

title: 'Least Privilege'

description: |-
    Grant the least privilege necessary for user accounts and software to
    perform tasks. For example, sudo can be implemented to limit authorization
    to super user accounts on the system only to designated personnel. Another
    example is to limit logins on server systems to only those administrators
    who need to log into them in order to perform administration tasks. Using
    SELinux also follows the principle of least privilege: SELinux policy can
    confine software to perform only actions on the system that are
    specifically allowed. This can be far more restrictive than the actions
    permissible by the traditional Unix permissions model.

scap-security-guide-0.1.39/shared/guide/intro/general-principles/principle-minimize-software/principle-minimize-software.group
documentation_complete: true

title: 'Minimize Software to Minimize Vulnerability'

description: |-
    The simplest way to avoid vulnerabilities in software is to avoid installing
    that software. On , the RPM Package Manager (originally Red Hat Package
    Manager, abbreviated RPM) allows for careful management of the set of
    software packages installed on a system. Installed software contributes to
    system vulnerability in several ways. Packages that include setuid programs
    may provide local attackers a potential path to privilege escalation.
    Packages that include network services may give this opportunity to
    network-based attackers. Packages that include programs which are
    predictably executed by local users (e.g. after graphical login) may
    provide opportunities for trojan horses or other attack code to be run
    undetected. The number of software packages installed on a system can
    almost always be significantly pruned to include only the software for
    which there is an environmental or operational need.

scap-security-guide-0.1.39/shared/guide/intro/general-principles/principle-separate-servers/principle-separate-servers.group
documentation_complete: true

title: 'Run Different Network Services on Separate Systems'

description: |-
    Whenever possible, a server should be dedicated to serving exactly one
    network service. This limits the number of other services that can be
    compromised in the event that an attacker is able to successfully exploit
    a software flaw in one network service.

scap-security-guide-0.1.39/shared/guide/intro/general-principles/principle-use-security-tools/principle-use-security-tools.group
documentation_complete: true

title: 'Configure Security Tools to Improve System Robustness'

description: |-
    Several tools exist which can be effectively used to improve a system's
    resistance to and detection of unknown attacks. These tools can improve
    robustness against attack at the cost of relatively little configuration
    effort. In particular, this guide recommends and discusses the use of
    host-based firewalling, SELinux for protection against vulnerable services,
    and a logging and auditing infrastructure for detection of problems.

scap-security-guide-0.1.39/shared/guide/intro/how-to-use/how-to-use.group
documentation_complete: true

title: 'How to Use This Guide'

description: 'Readers should heed the following points when using the guide.'

scap-security-guide-0.1.39/shared/guide/intro/how-to-use/intro-formatting-conventions/intro-formatting-conventions.group
documentation_complete: true

title: 'Formatting Conventions'

description: |-
    Commands intended for shell execution, as well as configuration file text,
    are featured in a monospace font. Italics are used to indicate instances
    where the system administrator must substitute the appropriate information
    into a command or configuration file.

scap-security-guide-0.1.39/shared/guide/intro/how-to-use/intro-read-sections-completely/intro-read-sections-completely.group
documentation_complete: true

title: 'Read Sections Completely and in Order'

description: |-
    Each section may build on information and recommendations discussed in
    prior sections. Each section should be read and understood completely;
    instructions should never be blindly applied. Relevant discussion may occur
    after instructions for an action.

scap-security-guide-0.1.39/shared/guide/intro/how-to-use/intro-reboot-required/intro-reboot-required.group
documentation_complete: true

title: 'Reboot Required'

description: |-
    A system reboot is implicitly required after some actions in order to
    complete the reconfiguration of the system. In many cases, the changes will
    not take effect until a reboot is performed. In order to ensure that changes
    are applied properly and to test functionality, always reboot the system
    after applying a set of recommendations from this guide.

scap-security-guide-0.1.39/shared/guide/intro/how-to-use/intro-root-shell-assumed/intro-root-shell-assumed.group
documentation_complete: true

title: 'Root Shell Environment Assumed'

description: |-
    Most of the actions listed in this document are written with the assumption
    that they will be executed by the root user running the /bin/bash shell.
    Commands preceded with a hash mark (#) assume that the administrator will
    execute the commands as root, i.e. apply the command via sudo whenever
    possible, or use su to gain root privileges if sudo cannot be used.
    Commands which can be executed as a non-root user are preceded by a dollar
    sign ($) prompt.

scap-security-guide-0.1.39/shared/guide/intro/how-to-use/intro-test-non-production/intro-test-non-production.group
documentation_complete: true

title: 'Test in Non-Production Environment'

description: |-
    This guidance should always be tested in a non-production environment
    before deployment. This test environment should simulate the setup in which
    the system will be deployed as closely as possible.

scap-security-guide-0.1.39/shared/guide/intro/intro.group
documentation_complete: true

title: Introduction

description: |-
    The purpose of this guidance is to provide security configuration
    recommendations and baselines for the operating system. Recommended
    settings for the basic operating system are provided, as well as for many
    network services that the system can provide to other systems. The guide is
    intended for system administrators. Readers are assumed to possess basic
    system administration skills for Unix-like systems, as well as some
    familiarity with the product's documentation and administration
    conventions. Some instructions within this guide are complex. All
    directions should be followed completely and with understanding of their
    effects in order to avoid serious adverse effects on the system and its
    security.
scap-security-guide-0.1.39/shared/guide/services/avahi/avahi.group
documentation_complete: true

title: 'Avahi Server'

description: |-
    The Avahi daemon implements the DNS Service Discovery and Multicast DNS
    protocols, which provide service and host discovery on a network. It allows
    a system to automatically identify resources on the network, such as
    printers or web servers. This capability is also known as mDNSresponder and
    is a major part of Zeroconf networking.

scap-security-guide-0.1.39/shared/guide/services/avahi/avahi_configuration/avahi_check_ttl.rule
documentation_complete: true

prodtype: rhel7

title: 'Check Avahi Responses'' TTL Field'

description: |-
    To make Avahi ignore packets unless the TTL field is 255, edit
    /etc/avahi/avahi-daemon.conf and ensure the following line appears in the
    [server] section:

        check-response-ttl=yes

rationale: |-
    This helps to ensure that only mDNS responses from the local network are
    processed, because the TTL field in a packet is decremented from its initial
    value of 255 whenever it is routed from one network to another. Although a
    properly-configured router or firewall should not allow mDNS packets into
    the local network at all, this option provides another check to ensure they
    are not permitted.

severity: unknown

identifiers:
    cce@rhel7: 80340-3

references:
    nist: CM-7

scap-security-guide-0.1.39/shared/guide/services/avahi/avahi_configuration/avahi_configuration.group
documentation_complete: true

title: 'Configure Avahi if Necessary'

description: |-
    If your system requires the Avahi daemon, its configuration can be
    restricted to improve security. The Avahi daemon configuration file is
    /etc/avahi/avahi-daemon.conf. The following security recommendations
    should be applied to this file: See the avahi-daemon.conf(5) man page, or
    documentation at , for more detailed information about the configuration
    options.

scap-security-guide-0.1.39/shared/guide/services/avahi/avahi_configuration/avahi_disable_publishing.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Avahi Publishing'

description: |-
    To prevent other mDNS stacks from running, edit
    /etc/avahi/avahi-daemon.conf and ensure the following line appears in the
    [server] section:

        disallow-other-stacks=yes

rationale: |-
    This helps ensure that only Avahi is responsible for mDNS traffic coming
    from that port on the system.

severity: unknown

identifiers:
    cce@rhel7: 80342-9

references:
    nist: CM-7

scap-security-guide-0.1.39/shared/guide/services/avahi/avahi_configuration/avahi_ip_only.rule
documentation_complete: true

prodtype: rhel7

title: 'Serve Avahi Only via Required Protocol'

description: |-
    If you are using only IPv4, edit /etc/avahi/avahi-daemon.conf and ensure
    the following line exists in the [server] section:

        use-ipv6=no

    Similarly, if you are using only IPv6, disable IPv4 sockets with the line:

        use-ipv4=no

rationale: ""

severity: unknown

identifiers:
    cce@rhel7: 80339-5

references:
    nist: CM-7

scap-security-guide-0.1.39/shared/guide/services/avahi/avahi_configuration/avahi_prevent_port_sharing.rule
documentation_complete: true

prodtype: rhel7

title: 'Prevent Other Programs from Using Avahi''s Port'

description: |-
    To prevent other mDNS stacks from running, edit
    /etc/avahi/avahi-daemon.conf and ensure the following line appears in the
    [server] section:

        disallow-other-stacks=yes

rationale: |-
    This helps ensure that only Avahi is responsible for mDNS traffic coming
    from that port on the system.

severity: unknown

identifiers:
    cce@rhel7: 80341-1

references:
    nist: CM-7

scap-security-guide-0.1.39/shared/guide/services/avahi/avahi_configuration/avahi_restrict_published_information.rule
documentation_complete: true

prodtype: rhel7

title: 'Restrict Information Published by Avahi'

description: |-
    If it is necessary to publish some information to the network, it should
    not be joined by any extraneous information, or by information supplied by
    a non-trusted source on the system. Prevent user applications from using
    Avahi to publish services by adding or correcting the following line in the
    [publish] section:

        disable-user-service-publishing=yes

    Implement as many of the following lines as possible, to restrict the
    information published by Avahi.

        publish-addresses=no
        publish-hinfo=no
        publish-workstation=no
        publish-domain=no

    Inspect the files in the directory /etc/avahi/services/. Unless there is
    an operational need to publish information about each of these services,
    delete the corresponding file.

rationale: |-
    These options prevent publishing attempts from succeeding, and can be
    applied even if publishing is disabled entirely via disable-publishing.
    Alternatively, these can be used to restrict the types of published
    information in the event that some information must be published.

severity: unknown

identifiers:
    cce@rhel7: 80343-7

references:
    nist: CM-7

scap-security-guide-0.1.39/shared/guide/services/avahi/disable_avahi_group/disable_avahi_group.group
documentation_complete: true

title: 'Disable Avahi Server if Possible'

description: |-
    Because the Avahi daemon service keeps an open network port, it is subject
    to network attacks. Disabling it can reduce the system's vulnerability to
    such attacks.

scap-security-guide-0.1.39/shared/guide/services/avahi/disable_avahi_group/service_avahi-daemon_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Avahi Server Software'

description: ''

rationale: |-
    Because the Avahi daemon service keeps an open network port, it is subject
    to network attacks. Its functionality is convenient but is only appropriate
    if the local network can be trusted.
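The Avahi rules above each name one avahi-daemon.conf setting and the section it belongs to. As an added example that is not part of scap-security-guide, the following check audits a configuration file against all of those settings at once, honouring INI sections so that a value placed in the wrong section does not count as compliant; the sample configuration it runs against is constructed for the demonstration, not a real system's file.

```shell
#!/bin/sh
# Added example, not project code. Print the value of key $3 in section $2 of
# the INI-style file $1; the last uncommented assignment in that section wins,
# and nothing is printed when the key is absent from that section.
avahi_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ { next }                       # comment line
        /^[[:space:]]*\[[^]]*\][[:space:]]*$/ {            # [section] header
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/[]].*$/, "", sec)
            next
        }
        sec == want_sec && index($0, "=") {                # key = value
            key = $0; val = $0
            sub(/=.*$/, "", key); sub(/^[^=]*=/, "", val)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == want_key) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# Settings required by the avahi_check_ttl, avahi_prevent_port_sharing and
# avahi_restrict_published_information rules: "section key value" per line.
AVAHI_EXPECTED='server check-response-ttl yes
server disallow-other-stacks yes
publish disable-user-service-publishing yes
publish publish-addresses no
publish publish-hinfo no
publish publish-workstation no
publish publish-domain no'

# Audit file $1: print one FAIL line per deviation and return the number of
# failures, so 0 means every expected setting is present with the right value.
avahi_audit() {
    fails=0
    while read -r sec key want; do
        [ -z "$sec" ] && continue
        got=$(avahi_get "$1" "$sec" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL [%s] %s: expected %s, got %s\n' \
                "$sec" "$key" "$want" "${got:-<unset>}"
            fails=$((fails + 1))
        fi
    done <<EOF
$AVAHI_EXPECTED
EOF
    return "$fails"
}

# Stand-alone demonstration on a constructed avahi-daemon.conf: [server] is
# compliant, publish-addresses sits in the wrong section, publish-hinfo has
# the wrong value and two publish keys are missing, so 4 failures are reported.
avahi_demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
[server]
# comments and spacing around "=" are tolerated
use-ipv6=no
check-response-ttl = yes
disallow-other-stacks=yes
publish-addresses=no

[publish]
disable-user-service-publishing=yes
publish-hinfo=yes
EOF
    avahi_audit "$cfg"
    rc=$?
    printf '%d setting(s) not compliant\n' "$rc"
    rm -f "$cfg"
    return "$rc"
}

avahi_demo
```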
severity: unknown

identifiers:
    cce@rhel7: 80338-7

references:
    cis: 2.2.3
    disa: 366
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/base.group
documentation_complete: true

title: 'Base Services'

description: |-
    This section addresses the base services that are installed on a Red Hat
    Enterprise Linux 7 default installation which are not covered in other
    sections. Some of these services listen on the network and should be
    treated with particular discretion. Other services are local system
    utilities that may or may not be extraneous. In general, system services
    should be disabled if not required.

scap-security-guide-0.1.39/shared/guide/services/base/service_abrtd_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Automatic Bug Reporting Tool (abrtd)'

description: |-
    The Automatic Bug Reporting Tool (abrtd) daemon collects and reports crash
    data when an application crash is detected. Using a variety of plugins,
    abrtd can email crash reports to system administrators, log crash reports
    to files, or forward crash reports to a centralized issue tracking system
    such as RHTSupport.

rationale: |-
    Mishandling crash data could expose sensitive information about
    vulnerabilities in software executing on the system, as well as sensitive
    information from within a process's address space or registers.

severity: unknown

identifiers:
    cce@rhel7: 26872-2

references:
    disa: ""
    nist: AC-17(8),CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_acpid_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Advanced Configuration and Power Interface (acpid)'

description: |-
    The Advanced Configuration and Power Interface Daemon (acpid) dispatches
    ACPI events (such as power/reset button depressed) to userspace programs.

rationale: |-
    ACPI support is highly desirable for systems in some network roles, such as
    laptops or desktops. For other systems, such as servers, it may permit
    accidental or trivially achievable denial of service situations and
    disabling it is appropriate.

severity: unknown

identifiers:
    cce@rhel7: 80252-0

references:
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_certmonger_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Certmonger Service (certmonger)'

description: |-
    Certmonger is a D-Bus based service that attempts to simplify interaction
    with certifying authorities on networks which use public-key
    infrastructure. It is often combined with Red Hat's IPA (Identity Policy
    Audit) security information management solution to aid in the management
    of certificates.

rationale: |-
    The services provided by certmonger may be essential for systems fulfilling
    some roles in a PKI infrastructure, but its functionality is not necessary
    for many other use cases.

severity: unknown

identifiers:
    cce@rhel7: 80253-8

references:
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_cgconfig_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Control Group Config (cgconfig)'

description: |-
    Control groups allow an administrator to allocate system resources (such as
    CPU, memory, network bandwidth, etc) among a defined group (or groups) of
    processes executing on a system. The cgconfig daemon starts at boot and
    establishes the predefined control groups.

rationale: |-
    Unless control groups are used to manage system resources, running the
    cgconfig service is not necessary.

severity: unknown

identifiers:
    cce@rhel7: 80254-6

references:
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_cgred_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Control Group Rules Engine (cgred)'

description: |-
    The cgred service moves tasks into control groups according to parameters
    set in the /etc/cgrules.conf configuration file.

rationale: |-
    Unless control groups are used to manage system resources, running the
    cgred service is not necessary.

severity: unknown

identifiers:
    cce@rhel7: 80255-3

references:
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_cpupower_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable CPU Speed (cpupower)'

description: |-
    The cpupower service can adjust the clock speed of supported CPUs based
    upon the current processing load thereby conserving power and reducing
    heat.

rationale: |-
    The cpupower service is only necessary if adjusting the CPU clock speed
    provides benefit. Traditionally this has included laptops (to enhance
    battery life), but may also apply to server or desktop environments where
    conserving power is highly desirable or necessary.

severity: unknown

identifiers:
    cce@rhel7: 80256-1

references:
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_irqbalance_enabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Enable IRQ Balance (irqbalance)'

description: |-
    The irqbalance service optimizes the balance between power savings and
    performance through distribution of hardware interrupts across multiple
    processors.

rationale: |-
    In an environment with multiple processors (now common), the irqbalance
    service provides potential speedups for handling interrupt requests.

severity: unknown

identifiers:
    cce@rhel7: 80257-9

references:
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_kdump_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable KDump Kernel Crash Analyzer (kdump)'

description: |-
    The kdump service provides a kernel crash dump analyzer. It uses the kexec
    system call to boot a secondary kernel ("capture" kernel) following a
    system crash, which can load information from the crashed kernel for
    analysis.

rationale: |-
    Kernel core dumps may contain the full contents of system memory at the
    time of the crash. Kernel core dumps consume a considerable amount of disk
    space and may result in denial of service by exhausting the available space
    on the target file system partition. Unless the system is used for kernel
    development or testing, there is little need to run the kdump service.

severity: medium

identifiers:
    cce@rhel7: 80258-7

references:
    disa: 366
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    nist: AC-17(8),CM-7,CM-6(b)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "021300"

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_mdmonitor_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Software RAID Monitor (mdmonitor)'

description: |-
    The mdmonitor service is used for monitoring a software RAID array;
    hardware RAID setups do not use this service.

rationale: |-
    If software RAID monitoring is not required, there is no need to run this
    service.

severity: unknown

identifiers:
    cce@rhel7: 80259-5

references:
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_messagebus_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable D-Bus IPC Service (messagebus)'

description: |-
    D-Bus provides an IPC mechanism used by a growing list of programs, such as
    those used for Gnome, Bluetooth, and Avahi. Due to these dependencies,
    disabling D-Bus may not be practical for many systems.

rationale: |-
    If no services which require D-Bus are needed, then it can be disabled. As
    a broker for IPC between processes of different privilege levels, it could
    be a target for attack. However, disabling D-Bus is likely to be
    impractical for any system which needs to provide a graphical login
    session.

severity: unknown

identifiers:
    cce@rhel7: 80260-3

references:
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_netconsole_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Network Console (netconsole)'

description: |-
    The netconsole service is responsible for loading the netconsole kernel
    module, which logs kernel printk messages over UDP to a syslog server. This
    allows debugging of problems where disk logging fails and serial consoles
    are impractical.

rationale: |-
    The netconsole service is not necessary unless there is a need to debug
    kernel panics, which is not common.

severity: unknown

identifiers:
    cce@rhel7: 80261-1

references:
    disa: 381
    nist: AC-17(8),CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_ntpdate_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable ntpdate Service (ntpdate)'

description: |-
    The ntpdate service sets the local hardware clock by polling NTP servers
    when the system boots. It synchronizes to the NTP servers listed in
    /etc/ntp/step-tickers or /etc/ntp.conf and then sets the local hardware
    clock to the newly synchronized system time.

rationale: |-
    The ntpdate service may only be suitable for systems which are rebooted
    frequently enough that clock drift does not cause problems between
    reboots. In any event, the functionality of the ntpdate service is now
    available in the ntpd program and should be considered deprecated.

severity: unknown

identifiers:
    cce@rhel7: 80262-9

references:
    disa: 382
    nist: AC-17(8),CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_oddjobd_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Odd Job Daemon (oddjobd)'

description: |-
    The oddjobd service exists to provide an interface and access control
    mechanism through which specified privileged tasks can run tasks for
    unprivileged client applications. Communication with oddjobd occurs through
    the system message bus.

rationale: |-
    The oddjobd service may provide necessary functionality in some
    environments, and can be disabled if it is not needed. Execution of tasks
    by privileged programs, on behalf of unprivileged ones, has traditionally
    been a source of privilege escalation security issues.

severity: unknown

identifiers:
    cce@rhel7: 80263-7

references:
    disa: 381
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_portreserve_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Portreserve (portreserve)'

description: |-
    The portreserve service is a TCP port reservation utility that can be used
    to prevent portmap from binding to well known TCP ports that are required
    for other services.

rationale: |-
    The portreserve service provides helpful functionality by preventing
    conflicting usage of ports in the reserved port range, but it can be
    disabled if not needed.

severity: unknown

identifiers:
    cce@rhel7: 80264-5

references:
    nist: AC-17(8),CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_psacct_enabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Enable Process Accounting (psacct)'

description: |-
    The process accounting service, psacct, works with programs including acct
    and ac to allow system administrators to view user activity, such as
    commands issued by users of the system.

rationale: |-
    The psacct service can provide administrators a convenient view into some
    user activities. However, it should be noted that the auditing system and
    its audit records provide more authoritative and comprehensive records.

severity: unknown

identifiers:
    cce@rhel7: 80265-2

references:
    nist: AU-12,CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/base/service_qpidd_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Apache Qpid (qpidd)'

description: |-
    The qpidd service provides high speed, secure, guaranteed delivery
    services. It is an implementation of the Advanced Message Queuing Protocol.
    By default the qpidd service will bind to port 5672 and listen for
    connection attempts.

rationale: |-
    The qpidd service is automatically installed when the "base" package
    selection is selected during installation. The qpidd service listens for
    network connections, which increases the attack surface of the system. If
    the system is not intended to receive AMQP traffic, then the qpidd service
    is not needed and should be disabled or removed.
severity: unknown identifiers: cce@rhel7: 80266-0 references: disa: 382 nist: AC-17(8),CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/services/base/service_quota_nld_disabled.rule000066400000000000000000000017131327242345500310310ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable Quota Netlink (quota_nld)' description: |- The quota_nld service provides notifications to users of disk space quota violations. It listens to the kernel via a netlink socket for disk quota violations and notifies the appropriate user of the violation using D-Bus or by sending a message to the terminal that the user has last accessed. rationale: |- If disk quotas are enforced on the local system, then the quota_nld service likely provides useful functionality and should remain enabled. However, if disk quotas are not used or user notification of disk quota violation is not desired then there is no need to run this service. severity: unknown identifiers: cce@rhel7: 80267-8 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/services/base/service_rdisc_disabled.rule000066400000000000000000000017061327242345500301510ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable Network Router Discovery Daemon (rdisc)' description: |- The rdisc service implements the client side of the ICMP Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. rationale: |- General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information. 
severity: unknown identifiers: cce@rhel7: 80268-6 references: disa: 382 nist: AC-17(8),AC-4,CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/services/base/service_rhnsd_disabled.rule000066400000000000000000000017031327242345500301600ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable Red Hat Network Service (rhnsd)' description: |- The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. rationale: |- Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the rhnsd daemon can remain on. severity: unknown identifiers: cce@rhel7: 80269-4 references: cis: 1.2.5 disa: 382 nist: AC-17(8),CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/services/base/service_rhsmcertd_disabled.rule000066400000000000000000000015561327242345500310430ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable Red Hat Subscription Manager Daemon (rhsmcertd)' description: |- The Red Hat Subscription Manager (rhsmcertd) periodically checks for changes in the entitlement certificates for a registered system and updates it accordingly. rationale: |- The rhsmcertd service can provide administrators with some additional control over which of their systems are entitled to particular subscriptions. However, for systems that are managed locally or which are not expected to require remote changes to their subscription status, it is unnecessary and can be disabled. 
severity: unknown identifiers: cce@rhel7: 80270-2 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/services/base/service_saslauthd_disabled.rule000066400000000000000000000017701327242345500310360ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable Cyrus SASL Authentication Daemon (saslauthd)' description: |- The saslauthd service handles plaintext authentication requests on behalf of the SASL library. The service isolates all code requiring superuser privileges for SASL authentication into a single process, and can also be used to provide proxy authentication services to clients that do not understand SASL based authentication. rationale: |- The saslauthd service provides essential functionality for performing authentication in some directory environments, such as those which use Kerberos and LDAP. For others, however, in which only local files may be consulted, it is not necessary and should be disabled. severity: unknown identifiers: cce@rhel7: 80271-0 references: nist: AC-17(8),CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/services/base/service_smartd_disabled.rule000066400000000000000000000013571327242345500303410ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable SMART Disk Monitoring Service (smartd)' description: |- SMART (Self-Monitoring, Analysis, and Reporting Technology) is a feature of hard drives that allows them to detect symptoms of disk failure and relay an appropriate warning. rationale: |- SMART can help protect against denial of service due to failing hardware. Nevertheless, if it is not needed or the system's drives are not SMART-capable (such as solid state drives), it can be disabled. 
severity: unknown identifiers: cce@rhel7: 80272-8 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/services/base/service_sysstat_disabled.rule000066400000000000000000000014411327242345500305530ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable System Statistics Reset Service (sysstat)' description: |- The sysstat service resets various I/O and CPU performance statistics to zero in order to begin counting from a fresh state at boot time. rationale: |- By default the sysstat service merely runs a program at boot to reset the statistics, which can be retrieved using programs such as sar and sadc. These may provide useful insight into system operation, but unless used this service can be disabled. severity: unknown identifiers: cce@rhel7: 80273-6 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/services/cron_and_at/000077500000000000000000000000001327242345500241365ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/cron_and_at/cron_and_at.group000066400000000000000000000005651327242345500274710ustar00rootroot00000000000000documentation_complete: true title: 'Cron and At Daemons' description: |- The cron and at services are used to allow commands to be executed at a later time. The cron service is required by almost all systems to perform necessary maintenance tasks, while at may or may not be required on a given system. Both daemons should be configured defensively. scap-security-guide-0.1.39/shared/guide/services/cron_and_at/disable_anacron.rule000066400000000000000000000014451327242345500301370ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,fedora title: 'Disable anacron Service' description: "The cronie-anacron package, which provides anacron\nfunctionality, is installed by default. 
\n" rationale: |- The anacron service provides cron functionality for systems such as laptops and workstations that may be shut down during the normal times that cron jobs are scheduled to run. On systems which do not require this additional functionality, anacron could needlessly increase the possible attack surface for an intruder. severity: unknown identifiers: cce@rhel7: 80344-5 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/services/cron_and_at/restrict_at_cron_users/000077500000000000000000000000001327242345500307235ustar00rootroot00000000000000file_groupowner_cron_allow.rule000066400000000000000000000012441327242345500371630ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/cron_and_at/restrict_at_cron_usersdocumentation_complete: true prodtype: rhel7 title: 'Verify Group Who Owns /etc/cron.allow file' description: |- If /etc/cron.allow exists, it must be group-owned by root. rationale: |- If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. severity: medium identifiers: cce@rhel7: 80379-1 references: disa: 366 nist: AC-6 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "021120" ocil: '' file_owner_cron_allow.rule000066400000000000000000000012231327242345500361030ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/cron_and_at/restrict_at_cron_usersdocumentation_complete: true prodtype: rhel7 title: 'Verify User Who Owns /etc/cron.allow file' description: |- If /etc/cron.allow exists, it must be owned by root. rationale: |- If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. 
severity: medium identifiers: cce@rhel7: 80378-3 references: disa: 366 nist: AC-6 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "021110" ocil: '' restrict_at_cron_users.group000066400000000000000000000026261327242345500365150ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/cron_and_at/restrict_at_cron_usersdocumentation_complete: true title: 'Restrict at and cron to Authorized Users if Necessary' description: |- The /etc/cron.allow and /etc/at.allow files contain lists of users who are allowed to use cron and at to delay execution of processes. If these files exist and if the corresponding files /etc/cron.deny and /etc/at.deny do not exist, then only users listed in the relevant allow files can run the crontab and at commands to submit jobs to be run at scheduled intervals. On many systems, only the system administrator needs the ability to schedule jobs. Note that even if a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file controls only administrative access to the crontab command for scheduling and modifying cron jobs.

To restrict at and cron to only authorized users:
  • Remove the cron.deny file:
    $ sudo rm /etc/cron.deny
  • Edit /etc/cron.allow, adding one line for each user allowed to use the crontab command to create cron jobs.
  • Remove the at.deny file:
    $ sudo rm /etc/at.deny
  • Edit /etc/at.allow, adding one line for each user allowed to use the at command to create at jobs.
# File: scap-security-guide-0.1.39/shared/guide/services/cron_and_at/service_atd_disabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable At Service (atd)'
description: |-
    The at and batch commands can be used to schedule tasks that are meant to be
    executed only once. This allows delayed execution in a manner similar to
    cron, except that it is not recurring. The daemon atd keeps track of tasks
    scheduled via at and batch, and executes them at the specified time.
rationale: |-
    The atd service could be used by an unsophisticated insider to carry out
    activities outside of a normal login session, which could complicate
    accountability. Furthermore, the need to schedule tasks with at or batch is
    not common.
severity: unknown
identifiers:
    cce@rhel7: 80345-2
references:
    disa: 381
    nist: CM-7
ocil: ''

# File: scap-security-guide-0.1.39/shared/guide/services/cron_and_at/service_crond_enabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Enable cron Service'
description: |-
    The crond service is used to execute commands at preconfigured times. It is
    required by almost all systems to perform necessary maintenance tasks, such
    as notifying root of system activity.
rationale: |-
    Due to its usage for maintenance and security-supporting tasks, enabling the
    cron daemon is essential.
severity: medium
identifiers:
    cce@rhel7: 27323-5
references:
    cis: 5.1.1
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: CM-7
ocil: ''

# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/dhcp.group
documentation_complete: true
title: DHCP
description: |-
    The Dynamic Host Configuration Protocol (DHCP) allows systems to request and
    obtain an IP address and other configuration parameters from a server.

    This guide recommends configuring networking on clients by manually editing
    the appropriate files under /etc/sysconfig. Use of DHCP can make client
    systems vulnerable to compromise by rogue DHCP servers, and should be avoided
    unless necessary. If using DHCP is necessary, however, there are best
    practices that should be followed to minimize security risk.

# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/dhcp_client_configuration/dhcp_client_configuration.group
documentation_complete: true
title: 'Configure DHCP Client if Necessary'
description: |-
    If DHCP must be used, then certain configuration changes can minimize the
    amount of information it receives and applies from the network, and thus the
    amount of incorrect information a rogue DHCP server could successfully
    distribute. For more information on configuring dhclient, see the
    dhclient(8) and dhclient.conf(5) man pages.

# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/dhcp_client_configuration/dhcp_client_restrict_options/dhcp_client_restrict_options.group
documentation_complete: true
title: 'Minimize the DHCP-Configured Options'
description: |-
    Create the file /etc/dhcp/dhclient.conf, and add an appropriate setting for
    each of the ten configuration settings which can be obtained via DHCP. For
    each setting, do one of the following:
    If the setting should not be configured remotely by the DHCP server, select
    an appropriate static value, and add the line:
        supersede setting value;
    If the setting should be configured remotely by the DHCP server, add the
    lines:
        request setting;
        require setting;
    For example, suppose the DHCP server should provide only the IP address
    itself and the subnet mask. Then the entire file should look like:
        supersede domain-name "example.com";
        supersede domain-name-servers 192.168.1.2;
        supersede nis-domain "";
        supersede nis-servers "";
        supersede ntp-servers "ntp.example.com";
        supersede routers 192.168.1.1;
        supersede time-offset -18000;
        request subnet-mask;
        require subnet-mask;
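As an added example (not part of the SCAP Security Guide content above), the following shell function audits a dhclient.conf against the rule just described: every DHCP-supplied setting must be either pinned with `supersede` or appear in both a `request` and a `require` statement. It checks the seven superseded settings listed above plus subnet-mask, accepts the comma-separated `request`/`require` lists that dhclient.conf also allows, and ignores commented-out lines. Both configuration files are constructed samples written to temporary files.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide: audit a dhclient.conf for the
# "Minimize the DHCP-Configured Options" rule. A setting passes if it is pinned
# with "supersede <setting> ...;" or appears in both a "request" and a "require"
# statement. Commented-out lines are ignored. Prints one line per finding and
# returns 1 if any finding was made.

# the settings named in the rule (the seven superseded ones plus subnet-mask)
DHCP_SETTINGS="domain-name domain-name-servers nis-domain nis-servers ntp-servers routers time-offset subnet-mask"

# statements of the file with comments stripped and whitespace squeezed
dhclient_stmts() {
    sed -e 's/#.*$//' "$1" | tr -s ' \t' ' '
}

# does $2 contain a "$1" statement (request or require) naming setting $3?
# dhclient.conf allows comma-separated lists: "request subnet-mask, routers;"
has_list_stmt() {
    printf '%s\n' "$2" | grep -Eq "^ *$1 +([^;]*[, ])?$3 *[,;]"
}

audit_dhclient_conf() {
    conf=$1
    rc=0
    stmts=$(dhclient_stmts "$conf")
    for s in $DHCP_SETTINGS; do
        # "supersede domain-name ..." must not satisfy "domain-name-servers" and
        # vice versa, hence the trailing space-or-semicolon in the pattern
        if printf '%s\n' "$stmts" | grep -Eq "^ *supersede +$s( |;)"; then
            continue
        fi
        if has_list_stmt request "$stmts" "$s" && has_list_stmt require "$stmts" "$s"; then
            continue
        fi
        echo "$conf: '$s' is neither superseded nor both requested and required"
        rc=1
    done
    return $rc
}

# --- constructed sample files (not real system configuration) ----------------
GOOD_DHCLIENT=$(mktemp)
cat > "$GOOD_DHCLIENT" <<'EOF'
# constructed sample: the DHCP server may supply only the address and subnet mask
supersede domain-name "example.com";
supersede domain-name-servers 192.168.1.2;
supersede nis-domain "";
supersede nis-servers "";
supersede ntp-servers "ntp.example.com";
supersede routers 192.168.1.1;
supersede time-offset -18000;
request subnet-mask;
require subnet-mask;
EOF

BAD_DHCLIENT=$(mktemp)
cat > "$BAD_DHCLIENT" <<'EOF'
# constructed sample: routers only commented out, ntp-servers requested but not required
# supersede routers 192.168.1.1;
supersede domain-name "example.com";
supersede domain-name-servers 192.168.1.2;
supersede nis-domain "";
supersede nis-servers "";
supersede time-offset -18000;
request ntp-servers, subnet-mask;
require subnet-mask;
EOF

trap 'rm -f "$GOOD_DHCLIENT" "$BAD_DHCLIENT"' EXIT

for f in "$GOOD_DHCLIENT" "$BAD_DHCLIENT"; do
    if audit_dhclient_conf "$f"; then
        echo "$f: compliant"
    fi
done
```

Run against the real file with `audit_dhclient_conf /etc/dhcp/dhclient.conf`; the bad sample above produces two findings (routers and ntp-servers), the good one none.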
# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/dhcp_server_configuration/dhcp_server_configuration.group
documentation_complete: true
title: 'Disable DHCP Server'
description: |-
    If the system must act as a DHCP server, the configuration information it
    serves should be minimized. Also, support for other protocols and
    DNS-updating schemes should be explicitly disabled unless needed. The
    configuration file for dhcpd is called /etc/dhcp/dhcpd.conf. The file begins
    with a number of global configuration options. The remainder of the file is
    divided into sections, one for each block of addresses offered by dhcpd,
    each of which contains configuration options specific to that address block.

# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/dhcp_server_configuration/dhcp_server_configure_logging.rule
documentation_complete: true
prodtype: rhel7
title: 'Configure Logging'
description: |-
    Ensure that the following line exists in /etc/rsyslog.conf:
        daemon.*           /var/log/daemon.log
    Configure logwatch or other log monitoring tools to summarize error
    conditions reported by the dhcpd process.
rationale: |-
    By default, dhcpd logs notices to the daemon facility. Sending all daemon
    messages to a dedicated log file is part of the syslog configuration
    outlined in the Logging and Auditing section.
severity: unknown
identifiers:
    cce@rhel7: 80336-1
references:
    nist: AU-12

# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/dhcp_server_configuration/dhcp_server_deny_bootp.rule
documentation_complete: true
prodtype: rhel7
title: 'Deny BOOTP Queries'
description: |-
    Unless your network needs to support older BOOTP clients, disable support
    for the bootp protocol by adding or correcting the global option:
        deny bootp;
rationale: |-
    The bootp option tells dhcpd to respond to BOOTP queries. If support for
    this simpler protocol is not needed, it should be disabled to remove attack
    vectors against the DHCP server.
severity: unknown
identifiers:
    cce@rhel7: 80334-6
references:
    nist: CM-7

# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/dhcp_server_configuration/dhcp_server_deny_decline.rule
documentation_complete: true
prodtype: rhel7
title: 'Deny Decline Messages'
description: |-
    Edit /etc/dhcp/dhcpd.conf and add or correct the following global option to
    prevent the DHCP server from responding to DHCPDECLINE messages, if possible:
        deny declines;
rationale: |-
    The DHCPDECLINE message can be sent by a DHCP client to indicate that it
    does not consider the lease offered by the server to be valid. By issuing
    many DHCPDECLINE messages, a malicious client can exhaust the DHCP server's
    pool of IP addresses, causing the DHCP server to forget old address
    allocations.
severity: unknown
identifiers:
    cce@rhel7: 80333-8
references:
    nist: CM-7

# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/dhcp_server_configuration/dhcp_server_disable_ddns.rule
documentation_complete: true
prodtype: rhel7
title: 'Do Not Use Dynamic DNS'
description: |-
    To prevent the DHCP server from receiving DNS information from clients,
    edit /etc/dhcp/dhcpd.conf, and add or correct the following global option:
        ddns-update-style none;
rationale: |-
    The Dynamic DNS protocol is used to remotely update the data served by a DNS
    server. DHCP servers can use Dynamic DNS to publish information about their
    clients. This setup carries security risks, and its use is not recommended.
    If Dynamic DNS must be used despite the risks it poses, it is critical that
    Dynamic DNS transactions be protected using TSIG or some other cryptographic
    authentication mechanism. See dhcpd.conf(5) for more information about
    protecting the DHCP server from passing along malicious DNS data from its
    clients.
severity: unknown
identifiers:
    cce@rhel7: 80332-0
references:
    nist: CM-7

# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/dhcp_server_configuration/dhcp_server_minimize_served_info/dhcp_server_minimize_served_info.group
documentation_complete: true
title: 'Minimize Served Information'
description: |-
    Edit /etc/dhcp/dhcpd.conf. Examine each address range section within the
    file, and ensure that the following options are not defined unless there is
    an operational need to provide this information via DHCP:
        option domain-name
        option domain-name-servers
        option nis-domain
        option nis-servers
        option ntp-servers
        option routers
        option time-offset
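The following shell function is an added example, not part of the SCAP Security Guide, that checks one dhcpd.conf against the four server rules above in one pass: the global scope must contain `deny bootp;`, `deny declines;` and `ddns-update-style none;`, and any of the seven served-information options found inside an address block is reported. It tracks brace depth with awk and assumes one directive per line; the two dhcpd.conf files are constructed samples.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide: audit a dhcpd.conf for the
# server hardening rules above. Global scope (brace depth 0) must contain
# "deny bootp;", "deny declines;" and "ddns-update-style none;"; inside any
# block (subnet, pool, host, ...) the options the guide says not to serve are
# reported. Assumes one directive per line. Prints findings, returns 1 if any.
audit_dhcpd_conf() {
    awk '
    { sub(/#.*/, ""); line = $0 }                     # drop comments
    depth == 0 && line ~ /^[ \t]*deny[ \t]+bootp[ \t]*;/             { bootp = 1 }
    depth == 0 && line ~ /^[ \t]*deny[ \t]+declines[ \t]*;/          { declines = 1 }
    depth == 0 && line ~ /^[ \t]*ddns-update-style[ \t]+none[ \t]*;/ { ddns = 1 }
    depth > 0 && line ~ /^[ \t]*option[ \t]+(domain-name|domain-name-servers|nis-domain|nis-servers|ntp-servers|routers|time-offset)[ \t;]/ {
        sub(/^[ \t]+/, "", line)
        printf "%s:%d: served option inside address block: %s\n", FILENAME, NR, line
        bad = 1
    }
    # update the brace depth only after the checks for this line
    { depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line) }
    END {
        if (!bootp)    { print FILENAME ": missing global \"deny bootp;\"";             bad = 1 }
        if (!declines) { print FILENAME ": missing global \"deny declines;\"";          bad = 1 }
        if (!ddns)     { print FILENAME ": missing global \"ddns-update-style none;\""; bad = 1 }
        exit bad ? 1 : 0
    }' "$1"
}

# --- constructed sample files (not real system configuration) ----------------
GOOD_DHCPD=$(mktemp)
cat > "$GOOD_DHCPD" <<'EOF'
# constructed sample: hardened globals, only the mask served to the subnet
ddns-update-style none;
deny bootp;
deny declines;
default-lease-time 600;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option subnet-mask 255.255.255.0;
}
EOF

BAD_DHCPD=$(mktemp)
cat > "$BAD_DHCPD" <<'EOF'
# constructed sample: dynamic DNS left on, BOOTP not denied, router and DNS pushed
ddns-update-style interim;
deny declines;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.2;
}
EOF

trap 'rm -f "$GOOD_DHCPD" "$BAD_DHCPD"' EXIT

for f in "$GOOD_DHCPD" "$BAD_DHCPD"; do
    if audit_dhcpd_conf "$f"; then
        echo "$f: compliant"
    fi
done
```

On a real server run `audit_dhcpd_conf /etc/dhcp/dhcpd.conf`. The bad sample yields four findings: two served options inside the subnet block plus the missing `deny bootp;` and `ddns-update-style none;` globals. A served option that is genuinely needed is still reported; the rule's "operational need" exception is a judgement the script cannot make.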
# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/disabling_dhcp_client/disabling_dhcp_client.group
documentation_complete: true
title: 'Disable DHCP Client'
description: |-
    DHCP is the default network configuration method provided by the system
    installer, and common on many networks. Nevertheless, manual management of
    IP addresses for systems implies a greater degree of management and
    accountability for network activity.

# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable DHCP Client'
description: |-
    For each interface on the system (e.g. eth0), edit
    /etc/sysconfig/network-scripts/ifcfg-interface and make the following
    changes:
      • Correct the BOOTPROTO line to read:
            BOOTPROTO=none
      • Add or correct the following lines, substituting the appropriate values
        based on your site's addressing scheme:
            NETMASK=255.255.255.0
            IPADDR=192.168.1.2
            GATEWAY=192.168.1.1
rationale: |-
    DHCP relies on trusting the local network. If the local network is not
    trusted, then it should not be used. However, the automatic configuration
    provided by DHCP is commonly used and the alternative, manual configuration,
    presents an unacceptable burden in many circumstances.
severity: unknown
identifiers:
    cce@rhel7: 80337-9
references:
    disa: 366
    nist: CM-7
ocil_clause: 'it does not'
ocil: |-
    To verify that DHCP is not being used, examine the following file for each
    interface:
        # /etc/sysconfig/network-scripts/ifcfg-interface
    Look for the following:
        BOOTPROTO=none
    and the following, substituting the appropriate values based on your site's
    addressing scheme:
        NETMASK=255.255.255.0
        IPADDR=192.168.1.2
        GATEWAY=192.168.1.1
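The OCIL check above, automated as an added example (not the guide's own check): a shell function that audits every ifcfg-* file in a network-scripts directory, skipping the loopback interface, for `BOOTPROTO=none` and a static address. It also accepts `PREFIX` in place of `NETMASK`, which the RHEL initscripts allow, and strips quotes around values; GATEWAY is not required per file because it may instead be set globally in /etc/sysconfig/network. The three ifcfg files are constructed samples in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the SCAP Security Guide: audit the ifcfg-* files in a
# network-scripts directory for the "Disable DHCP Client" rule. Every interface
# except the loopback must have BOOTPROTO=none and a static address (IPADDR plus
# NETMASK or PREFIX). Prints one line per finding, returns 1 if any interface fails.

# value of KEY ($1) in ifcfg file $2: last occurrence wins, quotes stripped
ifcfg_value() {
    grep -E "^[[:space:]]*$1=" "$2" | tail -n 1 | cut -d= -f2- | tr -d "\"' \t"
}

audit_ifcfg_file() {
    f=$1
    frc=0
    proto=$(ifcfg_value BOOTPROTO "$f")
    if [ "$proto" != "none" ]; then
        echo "$f: BOOTPROTO is '${proto:-unset}', expected none"
        frc=1
    fi
    if [ -z "$(ifcfg_value IPADDR "$f")" ]; then
        echo "$f: IPADDR not set"
        frc=1
    fi
    if [ -z "$(ifcfg_value NETMASK "$f")" ] && [ -z "$(ifcfg_value PREFIX "$f")" ]; then
        echo "$f: neither NETMASK nor PREFIX set"
        frc=1
    fi
    return $frc
}

audit_ifcfg_dir() {
    drc=0
    for cfg in "$1"/ifcfg-*; do
        [ -f "$cfg" ] || continue
        case "$cfg" in */ifcfg-lo) continue ;; esac   # loopback never uses DHCP
        audit_ifcfg_file "$cfg" || drc=1
    done
    return $drc
}

# --- constructed sample directory (not real system configuration) ------------
IFCFG_DIR=$(mktemp -d)
cat > "$IFCFG_DIR/ifcfg-lo" <<'EOF'
DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
ONBOOT=yes
EOF
cat > "$IFCFG_DIR/ifcfg-eth0" <<'EOF'
# constructed sample: statically configured, as the rule requires
DEVICE=eth0
BOOTPROTO=none
IPADDR=192.168.1.2
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
ONBOOT=yes
EOF
cat > "$IFCFG_DIR/ifcfg-eth1" <<'EOF'
# constructed sample: still relying on DHCP
DEVICE=eth1
BOOTPROTO="dhcp"
ONBOOT=yes
EOF
trap 'rm -rf "$IFCFG_DIR"' EXIT

if audit_ifcfg_dir "$IFCFG_DIR"; then
    echo "$IFCFG_DIR: all interfaces statically configured"
fi
```

On a live system call `audit_ifcfg_dir /etc/sysconfig/network-scripts`. In the sample, eth0 passes and eth1 produces three findings (BOOTPROTO, IPADDR, NETMASK/PREFIX).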
# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/disabling_dhcp_server/disabling_dhcp_server.group
documentation_complete: true
title: 'Disable DHCP Server'
description: |-
    The DHCP server dhcpd is not installed or activated by default. If the
    software was installed and activated, but the system does not need to act as
    a DHCP server, it should be disabled and removed.

# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/disabling_dhcp_server/package_dhcp_removed.rule
documentation_complete: true
prodtype: rhel7
title: 'Uninstall DHCP Server Package'
description: |-
    If the system does not need to act as a DHCP server, the dhcp package can be
    uninstalled.
rationale: |-
    Removing the DHCP server ensures that it cannot be easily or accidentally
    reactivated and disrupt network operation.
severity: medium
identifiers:
    cce@rhel7: 80331-2
references:
    disa: 366
    nist: CM-7
ocil: ''

# File: scap-security-guide-0.1.39/shared/guide/services/dhcp/disabling_dhcp_server/service_dhcpd_disabled.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable DHCP Service'
description: |-
    The dhcpd service should be disabled on any system that does not need to
    act as a DHCP server.
rationale: |-
    Unmanaged or unintentionally activated DHCP servers may provide faulty
    information to clients, interfering with the operation of a legitimate site
    DHCP server if there is one.
severity: medium
identifiers:
    cce@rhel7: 80330-4
references:
    cis: 2.2.5
    disa: 366
    nist: CM-7
ocil: ''

# File: scap-security-guide-0.1.39/shared/guide/services/dns/disabling_dns_server/disabling_dns_server.group
documentation_complete: true
title: 'Disable DNS Server'
description: |-
    DNS software should be disabled on any system which does not need to be a
    nameserver. Note that the BIND DNS server software is not installed on Red
    Hat Enterprise Linux 7 by default. The remainder of this section discusses
    secure configuration of systems which must be nameservers.

# File: scap-security-guide-0.1.39/shared/guide/services/dns/disabling_dns_server/package_bind_removed.rule
documentation_complete: true
prodtype: rhel7
title: 'Uninstall bind Package'
description: |-
    To remove the bind package, which contains the named service, run the
    following command:
        $ sudo yum erase bind
rationale: |-
    If there is no need to make DNS server software available, removing it
    provides a safeguard against its activation.
severity: unknown
identifiers:
    cce@rhel7: 80326-2
references:
    disa: 366
    nist: CM-7
ocil: ''

# File: scap-security-guide-0.1.39/shared/guide/services/dns/disabling_dns_server/service_named_disabled.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable DNS Server'
description: ''
rationale: |-
    All network services involve some risk of compromise due to implementation
    flaws and should be disabled if possible.
severity: unknown
identifiers:
    cce@rhel7: 80325-4
references:
    cis: 2.2.8
    disa: 366
    nist: CM-7
ocil: ''

# File: scap-security-guide-0.1.39/shared/guide/services/dns/dns.group
documentation_complete: true
title: 'DNS Server'
description: |-
    Most organizations have an operational need to run at least one nameserver.
    However, there are many common attacks involving DNS server software, and
    this server software should be disabled on any system on which it is not
    needed.

# File: scap-security-guide-0.1.39/shared/guide/services/dns/dns_server_isolation/dns_server_chroot/dns_server_chroot.group
documentation_complete: true
title: 'Run DNS Software in a chroot Jail'
description: |-
    Install the bind-chroot package:
        $ sudo yum install bind-chroot
    Place a valid named.conf file inside the chroot jail:
        $ sudo cp /etc/named.conf /var/named/chroot/etc/named.conf
        $ sudo chown root:root /var/named/chroot/etc/named.conf
        $ sudo chmod 644 /var/named/chroot/etc/named.conf
    Create and populate an appropriate zone directory within the jail, based on
    the options directive. If your named.conf includes:
        options {
          directory "/path/to/DIRNAME";
          ...
        }
    then copy that directory and its contents from the original zone directory:
        $ sudo cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME
    Add or correct the following line within /etc/sysconfig/named:
        ROOTDIR=/var/named/chroot
scap-security-guide-0.1.39/shared/guide/services/dns/dns_server_isolation/dns_server_dedicated/dns_server_dedicated.group
documentation_complete: true

title: 'Run DNS Software on Dedicated Servers'

description: |-
    Since DNS is a high-risk service which must frequently be made available to
    the entire Internet, it is strongly recommended that no other services be
    offered by systems which act as organizational DNS servers.

scap-security-guide-0.1.39/shared/guide/services/dns/dns_server_isolation/dns_server_isolation.group
documentation_complete: true

title: 'Isolate DNS from Other Services'

description: |-
    This section discusses mechanisms for preventing the DNS server from
    interfering with other services. This is done both to protect the remainder
    of the network should a nameserver be compromised, and to make direct
    attacks on nameservers more difficult.

scap-security-guide-0.1.39/shared/guide/services/dns/dns_server_protection/dns_server_authenticate_zone_transfers.rule
documentation_complete: true

prodtype: rhel7

title: 'Authenticate Zone Transfers'

description: |-
    If it is necessary for a secondary nameserver to receive zone data via zone
    transfer from the primary server, follow the instructions here. Use
    dnssec-keygen to create a symmetric key file in the current directory:
    $ cd /tmp
    $ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com
    Kdns.example.com.+aaa+iiiii
    This output is the name of a file containing the new key. Read the file to
    find the base64-encoded key string:
    $ sudo cat Kdns.example.com.+NNN+MMMMM.key
    dns.example.com IN KEY 512 3 157 base64-key-string
    Add the directives to /etc/named.conf on the primary server:
    key zone-transfer-key {
      algorithm hmac-md5;
      secret "base64-key-string";
    };
    zone "example.com" IN {
      type master;
      allow-transfer { key zone-transfer-key; };
      ...
    };
    Add the directives below to /etc/named.conf on the secondary nameserver:
    key zone-transfer-key {
      algorithm hmac-md5;
      secret "base64-key-string";
    };

    server IP-OF-MASTER {
      keys { zone-transfer-key; };
    };

    zone "example.com" IN {
      type slave;
      masters { IP-OF-MASTER; };
      ...
    };

rationale: |-
    The BIND transaction signature (TSIG) functionality allows primary and
    secondary nameservers to use a shared secret to verify authorization to
    perform zone transfers. This method is more secure than using IP-based
    limiting to restrict nameserver access, since IP addresses can be easily
    spoofed. However, if you cannot configure TSIG between your servers
    because, for instance, the secondary nameserver is not under your control
    and its administrators are unwilling to configure TSIG, you can configure
    an allow-transfer directive with numerical IP addresses or ACLs as a last
    resort.

severity: unknown

identifiers:
    cce@rhel7: 80328-8

references:
    nist: CM-7

scap-security-guide-0.1.39/shared/guide/services/dns/dns_server_protection/dns_server_disable_dynamic_updates.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Dynamic Updates'

description: |-
    Is there a mission-critical reason to enable the risky dynamic update
    functionality? If not, edit /etc/named.conf. For each zone specification,
    correct the following directive if necessary:
    zone "example.com" IN {
      allow-update { none; };
      ...
    };

rationale: |-
    Dynamic updates allow remote servers to add, delete, or modify any entries
    in your zone file. Therefore, they should be considered highly risky, and
    disabled unless there is a very good reason for their use. If dynamic
    updates must be allowed, IP-based ACLs are insufficient protection, since
    they are easily spoofed. Instead, use TSIG keys (see the previous section
    for an example), and consider using the update-policy directive to restrict
    changes to only the precise type of change needed.

severity: unknown

identifiers:
    cce@rhel7: 80329-6

scap-security-guide-0.1.39/shared/guide/services/dns/dns_server_protection/dns_server_disable_zone_transfers.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Zone Transfers from the Nameserver'

description: |-
    Is it necessary for a secondary nameserver to receive zone data via zone
    transfer from the primary server? If not, follow the instructions in this
    section. If so, see the next section for instructions on protecting zone
    transfers. Add or correct the following directive within /etc/named.conf:
    options {
      allow-transfer { none; };
      ...
    };

rationale: |-
    If both the primary and secondary nameserver are under your control, or if
    you have only one nameserver, it may be possible to use an external
    configuration management mechanism to distribute zone updates. In that
    case, it is not necessary to allow zone transfers within BIND itself, so
    they should be disabled to avoid the potential for abuse.

severity: unknown

identifiers:
    cce@rhel7: 80327-0

scap-security-guide-0.1.39/shared/guide/services/dns/dns_server_protection/dns_server_partition_with_views/dns_server_partition_with_views.group
documentation_complete: true

title: 'Use Views to Partition External and Internal Information'

description: |-
    If it is not possible to run external and internal nameservers on separate
    physical systems, run BIND9 and simulate this feature using views. Edit
    /etc/named.conf. Add or correct the following directives (where SUBNET is
    the numerical IP representation of your organization in the form
    xxx.xxx.xxx.xxx/xx):
    acl internal {
      SUBNET;
      localhost;
    };
    view "internal-view" {
      match-clients { internal; };
      zone "." IN {
        type hint;
        file "db.cache";
      };
      zone "internal.example.com" IN {
        ...
      };
    };

    view "external-view" {
      match-clients { any; };
      recursion no;
      zone "example.com" IN {
        ...
      };
    };

scap-security-guide-0.1.39/shared/guide/services/dns/dns_server_protection/dns_server_protection.group
documentation_complete: true

title: 'Protect DNS Data from Tampering or Attack'

description: |-
    This section discusses DNS configuration options which make it more
    difficult for attackers to gain access to private DNS data or to modify
    DNS data.

scap-security-guide-0.1.39/shared/guide/services/dns/dns_server_protection/dns_server_separate_internal_external/dns_server_separate_internal_external.group
documentation_complete: true

title: 'Run Separate DNS Servers for External and Internal Queries'

description: |-
    Is it possible to run external and internal nameservers on separate
    systems? If so, follow the configuration guidance in this section. On the
    external nameserver, edit /etc/named.conf to add or correct the following
    directives:
    options {
      allow-query { any; };
      recursion no;
      ...
    };
    zone "example.com" IN {
      ...
    };
    On the internal nameserver, edit /etc/named.conf. Add or correct the
    following directives, where SUBNET is the numerical IP representation of
    your organization in the form xxx.xxx.xxx.xxx/xx:
    acl internal {
      SUBNET;
      localhost;
    };
    options {
      allow-query { internal; };
      ...
    };
    zone "internal.example.com" IN {
      ...
    };
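The zone-transfer, dynamic-update and view directives shown across the DNS rules in this section can be audited with the following script. It is an added example, not scap-security-guide code: it parses only the statement shapes the snippets above use, it treats an hmac-md5 TSIG key as a finding because BIND also supports the stronger HMAC-SHA algorithms, and the named.conf it checks is a constructed sample.

```python
"""Audit a BIND named.conf for the zone-transfer and dynamic-update settings
recommended in this section (allow-transfer, allow-update, TSIG keys, views).
Added example, not scap-security-guide code; the sample config is constructed."""
import re

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # strings, braces, words
WEAK_TSIG = {"hmac-md5"}  # BIND also accepts hmac-sha256 and stronger

def strip_comments(text):
    """Drop /* */, // and # comments (not string-aware; enough for named.conf)."""
    return re.sub(r"(//|#)[^\n]*", "", re.sub(r"/\*.*?\*/", "", text, flags=re.S))

def parse(tokens, pos=0):
    """`a b { ... };` -> (['a','b'], [...]); `a b;` -> (['a','b'], None)."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            children, pos = parse(tokens, pos)
            stmts.append((words, children))
            words = []
            if pos < len(tokens) and tokens[pos] == ";":  # the `};` terminator
                pos += 1
        elif tok == "}":
            return stmts, pos  # pos is now just past the closing brace
        elif tok == ";":
            if words:
                stmts.append((words, None))
            words = []
        else:
            words.append(tok.strip('"'))
    return stmts, pos

def stmt(stmts, name):
    # (words, children) of the first statement called `name`, else ([], None)
    for words, children in stmts or []:
        if words[:1] == [name]:
            return words, children
    return [], None

def acl(stmts, name):
    """Entries of `name { a; b; };` as a set, or None if the clause is absent."""
    children = stmt(stmts, name)[1]
    return None if children is None else {" ".join(w) for w, _ in children}

def check_zone(name, body, inherited_xfer, keys, findings):
    """Apply the section's per-zone checks; findings are (subject, message)."""
    if stmt(body, "type")[0][1:2] == ["hint"]:
        return  # root-hints zones are never transferred
    xfer = acl(body, "allow-transfer")
    if xfer is None:  # inherit from the enclosing view or the options block
        xfer = inherited_xfer
    if xfer is None:
        findings.append((name, "allow-transfer not set; transfers unrestricted"))
    elif xfer != {"none"}:
        for entry in sorted(xfer):
            if not entry.startswith("key "):
                findings.append((name, f"allow-transfer permits {entry} without TSIG"))
            elif entry[4:] not in keys:
                findings.append((name, f"undefined TSIG key {entry[4:]}"))
    update = acl(body, "allow-update")
    if update and update != {"none"}:  # BIND's default is already `none`
        findings.append((name, f"allow-update permits {', '.join(sorted(update))}"))

def audit(config_text):
    """Return a list of (subject, message) findings for a named.conf text."""
    stmts, _ = parse(TOKEN_RE.findall(strip_comments(config_text)))
    findings, keys = [], {}
    for words, body in stmts:  # collect TSIG keys and flag weak algorithms
        if words[:1] == ["key"] and len(words) > 1 and body is not None:
            alg = keys[words[1]] = (stmt(body, "algorithm")[0][1:2] or [""])[0]
            if alg.lower() in WEAK_TSIG:
                findings.append((words[1], f"TSIG algorithm {alg} is weak"))
    global_xfer = acl(stmt(stmts, "options")[1], "allow-transfer")
    def walk(scope, inherited):  # zones may sit at top level or inside views
        for words, body in scope:
            if words[:1] == ["view"] and body is not None:
                view_xfer = acl(body, "allow-transfer")
                walk(body, inherited if view_xfer is None else view_xfer)
            elif words[:1] == ["zone"] and len(words) > 1 and body is not None:
                check_zone(words[1], body, inherited, keys, findings)
    walk(stmts, global_xfer)
    return findings

# Constructed sample: protected, exposed and inheriting zones plus a view.
SAMPLE_NAMED_CONF = """
key zone-transfer-key { algorithm hmac-md5; secret "Y29uc3RydWN0ZWQta2V5"; };
options { allow-transfer { none; }; recursion no; };
zone "example.com" IN { type master; allow-transfer { key zone-transfer-key; };
  allow-update { none; }; };
zone "open.example" IN { type master; allow-transfer { any; };
  allow-update { 192.0.2.0/24; }; };
zone "inherits.example" IN { type master; };
view "internal-view" { match-clients { 10.0.0.0/8; }; zone "." IN { type hint; };
  zone "internal.example.com" IN { type master; allow-transfer { key missing-key; }; }; };
"""

if __name__ == "__main__":
    for subject, message in audit(SAMPLE_NAMED_CONF):
        print(f"{subject}: {message}")
```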
scap-security-guide-0.1.39/shared/guide/services/docker/docker.group
documentation_complete: true

title: 'Docker Service'

description: |-
    The docker service is necessary to create containers, which are
    self-sufficient and self-contained applications using the resource
    isolation features of the kernel.

scap-security-guide-0.1.39/shared/guide/services/docker/docker_storage_configured.rule
documentation_complete: true

prodtype: rhel7

title: 'Use direct-lvm with the Device Mapper Storage Driver'

description: |-
    To use Docker in production with the device mapper storage driver, the
    Docker daemon should be configured to use direct-lvm instead of a loopback
    device as storage. For setting up the LVM and configuring Docker, see the .

rationale: |-
    For using Docker in production, the device mapper storage driver with
    loopback devices is discouraged. The suggested way of configuring the
    device mapper storage driver is direct-lvm. Choosing the right storage
    driver and backing filesystem is crucial to stability and performance.

severity: low

identifiers:
    cce@rhel7: 80441-9

scap-security-guide-0.1.39/shared/guide/services/docker/service_docker_enabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Enable the Docker service'

description: |-
    The docker service is commonly needed to create containers.

rationale: |-
    To be able to find any problems with misconfiguration of the docker daemon
    and running containers, the docker service has to be enabled.
severity: medium

identifiers:
    cce@rhel7: 80440-1

references:
    disa: ""
    nist: ""
    srg: ""

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/ftp/disabling_vsftpd/disabling_vsftpd.group
documentation_complete: true

title: 'Disable vsftpd if Possible'

description: |-
    To minimize attack surface, disable vsftpd if at all possible.

scap-security-guide-0.1.39/shared/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed.rule
documentation_complete: true

prodtype: rhel7

title: 'Uninstall vsftpd Package'

description: ''

rationale: |-
    Removing the vsftpd package decreases the risk of its accidental activation.

severity: high

identifiers:
    cce@rhel7: 80245-4

references:
    disa: 366
    nist: CM-6(b),CM-7
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040690"

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/ftp/disabling_vsftpd/service_vsftpd_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable vsftpd Service'

description: ''

rationale: |-
    Running FTP server software provides a network-based avenue of attack, and
    should be disabled if not needed. Furthermore, the FTP protocol is
    unencrypted and creates a risk of compromising sensitive information.

severity: unknown

identifiers:
    cce@rhel7: 80244-7

references:
    cis: 2.2.9
    disa: 1436
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/ftp/ftp.group
documentation_complete: true

title: 'FTP Server'

description: |-
    FTP is a common method for allowing remote access to files. Like telnet,
    the FTP protocol is unencrypted, which means that passwords and other data
    transmitted during the session can be captured and that the session is
    vulnerable to hijacking. Therefore, running the FTP server software is not
    recommended.

    However, there are some FTP server configurations which may be appropriate
    for some environments, particularly those which allow only read-only
    anonymous access as a means of downloading data available to the public.

scap-security-guide-0.1.39/shared/guide/services/ftp/ftp_configure_vsftpd/ftp_configure_firewall/ftp_configure_firewall.group
documentation_complete: true

title: 'Configure Firewalls to Protect the FTP Server'

description: |-
    By default, firewalld blocks access to the ports used by the web server.

scap-security-guide-0.1.39/shared/guide/services/ftp/ftp_configure_vsftpd/ftp_configure_vsftpd.group
documentation_complete: true

title: 'Use vsftpd to Provide FTP Service if Necessary'

description: |-
    The primary vsftpd configuration file is /etc/vsftpd.conf, if that file
    exists, or /etc/vsftpd/vsftpd.conf if it does not.

scap-security-guide-0.1.39/shared/guide/services/ftp/ftp_configure_vsftpd/ftp_disable_uploads.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable FTP Uploads if Possible'

description: |-
    Is there a mission-critical reason for users to upload files via FTP? If
    not, edit the vsftpd configuration file to add or correct the following
    configuration options:
    write_enable=NO
    If FTP uploads are necessary, follow the guidance in the remainder of this
    section to secure these transactions as much as possible.

rationale: |-
    Anonymous FTP can be a convenient way to make files available for
    universal download. However, it is less common to have a need to allow
    unauthenticated users to place files on the FTP server. If this must be
    done, it is necessary to ensure that files cannot be uploaded and
    downloaded from the same directory.

severity: unknown

identifiers:
    cce@rhel7: 80250-4

scap-security-guide-0.1.39/shared/guide/services/ftp/ftp_configure_vsftpd/ftp_home_partition.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Place the FTP Home Directory on its Own Partition'

description: |-
    By default, the anonymous FTP root is the home directory of the FTP user
    account. The df command can be used to verify that this directory is on
    its own partition.

rationale: |-
    If there is a mission-critical reason for anonymous users to upload files,
    precautions must be taken to prevent these users from filling a disk used
    by other services.

severity: unknown

identifiers:
    cce@rhel7: 80251-2

scap-security-guide-0.1.39/shared/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Enable Logging of All FTP Transactions'

description: |-
    Add or correct the following configuration options within the vsftpd
    configuration file, located at /etc/vsftpd/vsftpd.conf:
    xferlog_enable=YES
    xferlog_std_format=NO
    log_ftp_protocol=YES

rationale: |-
    To trace malicious activity facilitated by the FTP service, it must be
    configured to ensure that all commands sent to the FTP server are logged
    using the verbose vsftpd log format. The default vsftpd log file is
    /var/log/vsftpd.log.

severity: unknown

identifiers:
    cce@rhel7: 80247-0

ocil_clause: 'xferlog_enable is missing, or is not set to yes'

ocil: |-
    Find if logging is applied to the FTP daemon.

    Procedures:

    If vsftpd is started by xinetd the following command will indicate the
    xinetd.d startup file:
    $ grep vsftpd /etc/xinetd.d/*
    $ grep server_args vsftpd xinetd.d startup file
    This will indicate the vsftpd config file used when starting through
    xinetd. If the server_args line is missing or does not include the vsftpd
    configuration file, then the default config file (/etc/vsftpd/vsftpd.conf)
    is used.
    $ sudo grep xferlog_enable vsftpd config file

scap-security-guide-0.1.39/shared/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Create Warning Banners for All FTP Users'

description: |-
    Edit the vsftpd configuration file, which resides at
    /etc/vsftpd/vsftpd.conf by default. Add or correct the following
    configuration options:
    banner_file=/etc/issue

rationale: 'This setting will cause the system greeting banner to be used for FTP connections as well.'

severity: medium

identifiers:
    cce@rhel7: 80248-8

references:
    disa: 48

ocil_clause: 'it does not'

ocil: |-
    If FTP services are not installed, this is not applicable.

    To verify this configuration, run the following command:
    grep "banner_file" /etc/vsftpd/vsftpd.conf
    The output should show the value of banner_file is set to /etc/issue, an
    example of which is shown below:
    $ sudo grep "banner_file" /etc/vsftpd/vsftpd.conf
    banner_file=/etc/issue

scap-security-guide-0.1.39/shared/guide/services/ftp/ftp_configure_vsftpd/ftp_restrict_users/ftp_limit_users/ftp_limit_users.group
documentation_complete: true

title: 'Limit Users Allowed FTP Access if Necessary'

description: |-
    If there is a mission-critical reason for users to access their accounts
    via the insecure FTP protocol, limit the set of users who are allowed this
    access. Edit the vsftpd configuration file. Add or correct the following
    configuration options:
    userlist_enable=YES
    userlist_file=/etc/vsftp.ftpusers
    userlist_deny=NO
    Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should be
    allowed to access the system via FTP, add a line containing that user's
    name:
    USERNAME
    If anonymous access is also required, add the anonymous usernames to
    /etc/vsftp.ftpusers as well.
    anonymous
    ftp
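A checker for the vsftpd options recommended in the rules above (write_enable, the three logging options, banner_file, and the local_enable/userlist allow-list), added here as an example rather than taken from scap-security-guide. The defaults it assumes are the compiled-in defaults documented in vsftpd.conf(5), and both configuration files are constructed samples.

```python
"""Check a vsftpd configuration against the settings recommended in this
section (uploads, logging, warning banner, restriction of local users).
Added example, not scap-security-guide code; the sample configs are constructed."""

# Compiled-in defaults from vsftpd.conf(5), applied when an option is not set.
DEFAULTS = {
    "write_enable": "NO", "xferlog_enable": "NO", "xferlog_std_format": "NO",
    "log_ftp_protocol": "NO", "local_enable": "NO", "banner_file": "",
    "userlist_enable": "NO", "userlist_deny": "YES",
}

# (option, required value, what the section's guidance achieves with it)
EXPECTED = [
    ("write_enable", "NO", "disable FTP uploads"),
    ("xferlog_enable", "YES", "log FTP transfers"),
    ("xferlog_std_format", "NO", "use the verbose vsftpd log format"),
    ("log_ftp_protocol", "YES", "log every FTP command"),
    ("banner_file", "/etc/issue", "show the system warning banner"),
]


def parse_vsftpd_conf(text):
    """Return ({option: value}, [malformed lines]); a later setting wins.

    vsftpd takes `option=value` with no whitespace around `=`, so lines with
    stray whitespace are reported instead of being silently accepted."""
    settings, malformed = {}, []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, sep, value = raw.partition("=")
        if not sep or not key or key != key.strip() or value != value.strip():
            malformed.append(raw)
            continue
        settings[key] = value
    return settings, malformed


def audit_vsftpd(text):
    """Return a list of finding strings; an empty list means compliant."""
    settings, malformed = parse_vsftpd_conf(text)
    effective = {**DEFAULTS, **settings}
    findings = [f"malformed line: {line!r}" for line in malformed]
    for option, wanted, purpose in EXPECTED:
        actual = effective[option]
        if actual.upper() != wanted.upper():  # booleans are case-insensitive
            findings.append(f"{option}={actual or '<unset>'}: set {option}={wanted} to {purpose}")
    # Local (password) logins should be off; if they must stay on, the section
    # requires an allow-list: userlist_enable=YES with userlist_deny=NO.
    if effective["local_enable"].upper() == "YES" and not (
        effective["userlist_enable"].upper() == "YES"
        and effective["userlist_deny"].upper() == "NO"
    ):
        findings.append("local_enable=YES: set local_enable=NO, or allow-list users "
                        "with userlist_enable=YES and userlist_deny=NO")
    return findings


# Constructed samples: a typical permissive file and a hardened one.
PERMISSIVE_VSFTPD_CONF = """\
# constructed sample, not a shipped vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
xferlog_enable=YES
xferlog_std_format=YES
userlist_enable=YES
userlist_deny=YES
banner_file = /etc/issue
"""

HARDENED_VSFTPD_CONF = """\
anonymous_enable=YES
local_enable=NO
write_enable=NO
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
banner_file=/etc/issue
"""

if __name__ == "__main__":
    for name, conf in (("permissive", PERMISSIVE_VSFTPD_CONF), ("hardened", HARDENED_VSFTPD_CONF)):
        print(name, audit_vsftpd(conf) or ["no findings"])
```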
scap-security-guide-0.1.39/shared/guide/services/ftp/ftp_configure_vsftpd/ftp_restrict_users/ftp_restrict_to_anon.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Restrict Access to Anonymous Users if Possible'

description: |-
    Is there a mission-critical reason for users to transfer files to/from
    their own accounts using FTP, rather than using a secure protocol like
    SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the
    following configuration option:
    local_enable=NO
    If non-anonymous FTP logins are necessary, follow the guidance in the
    remainder of this section to secure these logins as much as possible.

rationale: 'The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access.'

severity: unknown

identifiers:
    cce@rhel7: 80249-6

references:
    nist: CM-7,AC-3

scap-security-guide-0.1.39/shared/guide/services/ftp/ftp_configure_vsftpd/ftp_restrict_users/ftp_restrict_users.group
documentation_complete: true

title: 'Restrict the Set of Users Allowed to Access FTP'

description: |-
    This section describes how to disable non-anonymous (password-based) FTP
    logins, or, if it is not possible to do this entirely due to legacy
    applications, how to restrict insecure FTP login to only those users who
    have an identified need for this access.

scap-security-guide-0.1.39/shared/guide/services/ftp/ftp_use_vsftpd/ftp_use_vsftpd.group
documentation_complete: true

title: 'Use vsftpd to Provide FTP Service if Necessary'

description: |-
    If your use-case requires FTP service, install and set up vsftpd to
    provide it.

scap-security-guide-0.1.39/shared/guide/services/ftp/ftp_use_vsftpd/package_vsftpd_installed.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Install vsftpd Package'

description: |-
    If this system must operate as an FTP server, install the vsftpd package
    via the standard channels.
    $ sudo yum install vsftpd

rationale: |-
    After Red Hat Enterprise Linux 2.1, Red Hat switched from distributing
    wu-ftpd with Red Hat Enterprise Linux to distributing vsftpd. For security
    and for consistency with future Red Hat releases, the use of vsftpd is
    recommended.

severity: unknown

identifiers:
    cce@rhel7: 80246-2

references:
    nist: CM-7

scap-security-guide-0.1.39/shared/guide/services/http/disabling_httpd/disabling_httpd.group
documentation_complete: true

title: 'Disable Apache if Possible'

description: |-
    If Apache was installed and activated, but the system does not need to act
    as a web server, then it should be disabled and removed from the system.

scap-security-guide-0.1.39/shared/guide/services/http/disabling_httpd/package_httpd_removed.rule
documentation_complete: true

prodtype: rhel7

title: 'Uninstall httpd Package'

description: ''

rationale: |-
    If there is no need to make the web server software available, removing it
    provides a safeguard against its activation.

severity: unknown

identifiers:
    cce@rhel7: 80301-5

references:
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/http/disabling_httpd/service_httpd_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable httpd Service'

description: ''

rationale: |-
    Running web server software provides a network-based avenue of attack, and
    should be disabled if not needed.

severity: unknown

identifiers:
    cce@rhel7: 80300-7

references:
    cis: 2.2.10
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/http/http.group
documentation_complete: true

title: 'Web Server'

description: |-
    The web server is responsible for providing access to content via the HTTP
    protocol. Web servers represent a significant security risk because:

      • The HTTP port is commonly probed by malicious sources
      • Web server software is very complex, and includes a long history of vulnerabilities
      • The HTTP protocol is unencrypted and vulnerable to passive monitoring

    The system's default web server software is Apache 2 and is provided in
    the RPM package httpd.

scap-security-guide-0.1.39/shared/guide/services/http/installing_httpd/httpd_minimal_modules_installed/httpd_minimal_modules_installed.group
documentation_complete: true

title: 'Confirm Minimal Built-in Modules Installed'

description: |-
    The default httpd installation minimizes the number of modules that are
    compiled directly into the binary (core prefork http_core mod_so). This
    minimizes risk by limiting the capabilities allowed by the web server.
    Query the set of compiled-in modules using the following command:
    $ httpd -l
    If the number of compiled-in modules is significantly larger than the
    aforementioned set, this guide recommends re-installing httpd with a
    reduced configuration. Minimizing the number of modules that are compiled
    into the httpd binary reduces risk by limiting the capabilities allowed by
    the web server.

scap-security-guide-0.1.39/shared/guide/services/http/installing_httpd/installing_httpd.group
documentation_complete: true

title: 'Install Apache if Necessary'

description: |-
    If httpd was not installed and activated, but the system needs to act as a
    web server, then it should be installed on the system. Follow these
    guidelines to install it defensively. The httpd package can be installed
    with the following command:
    $ sudo yum install httpd
    This method of installation is recommended over installing the "Web
    Server" package group during the system installation process. The Web
    Server package group includes many packages which are likely extraneous,
    while the command-line method installs only the required httpd package
    itself.

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_log_format.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure Error Log Format'

description: |-
    LogFormat should be enabled and set to the following in
    /etc/httpd/conf/httpd.conf:
    LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined

rationale: |-
    The server error logs are invaluable because they can also be used to
    identify potential problems and enable proactive remediation. Log data can
    reveal anomalous behavior such as "not found" or "unauthorized" errors
    that may be evidence of attack attempts. Failure to enable error logging
    can significantly reduce the ability of Web Administrators to detect or
    remediate problems. The LogFormat directive defines the format and
    information to be included in the access log entries.

severity: medium

identifiers:
    cce: "80548-1"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WA00612

ocil_clause: 'it is not'

ocil: |-
    To verify if LogFormat is configured correctly in
    /etc/httpd/conf/httpd.conf, run the following command:
    $ grep -i logformat /etc/httpd/conf/httpd.conf
    The output should contain the following:
    LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure The Number of Allowed Simultaneous Requests'

description: |-
    The MaxKeepAliveRequests directive should be set and configured to  or
    greater by setting the following in /etc/httpd/conf/httpd.conf:
    MaxKeepAliveRequests 

rationale: |-
    Resource exhaustion can occur when an unlimited number of concurrent
    requests are allowed on a web site, facilitating a denial of service
    attack. Mitigating this kind of attack will include limiting the number of
    concurrent HTTP/HTTPS requests per IP address and may include, where
    feasible, limiting parameter values associated with keepalive (i.e., a
    parameter used to limit the amount of time a connection may be inactive).

severity: medium

identifiers:
    cce: "80551-5"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG110

ocil_clause: 'it is not'

ocil: |-
    To verify if MaxKeepAliveRequests is configured correctly in
    /etc/httpd/conf/httpd.conf, run the following command:
    $ grep -i maxkeepaliverequests /etc/httpd/conf/httpd.conf
    The command should return the following:
    MaxKeepAliveRequests 100
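The LogFormat and MaxKeepAliveRequests checks in the two rules above can be automated as follows. This is an added example, not scap-security-guide code; it assumes the threshold of 100 shown in the check text, treats `%>s` (final status) as satisfying `%s`, and the httpd.conf fragments are constructed samples.

```python
"""Check httpd.conf for the LogFormat fields and MaxKeepAliveRequests limit
described in this section. Added example, not scap-security-guide code; the
threshold defaults to the 100 shown in the check text and the samples are
constructed."""
import re

# Fields the section's LogFormat carries; %>s (final status) counts as %s.
REQUIRED_FIELDS = {"%A", "%h", "%H", "%l", "%m", "%s", "%t", "%u", "%U",
                   "%{Referer}i", "%{User-Agent}i"}
# Directives are case-insensitive; the format string may contain \" escapes.
LOGFORMAT_RE = re.compile(r'^\s*LogFormat\s+"((?:[^"\\]|\\.)*)"\s+(\S+)', re.I | re.M)
KEEPALIVE_RE = re.compile(r"^\s*MaxKeepAliveRequests\s+(\d+)", re.I | re.M)
FIELD_RE = re.compile(r"%[<>]?(?:\{[^}]*\})?[A-Za-z]")


def logformat_fields(fmt):
    """Return the set of %-fields in a LogFormat string, modifiers stripped."""
    return {re.sub(r"^%[<>]", "%", f) for f in FIELD_RE.findall(fmt)}


def audit_httpd_conf(text, nickname="combined", min_keepalive=100):
    """Return finding strings for LogFormat `nickname` and MaxKeepAliveRequests."""
    findings = []
    formats = {nick: fmt for fmt, nick in LOGFORMAT_RE.findall(text)}  # last wins
    if nickname not in formats:
        findings.append(f"no LogFormat named {nickname}")
    else:
        missing = REQUIRED_FIELDS - logformat_fields(formats[nickname])
        if missing:
            findings.append(f"LogFormat {nickname} lacks {' '.join(sorted(missing))}")
    values = KEEPALIVE_RE.findall(text)
    if not values:
        findings.append("MaxKeepAliveRequests not set explicitly")
    elif int(values[-1]) == 0:  # httpd treats 0 as unlimited
        findings.append("MaxKeepAliveRequests 0 means unlimited keep-alive requests")
    elif int(values[-1]) < min_keepalive:
        findings.append(f"MaxKeepAliveRequests {values[-1]} is below {min_keepalive}")
    return findings


# Constructed samples: the section's LogFormat with keep-alive left unlimited,
# and a default-style common format under the `combined` name with a limit set.
SAMPLE_HTTPD_CONF = r'''
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "a %A %h %H %l %m %s %t %u %U \"%{Referer}i\" \"%{User-Agent}i\"" combined
MaxKeepAliveRequests 0
'''
WEAK_LOGGING_CONF = r'''
LogFormat "%h %l %u %t \"%r\" %>s %b" combined
MaxKeepAliveRequests 150
'''

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_HTTPD_CONF), ("weak", WEAK_LOGGING_CONF)):
        print(name, audit_httpd_conf(conf) or ["no findings"])
```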
scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_antivirus_scan_uploads.rule
documentation_complete: true

prodtype: rhel7

title: 'Scan All Uploaded Content for Malicious Software'

description: |-
    Install anti-virus software on the system and set it to automatically scan
    new files that are introduced to the web server.

rationale: |-
    Remote web authors should not be able to upload files to the Document Root
    directory structure without virus checking and checking for malicious or
    mobile code. A remote web user, whose agency has a Memorandum of Agreement
    (MOA) with the hosting agency and has submitted a DoD form 2875 (System
    Authorization Access Request (SAAR)) or an equivalent document, will be
    allowed to post files to a temporary location on the server. All posted
    files to this temporary location will be scanned for viruses and content
    checked for malicious or mobile code. Only files free of viruses and
    malicious or mobile code will be posted to the appropriate DocumentRoot
    directory.

severity: medium

identifiers:
    cce: "80561-4"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG237

ocil_clause: 'it is not'

ocil: |-
    Remote web authors should not be able to upload files to the Document Root
    directory structure without virus checking and checking for malicious or
    mobile code.

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_chroot/httpd_chroot.group
documentation_complete: true

title: 'Run httpd in a chroot Jail if Practical'

description: |-
    Running httpd inside a chroot jail is designed to isolate the web server
    process to a small section of the filesystem, limiting the damage if it is
    compromised. Versions of Apache greater than 2.2.10 (such as the one
    included with Red Hat Enterprise Linux 7) provide the ChrootDir directive.
    To run Apache inside a chroot jail in /chroot/apache, add the following
    line to /etc/httpd/conf/httpd.conf:
ChrootDir /chroot/apache
    This necessitates placing all files required by httpd inside /chroot/apache, including httpd's binaries, modules, configuration files, and served web pages. The details of this configuration are beyond the scope of this guide. This may also require additional SELinux configuration.

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_firewalld.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure firewalld to Allow Access to the Web Server'

description: |-
    By default, firewalld blocks access to the ports used by the web server.

rationale: |-
    Failure to comply with DoD ports, protocols, and services (PPS) requirements can result in compromise of enclave boundary protections and/or functionality of the AIS.

severity: low

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG610

ocil_clause: 'it is not'

ocil: |-
    Review the web site to determine if HTTP and HTTPS are used in accordance with well known ports (e.g., 80 and 443) or those ports and services as registered and approved for use by the DoD PPSM.

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_os_protect_web_server.group
documentation_complete: true

title: 'Configure Operating System to Protect Web Server'

description: |-
    The following configuration steps should be taken on the system which hosts the web server, in order to provide as safe an environment as possible for the web server.

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_configure_remote_session_encryption.rule
documentation_complete: true

prodtype: rhel7

title: 'Ensure Remote Administrative Access Is Encrypted'

description: |-
    Ensure that the SSH server service is enabled.

rationale: |-
    Logging into a web server remotely using an unencrypted protocol or service when performing updates and maintenance is a major risk. Data, such as user account information, is transmitted in plaintext and can easily be compromised. When performing remote administrative tasks, a protocol or service that encrypts the communication channel must be used.

    An alternative to remote administration of the web server is to perform web server administration locally at the console. Local administration at the console implies physical access to the server.

severity: high

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG230

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf.rule
documentation_complete: true

prodtype: rhel7

title: 'Set Permissions on the /etc/httpd/conf/ Directory'

description: ''

rationale: |-
    Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or alter the server's configuration files.

severity: unknown

identifiers:
    cce@rhel7: 80323-9

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd.rule
documentation_complete: true

prodtype: rhel7

title: 'Set Permissions on the /var/log/httpd/ Directory'

description: |-
    Ensure that the permissions on the web server log directory are set to 700:
    $ sudo chmod 700 /var/log/httpd/
    This is its default setting.

rationale: |-
    The access and error logs are a major tool for exploring web site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. To ensure the integrity of the log files and protect the SA and the web manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.

severity: medium

identifiers:
    cce@rhel7: 80322-1

references:
    nist: CM-7

ocil_clause: 'it is more permissive'

ocil: |-
    Run the following command to check the mode of the httpd log directory:
    $ ls -l /var/log/ | grep httpd
    Log directory must be mode 0700 or less permissive.

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files.rule
documentation_complete: true

prodtype: rhel7

title: 'Set Permissions on All Configuration Files Inside /etc/httpd/conf.d/'

description: ''

rationale: |-
    Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.

severity: unknown

identifiers:
    cce@rhel7: 80381-7

references:
    nist: CM-7

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files.rule
documentation_complete: true

prodtype: rhel7

title: 'Set Permissions on All Configuration Files Inside /etc/httpd/conf/'

description: ''

rationale: |-
    Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.

severity: unknown

identifiers:
    cce@rhel7: 80324-7

references:
    nist: CM-7

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files.rule
documentation_complete: true

prodtype: rhel7

title: 'Set Permissions on All Configuration Files Inside /etc/httpd/conf.modules.d/'

description: ''

rationale: |-
    Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or to alter the server's configuration files.

severity: unknown

identifiers:
    cce@rhel7: 80382-5

references:
    nist: CM-7

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/http_configure_log_file_ownership.rule
documentation_complete: true

prodtype: rhel7

title: 'HTTPD Log Files Must Be Owned By Root'

description: |-
    All httpd logs must be owned by the root user and group. By default, the path for httpd logs is /var/log/httpd/

rationale: |-
    The access and error logs are a major tool for exploring web site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and the web administrator with valuable information. Because of the information that is captured in the logs, it is critical that only authorized individuals have access to the logs.

severity: medium

identifiers:
    cce: "80562-2"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG255

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/httpd_restrict_file_dir_access.group
documentation_complete: true

title: 'Restrict File and Directory Access'

description: 'Minimize access to critical httpd files and directories.'

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_perl_securely/httpd_configure_perl_securely.group
documentation_complete: true

title: 'Configure Perl Securely'

description: |-
    PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be a practical, easy to use, and efficient means of generating interactive web pages for the user.

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_perl_securely/httpd_configure_perl_taint.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure HTTP PERL Scripts To Use TAINT Option'

description: |-
    If the mod_perl module is installed, enable Perl Taint checking in /etc/httpd/conf/httpd.conf. To enable Perl Taint checking, add or uncomment the following in /etc/httpd/conf.d/perl.conf:
    PerlSwitches -T

rationale: |-
    PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be a practical, easy to use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware PERL programs (scripts) are extremely insecure. Exploiting them is most readily accomplished by a malicious user substituting input to a PERL script during a POST or a GET operation.

    Consequently, the founders of PERL have developed a mechanism named TAINT that protects the system from malicious input sent from outside the program. When the data is tainted, it cannot be used in programs or functions such as eval(), system(), exec(), pipes, or popen(). The script will exit with a warning message.

severity: medium

identifiers:
    cce: "80560-6"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG460

ocil_clause: 'it is not'

ocil: |-
    To verify whether mod_perl is installed, run the following command:
    $ rpm -qa | grep mod_perl
    If the mod_perl module is installed, verify that PerlSwitches -T is enabled in /etc/httpd/conf.d/perl.conf by running the following command:
    $ grep -i "PerlSwitches -T" /etc/httpd/conf.d/perl.conf
    The output should return the directive uncommented:
    PerlSwitches -T
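An added example (not SCAP Security Guide code) that implements the checks from the file and directory access rules above: the log directory must be mode 0700 or less permissive, and every entry below it must be owned by root. The LOG_DIR constant, the self_check() helper and its constructed temporary log tree are assumptions of this example; in self_check() the current user stands in for root so the ownership check can be exercised without privileges.

```python
"""Audit the httpd log directory the way the rules above describe."""
import os
import stat
import tempfile
from typing import Dict, List

LOG_DIR = "/var/log/httpd"   # default httpd log path named in the rules
MAX_DIR_MODE = 0o700         # "mode 0700 or less permissive"


def no_extra_bits(mode: int, allowed: int) -> bool:
    """True when every permission bit set in `mode` is also set in `allowed`.

    That is what "0700 or less permissive" means: 0700, 0500 and 0000 pass;
    0750, 0701 and 4700 (setuid) do not.
    """
    return mode & ~allowed == 0


def audit_log_dir(path: str, owner_uid: int = 0, owner_gid: int = 0,
                  max_mode: int = MAX_DIR_MODE) -> List[str]:
    """Return one finding per violation: the directory mode is too permissive,
    or an entry below it is not owned by owner_uid:owner_gid (root:root)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    findings: List[str] = []
    mode = stat.S_IMODE(st.st_mode)
    if not no_extra_bits(mode, max_mode):
        findings.append(f"{path}: mode {mode:04o} is more permissive than {max_mode:04o}")
    # lstat, so a symlink dropped into the log directory is judged by itself,
    # not by whatever it points at
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            full = os.path.join(root, name)
            est = os.lstat(full)
            if est.st_uid != owner_uid or est.st_gid != owner_gid:
                findings.append(f"{full}: owned by {est.st_uid}:{est.st_gid}, "
                                f"expected {owner_uid}:{owner_gid}")
    return findings


def self_check() -> Dict[str, List[str]]:
    """Run the audit over a constructed log tree in a temporary directory.

    The owner of the tree stands in for root. Returns the findings for a
    compliant state, a group-readable directory, and a wrong expected owner."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = os.path.join(tmp, "httpd")
        os.mkdir(log_dir)
        with open(os.path.join(log_dir, "access_log"), "w") as fh:
            fh.write("constructed sample log line\n")
        me = os.stat(log_dir)                  # uid/gid of the tree we just built
        os.chmod(log_dir, 0o700)               # compliant default setting
        results["compliant"] = audit_log_dir(log_dir, me.st_uid, me.st_gid)
        os.chmod(log_dir, 0o750)               # group-readable: too permissive
        results["group_readable"] = audit_log_dir(log_dir, me.st_uid, me.st_gid)
        os.chmod(log_dir, 0o700)               # right mode, but wrong owner expected
        results["wrong_owner"] = audit_log_dir(log_dir, me.st_uid + 1, me.st_gid)
    return results


if __name__ == "__main__":
    for state, found in self_check().items():
        print(state, found or "OK")
    print("live:", audit_log_dir(LOG_DIR) or "OK")
```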
# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_configure_php_securely/httpd_configure_php_securely.group
documentation_complete: true

title: 'Configure PHP Securely'

description: |-
    PHP is a widely-used and often misconfigured server-side scripting language. It should be used with caution, but configured appropriately when needed.

    Review /etc/php.ini and make the following changes if possible:
    ; Do not expose PHP error messages to external users
    display_errors = Off

    ; Enable safe mode
    safe_mode = On

    ; Only allow access to executables in an isolated directory
    safe_mode_exec_dir = php-required-executables-path

    ; Limit external access to the PHP environment
    safe_mode_allowed_env_vars = PHP_

    ; Restrict PHP information leakage
    expose_php = Off

    ; Log all errors
    log_errors = On

    ; Do not register globals for input data
    register_globals = Off

    ; Minimize allowable PHP post size
    post_max_size = 1K

    ; Ensure PHP redirects appropriately
    cgi.force_redirect = 0

    ; Disallow uploading unless necessary
    file_uploads = Off

    ; Disallow treatment of file requests as fopen calls
    allow_url_fopen = Off

    ; Enable SQL safe mode
    sql.safe_mode = On
# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_anonymous_content_sharing.rule
documentation_complete: true

prodtype: rhel7

title: 'Web Content Directories Must Not Be Shared Anonymously'

description: |-
    Web content directories should not be shared anonymously over remote filesystems such as nfs and smb. Remove the shares from the applicable directories.

rationale: |-
    Sharing web content is a security risk when a web server is involved. Users accessing the share anonymously could experience privileged access to the content of such directories. Network sharable directories expose those directories and their contents to unnecessary access. Any unnecessary exposure increases the risk that someone could exploit that access and either compromise the web content or cause web server performance problems.

severity: medium

identifiers:
    cce: "80555-6"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG210

ocil_clause: 'it is not'

ocil: |-
    To verify that web content directories are not shared anonymously over remote filesystems such as nfs and smb, inspect each instance of DocumentRoot and ServerRoot and verify that no entry in /etc/fstab exists and no remote filesystem process is running for any instance.
    $ ps -ef | grep "nfs\|smb"
# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_configure_script_permissions.rule
documentation_complete: true

prodtype: rhel7

title: 'Remove Write Permissions From Filesystem Paths And Server Scripts'

description: |-
    Configure permissions for each instance of Alias, ScriptAlias, and ScriptAliasMatch that exists.
    $ sudo find DIR -type d -exec chmod 755 {} \;
    $ sudo find DIR -type f -exec chmod 555 {} \;
    Where DIR matches the paths from Alias, ScriptAlias, and ScriptAliasMatch.

rationale: |-
    Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.

severity: high

identifiers:
    cce: "80556-4"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG290

ocil_clause: 'it is not'

ocil: |-
    Verify that the files and directories of each instance of Alias, ScriptAlias, and ScriptAliasMatch that exists have the correct file and directory permissions applied.

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_directory_restrictions.group
documentation_complete: true

title: 'Directory Restrictions'

description: |-
    The Directory tags in the web server configuration file allow finer grained access control for a specified directory. All web directories should be configured on a case-by-case basis, allowing access only where needed.

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_disable_anonymous_ftp_access.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Anonymous FTP Access'

description: |-
    If any directories that contain dynamic scripts can be accessed via FTP by any group or user that does not require access, remove permissions to such directories that allow anonymous access. Also, ensure that any such access employs an encrypted connection.

rationale: |-
    The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP.

    This applies to all directories that contain scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.

severity: medium

identifiers:
    cce: "80553-1"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG430

ocil_clause: 'it is not'

ocil: |-
    Locate the directories containing the CGI scripts. These directories should be language-specific (e.g., PERL, ASP, JS, JSP, etc.). Examine the file permissions on the directories using the following command:
    ls -l directories
    Anonymous FTP users must not have access to these directories.

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_ignore_htaccess_files.rule
documentation_complete: true

prodtype: rhel7

title: 'Ignore HTTPD .htaccess Files'

description: |-
    Set AllowOverride to none for each instance of <Directory>.

rationale: |-
    CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not otherwise limited unless the SA or Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs and use the network. CGI programs can be written in any available programming language. C, PERL, PHP, Javascript, VBScript and shell (sh, ksh, bash) are popular choices.

severity: medium

identifiers:
    cce: "80554-9"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG400

ocil_clause: 'it is not'

ocil: |-
    To preclude access to the server's root directory, ensure the following directive is in the httpd.conf file. This entry will also stop users from setting up .htaccess files which can override security features configured in /etc/httpd/conf/httpd.conf.
    AllowOverride none
# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_limit_available_methods.rule
documentation_complete: true

prodtype: rhel7

title: 'Limit Available Methods'

description: |-
    Web server methods are defined in section 9 of RFC 2616. If a web server does not require the implementation of all available methods, they should be disabled.

    Note: GET and POST are the most common methods. A majority of the others are limited to the WebDAV protocol.
    <Directory /var/www/html>
        # ...
        # Only allow specific methods (this command is case-sensitive!)
        <LimitExcept GET POST>
            Order allow,deny
        </LimitExcept>
        # ...
    </Directory>

rationale: |-
    Minimizing the number of available methods to the web client reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce@rhel7: 80319-7

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_critical_directories.rule
documentation_complete: true

prodtype: rhel7

title: 'Restrict Other Critical Directories'

description: |-
    All accessible web directories should be configured with similarly restrictive settings. The Options directive should be limited to necessary functionality and the AllowOverride directive should be used only if needed. The Order and Deny access control tags should be used to deny access by default, allowing access only where necessary.

rationale: |-
    Directories accessible from a web client should be configured with the least amount of access possible in order to avoid unauthorized access to restricted content or server information.

severity: unknown

identifiers:
    cce@rhel7: 80318-9

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_root_directory.rule
documentation_complete: true

prodtype: rhel7

title: 'Restrict Root Directory'

description: |-
    The httpd root directory should always have the most restrictive configuration enabled.
    <Directory / >
        Options None
        AllowOverride None
        Order allow,deny
    </Directory>

rationale: |-
    The Web Server's root directory content should be protected from unauthorized access by web clients.

severity: unknown

identifiers:
    cce@rhel7: 80316-3

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_directory_restrictions/httpd_restrict_web_directory.rule
documentation_complete: true

prodtype: rhel7

title: 'Restrict Web Directory'

description: |-
    The default configuration for the web (/var/www/html) Directory allows directory indexing (Indexes) and the following of symbolic links (FollowSymLinks). Neither of these is recommended.

    The /var/www/html directory hierarchy should not be viewable via the web, and symlinks should only be followed if the owner of the symlink also owns the linked file.

    Ensure that this policy is adhered to by altering the related section of the configuration:
    <Directory "/var/www/html">
        #  ...
        Options SymLinksIfOwnerMatch
        #  ...
    </Directory>

rationale: |-
    Access to the web server's directory hierarchy could allow access to unauthorized files by web clients. Following symbolic links could also allow such access.

severity: unknown

identifiers:
    cce@rhel7: 80317-1

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_disable_mime_types.rule
documentation_complete: true

prodtype: rhel7

title: 'MIME types for csh or sh shell programs must be disabled'

description: |-
    Users must not be allowed to access the shell programs.

rationale: |-
    Shell programs might execute shell escapes and could then perform unauthorized activities that could damage the security posture of the web server. A shell is a program that serves as the basic interface between the user and the operating system. In this regard, there are shells that are security risks in the context of a web server and shells that are unauthorized.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: "WG370"

ocil_clause: 'either of these exist and they configure csh, or any other shell, as a viewer for documents'

ocil: |-
    Enter the following commands:
    grep Action /etc/httpd/conf/httpd.conf
    grep AddHandler /etc/httpd/conf/httpd.conf
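An added example (not SCAP Security Guide code) that checks the directory-restriction rules above (AllowOverride None in every <Directory>, Options None on the root directory, no Indexes or FollowSymLinks on the web directory, and LimitExcept leaving only GET and POST) against a constructed httpd.conf-style sample. The sample configuration, the function names and the finding wording are assumptions of this example; the parser handles only the directives the rules name, not the full httpd configuration grammar.

```python
"""Audit <Directory> blocks of an httpd.conf against the directory restriction rules."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, not a real server's config. The /var/www/html block keeps
# the default Indexes/FollowSymLinks and AllowOverride All the rules warn about.
SAMPLE_CONF = """\
<Directory />
    Options None
    AllowOverride None
    Order allow,deny
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>

<Directory "/var/www/cgi-bin">
    Options None
    AllowOverride None
    <LimitExcept GET POST>
        Order allow,deny
    </LimitExcept>
</Directory>
"""

OPEN_DIR = re.compile(r'^<Directory\s+"?([^"\s>]+)"?\s*>$', re.IGNORECASE)
OPEN_LIMIT = re.compile(r'^<LimitExcept\s+([^>]+)>$', re.IGNORECASE)


@dataclass
class DirectoryBlock:
    path: str
    options: List[str] = field(default_factory=list)
    allow_override: Optional[str] = None
    limit_except: Optional[List[str]] = None   # methods the block leaves unrestricted


def parse_directories(conf: str) -> List[DirectoryBlock]:
    """Collect Options, AllowOverride and LimitExcept from each <Directory> block."""
    blocks: List[DirectoryBlock] = []
    current: Optional[DirectoryBlock] = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_DIR.match(line)
        if m:
            current = DirectoryBlock(path=m.group(1))
            continue
        if line.lower() == "</directory>":
            if current is not None:
                blocks.append(current)
            current = None
            continue
        if current is None:
            continue                      # directive outside any <Directory>
        m = OPEN_LIMIT.match(line)
        if m:
            current.limit_except = m.group(1).split()
            continue
        key, *args = line.split()
        if key.lower() == "options":
            current.options = args
        elif key.lower() == "allowoverride":
            current.allow_override = " ".join(args)
    return blocks


def enabled_options(block: DirectoryBlock) -> set:
    """Options that are on: '+Indexes' enables, '-Indexes' disables."""
    return {o.lstrip("+").lower() for o in block.options if not o.startswith("-")}


def audit_block(block: DirectoryBlock) -> List[str]:
    """One finding per rule the block violates."""
    findings: List[str] = []
    # httpd_ignore_htaccess_files: AllowOverride must be None everywhere
    if (block.allow_override or "").lower() != "none":
        findings.append(f"{block.path}: AllowOverride is not None (.htaccess can override config)")
    opts = enabled_options(block)
    # httpd_restrict_root_directory: the root directory gets Options None
    if block.path == "/" and opts != {"none"}:
        findings.append("/: root directory must use Options None")
    # httpd_restrict_web_directory: no indexing, symlinks only if owner matches
    if "indexes" in opts:
        findings.append(f"{block.path}: directory indexing (Indexes) is enabled")
    if "followsymlinks" in opts:
        findings.append(f"{block.path}: FollowSymLinks enabled; use SymLinksIfOwnerMatch")
    # httpd_limit_available_methods: only GET and POST should stay unrestricted
    if block.limit_except is not None:
        extra = {m.upper() for m in block.limit_except} - {"GET", "POST"}
        if extra:
            findings.append(f"{block.path}: LimitExcept leaves {sorted(extra)} unrestricted")
    return findings


def audit_config(conf: str) -> Dict[str, List[str]]:
    return {b.path: audit_block(b) for b in parse_directories(conf)}


if __name__ == "__main__":
    for path, found in audit_config(SAMPLE_CONF).items():
        print(path, found or "OK")
```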
# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_enable_error_logging.rule
documentation_complete: true

prodtype: rhel7

title: 'Enable HTTPD Error Logging'

description: |-
    ErrorLog should be enabled and set to the following in /etc/httpd/conf/httpd.conf:
    ErrorLog "logs/error_log"

rationale: |-
    The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems.

severity: medium

identifiers:
    cce: "81130-7"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WA00605

ocil_clause: 'it is not'

ocil: |-
    To verify that ErrorLog is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
    $ grep -i errorlog /etc/httpd/conf/httpd.conf
    The output should return the following:
    ErrorLog "logs/error_log"

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_enable_loglevel.rule
documentation_complete: true

prodtype: rhel7

title: 'Enable HTTPD LogLevel'

description: |-
    LogLevel should be enabled and set to . Add or edit the following in /etc/httpd/conf/httpd.conf:
    LogLevel

rationale: |-
    The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. While the ErrorLog directive configures the error log file name, the LogLevel directive is used to configure the severity level for the error logs. The log level values are the standard syslog levels: emerg, alert, crit, error, warn, notice, info and debug.

severity: medium

identifiers:
    cce: "80550-7"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WA00620

ocil_clause: 'it is not'

ocil: |-
    To verify that LogLevel is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
    $ grep -i loglevel /etc/httpd/conf/httpd.conf
    The command should return the following:
    LogLevel warn

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_enable_system_logging.rule
documentation_complete: true

prodtype: rhel7

title: 'Enable HTTPD System Logging'

description: |-
    CustomLog should be enabled and set to the following in /etc/httpd/conf/httpd.conf:
    CustomLog "logs/access_log" combined

rationale: |-
    The server error logs are invaluable because they can also be used to identify potential problems and enable proactive remediation. Log data can reveal anomalous behavior such as "not found" or "unauthorized" errors that may be evidence of attack attempts. Failure to enable error logging can significantly reduce the ability of Web Administrators to detect or remediate problems. The CustomLog directive specifies the log file, syslog facility, or piped logging utility.

severity: medium

identifiers:
    cce: "80549-9"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WA00615

ocil_clause: 'it is not'

ocil: |-
    To verify that CustomLog is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
    $ grep -i customlog /etc/httpd/conf/httpd.conf
    The output should return the following:
    CustomLog "logs/access_log" combined

# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_entrust_passwords.rule
documentation_complete: true

prodtype: rhel7

title: 'The web server password(s) must be entrusted to the SA or Web Manager'

description: |-
    Normally, a service account is established for the web server. This is because a privileged account is not desirable and the server is designed to run for long uninterrupted periods of time. The SA or Web Manager will need password access to the web server to restart the service in the event of an emergency, as the web server is not to restart automatically after an unscheduled interruption.

rationale: |-
    If the password is not entrusted to an SA or web manager, the ability to ensure the availability of the web server is compromised.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: "WG050"

ocil_clause: 'the web server password(s) are not entrusted to the SA or Web Manager'

ocil: |-
    The reviewer should make a note of the name of the account being used for the web service. This information may be needed later in the SRR. There may also be other server services running related to the web server in support of a particular web application; these passwords must be entrusted to the SA or Web Manager as well. Query the SA or Web Manager to determine if they have the web service password(s). NOTE: For installations that run as a service, or without a password, the SA or Web Manager having an Admin account on the system would meet the intent of this check.
# scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_basic_authentication/httpd_basic_authentication.group
documentation_complete: true

title: 'Minimize Modules for HTTP Basic Authentication'

description: |-
    The following modules are necessary if this web server will provide content that will be restricted by a password.

    Authentication can be performed using local plain text password files (authn_file), local DBM password files (authn_dbm) or an LDAP directory. The only module required by the web server depends on your choice of authentication. Comment out the modules you don't need from the following:
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authn_dbm_module modules/mod_authn_dbm.so
    authn_alias allows for authentication based on aliases. authn_anon allows anonymous authentication similar to that of anonymous ftp sites. authz_owner allows authorization based on file ownership. authz_dbm allows for authorization based on group membership if the web server is using DBM authentication.

    If the above functionality is unnecessary, comment out the related module:
    #LoadModule authn_alias_module modules/mod_authn_alias.so
    #LoadModule authn_anon_module modules/mod_authn_anon.so
    #LoadModule authz_owner_module modules/mod_authz_owner.so
    #LoadModule authz_dbm_module modules/mod_authz_dbm.so
httpd_cache_support.rule000066400000000000000000000014451327242345500450320ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modulesdocumentation_complete: true prodtype: rhel7 title: 'Disable Cache Support' description: |- The cache module allows httpd to cache data, optimizing access to frequently accessed content. However, it introduces potential security flaws such as the possibility of circumventing Allow and Deny directives.

If this functionality is unnecessary, comment out the module:
#LoadModule cache_module modules/mod_cache.so
If caching is required, it should not be enabled for any limited-access content. rationale: |- Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. severity: unknown identifiers: cce@rhel7: 80314-8 httpd_cgi_support.rule000066400000000000000000000011471327242345500445300ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modulesdocumentation_complete: true prodtype: rhel7 title: 'Disable CGI Support' description: |- The cgi module allows HTML to interact with the CGI web programming language.

If this functionality is unnecessary, comment out the module:
#LoadModule cgi_module modules/mod_cgi.so
If the web server requires the use of CGI, enable mod_cgi. rationale: |- Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. severity: unknown identifiers: cce@rhel7: 80315-5 httpd_core_modules.group000066400000000000000000000023211327242345500450320ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modulesdocumentation_complete: true title: 'httpd Core Modules' description: |- These modules comprise a basic subset of modules that are likely needed for base httpd functionality; ensure they are not commented out in /etc/httpd/conf/httpd.conf:
LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authn_default_module modules/mod_authn_default.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authz_default_module modules/mod_authz_default.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule logio_module modules/mod_logio.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule mime_module modules/mod_mome.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule alias_module modules/mod_alias.so
Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. httpd_digest_authentication.rule000066400000000000000000000010511327242345500465420ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modulesdocumentation_complete: true prodtype: rhel7 title: 'Disable HTTP Digest Authentication' description: |- The auth_digest module provides encrypted authentication sessions. If this functionality is unnecessary, comment out the related module:
        #LoadModule auth_digest_module modules/mod_auth_digest.so

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce@rhel7: 80304-9

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_enable_log_config.rule
documentation_complete: true

prodtype: rhel7

title: 'Enable log_config_module For HTTPD Logging'

description: |-
    The log_config_module should exist and be configured in the /etc/httpd/conf/httpd.conf file by adding the following module to configure logging:
        log_config_module

rationale: |-
    The access and error logs are a major tool for examining web site use, attempted use, unusual conditions, and problems. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Without these log files, SAs and web managers are seriously hindered in their efforts to respond appropriately to suspicious or criminal actions targeted at the web site.

severity: medium

identifiers:
    cce: "80552-3"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG240

ocil_clause: 'it is not'

ocil: |-
    To verify that the log_config_module exists in /etc/httpd/conf/httpd.conf, run the following command:
        $ grep log_config_module /etc/httpd/conf/httpd.conf
    The output should return:
        <IfModule log_config_module>
# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_ldap_support.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable LDAP Support'

description: |-
    The ldap module provides HTTP authentication via an LDAP directory. If its functionality is unnecessary, comment out the related modules:
        #LoadModule ldap_module modules/mod_ldap.so
        #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    If LDAP is to be used, SSL encryption should be used as well.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce@rhel7: 80306-4

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_mime_magic.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable MIME Magic'

description: |-
    The mime_magic module provides a second layer of MIME support that in most configurations is likely extraneous. If its functionality is unnecessary, comment out the related module:
        #LoadModule mime_magic_module modules/mod_mime_magic.so
rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce@rhel7: 80308-0

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_minimize_config_files_included/httpd_minimize_config_files_included.group
documentation_complete: true

title: 'Minimize Configuration Files Included'

description: |-
    The Include directive directs httpd to load supplementary configuration files from a provided path. The default configuration loads all files that end in .conf from the /etc/httpd/conf.d directory.

    To restrict excess configuration, the following line should be commented out and replaced with Include directives that only reference required configuration files:
        #Include conf.d/*.conf
    If the above change was made, ensure that the SSL encryption remains loaded by explicitly including the corresponding configuration file:
        Include conf.d/ssl.conf
    If PHP is necessary, a similar alteration must be made:
        Include conf.d/php.conf
    Explicitly listing the configuration files to be loaded during web server start-up avoids the possibility of unwanted or malicious configuration files being automatically included as part of the server's running configuration.

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_mod_rewrite.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable HTTP mod_rewrite'

description: |-
    The mod_rewrite module is very powerful and can protect against certain classes of web attacks. However, it is also very complex and has a significant history of vulnerabilities itself. If its functionality is unnecessary, comment out the related module:
        #LoadModule rewrite_module modules/mod_rewrite.so

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce@rhel7: 80305-6

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_optional_components/httpd_optional_components.group
documentation_complete: true

title: 'Minimize Various Optional Components'

description: |-
    The following modules perform very specific tasks, sometimes providing access to just a few additional directives. If such functionality is not required (or if you are not using these directives), comment out the associated module:
      • External filtering (response passed through external program prior to client delivery)
        #LoadModule ext_filter_module modules/mod_ext_filter.so
      • User-specified Cache Control and Expiration
        #LoadModule expires_module modules/mod_expires.so
      • Compression Output Filter (provides content compression prior to client delivery)
        #LoadModule deflate_module modules/mod_deflate.so
      • HTTP Response/Request Header Customization
        #LoadModule headers_module modules/mod_headers.so
      • User activity monitoring via cookies
        #LoadModule usertrack_module modules/mod_usertrack.so
      • Dynamically configured mass virtual hosting
        #LoadModule vhost_alias_module modules/mod_vhost_alias.so
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_proxy_support.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Proxy Support'

description: |-
    The proxy module provides proxying support, allowing httpd to forward requests and serve as a gateway for other servers. If its functionality is unnecessary, comment out the module:
        #LoadModule proxy_module modules/mod_proxy.so
    If proxy support is needed, load mod_proxy and the appropriate proxy protocol handler module (one of mod_proxy_http, mod_proxy_ftp, or mod_proxy_connect). Additionally, make certain that a server is secure before enabling proxying, as open proxy servers are a security risk. mod_proxy_balancer enables load balancing, but requires that mod_status be enabled.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce@rhel7: 80313-0

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_activity_status.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Server Activity Status'

description: |-
    The status module provides real-time access to statistics on the internal operation of the web server. This may constitute an unnecessary information leak and should be disabled unless necessary. To do so, comment out the related module:
        #LoadModule status_module modules/mod_status.so
    If there is a critical need for this module, ensure that access to the status page is properly restricted to a limited set of hosts in the status handler configuration.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce@rhel7: 80310-6

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_configuration_display.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Web Server Configuration Display'

description: |-
    The info module creates a web page illustrating the configuration of the web server. This can create an unnecessary security leak and should be disabled. If its functionality is unnecessary, comment out the module:
        #LoadModule info_module modules/mod_info.so
    If there is a critical need for this module, use the Location directive to provide an access control list to restrict access to the information.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce@rhel7: 80311-4

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_server_side_includes.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Server Side Includes'

description: |-
    Server Side Includes provide a method of dynamically generating web pages through the insertion of server-side code. However, the technology is also deprecated and introduces significant security concerns. If this functionality is unnecessary, comment out the related module:
        #LoadModule include_module modules/mod_include.so
    If there is a critical need for Server Side Includes, they should be enabled with the option IncludesNoExec to prevent arbitrary code execution. Additionally, user supplied data should be encoded to prevent cross-site scripting vulnerabilities.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce@rhel7: 80307-2

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_url_correction.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable URL Correction on Misspelled Entries'

description: |-
    The speling module attempts to find a document match by allowing one misspelling in an otherwise failed request. If this functionality is unnecessary, comment out the module:
        #LoadModule speling_module modules/mod_speling.so
    This functionality weakens server security by making site enumeration easier.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce@rhel7: 80312-2

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_core_modules/httpd_webdav.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable WebDAV (Distributed Authoring and Versioning)'

description: |-
    WebDAV is an extension of the HTTP protocol that provides distributed and collaborative access to web content. If its functionality is unnecessary, comment out the related modules:
        #LoadModule dav_module modules/mod_dav.so
        #LoadModule dav_fs_module modules/mod_dav_fs.so
    If there is a critical need for WebDAV, extra care should be taken in its configuration. Since DAV access allows remote clients to manipulate server files, any location on the server that is DAV enabled should be protected by access controls.

rationale: |-
    Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server.

severity: unknown

identifiers:
    cce@rhel7: 80309-8

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_minimize_loadable_modules/httpd_minimize_loadable_modules.group
documentation_complete: true

title: 'Minimize Web Server Loadable Modules'

description: |-
    A default installation of httpd includes a plethora of dynamically shared objects (DSO) that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be disabled in the configuration file by removing the corresponding LoadModule directive.

    Note: A DSO only provides additional functionality if associated directives are included in the httpd configuration file. It should also be noted that removing a DSO will produce errors on httpd startup if the configuration file contains directives that apply to that module. Refer to for details on which directives are associated with each DSO.

    Following each DSO removal, the configuration can be tested with the following command to check if everything still works:
        $ sudo service httpd configtest
    The purpose of each of the modules loaded by default will now be addressed one at a time. If none of a module's directives are being used, remove it.

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_security/httpd_deploy_mod_security.group
documentation_complete: true

title: 'Deploy mod_security'

description: |-
    The security module provides an application level firewall for httpd. Following its installation with the base ruleset, specific configuration advice can be found at to design a policy that best matches the security needs of the web applications. Usage of mod_security is highly recommended for some environments, but it should be noted this module does not ship with Red Hat Enterprise Linux itself, and instead is provided via Extra Packages for Enterprise Linux (EPEL). For more information on EPEL please refer to http://fedoraproject.org/wiki/EPEL.

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_security/httpd_install_mod_security.rule
documentation_complete: true

prodtype: rhel7

title: 'Install mod_security'

description: |-
    Install the security module:
        $ sudo yum install mod_security

rationale: |-
    mod_security provides an additional level of protection for the web server by enabling the administrator to implement content access policies and filters at the application layer.

severity: unknown

identifiers:
    cce@rhel7: 80321-3

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_tls.rule
documentation_complete: true

prodtype: rhel7

title: 'Enable Transport Layer Security (TLS) Encryption'

description: |-
    Disable old SSL and TLS versions and enable the latest TLS encryption by setting the following in /etc/httpd/conf.modules.d/ssl.conf:
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    Make sure to also set SSLEngine to on in /etc/httpd/conf.modules.d/ssl.conf like the following:
        SSLEngine on

rationale: |-
    Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled.

severity: medium

identifiers:
    cce: "80557-2"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG340

ocil_clause: 'it is not'

ocil: |-
    To verify that TLS is configured properly in /etc/httpd/conf.modules.d/ssl.conf, run the following command:
        $ grep -i "sslengine\|sslprotocol" /etc/httpd/conf.d/ssl.conf
    The output should return the following:
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
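The module-minimization rules above and the TLS rule just shown can be checked together with a small audit script. This is an added example, not code from scap-security-guide: the core-module list and the expected SSLProtocol value are taken from the rules above, and the configuration it audits is a constructed sample rather than a real server's file.

```shell
#!/bin/sh
# Added example, not part of scap-security-guide: audit an httpd configuration
# against the guidance above. The core-module list and the expected SSLProtocol
# value come from the rules; the sample configuration below is constructed.

# Core modules that should stay loaded (from the httpd Core Modules group).
CORE_MODULES="auth_basic_module authn_default_module authz_host_module
authz_user_module authz_groupfile_module authz_default_module
log_config_module logio_module setenvif_module mime_module
autoindex_module negotiation_module dir_module alias_module"

# Print the module name from every active (uncommented) LoadModule directive.
# awk ignores leading whitespace, and "#LoadModule" never equals "LoadModule".
active_modules() {
    awk '$1 == "LoadModule" { print $2 }' "$1"
}

# Succeed when the module name is in the core list.
is_core() {
    for m in $CORE_MODULES; do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# Active modules outside the core list: candidates for commenting out.
noncore_modules() {
    active_modules "$1" | while read -r mod; do
        is_core "$mod" || echo "$mod"
    done
}

# Core modules that are missing or commented out.
missing_core_modules() {
    active="$(active_modules "$1")"
    for m in $CORE_MODULES; do
        echo "$active" | grep -qx "$m" || echo "$m"
    done
}

# TLS checks from the httpd_configure_tls rule: SSLEngine on, and an
# SSLProtocol line that disables SSLv2, SSLv3, TLSv1 and TLSv1.1.
tls_findings() {
    conf="$1"
    grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf" \
        || echo "SSLEngine is not set to on"
    proto="$(grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" | tail -n 1)"
    if [ -z "$proto" ]; then
        echo "SSLProtocol is not set"
        return
    fi
    for old in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        # whole-token match, so "-TLSv1" is not mistaken for "-TLSv1.1"
        echo "$proto" | tr -s '[:space:]' '\n' | grep -qx -- "-$old" \
            || echo "SSLProtocol does not disable $old"
    done
}

# One finding per line; empty output means the file passes these checks.
audit_httpd_conf() {
    for mod in $(noncore_modules "$1"); do
        echo "non-core module loaded: $mod"
    done
    for mod in $(missing_core_modules "$1"); do
        echo "core module not loaded: $mod"
    done
    tls_findings "$1" | sed 's/^/TLS: /'
}

finding_count() {
    audit_httpd_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample configuration (not a real server's file): two non-core
# modules active, mime_module commented out, TLSv1.1 still allowed.
write_sample_conf() {
    cat > "$1" <<'EOF'
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule mime_module modules/mod_mime.so
LoadModule status_module modules/mod_status.so
    LoadModule info_module modules/mod_info.so
#LoadModule dav_module modules/mod_dav.so
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
EOF
}

# Stand-alone run: audit the sample file and print the findings.
sample="$(mktemp)"
write_sample_conf "$sample"
audit_httpd_conf "$sample"
rm -f "$sample"
```

The sample yields 14 findings: two non-core modules, eleven missing core modules, and one protocol (TLSv1.1) that the SSLProtocol line still allows.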
    
# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_configure_valid_server_cert.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure A Valid Server Certificate'

description: |-
    Configure the web site to use a valid organizationally defined certificate. For DoD, this is a DoD server certificate issued by the DoD CA.

rationale: |-
    This check verifies that DoD is a hosted web site's CA. The certificate is actually a DoD-issued server certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not for the server (Certificate belongs to), if the certificate is not issued by DoD (Certificate was issued by), or if the current date is not included in the valid date (Certificate is valid from), then there is no assurance that the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.

severity: medium

identifiers:
    cce: "80559-8"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG350

ocil_clause: 'it is not'

ocil: |-
    Open a browser window and browse to the appropriate site. Before entry to the site, you should be presented with the server's PKI credentials. Review these credentials for authenticity.

    For DoD, find an entry which cites:
        Issuer:
        CN =
        DOD CLASS 3 CA-3
        OU = PKI
        OU = DoD
        O = U.S. Government
        C = US
    
# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_deploy_mod_ssl.group
documentation_complete: true

title: 'Deploy mod_ssl'

description: |-
    Because HTTP is a plain text protocol, all traffic is susceptible to passive monitoring. If there is a need for confidentiality, SSL should be configured and enabled to encrypt content.

    Note: mod_nss is a FIPS 140-2 certified alternative to mod_ssl. The modules share a considerable amount of code and should be nearly identical in functionality. If FIPS 140-2 validation is required, then mod_nss should be used. If mod_ssl provides a needed feature or its greater compatibility is required, then mod_ssl should be used.

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_install_mod_ssl.rule
documentation_complete: true

prodtype: rhel7

title: 'Install mod_ssl'

description: |-
    Install the mod_ssl module:
        $ sudo yum install mod_ssl

rationale: |-
    mod_ssl provides encryption capabilities for the httpd Web server. Unencrypted content is transmitted in plain text which could be passively monitored and accessed by unauthorized parties.

severity: unknown

identifiers:
    cce@rhel7: 80320-5

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_require_client_certs.rule
documentation_complete: true

prodtype: rhel7

title: 'Require Client Certificates'

description: |-
    SSLVerifyClient should be set and configured to require by setting the following in /etc/httpd/conf/httpd.conf:
        SSLVerifyClient require

rationale: |-
    Web sites requiring authentication within the DoD must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity must use the identity provided by certificate-based authentication to support access control decisions.

severity: medium

identifiers:
    cce: "80558-0"

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG140

ocil_clause: 'it is not'

ocil: |-
    To verify if SSLVerifyClient is configured correctly in /etc/httpd/conf/httpd.conf, run the following command:
        $ grep -i sslverifyclient /etc/httpd/conf/httpd.conf
    The command should return the following:
        SSLVerifyClient require
# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_modules_improve_security.group
documentation_complete: true

title: 'Use Appropriate Modules to Improve httpd''s Security'

description: |-
    Among the modules available for httpd are several whose use may improve the security of the web server installation. This section recommends and discusses the deployment of security-relevant modules.

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_nipr_accredited_dmz.rule
documentation_complete: true

prodtype: rhel7

title: 'A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ extension'

description: |-
    To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Logically relocate public web servers to be isolated from internal systems. In addition, ensure the public web server does not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) other than application and/or database servers that are a part of the same system as the web server.

rationale: |-
    Public web servers are by nature more vulnerable to attack from publicly based sources, such as the public Internet. Once compromised, a public server might be used as a base for further attack on private resources, unless additional layers of protection are implemented. Public web servers must be located in a DoD DMZ Extension, if hosted on the NIPRNet, with carefully controlled access. Failure to isolate resources in this way increases the risk that private assets are exposed to attacks from public sources. An improperly located public web server is a potential threat to the entire network.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: "WA060"

ocil_clause: 'the web server is not isolated in an accredited DoD DMZ Extension'

ocil: |-
    Interview the SA or web administrator to see where the public web server is logically located in the data center. Review the site network diagram to see how the web server is connected to the LAN. Visually check the web server hardware connections to see if it conforms to the site network diagram.

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_no_compilers_in_prod.rule
documentation_complete: true

prodtype: rhel7

title: 'Installation of a compiler on production web server is prohibited'

description: |-
    The presence of a compiler on a production server facilitates the malicious user's task of creating custom versions of programs and installing Trojan Horses or viruses.

rationale: |-
    An attacker's code could be uploaded and compiled on the server under attack.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: "WG080"

ocil_clause: |-
    the web server is part of an application suite and a compiler is needed for installation, patching, and upgrading of the suite or if the compiler is embedded and can't be removed without breaking the suite, document the installation of the compiler with the ISSO/ISSM and verify that the compiler is restricted to administrative users only. If documented and restricted to administrative users, this is not a finding. If an undocumented compiler is present, and available to non-administrative users

ocil: |-
    Query the SA and the Web Manager to determine if a compiler is present on the server.

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_private_server_on_separate_subnet.rule
documentation_complete: true

prodtype: rhel7

title: 'A private web server must be located on a separate controlled access subnet'

description: |-
    Private web servers, which host sites that serve controlled access data, must be protected from outside threats in addition to insider threats. Isolate the private web server from the public DMZ and separate it from the internal general population LAN.

rationale: |-
    Insider threat may be accidental or intentional but, in either case, can cause a disruption in service of the web server. To protect the private web server from these threats, it must be located on a separate controlled access subnet and must not be part of the public DMZ that houses the public web servers. It also cannot be located inside the enclave as part of the local general population LAN.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: "WA070"

ocil_clause: 'the private web server is not on a separate controlled access subnet'

ocil: |-
    Verify the site's network diagram and visually check the web server to ensure that the private web server is located on a separate controlled access subnet and is not part of the public DMZ that houses the public web servers. In addition, the private web server needs to be isolated via a controlled access mechanism from the local general population LAN.

# file: scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_public_resources_not_shared.rule
documentation_complete: true

prodtype: rhel7

title: 'Public web server resources must not be shared with private assets'

description: |-
    It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets.

rationale: |-
    When folders, drives, or other resources are directly shared between the public web server and private servers, the intent of data and resource segregation can be compromised. In addition to the requirements of the DoD Internet-NIPRNet DMZ STIG that isolates inbound traffic from the external network to the internal network, resources such as printers, files, and folders/directories will not be shared between public web servers and assets located within the internal network.

severity: medium

identifiers:
    cce: ""

references:
    disa: ""
    nist: ""
    srg: ""
    stigid: "WG040"

ocil_clause: |-
    sharing is selected for any web folder, this is a finding. If private resources (e.g. drives, partitions, folders/directories, printers, etc.) are shared with the public web server

ocil: |-
    Configure the public web server to not have a trusted relationship with any system resources that are also not accessible to the public. Web content is not to be shared via Microsoft shares or NFS mounts. Determine whether the public web server has a two-way trust relationship with any private asset located within the network. Private web server resources (e.g. drives, folders, printers, etc.) will not be directly mapped to or shared with public web servers.
Search for backup copies of CGI scripts on the web server or ask the Web Administrator if they keep backup copies of CGI scripts on the web server. Common backup file extensions are: *.bak, *.old, *.temp, *.tmp, *.backup, *.??0. This would also apply to .jsp files. On Red Hat Enterprise Linux, run the following commands to find backup scripts:
find / name "*.bak" -print
    find / name "*.*" -print
    find / name "*.old" -print
scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_restrict_info_leakage.group
documentation_complete: true
title: 'Restrict Web Server Information Leakage'
description: |-
    The ServerTokens and ServerSignature directives determine how much information the web server discloses about the configuration of the system.

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_serversignature_off.rule
documentation_complete: true
prodtype: rhel7
title: 'Set httpd ServerSignature Directive to Off'
description: |-
    ServerSignature Off restricts httpd from displaying the server version number on error pages.

    Add or correct the following directive in /etc/httpd/conf/httpd.conf:
    ServerSignature Off
rationale: |-
    Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum.
severity: unknown
identifiers:
    cce@rhel7: 80303-1
references:
    nist: CM-7

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_restrict_info_leakage/httpd_servertokens_prod.rule
documentation_complete: true
prodtype: rhel7
title: 'Set httpd ServerTokens Directive to Prod'
description: |-
    ServerTokens Prod restricts information in page headers, returning only the word "Apache."

    Add or correct the following directive in /etc/httpd/conf/httpd.conf:
    ServerTokens Prod
rationale: |-
    Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum.
severity: unknown
identifiers:
    cce@rhel7: 80302-3
references:
    nist: CM-7

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_secure_content/httpd_configure_banner_page.rule
documentation_complete: true
prodtype: rhel7
title: 'Configure A Banner Page For Each Website'
description: |-
    Configure a login banner for each website when authentication is required for user access.
rationale: |-
    A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the website via a browser can be used to confirm the information provided from interviewing the web staff.
severity: low
identifiers:
    cce: ""
references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG265
ocil_clause: 'it does not display the required banner'
ocil: |-
    The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The banner should be set to the following:

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_secure_content/httpd_configure_documentroot.rule
documentation_complete: true
prodtype: rhel7
title: 'Each Web Content Directory Must Contain An index.html File'
description: |-
    Every DocumentRoot that is configured should have an index.html file that exists. Add an index.html file to every configured DocumentRoot.
rationale: |-
    The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor in accomplishing this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories with default pages. This practice helps ensure that the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version.
severity: low
identifiers:
    cce: ""
references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG170
ocil_clause: 'it is not'
ocil: |-
    To verify that each web content directory has an index.html file, run the following command:
    $ sudo find `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` -name index.html
    The output should return an index.html file for every DocumentRoot that is set.

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_secure_content/httpd_disable_content_symlinks.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable Web Content Symbolic Links'
description: |-
    For each <Directory> instance, remove the following:
    FollowSymLinks
    If symbolic links are allowed, the following can be added for each <Directory> instance instead (the option is named SymLinksIfOwnerMatch; it only follows a link when the link and its target have the same owner):
    Options SymLinksIfOwnerMatch
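The ServerTokens, ServerSignature and FollowSymLinks rules above each ask for a manual inspection of httpd.conf. The script below is an added example (not SCAP Security Guide code) that audits all three in one pass: it reads the effective value of a global directive (Apache applies the last occurrence), and walks each <Directory> block to report the ones whose Options line enables FollowSymLinks. It parses only the single file passed to it and does not follow Include directives (an assumption for the example); the weak and hardened configurations it writes to temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): audit an httpd.conf for
# ServerTokens, ServerSignature and per-<Directory> FollowSymLinks.
# Only the given file is parsed; Include files are not followed (assumption).

# Print the value of the last uncommented occurrence of global directive $1 in file $2.
# Apache uses the last occurrence, so that is the effective value.
httpd_directive_value() {
    awk -v d="$1" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(d) { v = $2 }
        END { print v }' "$2"
}

check_servertokens()    { [ "$(httpd_directive_value ServerTokens "$1")" = "Prod" ]; }
check_serversignature() { [ "$(httpd_directive_value ServerSignature "$1")" = "Off" ]; }

# Print the path of every <Directory> block whose Options line enables
# FollowSymLinks (bare or with a leading "+"). Empty output means the rule is met.
directories_with_followsymlinks() {
    awk '
        /^[[:space:]]*<Directory[[:space:]]/ { path = $2; gsub(/[">]/, "", path); follow = 0 }
        /^[[:space:]]*Options[[:space:]]/ && path != "" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i); sub(/^[+]/, "", o)
                if (o == "followsymlinks") follow = 1
            }
        }
        /^[[:space:]]*<\/Directory>/ { if (follow) print path; path = "" }' "$1"
}

# Run all three checks; print one line per failure and return non-zero on any failure.
audit_httpd_conf() {
    rc=0
    check_servertokens "$1"    || { echo "ServerTokens is not Prod"; rc=1; }
    check_serversignature "$1" || { echo "ServerSignature is not Off"; rc=1; }
    dirs=$(directories_with_followsymlinks "$1")
    [ -z "$dirs" ] || { echo "FollowSymLinks enabled in: $dirs"; rc=1; }
    return $rc
}

# Constructed sample configurations written to a temporary file; $1 is "weak" or "hardened".
make_sample_httpd_conf() {
    f=$(mktemp)
    if [ "$1" = "weak" ]; then
        cat > "$f" <<'EOF'
ServerTokens OS
ServerSignature On
# ServerTokens Prod   (commented out: must be ignored by the audit)
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/cgi-bin">
    Options None
</Directory>
EOF
    else
        cat > "$f" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options Indexes SymLinksIfOwnerMatch
    AllowOverride None
</Directory>
<Directory "/var/www/cgi-bin">
    Options None
</Directory>
EOF
    fi
    printf '%s\n' "$f"
}

# Stand-alone run: audit the constructed weak configuration.
if [ "${1:-}" = "--demo" ]; then
    audit_httpd_conf "$(make_sample_httpd_conf weak)" || echo "findings present"
fi
```

On a real system, pass /etc/httpd/conf/httpd.conf and repeat for each file under /etc/httpd/conf.d, since a directive set there overrides the main file.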
rationale: |-
    A symbolic link allows a file or a directory to be referenced using a symbolic name, raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the web user could be allowed to access locations on the web server that are outside the scope of the web document root or home directory.
severity: high
identifiers:
    cce: ""
references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG360
ocil_clause: 'it is not'
ocil: |-
    Inspect each <Directory> instance and verify that either
    FollowSymLinks
    does not exist, or
    Options SymLinksIfOwnerMatch
    is configured properly.

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_secure_content/httpd_encrypt_file_uploads.rule
documentation_complete: true
prodtype: rhel7
title: 'Encrypt All File Uploads'
description: |-
    Use only secure encrypted logons and connections for uploading files to the web site.
rationale: |-
    Logging in to a web server via an unencrypted protocol or service, to upload documents to the web site, is a risk if proper encryption is not utilized to protect the data being transmitted. An encrypted protocol or service must be used for remote access to web administration tasks.
severity: high
identifiers:
    cce: ""
references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG235
ocil_clause: 'it is not'
ocil: |-
    Determine if there is a process for the uploading of files to the web site. This process should include the requirement for the use of a secure encrypted logon and secure encrypted connection. If the remote users are uploading files without utilizing approved encryption methods, this is a finding.

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_secure_content/httpd_limit_java_files.rule
documentation_complete: true
prodtype: rhel7
title: 'Remove .java And .jpp Files'
description: |-
    .java and .jpp files should not exist and should be removed from the web server.
rationale: |-
    From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application's logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.
severity: low
identifiers:
    cce: ""
references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG490
ocil_clause: 'it is not'
ocil: |-
    To verify that no .java and .jpp files exist, run the following command:
    find / -name "*.java" -o -name "*.jpp"
    The output should not return any .java or .jpp files.

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_secure_content/httpd_remove_robots_file.rule
documentation_complete: true
prodtype: rhel7
title: 'The robots.txt Files Must Not Exist'
description: |-
    Remove any robots.txt files that may exist with any web content. Other methods must be employed if there is information on the web site that needs protection from search engines and public view. Inspect all instances of DocumentRoot and Alias and remove any robots.txt file.
$ sudo rm -f path/to/robots.txt
rationale: |-
    Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In turn, these search engines make the content they obtain and catalog available to any public web user.

    To request that a well-behaved search engine not crawl and catalog a site, the web site may contain a file called robots.txt. This file lists directories and files that the web server SA desires not be crawled or cataloged, but this file can also be used, by an attacker or poorly coded search engine, as a directory and file index to a site. This information may be used to reduce an attacker's time searching and traversing the web site to find files that might be relevant. If information on the web site needs to be protected from search engines and public view, other methods must be used.
severity: medium
identifiers:
    cce: ""
references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG310
ocil_clause: 'it is not'
ocil: |-
    Inspect all instances of DocumentRoot and Alias. No robots.txt file should exist.

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_secure_content/httpd_secure_content.group
documentation_complete: true
title: 'Configure HTTPD-Served Web Content Securely'
description: |-
    Running httpd inside a chroot jail is designed to isolate the web server process to a small section of the filesystem, limiting the damage if it is compromised. Versions of Apache greater than 2.2.10 (such as the one included with Red Hat Enterprise Linux 7) provide the ChrootDir directive. To run Apache inside a chroot jail in /chroot/apache, add the following line to /etc/httpd/conf/httpd.conf:
    ChrootDir /chroot/apache
    This necessitates placing all files required by httpd inside /chroot/apache, including httpd's binaries, modules, configuration files, and served web pages. The details of this configuration are beyond the scope of this guide. This may also require additional SELinux configuration.

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_secure_content/partition_for_web_content.rule
documentation_complete: true
prodtype: rhel7
title: 'Ensure Web Content Located on Separate partition'
description: |-
    The DocumentRoot directory is used for storing web content and data. Ensure that the DocumentRoot directory exists on a separate logical volume at installation time, or migrate it using LVM.
rationale: |-
    Application partitioning enables an additional security measure by securing user traffic under one security context, while managing system and application files under another. Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is both avoidable and undesirable. Failure to partition the system files from the web site documents increases the risk of attack via directory traversal, or impedes web site availability due to drive space exhaustion.
severity: medium
identifiers:
    cce: ""
references:
    disa: ""
    nist: ""
    srg: ""
    stigid: WG205
ocil_clause: 'it is not'
ocil: |-
    To verify that each web content directory exists on a separate partition, run the following command:
    $ grep `grep -i documentroot /etc/httpd/conf/httpd.conf | awk -F'"' '{print $2}'` /etc/fstab
Each of the corresponding DocumentRoot entries should have a corresponding entry in /etc/fstab. var_web_login_banner_text.var000066400000000000000000000231711327242345500377600ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_secure_contentdocumentation_complete: true title: 'Login Banner Verbiage' description: |- Enter an appropriate login banner for your organization. Please note that new lines must be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'. type: string operator: equals interactive: false options: dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+a
nd[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t.)$ dod_default: 
You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the
[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details. dod_short: I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t. dss_odaa_default: "[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times.[\\s\\n]+This[\\s\\n]+is[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+and[\\s\\n]+related[\\s\\n]+equipment[\\s\\n]+are[\\s\\n]+intended[\\s\\n]+for[\\s\\n]+the[\\s\\n]+communication,[\\s\\n]+transmission,[\\s\\n]+processing,[\\s\\n]+and[\\s\\n]+storage[\\s\\n]+of[\\s\\n]+official[\\s\\n]+U.S.[\\s\\n]+Government[\\s\\n]+or[\\s\\n]+other[\\s\\n]+authorized[\\s\\n]+information[\\s\\n]+only.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times[\\s\\n]+to[\\s\\n]+ensure[\\s\\n]+proper[\\s\\n]+functioning[\\s\\n]+of[\\\ 
s\\n]+equipment[\\s\\n]+and[\\s\\n]+systems[\\s\\n]+including[\\s\\n]+security[\\s\\n]+devices[\\s\\n]+and[\\s\\n]+systems,[\\s\\n]+to[\\s\\n]+prevent[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+and[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+statutes[\\s\\n]+and[\\s\\n]+security[\\s\\n]+regulations,[\\s\\n]+to[\\s\\n]+deter[\\s\\n]+criminal[\\s\\n]+activity,[\\s\\n]+and[\\s\\n]+for[\\s\\n]+other[\\s\\n]+similar[\\s\\n]+purposes.[\\s\\n]+Any[\\s\\n]+user[\\s\\n]+of[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+should[\\s\\n]+be[\\s\\n]+aware[\\s\\n]+that[\\s\\n]+any[\\s\\n]+information[\\s\\n]+placed[\\s\\n]+in[\\s\\n]+the[\\s\\n]+system[\\s\\n]+is[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+and[\\s\\n]+is[\\s\\n]+not[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+any[\\s\\n]+expectation[\\s\\n]+of[\\s\\n]+privacy.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\\ 
s\\n]+reveals[\\s\\n]+possible[\\s\\n]+evidence[\\s\\n]+of[\\s\\n]+violation[\\s\\n]+of[\\s\\n]+criminal[\\s\\n]+statutes,[\\s\\n]+this[\\s\\n]+evidence[\\s\\n]+and[\\s\\n]+any[\\s\\n]+other[\\s\\n]+related[\\s\\n]+information,[\\s\\n]+including[\\s\\n]+identification[\\s\\n]+information[\\s\\n]+about[\\s\\n]+the[\\s\\n]+user,[\\s\\n]+may[\\s\\n]+be[\\s\\n]+provided[\\s\\n]+to[\\s\\n]+law[\\s\\n]+enforcement[\\s\\n]+officials.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+reveals[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+unauthorized[\\s\\n]+use,[\\s\\n]+employees[\\s\\n]+who[\\s\\n]+violate[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+make[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+of[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+appropriate[\\s\\n]+disciplinary[\\\ s\\n]+action.[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times." 
usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials. httpd_use_dos_protection_modules/000077500000000000000000000000001327242345500344535ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/http/securing_httpdhttpd_use_dos_protection_modules.group000066400000000000000000000012151327242345500443720ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/httpd_use_dos_protection_modulesdocumentation_complete: true title: 'Use Denial-of-Service Protection Modules' description: |- Denial-of-service attacks are difficult to detect and prevent while maintaining acceptable access to authorized users. However, some traffic-shaping modules can be used to address the problem. Well-known DoS protection modules include:
    mod_cband
    mod_bwshare
    mod_limitipconn
    mod_evasive
    Denial-of-service prevention should be implemented for a web server if such a threat exists. However, specific configuration details are very dependent on the environment and often best left at the discretion of the administrator.

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/securing_httpd.group
documentation_complete: true
title: 'Secure Apache Configuration'
description: |-
    The httpd configuration file is /etc/httpd/conf/httpd.conf. Apply the recommendations in the remainder of this section to this file.

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/var_httpd_loglevel.var
documentation_complete: true
title: 'HTTPD Log Level'
description: 'The setting for LogLevel in /etc/httpd/conf/httpd.conf'
type: string
operator:
interactive: false
options:
    alert: alert
    crit: crit
    default: warn
    emerg: emerg
    error: error
    warn: warn

scap-security-guide-0.1.39/shared/guide/services/http/securing_httpd/var_max_keepalive_requests.var
documentation_complete: true
title: 'Maximum KeepAlive Requests for HTTPD'
description: 'The setting for MaxKeepAliveRequests in httpd.conf'
type: number
operator:
interactive: false
options:
    100: 100
    1000: 1000
    10000: 10000
    100000: 100000
    500: 500
    default: 100

scap-security-guide-0.1.39/shared/guide/services/imap/configure_dovecot/configure_dovecot.group
documentation_complete: true
title: 'Configure Dovecot if Necessary'
description: |-
    If the system will operate as an IMAP or POP3 server, the dovecot software should be configured securely by following the recommendations below.

scap-security-guide-0.1.39/shared/guide/services/imap/configure_dovecot/dovecot_allow_imap_access/dovecot_allow_imap_access.group
documentation_complete: true
title: 'Allow IMAP Clients to Access the Server'
description: |-
    The default firewalld configuration does not allow inbound access to any services. This modification will allow remote hosts to initiate connections to the IMAP daemon, while keeping all other ports on the server in their default protected state.

scap-security-guide-0.1.39/shared/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_configure_ssl_cert.rule
documentation_complete: true
prodtype: rhel7
title: 'Configure Dovecot to Use the SSL Certificate file'
description: |-
    This option tells Dovecot where to find the mail server's SSL Certificate.

    Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line (note: the path below is the default path set by the Dovecot installation. If you are using a different path, ensure you reference the appropriate file):
    ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
rationale: |-
    SSL certificates are used by the client to authenticate the identity of the server, as well as to encrypt credentials and message traffic. Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network.
severity: unknown
identifiers:
    cce@rhel7: 80297-5

scap-security-guide-0.1.39/shared/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_configure_ssl_key.rule
documentation_complete: true
prodtype: rhel7
title: 'Configure Dovecot to Use the SSL Key file'
description: |-
    This option tells Dovecot where to find the mail server's SSL Key.

    Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line (note: the path below is the default path set by the Dovecot installation. If you are using a different path, ensure you reference the appropriate file):
    ssl_key = </etc/pki/dovecot/private/dovecot.pem
rationale: |-
    SSL certificates are used by the client to authenticate the identity of the server, as well as to encrypt credentials and message traffic. Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network.
severity: unknown
identifiers:
    cce@rhel7: 80298-3

scap-security-guide-0.1.39/shared/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable Plaintext Authentication'
description: |-
    To prevent Dovecot from attempting plaintext authentication of clients, edit /etc/dovecot/conf.d/10-auth.conf and add or correct the following line:
    disable_plaintext_auth = yes
rationale: |-
    Using plain text authentication to the mail server could allow an attacker access to credentials by monitoring network traffic.
severity: unknown
identifiers:
    cce@rhel7: 80299-1

scap-security-guide-0.1.39/shared/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the SSL flag in /etc/dovecot.conf'
description: |-
    To allow clients to make encrypted connections, the ssl flag in Dovecot's configuration file needs to be set to yes.

Edit /etc/dovecot/conf.d/10-ssl.conf and add or correct the following line:
ssl = yes
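The Dovecot rules above (ssl, ssl_cert, ssl_key and disable_plaintext_auth) and the protocols setting described in the following group each name one line in a configuration file. The script below is an added example (neither Dovecot's nor the SCAP Security Guide's code) that audits those settings by parsing the files directly: it takes the configuration directory as a parameter (/etc/dovecot on a real host), reads each setting from the file the rule names without reproducing Dovecot's !include handling (an assumption for the example), accepts "required" as well as "yes" for ssl since that is Dovecot's stricter value, and checks that the listed protocols are all in a site-supplied allow list. The weak and hardened trees it writes under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Dovecot or SCAP Security Guide code): audit the Dovecot
# settings named by the rules. $1 is the configuration directory; each setting
# is read from the file its rule names, and !include is not followed (assumption).

# Print the value of the last uncommented "key = value" line for key $2 in file $1.
dovecot_setting() {
    awk -v k="$2" '
        { line = $0; sub(/#.*$/, "", line) }
        index(line, "=") {
            key = line; sub(/[[:space:]]*=.*$/, "", key); sub(/^[[:space:]]+/, "", key)
            if (key == k) {
                val = line; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
                v = val
            }
        }
        END { print v }' "$1"
}

# ssl must be "yes" as the rule states; "required" is the stricter value and also passes.
check_dovecot_ssl() {
    v=$(dovecot_setting "$1/conf.d/10-ssl.conf" ssl)
    [ "$v" = "yes" ] || [ "$v" = "required" ]
}

# ssl_cert and ssl_key must both use the "<path" form so Dovecot reads the PEM file.
check_dovecot_cert_key() {
    c=$(dovecot_setting "$1/conf.d/10-ssl.conf" ssl_cert)
    k=$(dovecot_setting "$1/conf.d/10-ssl.conf" ssl_key)
    case "$c" in "<"*) ;; *) return 1 ;; esac
    case "$k" in "<"*) ;; *) return 1 ;; esac
    return 0
}

check_dovecot_plaintext() {
    [ "$(dovecot_setting "$1/conf.d/10-auth.conf" disable_plaintext_auth)" = "yes" ]
}

# Every protocol listed in dovecot.conf must appear in the allow list $2 (space separated).
check_dovecot_protocols() {
    for p in $(dovecot_setting "$1/dovecot.conf" protocols); do
        case " $2 " in *" $p "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample configuration trees; $1 is "weak" or "hardened".
make_sample_dovecot_conf() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d"
    if [ "$1" = "weak" ]; then
        printf 'protocols = imap pop3 lmtp\n' > "$d/dovecot.conf"
        printf 'ssl = no\n# ssl_cert = </etc/pki/dovecot/certs/dovecot.pem\n' > "$d/conf.d/10-ssl.conf"
        printf 'disable_plaintext_auth = no\n' > "$d/conf.d/10-auth.conf"
    else
        printf 'protocols = imap\n' > "$d/dovecot.conf"
        printf 'ssl = required\nssl_cert = </etc/pki/dovecot/certs/dovecot.pem\nssl_key = </etc/pki/dovecot/private/dovecot.pem\n' > "$d/conf.d/10-ssl.conf"
        printf 'disable_plaintext_auth = yes\n' > "$d/conf.d/10-auth.conf"
    fi
    printf '%s\n' "$d"
}

# Stand-alone run: report each check for the constructed weak tree.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_dovecot_conf weak)
    for c in check_dovecot_ssl check_dovecot_cert_key check_dovecot_plaintext; do
        $c "$t" && echo "$c: pass" || echo "$c: FAIL"
    done
    check_dovecot_protocols "$t" "imap pop3" && echo "protocols: pass" || echo "protocols: FAIL"
fi
```

On a live server, `doveconf -n` prints the merged effective configuration and is the authoritative source when settings are spread across several included files; the parser here is deliberately file-scoped so it runs without Dovecot installed.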
rationale: |-
    SSL encrypts network traffic between the Dovecot server and its clients, protecting user credentials and mail as it is downloaded; clients may also use SSL certificates to authenticate the server, preventing another system from impersonating it.
severity: unknown
identifiers:
    cce@rhel7: 80296-7

scap-security-guide-0.1.39/shared/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enabling_ssl.group
documentation_complete: true
title: 'Enable SSL Support'
description: |-
    SSL should be used to encrypt network traffic between the Dovecot server and its clients. Users must authenticate to the Dovecot server in order to read their mail, and passwords should never be transmitted in clear text. In addition, protecting mail as it is downloaded is a privacy measure, and clients may use SSL certificates to authenticate the server, preventing another system from impersonating the server.

scap-security-guide-0.1.39/shared/guide/services/imap/configure_dovecot/dovecot_support_necessary_protocols/dovecot_support_necessary_protocols.group
documentation_complete: true
title: 'Support Only the Necessary Protocols'
description: |-
    Dovecot supports the IMAP and POP3 protocols, as well as SSL-protected versions of those protocols. Configure the Dovecot server to support only the protocols needed by your site. Edit /etc/dovecot/dovecot.conf. Add or correct the following line, replacing PROTOCOL with only the subset of protocols (imap, imaps, pop3, pop3s) required:
    protocols = PROTOCOL
    If possible, require SSL protection for all transactions. The SSL protocol variants listen on alternate ports (995 instead of 110 for pop3s, and 993 instead of 143 for imaps), and require SSL-aware clients. An alternate approach is to listen on the standard port and require the client to use the STARTTLS command before authenticating.

scap-security-guide-0.1.39/shared/guide/services/imap/disabling_dovecot/disabling_dovecot.group
documentation_complete: true
title: 'Disable Dovecot'
description: |-
    If the system does not need to operate as an IMAP or POP3 server, the dovecot software should be disabled and removed.

scap-security-guide-0.1.39/shared/guide/services/imap/disabling_dovecot/package_dovecot_removed.rule
documentation_complete: true
prodtype: rhel7
title: 'Uninstall dovecot Package'
description: |-
    The dovecot package can be uninstalled with the following command:
$ sudo yum erase dovecot
rationale: |- If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation. severity: unknown identifiers: cce@rhel7: 80295-9 ocil: '' service_dovecot_disabled.rule000066400000000000000000000006711327242345500341240ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/imap/disabling_dovecotdocumentation_complete: true prodtype: rhel7 title: 'Disable Dovecot Service' description: '' rationale: |- Running an IMAP or POP3 server provides a network-based avenue of attack, and should be disabled if not needed. severity: unknown identifiers: cce@rhel7: 80294-2 references: cis: 2.2.11 ocil: '' scap-security-guide-0.1.39/shared/guide/services/imap/imap.group000066400000000000000000000004521327242345500246220ustar00rootroot00000000000000documentation_complete: true title: 'IMAP and POP3 Server' description: |- Dovecot provides IMAP and POP3 services. It is not installed by default. The project page at contains more detailed information about Dovecot configuration. scap-security-guide-0.1.39/shared/guide/services/ldap/000077500000000000000000000000001327242345500226075ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/ldap/ldap.group000066400000000000000000000004541327242345500246100ustar00rootroot00000000000000documentation_complete: true title: LDAP description: |- LDAP is a popular directory service, that is, a standardized way of looking up information from a central database. Red Hat Enterprise Linux 7 includes software that enables a system to act as both an LDAP client and server. 
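The following shell script is an added example and is not part of the SCAP Security Guide content above. It audits the `protocols` line described in the Dovecot "Support Only the Necessary Protocols" group: it reports the effective value (last uncommented line wins), flags the plaintext `imap`/`pop3` variants and any name outside the four listed in the rule, and treats a missing line as a finding since the site's subset is then not configured. The sample configuration files and their contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the SCAP Security Guide): audit the "protocols"
# setting of a dovecot.conf against the subset of protocols a site allows.
# Protocol names imap/imaps/pop3/pop3s follow the rule text; sample
# configurations are constructed for the demonstration.

# dovecot_protocols FILE: print the value of the last uncommented
# "protocols =" line, or nothing if the file has none.
dovecot_protocols() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*protocols[ \t]*=/ {
            sub(/^[ \t]*protocols[ \t]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            value = $0
        }
        END { print value }
    ' "$1"
}

# dovecot_protocol_findings FILE: print one finding per line and return the
# number of findings. Plaintext imap/pop3 and unknown names are reported; an
# absent line is reported too, because the site's subset is then not set.
dovecot_protocol_findings() {
    protocols=$(dovecot_protocols "$1")
    n=0
    if [ -z "$protocols" ]; then
        echo "no protocols line: the site's subset is not configured"
        return 1
    fi
    for p in $protocols; do
        case "$p" in
            imaps|pop3s) ;;
            imap|pop3)   echo "plaintext protocol enabled: $p"; n=$((n + 1)) ;;
            *)           echo "unexpected protocol name: $p"; n=$((n + 1)) ;;
        esac
    done
    return $n
}

# write_dovecot_samples: write constructed sample files to a temp directory
# and print its name.
write_dovecot_samples() {
    dir=$(mktemp -d)
    cat > "$dir/ssl-only.conf" <<'EOF'
# constructed sample: only the SSL variants are enabled
#protocols = imap pop3
protocols = imaps pop3s
EOF
    cat > "$dir/mixed.conf" <<'EOF'
# constructed sample: an earlier line is overridden by a later one
protocols = imaps
protocols = imap pop3 imaps
EOF
    echo "$dir"
}

dir=$(write_dovecot_samples)
for f in ssl-only mixed; do
    echo "== $f.conf: protocols = $(dovecot_protocols "$dir/$f.conf")"
    dovecot_protocol_findings "$dir/$f.conf" || echo "   $? finding(s)"
done
rm -rf "$dir"
```

On a real host, run `dovecot_protocol_findings /etc/dovecot/dovecot.conf`; the return value is the number of findings, so it can be used directly as a check's exit status.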
scap-security-guide-0.1.39/shared/guide/services/ldap/openldap_client/000077500000000000000000000000001327242345500257475ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/ldap/openldap_client/enable_ldap_client.rule000066400000000000000000000022161327242345500324250ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Enable the LDAP Client For Use in Authconfig' description: |- To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig


If USELDAPAUTH=yes, then LDAP is being used. If not, set USELDAPAUTH to yes. rationale: |- Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL. severity: medium identifiers: cce@rhel7: 80448-4 references: disa: 1453 nist: AC-17(2),CM-7 srg: SRG-OS-000250-GPOS-00093 ocil_clause: 'USELDAPAUTH=yes is not configured correctly in /etc/sysconfig/authconfig' ocil: |- To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig
The output should return:
USELDAPAUTH=yes
scap-security-guide-0.1.39/shared/guide/services/ldap/openldap_client/ldap_client_start_tls.rule000066400000000000000000000023431327242345500332170ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Configure LDAP Client to Use TLS For All Transactions' description: |- This check verifies that RHEL7 implements cryptography to protect the integrity of remote LDAP authentication sessions.

To determine if LDAP is being used for authentication, use the following command:
$ sudo grep -i useldapauth /etc/sysconfig/authconfig


If USELDAPAUTH=yes, then LDAP is being used. To check if LDAP is configured to use TLS, use the following command:
$ sudo grep -i ssl /etc/pam_ldap.conf
rationale: "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection. The ssl directive specifies \nwhether to use TLS or not. If not specified it will default to no. \nIt should be set to start_tls rather than doing LDAP over SSL." severity: medium identifiers: cce@rhel7: 80291-8 references: disa: 1453 nist: AC-17(2),CM-7 srg: SRG-OS-000250-GPOS-00093 ocil_clause: 'the ''ssl'' option is not ''start_tls''' ocil: |- If the system is not using TLS, set the ssl option in /etc/pam_ldap.conf to start_tls. ldap_client_tls_cacertpath.rule000066400000000000000000000021771327242345500341260ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/ldap/openldap_clientdocumentation_complete: true prodtype: rhel7 title: 'Configure Certificate Directives for LDAP Use of TLS' description: "Ensure a copy of a trusted CA certificate has been placed in\nthe file /etc/pki/tls/CA/cacert.pem. Configure LDAP to enforce TLS \nuse and to trust certificates signed by that CA. First, edit the file \n/etc/nslcd.conf, and add or correct either of the following lines:\n
tls_cacertdir /etc/pki/tls/CA
\nor\n
tls_cacertfile /etc/pki/tls/CA/cacert.pem
\nThen review the LDAP server and ensure TLS has been configured." rationale: |- The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA. severity: medium identifiers: cce@rhel7: 80292-6 references: disa: 776,778,1453 nist: CM-7 ocil_clause: 'there is no output, or the lines are commented out' ocil: |- To ensure TLS is configured with trust certificates, run the following command:
$ grep cert /etc/nslcd.conf
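The following shell script is an added example, not part of the SCAP Security Guide rules above. It combines the three LDAP client checks those rules describe: whether `USELDAPAUTH=yes` is set in the authconfig file, whether the `ssl` directive in pam_ldap.conf is `start_tls` (treating an absent directive as `no`, as the rule text states), and whether nslcd.conf names a CA via `tls_cacertdir` or `tls_cacertfile`. The sample file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the SCAP Security Guide): audit the LDAP client
# files named in the rules above: the authconfig flag USELDAPAUTH, the "ssl"
# directive of pam_ldap.conf, and the CA trust directives of nslcd.conf.
# The sample file contents are constructed for the demonstration.

# ldap_auth_enabled FILE: true when USELDAPAUTH=yes is set (case-insensitive,
# the condition the rules' grep command looks for; comments are ignored).
ldap_auth_enabled() {
    grep -qi '^[[:space:]]*USELDAPAUTH=yes[[:space:]]*$' "$1"
}

# pam_ldap_ssl_mode FILE: print the effective "ssl" directive. The rule text
# says an absent directive means "no", so that is printed in that case.
pam_ldap_ssl_mode() {
    awk '$1 == "ssl" { mode = $2 } END { print (mode == "" ? "no" : mode) }' "$1"
}

# nslcd_ca_trust FILE: print the uncommented tls_cacertdir / tls_cacertfile
# directives (nothing when neither is set).
nslcd_ca_trust() {
    awk '$1 == "tls_cacertdir" || $1 == "tls_cacertfile" { print $1, $2 }' "$1"
}

# ldap_client_findings AUTHCONFIG PAM_LDAP_CONF NSLCD_CONF: print one finding
# per line and return the number of findings. A host that does not use LDAP
# authentication has nothing to check and returns 0.
ldap_client_findings() {
    n=0
    if ! ldap_auth_enabled "$1"; then
        echo "USELDAPAUTH is not yes in $1: LDAP authentication not in use"
        return 0
    fi
    mode=$(pam_ldap_ssl_mode "$2")
    if [ "$mode" != "start_tls" ]; then
        echo "ssl is '$mode' in $2, expected start_tls"; n=$((n + 1))
    fi
    if [ -z "$(nslcd_ca_trust "$3")" ]; then
        echo "no tls_cacertdir or tls_cacertfile in $3: no CA is named for peer verification"; n=$((n + 1))
    fi
    return $n
}

# write_ldap_samples: write constructed files to a temp directory and print it.
write_ldap_samples() {
    dir=$(mktemp -d)
    printf 'USELDAPAUTH=yes\n' > "$dir/authconfig"
    printf 'USELDAPAUTH=no\n' > "$dir/authconfig.local"
    printf '# constructed\nssl start_tls\n' > "$dir/pam_ldap.conf"
    printf '# constructed: TLS left at its default\n#ssl start_tls\n' > "$dir/pam_ldap.weak"
    printf 'tls_cacertdir /etc/pki/tls/CA\n' > "$dir/nslcd.conf"
    printf '# tls_cacertfile /etc/pki/tls/CA/cacert.pem\n' > "$dir/nslcd.weak"
    echo "$dir"
}

dir=$(write_ldap_samples)
echo "== hardened"
ldap_client_findings "$dir/authconfig" "$dir/pam_ldap.conf" "$dir/nslcd.conf" || echo "   $? finding(s)"
echo "== weak"
ldap_client_findings "$dir/authconfig" "$dir/pam_ldap.weak" "$dir/nslcd.weak" || echo "   $? finding(s)"
echo "== local authentication only"
ldap_client_findings "$dir/authconfig.local" "$dir/pam_ldap.weak" "$dir/nslcd.weak"
rm -rf "$dir"
```

On a live RHEL 7 host the call would be `ldap_client_findings /etc/sysconfig/authconfig /etc/pam_ldap.conf /etc/nslcd.conf`; the directive matching is on the first whitespace-separated word, so commented-out lines never count as configured.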
scap-security-guide-0.1.39/shared/guide/services/ldap/openldap_client/openldap_client.group000066400000000000000000000017141327242345500321700ustar00rootroot00000000000000documentation_complete: true title: 'Configure OpenLDAP Clients' description: |- This section provides information on which security settings are important to configure in OpenLDAP clients by manually editing the appropriate configuration files. Red Hat Enterprise Linux 7 provides an automated configuration tool called authconfig and a graphical wrapper for authconfig called system-config-authentication. However, these tools do not provide as much control over configuration as manual editing of configuration files. The authconfig tools do not allow you to specify locations of SSL certificate files, which is useful when trying to use SSL cleanly across several protocols. Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at . scap-security-guide-0.1.39/shared/guide/services/ldap/openldap_server/000077500000000000000000000000001327242345500257775ustar00rootroot00000000000000ldap_server_config_certificate_files/000077500000000000000000000000001327242345500352775ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/ldap/openldap_serverldap_server_config_certificate_files.group000066400000000000000000000032421327242345500457350ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/ldap/openldap_server/ldap_server_config_certificate_filesdocumentation_complete: true title: 'Install and Protect LDAP Certificate Files' description: |- Create the PKI directory for LDAP certificates if it does not already exist:
$ sudo mkdir /etc/pki/tls/ldap
    $ sudo chown root:root /etc/pki/tls/ldap
    $ sudo chmod 755 /etc/pki/tls/ldap
Using removable media or some other secure transmission format, install the certificate files onto the LDAP server:
  • /etc/pki/tls/ldap/serverkey.pem: the private key ldapserverkey.pem
  • /etc/pki/tls/ldap/servercert.pem: the certificate file ldapservercert.pem
Verify the ownership and permissions of these files:
$ sudo chown root:ldap /etc/pki/tls/ldap/serverkey.pem
    $ sudo chown root:ldap /etc/pki/tls/ldap/servercert.pem
    $ sudo chmod 640 /etc/pki/tls/ldap/serverkey.pem
    $ sudo chmod 640 /etc/pki/tls/ldap/servercert.pem
Verify that the CA's public certificate file has been installed as /etc/pki/tls/CA/cacert.pem, and has the correct permissions:
$ sudo mkdir /etc/pki/tls/CA
    $ sudo chown root:root /etc/pki/tls/CA/cacert.pem
    $ sudo chmod 644 /etc/pki/tls/CA/cacert.pem
As a result of these steps, the LDAP server will have access to its own private certificate and the key with which that certificate is encrypted, and to the public certificate file belonging to the CA. Note that it would be possible for the key to be protected further, so that processes running as ldap could not read it. If this were done, the LDAP server process would need to be restarted manually whenever the server rebooted. scap-security-guide-0.1.39/shared/guide/services/ldap/openldap_server/openldap_server.group000066400000000000000000000006361327242345500322520ustar00rootroot00000000000000documentation_complete: true title: 'Configure OpenLDAP Server' description: |- This section details some security-relevant settings for an OpenLDAP server. Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 7 is available at: . package_openldap-servers_removed.rule000066400000000000000000000022401327242345500352740ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/ldap/openldap_serverdocumentation_complete: true prodtype: rhel7 title: 'Uninstall openldap-servers Package' description: |- The openldap-servers package should be removed if not in use. Is this system the OpenLDAP server? If not, remove the package.
$ sudo yum erase openldap-servers
The openldap-servers RPM is not installed by default on Red Hat Enterprise Linux 7 systems. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP server, it should be removed. rationale: |- Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an LDAP server, it is not necessary on typical desktop or workstation systems. severity: unknown identifiers: cce@rhel7: 80293-4 references: disa: 366 nist: CM-7 ocil_clause: 'it does not' ocil: "To verify the openldap-servers package is not installed, \nrun the following command:\n
$ rpm -q openldap-servers
\nThe output should show the following:\n
package openldap-servers is not installed
" scap-security-guide-0.1.39/shared/guide/services/mail/000077500000000000000000000000001327242345500226115ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/mail.group000066400000000000000000000027751327242345500246240ustar00rootroot00000000000000documentation_complete: true title: 'Mail Server Software' description: |- Mail servers are used to send and receive email over the network. Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious targets of network attack. Ensure that systems are not running MTAs unnecessarily, and configure needed MTAs as defensively as possible.

Very few systems at any site should be configured to directly receive email over the network. Users should instead use mail client programs to retrieve email from a central server that supports protocols such as IMAP or POP3. However, it is normal for most systems to be independently capable of sending email, for instance so that cron jobs can report output to an administrator. Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from the local system to a central site MTA (or directly delivered to a local account), but the system still cannot receive mail directly over a network.

The alternatives program in Red Hat Enterprise Linux permits selection of other mail server software (such as Sendmail), but Postfix is the default and is preferred. Postfix was coded with security in mind and can also be more effectively contained by SELinux as its modular design has resulted in separate processes performing specific actions. More information is available on its website, . scap-security-guide-0.1.39/shared/guide/services/mail/package_sendmail_removed.rule000066400000000000000000000010731327242345500304730ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Uninstall Sendmail Package' description: |- Sendmail is not the default mail transfer agent and is not installed by default. rationale: |- The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. severity: medium identifiers: cce@rhel7: 80288-4 references: nist: CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/services/mail/postfix_client/000077500000000000000000000000001327242345500256435ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_client/postfix_client.group000066400000000000000000000002671327242345500317600ustar00rootroot00000000000000documentation_complete: true title: 'Configure SMTP For Mail Clients' description: |- This section discusses settings for Postfix in a submission-only e-mail configuration. postfix_network_listening_disabled.rule000066400000000000000000000015321327242345500356260ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_clientdocumentation_complete: true prodtype: rhel7 title: 'Disable Postfix Network Listening' description: |- Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:
inet_interfaces = localhost
rationale: |- This ensures postfix accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack. severity: medium identifiers: cce@rhel7: 80289-2 references: cis: 2.2.15 disa: 382 nist: CM-7 ocil_clause: 'it does not' ocil: |- Run the following command to ensure postfix accepts mail messages from only the local system:
$ grep inet_interfaces /etc/postfix/main.cf
If properly configured, the output should show only localhost. scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/000077500000000000000000000000001327242345500263275ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_configure_ssl_certs/000077500000000000000000000000001327242345500341455ustar00rootroot00000000000000postfix_configure_ssl_certs.group000066400000000000000000000010301327242345500427540ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_configure_ssl_certsdocumentation_complete: true title: 'Configure SSL Certificates for Use with SMTP AUTH' description: |- If SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended. There are also configurations for which it may be desirable to encrypt all mail in transit from one MTA to another, though such configurations are beyond the scope of this guide. In either event, the steps for creating and installing an SSL certificate are independent of the MTA in use, and are described here. postfix_install_ssl_cert/000077500000000000000000000000001327242345500412065ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_configure_ssl_certspostfix_install_ssl_cert.group000066400000000000000000000022161327242345500474050ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_configure_ssl_certs/postfix_install_ssl_certdocumentation_complete: true title: 'Ensure Security of Postfix SSL Certificate' description: |- Create the PKI directory for mail certificates, if it does not already exist:
$ sudo mkdir /etc/pki/tls/mail
    $ sudo chown root:root /etc/pki/tls/mail
    $ sudo chmod 755 /etc/pki/tls/mail
Using removable media or some other secure transmission format, install the files generated in the previous step onto the mail server:
/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem
    /etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem
Verify the ownership and permissions of these files:
$ sudo chown root:root /etc/pki/tls/mail/serverkey.pem
    $ sudo chown root:root /etc/pki/tls/mail/servercert.pem
    $ sudo chmod 600 /etc/pki/tls/mail/serverkey.pem
    $ sudo chmod 644 /etc/pki/tls/mail/servercert.pem
Verify that the CA's public certificate file has been installed as /etc/pki/tls/CA/cacert.pem, and has the correct permissions:
$ sudo chown root:root /etc/pki/tls/CA/cacert.pem
    $ sudo chmod 644 /etc/pki/tls/CA/cacert.pem
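The following shell script is an added example, not part of the SCAP Security Guide. It turns the ownership and permission steps of both "Install and Protect LDAP Certificate Files" and "Ensure Security of Postfix SSL Certificate" into manifests that a single checker verifies with `stat`, so the two layouts (key and certificate 640 `root:ldap` for the LDAP server; key 600 and certificate 644 `root:root` for Postfix) can be audited the same way. The paths are the ones the guide names; the demonstration builds a constructed copy of the tree under a temporary directory, owned by the current user, with empty placeholder files rather than real keys.

```shell
#!/bin/sh
# Added example (not from the SCAP Security Guide): verify ownership and mode
# of the certificate files from "Install and Protect LDAP Certificate Files"
# and "Ensure Security of Postfix SSL Certificate" against a manifest.
# The demonstration runs on a constructed tree owned by the current user.

# check_file PATH OWNER GROUP MODE: print a finding and return 1 when PATH is
# missing or its owner, group or octal mode differ from what is expected.
check_file() {
    if [ ! -e "$1" ]; then
        echo "$1: missing"; return 1
    fi
    actual=$(stat -c '%U %G %a' "$1")
    if [ "$actual" != "$2 $3 $4" ]; then
        echo "$1: is '$actual', expected '$2 $3 $4'"; return 1
    fi
    return 0
}

# ldap_manifest ADMIN ADMIN_GROUP LDAP_GROUP: the LDAP layout (directory 755,
# key and certificate 640 owned by root:ldap, CA certificate 644).
ldap_manifest() {
    cat <<EOF
etc/pki/tls/ldap $1 $2 755
etc/pki/tls/ldap/serverkey.pem $1 $3 640
etc/pki/tls/ldap/servercert.pem $1 $3 640
etc/pki/tls/CA/cacert.pem $1 $2 644
EOF
}

# mail_manifest ADMIN ADMIN_GROUP: the Postfix layout (key 600, certificate
# and CA certificate 644, everything owned by root:root).
mail_manifest() {
    cat <<EOF
etc/pki/tls/mail $1 $2 755
etc/pki/tls/mail/serverkey.pem $1 $2 600
etc/pki/tls/mail/servercert.pem $1 $2 644
etc/pki/tls/CA/cacert.pem $1 $2 644
EOF
}

# check_manifest ROOT: read "path owner group mode" lines on stdin, check each
# path below ROOT (use / on a live system) and return the number of findings.
check_manifest() {
    n=0
    while read -r path owner group mode; do
        [ -n "$path" ] || continue
        check_file "${1%/}/$path" "$owner" "$group" "$mode" || n=$((n + 1))
    done
    return $n
}

# make_sample_tree: build a constructed copy of the guide's paths under a temp
# directory with the documented modes; the files are empty placeholders,
# not real keys or certificates. Prints the tree's root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/pki/tls/ldap" "$root/etc/pki/tls/mail" "$root/etc/pki/tls/CA"
    chmod 755 "$root/etc/pki/tls/ldap" "$root/etc/pki/tls/mail" "$root/etc/pki/tls/CA"
    for f in ldap/serverkey.pem ldap/servercert.pem mail/serverkey.pem \
             mail/servercert.pem CA/cacert.pem; do
        : > "$root/etc/pki/tls/$f"
    done
    chmod 640 "$root/etc/pki/tls/ldap/serverkey.pem" "$root/etc/pki/tls/ldap/servercert.pem"
    chmod 600 "$root/etc/pki/tls/mail/serverkey.pem"
    chmod 644 "$root/etc/pki/tls/mail/servercert.pem" "$root/etc/pki/tls/CA/cacert.pem"
    echo "$root"
}

root=$(make_sample_tree)
me=$(id -un); mygroup=$(id -gn)
echo "== LDAP layout"
ldap_manifest "$me" "$mygroup" "$mygroup" | check_manifest "$root" || echo "   $? finding(s)"
echo "== mail layout"
mail_manifest "$me" "$mygroup" | check_manifest "$root" || echo "   $? finding(s)"
chmod 644 "$root/etc/pki/tls/mail/serverkey.pem"   # loosen the key to show a finding
echo "== mail layout after loosening the key"
mail_manifest "$me" "$mygroup" | check_manifest "$root" || echo "   $? finding(s)"
rm -rf "$root"
```

On a live server the calls become `ldap_manifest root root ldap | check_manifest /` and `mail_manifest root root | check_manifest /`; the exit status is the number of files that deviate, and each deviation is printed with the actual and expected `owner group mode` triple.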
scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_harden_os.group000066400000000000000000000004371327242345500331270ustar00rootroot00000000000000documentation_complete: true title: 'Configure Operating System to Protect Mail Server' description: |- The guidance in this section is appropriate for any host which is operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or some other software. postfix_server_configuration/000077500000000000000000000000001327242345500342615ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_ospostfix_server_banner.rule000066400000000000000000000020731327242345500415630ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configurationdocumentation_complete: true prodtype: rhel7 title: 'Configure SMTP Greeting Banner' description: |- Edit /etc/postfix/main.cf, and add or correct the following line, substituting some other wording for the banner information if you prefer:
smtpd_banner = $myhostname ESMTP
rationale: |- The default greeting banner discloses that the listening mail process is Postfix. When remote mail senders connect to the MTA on port 25, they are greeted by an initial banner as part of the SMTP dialogue. This banner is necessary, but it frequently gives away too much information, including the MTA software which is in use, and sometimes also its version number. Remote mail senders do not need this information in order to send mail, so the banner should be changed to reveal only the hostname (which is already known and may be useful) and the word ESMTP, to indicate that the modern SMTP protocol variant is supported. severity: medium identifiers: cce@rhel7: 80290-0 references: nist: 'AC-22, AU-13' postfix_server_configuration.group000066400000000000000000000003651327242345500433540ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configurationdocumentation_complete: true title: 'Configure Postfix if Necessary' description: |- Postfix stores its configuration files in the directory /etc/postfix by default. The primary configuration file is /etc/postfix/main.cf. postfix_server_denial_of_service/000077500000000000000000000000001327242345500430635ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configurationpostfix_server_denial_of_service.group000066400000000000000000000010451327242345500527430ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_denial_of_servicedocumentation_complete: true title: 'Configure Postfix Resource Usage to Limit Denial of Service Attacks' description: |- Edit /etc/postfix/main.cf. Edit the following lines to configure the amount of system resources Postfix can consume:
default_process_limit = 100
    smtpd_client_connection_count_limit = 10
    smtpd_client_connection_rate_limit = 30
    queue_minfree = 20971520
    header_size_limit = 51200
    message_size_limit = 10485760
    smtpd_recipient_limit = 100
The values here are examples. postfix_server_mail_relay/000077500000000000000000000000001327242345500415415ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configurationpostfix_prevent_unrestricted_relay.rule000066400000000000000000000017141327242345500516630ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relaydocumentation_complete: true prodtype: rhel7 title: 'Prevent Unrestricted Mail Relaying' description: |- Modify the
/etc/postfix/main.cf file to restrict client connections to the local network with the following command:
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
rationale: |- If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. severity: medium identifiers: cce: 80512-7 references: disa: 366 nist: "" srg: SRG-OS-000480-GPOS-00227 stigid: "040680" ocil_clause: 'it is not' ocil: |- To verify the system is configured to prevent unrestricted mail relaying, run the following command:
$ sudo postconf -n smtpd_client_restrictions
The output should return:
smtpd_client_restrictions = permit_mynetworks,reject
postfix_server_mail_relay.group000066400000000000000000000010451327242345500500770ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relaydocumentation_complete: true title: 'Control Mail Relaying' description: |- Postfix's mail relay controls are implemented with the help of the smtpd recipient restrictions option, which controls the restrictions placed on the SMTP dialogue once the sender and recipient envelope addresses are known. The guidance in the following sections should be applied to all systems. If there are systems which must be allowed to relay mail, but which cannot be trusted to relay unconditionally, configure SMTP AUTH with SSL support. postfix_server_mail_relay_require_tls_for_smtp_auth/000077500000000000000000000000001327242345500543715ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relay1a26fec698c5249222af28bf2d78300a97cec800.paxheader00006660000000000000000000000366132724234550020447xustar00rootroot00000000000000246 path=scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relay/postfix_server_mail_relay_require_tls_for_smtp_auth/postfix_server_mail_relay_require_tls_for_smtp_auth.group 1a26fec698c5249222af28bf2d78300a97cec800.data000066400000000000000000000006741327242345500173070ustar00rootroot00000000000000documentation_complete: true title: 'Use TLS for SMTP AUTH' description: |- Postfix provides options to use TLS for certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail or with SASL authentication. To configure Postfix to protect all SMTP AUTH transactions using TLS, see . 
postfix_server_mail_relay_set_trusted_networks/000077500000000000000000000000001327242345500534025ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relaypostfix_server_mail_relay_set_trusted_networks/postfix_server_mail_relay_set_trusted_networks.group000066400000000000000000000017201327242345500663210ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relaydocumentation_complete: true title: 'Configure Trusted Networks and Hosts' description: |- Edit /etc/postfix/main.cf, and configure the contents of the mynetworks variable in one of the following ways:
  • If any system in the subnet containing the MTA may be trusted to relay messages, add or correct the following line:
    mynetworks_style = subnet
    This is also the default setting, and is in effect if all mynetworks_style directives are commented out.
  • If only the MTA host itself is trusted to relay messages, add or correct the following line:
    mynetworks_style = host
  • If the set of systems which can relay is more complicated, manually specify an entry for each netblock or IP address which is trusted to relay by setting the mynetworks variable directly:
    mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
postfix_server_mail_relay_smtp_auth_for_untrusted_networks/000077500000000000000000000000001327242345500560245ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relayd95e7ba6b31ba4877aa6d5d3d7925867dda69ba0.paxheader00006660000000000000000000000404132724234550020674xustar00rootroot00000000000000260 path=scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relay/postfix_server_mail_relay_smtp_auth_for_untrusted_networks/postfix_server_mail_relay_smtp_auth_for_untrusted_networks.group d95e7ba6b31ba4877aa6d5d3d7925867dda69ba0.data000066400000000000000000000007231327242345500175360ustar00rootroot00000000000000documentation_complete: true title: 'Require SMTP AUTH Before Relaying from Untrusted Clients' description: |- SMTP authentication allows remote clients to relay mail safely by requiring them to authenticate before submitting mail. Postfix's SMTP AUTH uses an authentication library called SASL, which is not part of Postfix itself. 
To enable the use of SASL authentication, see postfix_server_mail_smtpd_recipient_restrictions/000077500000000000000000000000001327242345500537065ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relay553cd8b729cfa7a79f738652e00b7ed806b020b6.paxheader00006660000000000000000000000360132724234550020450xustar00rootroot00000000000000240 path=scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relay/postfix_server_mail_smtpd_recipient_restrictions/postfix_server_mail_smtpd_recipient_restrictions.group 553cd8b729cfa7a79f738652e00b7ed806b020b6.data000066400000000000000000000015311327242345500173070ustar00rootroot00000000000000documentation_complete: true title: 'Enact SMTP Recipient Restrictions' description: |- To configure Postfix to restrict addresses to which it will send mail, see:
The full contents of smtpd_recipient_restrictions will vary by site, since this is a common place to put spam restrictions and other site-specific options. The permit_mynetworks option allows all mail to be relayed from the systems in mynetworks. Then, the reject_unauth_destination option denies all mail whose destination address is not local, preventing any other systems from relaying. These two options should always appear in this order, and should usually follow one another immediately unless SMTP AUTH is used. postfix_server_mail_smtpd_relay_restrictions/000077500000000000000000000000001327242345500530405ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relaypostfix_server_mail_smtpd_relay_restrictions/postfix_server_mail_smtpd_relay_restrictions.group000066400000000000000000000015251327242345500654200ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/mail/postfix_harden_os/postfix_server_configuration/postfix_server_mail_relaydocumentation_complete: true title: 'Enact SMTP Relay Restrictions' description: |- To configure Postfix to restrict addresses to which it will send mail, see:
The full contents of smtpd_recipient_restrictions will vary by site, since this is a common place to put spam restrictions and other site-specific options. The permit_mynetworks option allows all mail to be relayed from the systems in mynetworks. Then, the reject_unauth_destination option denies all mail whose destination address is not local, preventing any other systems from relaying. These two options should always appear in this order, and should usually follow one another immediately unless SMTP AUTH is used. scap-security-guide-0.1.39/shared/guide/services/mail/service_postfix_enabled.rule000066400000000000000000000014111327242345500303650ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Enable Postfix Service' description: |- The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. rationale: |- Local mail delivery is essential to some system maintenance and notification tasks. 
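The following shell script is an added example, not part of the SCAP Security Guide. It audits a Postfix main.cf against the settings in the rules and groups above: `inet_interfaces = localhost` for a submission-only host ("Disable Postfix Network Listening"), and for a site MTA the `smtpd_banner`, the `smtpd_client_restrictions` value from "Prevent Unrestricted Mail Relaying", the required order of `permit_mynetworks` and `reject_unauth_destination` in `smtpd_recipient_restrictions`, the trusted-network source from "Configure Trusted Networks and Hosts", and the presence of each resource limit from the denial-of-service group. The parser honours Postfix's last-assignment-wins and indented-continuation-line rules; the sample configurations are constructed for the demonstration, and the statement that an unset `inet_interfaces` means Postfix listens on all interfaces is an assumption from Postfix's documented default, not from the guide.

```shell
#!/bin/sh
# Added example (not from the SCAP Security Guide): audit a Postfix main.cf
# against the settings in the rules above. Sample configurations are
# constructed for the demonstration.

# main_cf_get FILE KEY: print the effective value of KEY. As in Postfix, the
# last assignment wins and indented lines continue the previous assignment;
# commas and whitespace in the value are normalized to single spaces.
main_cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]/ { if (cur == key) val = val " " $0; next }
        /^[A-Za-z0-9_]+[ \t]*=/ {
            cur = $0; sub(/[ \t]*=.*/, "", cur)
            if (cur == key) { val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
            next
        }
        { cur = "" }
        END { gsub(/[, \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# postfix_submission_findings FILE: for a host that only submits mail
# (Disable Postfix Network Listening). Prints findings, returns their count.
postfix_submission_findings() {
    v=$(main_cf_get "$1" inet_interfaces)
    [ "$v" = "localhost" ] && return 0
    # assumption: Postfix's documented default for an unset inet_interfaces is "all"
    echo "inet_interfaces is '${v:-unset, Postfix default is all}', expected localhost"
    return 1
}

# postfix_relay_findings FILE: for a site MTA. Checks the greeting banner,
# smtpd_client_restrictions, the order of permit_mynetworks and
# reject_unauth_destination in smtpd_recipient_restrictions, and that each
# resource limit from the denial-of-service group is set to some value.
postfix_relay_findings() {
    n=0
    banner=$(main_cf_get "$1" smtpd_banner)
    if [ "$banner" != '$myhostname ESMTP' ]; then
        echo "smtpd_banner is '${banner:-unset}', expected \$myhostname ESMTP"; n=$((n + 1))
    fi
    cr=$(main_cf_get "$1" smtpd_client_restrictions)
    if [ "$cr" != "permit_mynetworks reject" ]; then
        echo "smtpd_client_restrictions is '${cr:-unset}', expected permit_mynetworks,reject"; n=$((n + 1))
    fi
    rr=$(main_cf_get "$1" smtpd_recipient_restrictions)
    case " $rr " in
        *" permit_mynetworks"*" reject_unauth_destination "*) ;;
        *) echo "smtpd_recipient_restrictions '${rr:-unset}' lacks permit_mynetworks followed by reject_unauth_destination"; n=$((n + 1)) ;;
    esac
    for limit in default_process_limit smtpd_client_connection_count_limit \
            smtpd_client_connection_rate_limit queue_minfree header_size_limit \
            message_size_limit smtpd_recipient_limit; do
        [ -n "$(main_cf_get "$1" "$limit")" ] || { echo "resource limit $limit is not set"; n=$((n + 1)); }
    done
    return $n
}

# postfix_trusted_networks FILE: print which clients Postfix treats as trusted
# relays: an explicit mynetworks list, or the mynetworks_style in effect
# (subnet when unset, as the group text states).
postfix_trusted_networks() {
    nets=$(main_cf_get "$1" mynetworks)
    if [ -n "$nets" ]; then echo "mynetworks: $nets"; return 0; fi
    style=$(main_cf_get "$1" mynetworks_style)
    echo "mynetworks_style: ${style:-subnet (default)}"
}

# write_postfix_samples: write constructed main.cf files to a temp directory
# and print its name.
write_postfix_samples() {
    dir=$(mktemp -d)
    printf '# constructed: submission-only workstation\ninet_interfaces = localhost\n' > "$dir/client.cf"
    cat > "$dir/relay.cf" <<'EOF'
# constructed: hardened site MTA
inet_interfaces = all
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100
EOF
    cat > "$dir/weak.cf" <<'EOF'
# constructed: stock banner, no client restrictions, reversed recipient list
inet_interfaces = all
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = reject_unauth_destination, permit_mynetworks
EOF
    echo "$dir"
}

dir=$(write_postfix_samples)
for f in client relay weak; do
    echo "== $f.cf"
    postfix_submission_findings "$dir/$f.cf" || :
    postfix_relay_findings "$dir/$f.cf" || echo "   $? relay finding(s)"
    postfix_trusted_networks "$dir/$f.cf"
done
rm -rf "$dir"
```

Run `postfix_submission_findings /etc/postfix/main.cf` on workstations and `postfix_relay_findings /etc/postfix/main.cf` on the site MTA; on a host where Postfix is installed, `postconf -n` shows the same effective values the parser derives, and the two can be compared. The recipient-restriction check only requires `permit_mynetworks` to precede `reject_unauth_destination`, so a `permit_sasl_authenticated` entry between them, as used with SMTP AUTH, is not reported.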
severity: unknown identifiers: cce@rhel7: 80287-6 ocil_clause: 'the system is not a cross domain solution and the service is not enabled' ocil: '' scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/000077500000000000000000000000001327242345500241435ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/disabling_nfs/000077500000000000000000000000001327242345500267455ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs.group000066400000000000000000000004251327242345500326260ustar00rootroot00000000000000documentation_complete: true title: 'Disable All NFS Services if Possible' description: |- If there is not a reason for the system to operate as either an NFS client or an NFS server, follow all instructions in this section to disable subsystems required by NFS. scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/000077500000000000000000000000001327242345500334525ustar00rootroot00000000000000disabling_nfs_services.group000066400000000000000000000006011327242345500411530ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_servicesdocumentation_complete: true title: 'Disable Services Used Only by NFS' description: |- If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd.

All of these daemons run with elevated privileges, and many listen for network connections. If they are not needed, they should be disabled to improve system security posture.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_nfslock_disabled.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable Network File System Lock Service (nfslock)'

description: |-
    The Network File System Lock (nfslock) service starts the required
    remote procedure call (RPC) processes which allow clients to lock files on
    the server. If the local system is not configured to mount NFS filesystems
    then this service should be disabled.

rationale: ""

severity: unknown

identifiers:
    cce@rhel7: 80228-0

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcbind_disabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable rpcbind Service'

description: |-
    The rpcbind utility maps RPC services to the ports on which they listen. RPC
    processes notify rpcbind when they start, registering the ports they are
    listening on and the RPC program numbers they expect to serve. The rpcbind
    service redirects the client to the proper port number so it can communicate
    with the requested service. If the system does not require RPC (NFSv3
    servers, for example, do require it) then this service should be disabled.

rationale: ""

severity: unknown

identifiers:
    cce@rhel7: 80230-6

references:
    cis: 2.2.7

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcgssd_disabled.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable Secure RPC Client Service (rpcgssd)'

description: |-
    The rpcgssd service manages RPCSEC GSS contexts required to secure protocols
    that use RPC (most often Kerberos and NFS). The rpcgssd service is the
    client-side of RPCSEC GSS. If the system does not require secure RPC then
    this service should be disabled.

rationale: ""

severity: unknown

identifiers:
    cce@rhel7: 80229-8

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/disabling_nfs/disabling_nfs_services/service_rpcidmapd_disabled.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable RPC ID Mapping Service (rpcidmapd)'

description: |-
    The rpcidmapd service is used to map user names and groups to UID and GID
    numbers on NFSv4 mounts. If NFS is not in use on the local system then this
    service should be disabled.

rationale: ""

severity: unknown

identifiers:
    cce@rhel7: 80231-4

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_and_rpc.group
documentation_complete: true

title: 'NFS and RPC'

description: |-
    The Network File System is a popular distributed filesystem for the Unix
    environment, and is very widely deployed. This section discusses the
    circumstances under which it is possible to disable NFS and its
    dependencies, and then details steps which should be taken to secure NFS's
    configuration.

    This section is relevant to systems operating as NFS clients, as well as to
    those operating as NFS servers.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_client_or_server_not_both/nfs_client_or_server_not_both.group
documentation_complete: true

title: 'Make Each System a Client or a Server, not Both'

description: |-
    If NFS must be used, it should be deployed in the simplest configuration
    possible to avoid maintainability problems which may lead to unnecessary
    security exposure. Due to the reliability and security problems caused by
    NFS (especially NFSv3 and NFSv2), it is not a good idea for systems which
    act as NFS servers to also mount filesystems via NFS. At the least, crossed
    mounts (the situation in which each of two servers mounts a filesystem from
    the other) should never be used.
# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_configure_fixed_ports.group
documentation_complete: true

title: 'Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)'

description: |-
    Firewalling should be done at each host and at the border firewalls to
    protect the NFS daemons from remote access, since NFS servers should never
    be accessible from outside the organization. However, by default for NFSv3
    and NFSv2, the RPC Bind service assigns each NFS service to a port
    dynamically at service startup time. Dynamic ports cannot be protected by
    port filtering firewalls such as firewalld.

    Therefore, restrict each service to always use a given port, so that
    firewalling can be done effectively. Note that, because of the way RPC is
    implemented, it is not possible to disable the RPC Bind service even if
    ports are assigned statically to all RPC services.

    In NFSv4, the mounting and locking protocols have been incorporated into
    the protocol, and the server listens on the well-known TCP port 2049. As
    such, NFSv4 does not need to interact with the rpcbind, lockd, and
    rpc.statd daemons, which can and should be disabled in a pure NFSv4
    environment. The rpc.mountd daemon is still required on the NFS server to
    set up exports, but is not involved in any over-the-wire operations.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_lockd_tcp_port.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Configure lockd to use static TCP port'

description: |-
    Configure the lockd daemon to use a static TCP port as opposed to letting
    the RPC Bind service dynamically assign a port. Edit the file
    /etc/sysconfig/nfs. Add or correct the following line:
    LOCKD_TCPPORT=lockd-port
    Where lockd-port is a port which is not used by any other service on your
    network.

rationale: |-
    Restricting the service to always use a given port enables firewalling to be
    done effectively.

severity: unknown

identifiers:
    cce@rhel7: 80232-2

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_lockd_udp_port.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Configure lockd to use static UDP port'

description: |-
    Configure the lockd daemon to use a static UDP port as opposed to letting
    the RPC Bind service dynamically assign a port. Edit the file
    /etc/sysconfig/nfs. Add or correct the following line:
    LOCKD_UDPPORT=lockd-port
    Where lockd-port is a port which is not used by any other service on your
    network.

rationale: |-
    Restricting services to always use a given port enables firewalling to be
    done more effectively.

severity: unknown

identifiers:
    cce@rhel7: 80233-0

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_mountd_port.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Configure mountd to use static port'

description: |-
    Configure the mountd daemon to use a static port as opposed to letting
    the RPC Bind service dynamically assign a port. Edit the file
    /etc/sysconfig/nfs. Add or correct the following line:
    MOUNTD_PORT=mountd-port
    Where mountd-port is a port which is not used by any other service on your
    network.

rationale: |-
    Restricting services to always use a given port enables firewalling to be
    done more effectively.

severity: unknown

identifiers:
    cce@rhel7: 80235-5

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configure_fixed_ports/nfs_fixed_statd_port.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Configure statd to use static port'

description: |-
    Configure the statd daemon to use a static port as opposed to letting
    the RPC Bind service dynamically assign a port. Edit the file
    /etc/sysconfig/nfs. Add or correct the following line:
    STATD_PORT=statd-port
    Where statd-port is a port which is not used by any other service on your
    network.

rationale: |-
    Restricting services to always use a given port enables firewalling to be
    done more effectively.

severity: unknown

identifiers:
    cce@rhel7: 80234-8

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_all_machines/nfs_configuring_all_machines.group
documentation_complete: true

title: 'Configure All Systems which Use NFS'

description: |-
    The steps in this section are appropriate for all systems which run NFS,
    whether they operate as clients or as servers.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/disabling_nfsd.group
documentation_complete: true

title: 'Disable NFS Server Daemons'

description: |-
    There is no need to run the NFS server daemons nfs and rpcsvcgssd except on
    a small number of properly secured systems designated as NFS servers. Ensure
    that these daemons are turned off on clients.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/nfs_no_anonymous.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Specify UID and GID for Anonymous NFS Connections'

description: |-
    To specify the UID and GID for remote root users, edit the /etc/exports
    file and add the following for each export:

    anonuid=value greater than UID_MAX from /etc/login.defs
    anongid=value greater than GID_MAX from /etc/login.defs

    Alternatively, functionally equivalent values of 60001, 65534, 65535 may be
    used.

rationale: |-
    Specifying the anonymous UID and GID ensures that the remote root user is
    mapped to a local account which has no permissions on the system.

severity: unknown

identifiers:
    cce@rhel7: 80236-3

ocil_clause: 'anonuid or anongid are not set to a value greater than UID_MAX (for anonuid) and GID_MAX (for anongid)'

ocil: |-
    Inspect the mounts configured in /etc/exports. Each mount should specify a
    value greater than UID_MAX and GID_MAX as defined in /etc/login.defs.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_nfs_disabled.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable Network File System (nfs)'

description: |-
    The Network File System (NFS) service allows remote hosts to mount and
    interact with shared filesystems on the local system. If the local system
    is not designated as a NFS server then this service should be disabled.

rationale: 'Unnecessary services should be disabled to decrease the attack surface of the system.'

severity: unknown

identifiers:
    cce@rhel7: 80237-1

references:
    cis: 2.2.7
    nist: AC-3

ocil_clause: 'it does not'

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_clients/disabling_nfsd/service_rpcsvcgssd_disabled.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable Secure RPC Server Service (rpcsvcgssd)'

description: |-
    The rpcsvcgssd service manages RPCSEC GSS contexts required to secure
    protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd
    service is the server-side of RPCSEC GSS. If the system does not require
    secure RPC then this service should be disabled.
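The four nfs_fixed_*_port rules above describe the same "add or correct" edit of /etc/sysconfig/nfs. The Python below is an added example, not code from the SCAP Security Guide: it performs that edit idempotently (replacing the commented-out defaults that RHEL 7 ships and any duplicate assignment), rejects port choices that collide with each other or with rpcbind (111) and nfsd (2049), reads the settings back the way the shell would when it sources the file, and lists the ports a host firewall must then admit for NFSv3. The sysconfig excerpt and the port numbers are constructed for illustration; any unprivileged ports not used elsewhere on your network will do.

```python
"""Add-or-correct the static-port settings for the NFSv3 helper daemons in an
/etc/sysconfig/nfs-style file, validate them, and derive the firewall port
list they make possible. Added example, not SCAP Security Guide code; the
sample file and port numbers are constructed.
"""
import re

PORT_KEYS = ("LOCKD_TCPPORT", "LOCKD_UDPPORT", "MOUNTD_PORT", "STATD_PORT")
RPCBIND_PORT = 111    # rpcbind cannot be disabled for NFSv3 (see the group text)
NFS_PORT = 2049       # fixed by the protocol, so never reassigned

_ASSIGN = re.compile(r'\s*#?\s*([A-Z_]+)=')             # KEY= or commented #KEY=
_ACTIVE = re.compile(r'\s*([A-Z_]+)=\s*"?(\d+)"?\s*$')   # uncommented numeric value


def check_ports(ports):
    """Return a list of problems; an empty list means the mapping is usable."""
    problems = [f"{k} is not set" for k in PORT_KEYS if k not in ports]
    if problems:
        return problems
    for key in PORT_KEYS:
        p = ports[key]
        if not isinstance(p, int) or not 1 <= p <= 65535 or p in (RPCBIND_PORT, NFS_PORT):
            problems.append(f"{key}={p!r} is not a usable port")
    # mountd and statd listen on both protocols, lockd has one port per protocol,
    # so the three TCP listeners and the three UDP listeners must each be distinct
    tcp = (ports["LOCKD_TCPPORT"], ports["MOUNTD_PORT"], ports["STATD_PORT"])
    udp = (ports["LOCKD_UDPPORT"], ports["MOUNTD_PORT"], ports["STATD_PORT"])
    if len(set(tcp)) != 3 or len(set(udp)) != 3:
        problems.append("lockd, mountd and statd must use distinct ports per protocol")
    return problems


def set_fixed_ports(sysconfig_text, ports):
    """Return the file text with each key assigned exactly once, uncommented.
    Commented-out defaults and duplicate assignments are replaced in place;
    keys that never appeared are appended at the end."""
    problems = check_ports(ports)
    if problems:
        raise ValueError("; ".join(problems))
    out, done = [], set()
    for line in sysconfig_text.splitlines():
        m = _ASSIGN.match(line)
        key = m.group(1) if m else None
        if key in ports:
            if key not in done:
                out.append(f"{key}={ports[key]}")
                done.add(key)
            continue                      # drop stale or duplicate assignments
        out.append(line)
    out.extend(f"{key}={ports[key]}" for key in PORT_KEYS if key not in done)
    return "\n".join(out) + "\n"


def parse_fixed_ports(sysconfig_text):
    """Read back the active settings. The last assignment wins, exactly as it
    does when the shell sources the file, so a stray duplicate near the bottom
    silently overrides the value you meant to set."""
    found = {}
    for line in sysconfig_text.splitlines():
        m = _ACTIVE.match(line)
        if m and m.group(1) in PORT_KEYS:
            found[m.group(1)] = int(m.group(2))
    return found


def firewall_ports(ports):
    """(port, protocol) pairs a host firewall must admit for NFSv3 once the
    helper daemons are pinned; without fixed ports this list cannot be written."""
    pairs = {(RPCBIND_PORT, "tcp"), (RPCBIND_PORT, "udp"),
             (NFS_PORT, "tcp"), (NFS_PORT, "udp"),
             (ports["LOCKD_TCPPORT"], "tcp"), (ports["LOCKD_UDPPORT"], "udp")}
    for key in ("MOUNTD_PORT", "STATD_PORT"):
        pairs.add((ports[key], "tcp"))
        pairs.add((ports[key], "udp"))
    return sorted(pairs)


# Constructed excerpt in the RHEL 7 /etc/sysconfig/nfs layout; not a real host.
SAMPLE_SYSCONFIG = """\
# constructed sample, not copied from a system
RPCNFSDARGS=""
#LOCKD_TCPPORT=32803
#LOCKD_UDPPORT=32769
#MOUNTD_PORT=892
STATD_PORT=662
STATD_PORT=4000
"""

# Example values only (assumption): choose ports that are free on your network.
EXAMPLE_PORTS = {"LOCKD_TCPPORT": 32803, "LOCKD_UDPPORT": 32769,
                 "MOUNTD_PORT": 892, "STATD_PORT": 662}

if __name__ == "__main__":
    print(set_fixed_ports(SAMPLE_SYSCONFIG, EXAMPLE_PORTS))
    for port, proto in firewall_ports(EXAMPLE_PORTS):
        print(f"firewall-cmd --permanent --add-port={port}/{proto}")
```

On RHEL 7 the values in /etc/sysconfig/nfs are applied by the nfs-config service, so restart it together with nfs-server (or nfs-lock on a pure client) after editing, then confirm with `rpcinfo -p` that mountd, status and nlockmgr register the chosen ports before writing the firewall rules.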
rationale: 'Unnecessary services should be disabled to decrease the attack surface of the system.'

severity: unknown

identifiers:
    cce@rhel7: 80238-9

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems.rule
documentation_complete: true

prodtype: rhel7

title: 'Mount Remote Filesystems with Kerberos Security'

description: ''

rationale: |-
    When an NFS server is configured to use AUTH_SYS a selected userid and
    groupid are used to handle requests from the remote user. The userid and
    groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS
    (RPCSEC_GSS) method of authentication uses Kerberos credentials held by the
    server and client systems to more securely authenticate the remote mount
    request.

severity: medium

identifiers:
    cce@rhel7: 27458-9

references:
    disa: 366
    nist: AC-14(1)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040750"

ocil_clause: 'the setting is not configured, has the ''sys'' option added, or does not have all Kerberos options added'

ocil: |-
    To verify the sec option is configured for all NFS mounts, run the following command:
    $ mount | grep "sec="
    All NFS mounts should show the sec=krb5:krb5i:krb5p setting in parentheses.
    This is not applicable if NFS is not implemented.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems.rule
documentation_complete: true

prodtype: rhel7

title: 'Mount Remote Filesystems with nodev'

description: ''

rationale: |-
    Legitimate device files should only exist in the /dev directory. NFS mounts
    should not present device files to users.

severity: medium

identifiers:
    cce@rhel7: 80239-7

references:
    nist: CM-7,MP-2

ocil_clause: 'the setting does not show'

ocil: |-
    To verify the nodev option is configured for all NFS mounts, run the following command:
    $ mount | grep nfs
    All NFS mounts should show the nodev setting in parentheses. This is not
    applicable if NFS is not implemented.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems.rule
documentation_complete: true

prodtype: rhel7

title: 'Mount Remote Filesystems with noexec'

description: ''

rationale: |-
    The noexec mount option causes the system not to execute binary files. This
    option must be used for mounting any file system not containing approved
    binary files, as they may be incompatible. Executing files from untrusted
    file systems increases the opportunity for unprivileged users to attain
    unauthorized administrative access.

severity: medium

identifiers:
    cce@rhel7: 80436-9

references:
    disa: 366
    nist: AC-6
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "021021"

ocil_clause: 'the setting does not show'

ocil: |-
    To verify the noexec option is configured for all NFS mounts, run the following command:
    $ mount | grep nfs
    All NFS mounts should show the noexec setting in parentheses. This is not
    applicable if NFS is not implemented.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems.rule
documentation_complete: true

prodtype: rhel7

title: 'Mount Remote Filesystems with nosuid'

description: ''

rationale: |-
    NFS mounts should not present suid binaries to users. Only vendor-supplied
    suid executables should be installed to their default location on the local
    filesystem.

severity: medium

identifiers:
    cce@rhel7: 80240-5

references:
    disa: 366
    nist: AC-6
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "021020"

ocil_clause: 'the setting does not show'

ocil: |-
    To verify the nosuid option is configured for all NFS mounts, run the following command:
    $ mount | grep nfs
    All NFS mounts should show the nosuid setting in parentheses. This is not
    applicable if NFS is not implemented.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mounting_remote_filesystems.group
documentation_complete: true

title: 'Mount Remote Filesystems with Restrictive Options'

description: |-
    Edit the file /etc/fstab. For each filesystem whose type (column 3) is nfs
    or nfs4, add the text ,nodev,nosuid to the list of mount options in column 4.
    If appropriate, also add ,noexec.
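The fstab edit just described, together with the four mount-option rules above it (nodev, nosuid, noexec and a Kerberos sec= flavour), can be audited from the file itself rather than by eyeballing `mount` output. The Python below is an added example, not code from the SCAP Security Guide: it reads fstab-shaped text (the first four columns of /proc/mounts have the same layout), keeps only nfs and nfs4 entries, and reports which required options each one lacks. The fstab text is constructed for illustration, and the exec_allowed list of documented noexec exceptions is an assumption of this example.

```python
"""Audit NFS entries of an fstab (or /proc/mounts) for the restrictive mount
options the client section asks for. Added example, not SCAP Security Guide
code; the sample fstab is constructed.
"""
ALWAYS = ("nodev", "nosuid")              # required on every remote filesystem
KRB_FLAVOURS = {"krb5", "krb5i", "krb5p"}  # the only acceptable sec= flavours


def parse_nfs_entries(text):
    """Yield (spec, mountpoint, fstype, options) for nfs and nfs4 lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        fields = line.split()
        if len(fields) < 4:
            continue
        spec, mountpoint, fstype, opts = fields[:4]
        if fstype in ("nfs", "nfs4"):
            yield spec, mountpoint, fstype, opts.split(",")


def audit_options(options, exec_allowed=False):
    """Return the findings for one mount's option list (empty means compliant)."""
    findings = [f"missing {opt}" for opt in ALWAYS if opt not in options]
    if not exec_allowed and "noexec" not in options:
        findings.append("missing noexec")
    sec = [o[len("sec="):] for o in options if o.startswith("sec=")]
    if not sec:
        findings.append("no sec= option, AUTH_SYS may be negotiated")
    else:
        flavours = set(sec[-1].split(":"))    # the last sec= wins, as for mount(8)
        if not flavours <= KRB_FLAVOURS:
            findings.append(f"weak sec={sec[-1]}, only Kerberos flavours are acceptable")
    return findings


def audit_fstab_text(text, exec_allowed=()):
    """Map each NFS mountpoint to its findings. exec_allowed lists mountpoints
    that are documented exceptions to noexec (an assumption of this example)."""
    return {mp: audit_options(opts, mp in exec_allowed)
            for _spec, mp, _fstype, opts in parse_nfs_entries(text)}


# Constructed sample /etc/fstab, not from a real host.
SAMPLE_FSTAB = """\
UUID=0f5c0e7a-0000-0000-0000-000000000000 /  xfs  defaults  0 0
nas1:/export/home   /home       nfs4  rw,sec=krb5p,nodev,nosuid,noexec        0 0
nas1:/export/tools  /opt/tools  nfs4  rw,sec=krb5:krb5i:krb5p,nodev,nosuid    0 0
nas2:/pub           /mnt/pub    nfs   ro,vers=3,nodev                         0 0
nas2:/scratch       /scratch    nfs4  rw,sec=sys,nodev,nosuid,noexec          0 0
"""

if __name__ == "__main__":
    report = audit_fstab_text(SAMPLE_FSTAB, exec_allowed=("/opt/tools",))
    for mountpoint, findings in report.items():
        print(mountpoint, "OK" if not findings else "; ".join(findings))
```

Run it against /proc/mounts as well as /etc/fstab: the former shows what the kernel actually applied, which is what the ocil checks above inspect, while the latter catches entries that will regress at the next reboot.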

    See the section titled "Restrict Partition Mount Options" for a description
    of the effects of these options. In general, execution of files mounted via
    NFS should be considered risky because of the possibility that an adversary
    could intercept the request and substitute a malicious file. Allowing setuid
    files to be executed from remote servers is particularly risky, both for
    this reason and because it requires the clients to extend root-level trust
    to the NFS server.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_clients/nfs_configuring_clients.group
documentation_complete: true

title: 'Configure NFS Clients'

description: 'The steps in this section are appropriate for systems which operate as NFS clients.'

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_servers/configure_exports_restrictively/configure_exports_restrictively.group
documentation_complete: true

title: 'Configure the Exports File Restrictively'

description: |-
    Linux's NFS implementation uses the file /etc/exports to control what
    filesystems and directories may be accessed via NFS. (See the exports(5)
    manpage for more information about the format of this file.)

    The syntax of the exports file is not necessarily checked fully on reload,
    and syntax errors can leave your NFS configuration more open than intended.
    Therefore, exercise caution when modifying the file.

    The syntax of each line in /etc/exports is:
    /DIR    host1(opt1,opt2) host2(opt3)
    where /DIR is a directory or filesystem to export, hostN is an IP address,
    netblock, hostname, domain, or netgroup to which to export, and optN is an
    option.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_servers/export_filesystems_read_only/export_filesystems_read_only.group
documentation_complete: true

title: 'Export Filesystems Read-Only if Possible'

description: |-
    If a filesystem is being exported so that users can view the files in a
    convenient fashion, but there is no need for users to edit those files,
    exporting the filesystem read-only removes an attack vector against the
    server. The default filesystem export mode is ro, so do not specify rw
    without a good reason.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_servers/nfs_configuring_servers.group
documentation_complete: true

title: 'Configure NFS Servers'

description: 'The steps in this section are appropriate for systems which operate as NFS servers.'

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure Insecure File Locking is Not Allowed'

description: |-
    By default the NFS server requires secure file-lock requests, which require
    credentials from the client in order to lock a file. Most NFS clients send
    credentials with file lock requests; however, there are a few clients that
    do not send credentials when requesting a file-lock, allowing the client to
    lock only world-readable files. To get around this, the insecure_locks
    option can be used so these clients can access the desired export. This
    poses a security risk by potentially allowing the client access to data for
    which it does not have authorization.
    Remove any instances of the insecure_locks option from the file /etc/exports.

rationale: |-
    Allowing insecure file locking could allow for sensitive data to be viewed
    or edited by an unauthorized user.

severity: medium

identifiers:
    cce@rhel7: 80243-9

references:
    disa: 764

ocil_clause: 'there is output'

ocil: |-
    To verify insecure file locking has been disabled, run the following command:
    $ grep insecure_locks /etc/exports

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_servers/restrict_nfs_clients_to_privileged_ports.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Restrict NFS Clients to Privileged Ports'

description: |-
    By default, the server NFS implementation requires that all client requests
    be made from ports less than 1024. If your organization has control over
    systems connected to its network, and if NFS requests are prohibited at the
    border firewall, this offers some protection against malicious requests
    from unprivileged users. Therefore, the default should not be changed.

    To ensure that the default has not been changed, ensure no line in
    /etc/exports contains the option insecure.

rationale: |-
    Allowing client requests to be made from ports higher than 1024 could allow
    an unprivileged user to initiate an NFS connection. If the unprivileged
    user account has been compromised, an attacker could gain access to data on
    the NFS server.

severity: unknown

identifiers:
    cce@rhel7: 80242-1

references:
    nist: AC-3

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_servers/use_acl_enforce_auth_restrictions/use_acl_enforce_auth_restrictions.group
documentation_complete: true

title: 'Use Access Lists to Enforce Authorization Restrictions'

description: |-
    When configuring NFS exports, ensure that each export line in /etc/exports
    contains a list of hosts which are allowed to access that export. If no
    hosts are specified on an export line, then that export is available to any
    remote host which requests it. All lines of the exports file should specify
    the hosts (or subnets, if needed) which are allowed to access the exported
    directory, so that unknown or remote hosts will be denied.

    Authorized hosts can be specified in several different formats:
      • Name or alias that is recognized by the resolver
      • Fully qualified domain name
      • IP address
      • IP subnets in the format address/netmask or address/CIDR
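The exports(5) syntax introduced above and the server-side checks of this section (read-only exports, no insecure_locks, privileged source ports, a client access list on every export, anonuid/anongid above UID_MAX/GID_MAX) together with the sec= and root-squash rules that follow can be verified in one pass over /etc/exports. The Python below is an added example, not code from the SCAP Security Guide: it parses the file the way exportfs reads it (backslash continuation, quoted paths, a bare path or "*" meaning any client, a space before the parenthesis meaning the options apply to everyone), and reports per (export, client) pair which rules are violated. The exports text is constructed, and the 60000 ceilings are the /etc/login.defs defaults, assumed here; pass your own values if the site changed them.

```python
"""Audit /etc/exports against the server-side rules of this section.
Added example, not SCAP Security Guide code; the sample exports are constructed.
"""
import re
import shlex

KRB_FLAVOURS = {"krb5", "krb5i", "krb5p"}
_CLIENT = re.compile(r"([^()]*)(?:\(([^()]*)\))?$")   # host(opts), host, or (opts)


def logical_lines(text):
    """Join backslash-continued lines, as exportfs does."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf


def parse_exports(text):
    """Yield (path, host, options). host '*' means any client; options is
    None when a client entry does not parse (exportfs may ignore or widen it)."""
    for line in logical_lines(text):
        fields = shlex.split(line, comments=True)     # quoted paths, # comments
        if not fields:
            continue
        path, clients = fields[0], fields[1:] or ["*"]   # bare path exports to everyone
        for token in clients:
            m = _CLIENT.match(token)
            if not m:
                yield path, token, None
                continue
            host, opts = m.group(1) or "*", m.group(2) or ""
            yield path, host, [o.strip() for o in opts.split(",") if o.strip()]


def audit_client(host, options, uid_max=60000, gid_max=60000):
    """Findings for one client entry; exportfs defaults are ro, secure,
    secure_locks, root_squash, sec=sys and anonuid/anongid 65534."""
    findings = []
    if host == "*":
        findings.append("no client access list, any host may mount")
    if "rw" in options:
        findings.append("exported read-write")
    if "insecure" in options:
        findings.append("insecure: requests from unprivileged source ports accepted")
    if "insecure_locks" in options or "no_auth_nlm" in options:
        findings.append("insecure_locks: unauthenticated lock requests accepted")
    if "no_root_squash" in options:
        findings.append("no_root_squash: remote root keeps uid 0")
    sec = [o[4:] for o in options if o.startswith("sec=")]
    flavours = set(sec[-1].split(":")) if sec else {"sys"}
    if not flavours <= KRB_FLAVOURS:
        findings.append(f"sec={sec[-1] if sec else 'sys (default)'}: not limited to Kerberos")
    for key, ceiling in (("anonuid", uid_max), ("anongid", gid_max)):
        vals = [o.split("=", 1)[1] for o in options if o.startswith(key + "=")]
        if not vals:
            findings.append(f"{key} not set explicitly")
        elif not vals[-1].isdigit() or int(vals[-1]) <= ceiling:
            findings.append(f"{key}={vals[-1]} is not above {key[4:].upper()}_MAX ({ceiling})")
    return findings


def audit_exports_text(text, **limits):
    """Map (path, host) to its findings for the whole file."""
    return {(path, host): (audit_client(host, opts, **limits) if opts is not None
                           else ["client entry does not parse, check it by hand"])
            for path, host, opts in parse_exports(text)}


# Constructed sample /etc/exports, not from a real server.
SAMPLE_EXPORTS = """\
# constructed sample
/export/home   10.0.0.0/24(rw,sync,sec=krb5p,anonuid=65534,anongid=65534)
/export/pub    *(ro,all_squash,insecure,anonuid=65534,anongid=65534)
/export/build  build01.example.com(rw,no_root_squash,insecure_locks,sec=sys)
/export/iso    10.0.1.0/24(ro,sec=krb5:krb5i:krb5p,anonuid=65534,anongid=65534) \\
               10.0.2.0/24(ro,sec=krb5:krb5i:krb5p,anonuid=65534,anongid=65534)
"""

if __name__ == "__main__":
    for (path, host), findings in audit_exports_text(SAMPLE_EXPORTS).items():
        print(f"{path} {host}: {'OK' if not findings else '; '.join(findings)}")
```

Because exportfs reads the file permissively, run this on the file you are about to install and again on `exportfs -v` output after reloading; a line that the parser flags as unparsable is exactly the kind of syntax slip the group text warns can widen an export.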
# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports.rule
documentation_complete: true

prodtype: rhel7

title: 'Use Kerberos Security on All Exports'

description: |-
    Using Kerberos on all exported mounts prevents a malicious client or user
    from impersonating a system user. To cryptographically authenticate users
    to the NFS server, add sec=krb5:krb5i:krb5p to each export in /etc/exports.

rationale: |-
    When an NFS server is configured to use AUTH_SYS a selected userid and
    groupid are used to handle requests from the remote user. The userid and
    groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS
    (RPCSEC_GSS) method of authentication uses Kerberos credentials held by the
    server and client systems to more securely authenticate the remote mount
    request.

severity: medium

identifiers:
    cce@rhel7: 27464-7

references:
    disa: 366
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: AC-14(1)
    srg: SRG-OS-000480-GPOS-00227

ocil_clause: 'the setting is not configured, has the ''sys'' option added, or does not have all Kerberos options added'

ocil: |-
    To verify the sec option is configured for all NFS exports, run the following command:
    $ grep "sec=" /etc/exports
    All configured NFS exports should show the sec=krb5:krb5i:krb5p setting in
    parentheses. This is not applicable if NFS is not implemented.

# scap-security-guide-0.1.39/shared/guide/services/nfs_and_rpc/nfs_configuring_servers/use_root_squashing_all_exports.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Use Root-Squashing on All Exports'

description: |-
    If a filesystem is exported using root squashing, requests from root on the
    client are considered to be unprivileged (mapped to a user such as nobody).
    This provides some mild protection against remote abuse of an NFS server.
    Root squashing is enabled by default, and should not be disabled.

    Ensure that no line in /etc/exports contains the option no_root_squash.

rationale: |-
    If the NFS server allows root access to local file systems from remote
    hosts, this access could be used to compromise the system.

severity: unknown

identifiers:
    cce@rhel7: 80241-3

# scap-security-guide-0.1.39/shared/guide/services/ntp/chronyd_or_ntpd_set_maxpoll.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Configure Time Service Maxpoll Interval'

description: |-
    The maxpoll should be configured to in /etc/ntp.conf or /etc/chrony.conf
    to continuously poll time servers. To configure maxpoll in /etc/ntp.conf
    or /etc/chrony.conf add the following:
    maxpoll 

rationale: |-
    Inaccurate time stamps make it more difficult to correlate events and can
    lead to an inaccurate analysis. Determining the correct time a particular
    event occurred on a system is critical when conducting forensic analysis
    and investigating system events. Sources outside the configured acceptable
    allowance (drift) may be inaccurate.

severity: unknown

identifiers:
    cce@rhel7: 80439-3

references:
    disa: 1891,2046
    nist: AU-8(1)(a)
    srg: 'SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144'
    stigid@rhel7: "040500"

ocil_clause: 'it does not exist or maxpoll has not been set to the expected value'

ocil: |-
    To verify that maxpoll has been set properly, perform the following:
    $ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf
    The output should return
    maxpoll 
    .

# scap-security-guide-0.1.39/shared/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Specify Additional Remote NTP Servers'

description: |-
    Depending on specific functional requirements of a concrete production
    environment, the Red Hat Enterprise Linux 7 Server system can be configured
    to utilize the services of the chronyd NTP daemon (the default), or
    services of the ntpd NTP daemon. Refer to for a more detailed comparison
    of the features of both of the choices, and for further guidance on how to
    choose between the two NTP daemons.
    Additional NTP servers can be specified for time synchronization. To do so,
    perform the following:
      • if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
      • if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
    Add additional lines of the following form, substituting the IP address or
    hostname of a remote NTP server for ntpserver:
    server ntpserver

rationale: |-
    Specifying additional NTP servers increases the availability of accurate
    time data, in the event that one of the specified servers becomes
    unavailable. This is typical for a system acting as an NTP server for other
    systems.

severity: unknown

identifiers:
    cce@rhel7: 27012-4

references:
    nist: AU-8(1)
    pcidss: Req-10.4.3

# scap-security-guide-0.1.39/shared/guide/services/ntp/chronyd_or_ntpd_specify_remote_server.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Specify a Remote NTP Server'

description: |-
    Depending on specific functional requirements of a concrete production
    environment, the Red Hat Enterprise Linux 7 Server system can be configured
    to utilize the services of the chronyd NTP daemon (the default), or
    services of the ntpd NTP daemon. Refer to for a more detailed comparison
    of the features of both of the choices, and for further guidance on how to
    choose between the two NTP daemons.
    To specify a remote NTP server for time synchronization, perform the following:
      • if the system is configured to use the chronyd as the NTP daemon (the default), edit the file /etc/chrony.conf as follows,
      • if the system is configured to use the ntpd as the NTP daemon, edit the file /etc/ntp.conf as documented below.
    Add or correct the following lines, substituting the IP or hostname of a
    remote NTP server for ntpserver:
    server ntpserver
    This instructs the NTP software to contact that remote server to obtain
    time data.

rationale: |-
    Synchronizing with an NTP server makes it possible to collate system logs
    from multiple sources or correlate computer events with real time events.

severity: medium

identifiers:
    cce@rhel7: 27278-1

references:
    cis: 3.6
    cui: 3.3.7
    disa: 160
    nist: AU-8(1)
    pcidss: Req-10.4.1,Req-10.4.3

ocil_clause: 'this is not the case'

ocil: |-
    To verify that a remote NTP service is configured for time synchronization,
    open the following file:
      • /etc/chrony.conf
        in the case the system in question is configured to use the chronyd as the NTP daemon (default setting)
      • /etc/ntp.conf
        in the case the system in question is configured to use the ntpd as the NTP daemon
    In the file, there should be a section similar to the following:
    server ntpserver
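The three time-service rules above (set maxpoll, specify a remote server, specify additional servers) all reduce to properties of the server/pool/peer lines in /etc/chrony.conf or /etc/ntp.conf. The Python below is an added example, not code from the SCAP Security Guide: it parses either file, reports too few sources and any source line whose maxpoll is missing or above the ceiling, and then performs the "add or correct" remediation by rewriting maxpoll on every source line while leaving other options, trailing comments and unrelated directives untouched. The configuration text is constructed; the ceiling of 10 is the guide's default variable value and 17 its 36-hour option, both assumed here as the values you would feed in.

```python
"""Audit and fix time-source lines in chrony.conf / ntp.conf for source
count and maxpoll. Added example, not SCAP Security Guide code; the sample
configuration is constructed.
"""
SOURCE_DIRECTIVES = ("server", "pool", "peer")
COMMENT_CHARS = "#%;!"      # chrony accepts all four as line comments, ntp only '#'


def parse_sources(text):
    """Return [(directive, address, [options])] for every time-source line."""
    sources = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in COMMENT_CHARS:
            continue
        fields = line.split("#", 1)[0].split()   # strip trailing comment
        if len(fields) >= 2 and fields[0] in SOURCE_DIRECTIVES:
            sources.append((fields[0], fields[1], fields[2:]))
    return sources


def maxpoll_of(options):
    """The value following 'maxpoll', or None when absent or malformed."""
    for i, opt in enumerate(options):
        if opt == "maxpoll" and i + 1 < len(options) and options[i + 1].isdigit():
            return int(options[i + 1])
    return None


def audit_time_config(text, max_allowed=10, min_sources=2):
    """Findings for the whole file; an empty list means both rules are met."""
    sources = parse_sources(text)
    findings = []
    if len(sources) < min_sources:
        findings.append(f"only {len(sources)} time source(s) configured, {min_sources} required")
    for directive, address, options in sources:
        mp = maxpoll_of(options)
        if mp is None:
            findings.append(f"{directive} {address}: no maxpoll")
        elif mp > max_allowed:
            findings.append(f"{directive} {address}: maxpoll {mp} exceeds {max_allowed}")
    return findings


def enforce_maxpoll(text, value=10):
    """Add or correct 'maxpoll <value>' on every source line. Other options,
    trailing comments and non-source lines are returned unchanged."""
    out = []
    for raw in text.splitlines():
        code, hash_, comment = raw.partition("#")
        fields = code.split()
        if len(fields) >= 2 and fields[0] in SOURCE_DIRECTIVES:
            options = fields[2:]
            if "maxpoll" in options:
                i = options.index("maxpoll")
                del options[i:i + 2]            # drop the old keyword and its value
            code = " ".join(fields[:2] + options + ["maxpoll", str(value)])
            raw = code + (" " + hash_ + comment if hash_ else "")
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample /etc/chrony.conf, not from a real host.
SAMPLE_CHRONY = """\
# constructed sample /etc/chrony.conf, not from a real host
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst maxpoll 17   # left over from a test
pool ntp.example.internal iburst maxpoll 10
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
"""

if __name__ == "__main__":
    for finding in audit_time_config(SAMPLE_CHRONY):
        print("finding:", finding)
    print(enforce_maxpoll(SAMPLE_CHRONY, 10))
```

The poll value is a power of two in seconds for both daemons (maxpoll 10 is 1024 s, 17 is about 36 hours), so a ceiling check is a simple integer comparison; after rewriting the file, restart chronyd or ntpd and confirm with `chronyc sources` or `ntpq -p` that the sources are reachable, since a fixed maxpoll does nothing for a server that never answers.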
scap-security-guide-0.1.39/shared/guide/services/ntp/ntp.group000066400000000000000000000070131327242345500243500ustar00rootroot00000000000000documentation_complete: true title: 'Network Time Protocol' description: |- The Network Time Protocol is used to manage the system clock over a network. Computer clocks are not very accurate, so time will drift unpredictably on unmanaged systems. Central time protocols can be used both to ensure that time is consistent among a network of systems, and that their time is consistent with the outside world.

If every system on a network reliably reports the same time, then it is much easier to correlate log messages in case of an attack. In addition, a number of cryptographic protocols (such as Kerberos) use timestamps to prevent certain types of attacks. If your network does not have synchronized time, these protocols may be unreliable or even unusable.

Depending on the specifics of the network, global time accuracy may be just as important as local synchronization, or not very important at all. If your network is connected to the Internet, using a public timeserver (or one provided by your enterprise) provides globally accurate timestamps which may be essential in investigating or responding to an attack which originated outside of your network.

A typical network setup involves a small number of internal systems operating as NTP servers, and the remainder obtaining time information from those internal servers.

There is a choice between the daemons ntpd and chronyd, which are available from the repositories in the ntp and chrony packages respectively.

The default chronyd daemon can work well when external time references are only intermittently accesible, can perform well even when the network is congested for longer periods of time, can usually synchronize the clock faster and with better time accuracy, and quickly adapts to sudden changes in the rate of the clock, for example, due to changes in the temperature of the crystal oscillator. Chronyd should be considered for all systems which are frequently suspended or otherwise intermittently disconnected and reconnected to a network. Mobile and virtual systems for example.

The ntpd NTP daemon fully supports NTP protocol version 4 (RFC 5905), including broadcast, multicast, manycast clients and servers, and the orphan mode. It also supports extra authentication schemes based on public-key cryptography (RFC 5906). The NTP daemon (ntpd) should be considered for systems which are normally kept permanently on. Systems which are required to use broadcast or multicast IP, or to perform authentication of packets with the Autokey protocol, should consider using ntpd.

Refer to for more detailed comparison of features of chronyd and ntpd daemon features respectively, and for further guidance how to choose between the two NTP daemons.

The upstream manual pages at for chronyd and for ntpd provide additional information on the capabilities and configuration of each of the NTP daemons. scap-security-guide-0.1.39/shared/guide/services/ntp/service_chronyd_or_ntpd_enabled.rule000066400000000000000000000036071327242345500317540ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,fedora title: 'Enable the NTP Daemon' description: |- Note: The chronyd daemon is enabled by default.

Note: The ntpd daemon is not enabled by default, though, as mentioned in the previous sections, in certain environments ntpd might be preferred over chronyd. Refer to: for guidance on which NTP daemon to choose for the environment in use. rationale: |- Enabling one of the chronyd or ntpd services ensures that the NTP daemon will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.
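The rule depends on the daemon's configuration actually naming time sources, and the guide's var_multiple_time_servers and var_time_service_set_maxpoll variables supply an approved server list and a maxpoll ceiling for the related rules. The following POSIX shell function is an added example, not code from the SCAP Security Guide (which ships OVAL checks, not shell): it reads a chrony.conf or ntp.conf, requires at least one server/pool/peer directive, optionally restricts sources to an approved list, and enforces the maxpoll ceiling (treating an absent maxpoll as the daemons' default of 10). The function name, its arguments and the sample configuration written at the end are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not scap-security-guide code): audit an NTP daemon config.
# ntp_config_check CONF [MAXPOLL] [APPROVED]
#   CONF      chrony.conf or ntp.conf (both use "server HOST [options]";
#             chrony also accepts "pool", both accept "peer")
#   MAXPOLL   highest acceptable maxpoll exponent, default 10 (the daemons'
#             own default when the option is absent on a source line)
#   APPROVED  optional comma-separated list of permitted source hostnames
# Exit 0 on pass, 1 on fail, 2 if the file is unreadable.
ntp_config_check() {
    conf=$1
    limit=${2:-10}
    approved=${3:-}
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf" >&2; return 2; }
    awk -v limit="$limit" -v approved="$approved" -v conf="$conf" '
        BEGIN {
            # build a set of approved hostnames; empty list means "any host"
            nlist = split(approved, list, ",")
            nok = 0
            for (i = 1; i <= nlist; i++) if (list[i] != "") { ok[list[i]] = 1; nok++ }
        }
        { sub(/[#;!%].*$/, "") }                      # strip comment text
        $1 == "server" || $1 == "pool" || $1 == "peer" {
            sources++
            host = $2
            if (nok > 0 && !(host in ok)) {
                printf "FAIL: %s:%d: %s is not an approved source\n", conf, NR, host
                bad++
            }
            mp = 10                                   # daemon default
            for (i = 3; i < NF; i++) if ($i == "maxpoll") mp = $(i + 1)
            if (mp + 0 > limit + 0) {
                printf "FAIL: %s:%d: maxpoll %s exceeds %s\n", conf, NR, mp, limit
                bad++
            }
        }
        END {
            if (sources == 0) {
                printf "FAIL: %s: no server/pool/peer directive\n", conf
                exit 1
            }
            if (bad > 0) exit 1
            printf "PASS: %s: %d source(s), maxpoll <= %s\n", conf, sources, limit
        }' "$conf"
}

# Demo on a constructed sample, not a real host's /etc/chrony.conf:
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed chrony.conf fragment
pool 0.rhel.pool.ntp.org iburst maxpoll 10
server 1.rhel.pool.ntp.org iburst maxpoll 17
driftfile /var/lib/chrony/drift
EOF
ntp_config_check "$sample" 10 "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org"
rm -f "$sample"
```

The demo reports the second source because maxpoll 17 (about 36 hours) exceeds the default ceiling of 10; the same file passes when called with 17 as the limit, which is the 36_hours option the guide's variable offers.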

The chronyd and ntpd NTP daemons offer all of the functionality of ntpdate, which is now deprecated. Additional information on this is available at severity: medium identifiers: cce@rhel7: 27444-9 references: cis: 2.2.1.1 cui: 3.3.7 disa: 160 nist: AU-8(1) pcidss: Req-10.4 ocil: |- scap-security-guide-0.1.39/shared/guide/services/ntp/var_multiple_time_servers.var000066400000000000000000000005661327242345500305030ustar00rootroot00000000000000documentation_complete: true title: 'Vendor Approved Time Servers' description: 'The list of vendor-approved time servers' type: string operator: interactive: false options: fedora: "0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org" rhel: "0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org" scap-security-guide-0.1.39/shared/guide/services/ntp/var_time_service_set_maxpoll.var000066400000000000000000000004301327242345500311340ustar00rootroot00000000000000documentation_complete: true title: 'Maximum NTP or Chrony Poll' description: 'The maximum NTP or Chrony poll interval number in seconds specified as a power of two.' type: number operator: interactive: false options: 36_hours: 17 default: 10 system_default: 10 scap-security-guide-0.1.39/shared/guide/services/obsolete/000077500000000000000000000000001327242345500235035ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/obsolete/inetd_and_xinetd/000077500000000000000000000000001327242345500270035ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/obsolete/inetd_and_xinetd/inetd_and_xinetd.group000066400000000000000000000006531327242345500333650ustar00rootroot00000000000000documentation_complete: true title: Xinetd description: |- The xinetd service acts as a dedicated listener for some network services (mostly, obsolete ones) and can be used to provide access controls and perform some logging. 
It has been largely obsoleted by other features, and it is not installed by default. The older Inetd service is not even available as part of Red Hat Enterprise Linux 7. package_tcp_wrappers_installed.rule000066400000000000000000000014271327242345500360440ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/obsolete/inetd_and_xinetddocumentation_complete: true prodtype: rhel7 title: 'Install tcp_wrappers Package' description: |- When network services are using the xinetd service, the tcp_wrappers package should be installed. rationale: |- Access control methods provide the ability to enhance system security posture by restricting services to known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. severity: medium identifiers: cce@rhel7: 27361-5 references: cis: 3.4.1 disa: 366 nist: CM-6(b) srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: TBD ocil_clause: 'the package is not installed' ocil: '' package_xinetd_removed.rule000066400000000000000000000013131327242345500343020ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/obsolete/inetd_and_xinetddocumentation_complete: true prodtype: rhel7 title: 'Uninstall xinetd Package' description: |- The xinetd package can be uninstalled with the following command:
$ sudo yum erase xinetd
rationale: |- Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation. severity: unknown identifiers: cce@rhel7: 27354-0 references: disa: 305 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) nist: AC-17(8),CM-7 ocil: |- If network services are using the xinetd service, this is not applicable.

service_xinetd_disabled.rule000066400000000000000000000015111327242345500344550ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/obsolete/inetd_and_xinetddocumentation_complete: true prodtype: rhel7 title: 'Disable xinetd Service' description: '' rationale: |- The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself. severity: medium identifiers: cce@rhel7: 27443-1 references: cis: 2.1.7 cui: 3.4.7 disa: 305 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) nist: AC-17(8),CM-7 ocil: |- If network services are using the xinetd service, this is not applicable.

scap-security-guide-0.1.39/shared/guide/services/obsolete/nis/000077500000000000000000000000001327242345500242745ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/obsolete/nis/nis.group000066400000000000000000000006641327242345500261510ustar00rootroot00000000000000documentation_complete: true title: NIS description: |- The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized authentication services. NIS should not be used because it suffers from security problems inherent in its design, such as inadequate protection of important authentication information. scap-security-guide-0.1.39/shared/guide/services/obsolete/nis/package_ypbind_removed.rule000066400000000000000000000016751327242345500316570ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Remove NIS Client' description: |- The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a system to an NIS server and receive the distributed configuration files. rationale: "The NIS service is inherently an insecure system that has been vulnerable\nto DOS attacks, buffer overflows and has poor authentication for querying NIS maps.\nNIS generally has been replaced by such protocols as Lightweight Directory Access \nProtocol (LDAP). It is recommended that the service be removed." 
severity: unknown identifiers: cce@rhel7: 27396-1 references: cis: 2.3.1 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) ocil: '' scap-security-guide-0.1.39/shared/guide/services/obsolete/nis/package_ypserv_removed.rule000066400000000000000000000015411327242345500317120ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Uninstall ypserv Package' description: |- The ypserv package can be uninstalled with the following command:
$ sudo yum erase ypserv
rationale: "The NIS service provides an unencrypted authentication service which does not\nprovide for the confidentiality and integrity of user passwords or the remote session.\n\nRemoving the ypserv package decreases the risk of the accidental (or intentional) \nactivation of NIS or NIS+ services." severity: high identifiers: cce@rhel7: 27399-5 references: cis: 2.2.16 disa: 381 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) nist: AC-17(8),CM-7(a) srg: SRG-OS-000095-GPOS-00049 stigid@rhel7: "020010" ocil: '' scap-security-guide-0.1.39/shared/guide/services/obsolete/nis/service_ypbind_disabled.rule000066400000000000000000000013371327242345500320250ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable ypbind Service' description: |- The ypbind service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. rationale: |- Disabling the ypbind service ensures the system is not acting as a client in a NIS or NIS+ domain. This service should be disabled unless in use. severity: medium identifiers: cce@rhel7: 27385-4 references: disa: 305 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) nist: AC-17(8),CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/services/obsolete/obsolete.group000066400000000000000000000016451327242345500264030ustar00rootroot00000000000000documentation_complete: true title: 'Obsolete Services' description: |- This section discusses a number of network-visible services which have historically caused problems for system security, and for which disabling or severely limiting the service has been the best available guidance for some time. As a result of this, many of these services are not installed as part of Red Hat Enterprise Linux 7 by default.

Organizations which are running these services should switch to more secure equivalents as soon as possible. If it remains absolutely necessary to run one of these services for legacy reasons, care should be taken to restrict the service as much as possible, for instance by configuring host firewall software such as firewalld to restrict access to the vulnerable service to only those remote hosts which have a known need to use it. scap-security-guide-0.1.39/shared/guide/services/obsolete/r_services/000077500000000000000000000000001327242345500256475ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/obsolete/r_services/no_host_based_files.rule000066400000000000000000000021121327242345500325270ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Remove Host-Based Authentication Files' description: |- The shosts.equiv file lists remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv
rationale: |- The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. severity: high identifiers: cce: 80513-5 references: disa: 366 nist: "" srg: SRG-OS-000480-GPOS-00227 stigid: "040550" ocil_clause: 'these files exist' ocil: |- To verify that there are no shosts.equiv files on the system, run the following command:
$ find / -name shosts.equiv
No output should be returned. scap-security-guide-0.1.39/shared/guide/services/obsolete/r_services/no_rsh_trust_files.rule000066400000000000000000000020421327242345500324510ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,ol7 title: 'Remove Rsh Trust Files' description: |- The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location:
$ sudo rm /etc/hosts.equiv
$ rm ~/.rhosts
rationale: |- Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system. severity: high identifiers: cce@rhel7: 27406-8 references: cis: 6.2.14 disa: 1436 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) nist: AC-17(8),CM-7 ocil_clause: 'these files exist' ocil: |- The existence of the file /etc/hosts.equiv or a file named .rhosts inside a user home directory indicates the presence of an Rsh trust relationship. scap-security-guide-0.1.39/shared/guide/services/obsolete/r_services/no_user_host_based_files.rule000066400000000000000000000021621327242345500335700ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Remove User Host-Based Authentication Files' description: |- The ~/.shosts (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo rm ~/.shosts
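The three rules above (shosts.equiv, hosts.equiv with ~/.rhosts, and ~/.shosts) each locate one file name with find. The following shell functions are an added example, not part of the SCAP Security Guide: one scan for all four names under a given root, plus a content check, because a trust file holding a "+" in the host or user field trusts every host or every user and is worse than one naming a single peer. The function names and the directory tree built in the demo are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not scap-security-guide code): locate r-service and SSH
# host-based trust files under ROOT and flag wildcard entries in them.

# find_trust_files [ROOT] -> prints matching paths; returns 1 if any exist
find_trust_files() {
    root=${1:-/}
    found=$(find "$root" -xdev -type f \( -name .rhosts -o -name .shosts \
        -o -name hosts.equiv -o -name shosts.equiv \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# trust_file_wildcards FILE -> 0 if a "+" wildcard appears in the host or
# user field of any non-comment line, else 1
trust_file_wildcards() {
    awk '
        { sub(/#.*$/, "") }                 # drop comments
        NF == 0 { next }                    # skip blank lines
        $1 == "+" || $2 == "+" { hit = 1 }  # "+", "+ +", "host +"
        END { exit hit ? 0 : 1 }' "$1"
}

# trust_audit [ROOT] -> one line per trust file, WILDCARD or named;
# returns 1 if any trust file exists (the rules want all of them removed)
trust_audit() {
    root=${1:-/}
    find_trust_files "$root" >/dev/null && return 0
    find_trust_files "$root" | while IFS= read -r f; do
        if trust_file_wildcards "$f"; then
            echo "WILDCARD $f"
        else
            echo "named    $f"
        fi
    done
    return 1
}

# Demo against a constructed tree (not a real filesystem):
demo=$(mktemp -d)
mkdir -p "$demo/home/alice" "$demo/etc"
printf '+ +\n' > "$demo/home/alice/.rhosts"               # trusts everyone
printf 'build.example.com bob\n' > "$demo/etc/hosts.equiv"  # one named peer
trust_audit "$demo"
rm -rf "$demo"
```

Running trust_audit with no argument scans from / with -xdev, so it stays on the root filesystem; pass each mounted home filesystem separately if /home is its own mount.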
rationale: |- The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. severity: high identifiers: cce: 80514-3 references: disa: 366 nist: "" srg: SRG-OS-000480-GPOS-00227 stigid: "040540" ocil_clause: 'these files exist' ocil: |- To verify that there are no .shosts files in any user home directory on the system, run the following command:
$ sudo find / -name '*.shosts'
No output should be returned. scap-security-guide-0.1.39/shared/guide/services/obsolete/r_services/package_rsh-server_removed.rule000066400000000000000000000022071327242345500340350ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Uninstall rsh-server Package' description: |- The rsh-server package can be uninstalled with the following command:
$ sudo yum erase rsh-server
rationale: |- The rsh-server service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation. severity: high identifiers: cce@rhel7: 27342-5 references: disa: 381 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) iso27001-2013: A.8.2.3,A.13.1.1,A.13.2.1,A.13.2.3,A.14.1.2,A.14.1.3 nist: AC-17(8),CM-7(a) srg: SRG-OS-000095-GPOS-00049 stigid@rhel7: "020000" ocil: '' scap-security-guide-0.1.39/shared/guide/services/obsolete/r_services/package_rsh_removed.rule000066400000000000000000000017031327242345500325310ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Uninstall rsh Package' description: |- The rsh package contains the client commands for the rsh services. rationale: |- These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh, rcp, and rlogin.
severity: unknown identifiers: cce@rhel7: 27274-0 references: cis: 2.3.2 cui: 3.1.13 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) iso27001-2013: A.8.2.3,A.13.1.1,A.13.2.1,A.13.2.3,A.14.1.2,A.14.1.3 ocil: '' scap-security-guide-0.1.39/shared/guide/services/obsolete/r_services/r_services.group000066400000000000000000000003151327242345500310700ustar00rootroot00000000000000documentation_complete: true title: 'Rlogin, Rsh, and Rexec' description: |- The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model. scap-security-guide-0.1.39/shared/guide/services/obsolete/r_services/service_rexec_disabled.rule000066400000000000000000000020761327242345500332220ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable rexec Service' description: "The rexec service, which is available with\nthe rsh-server package and runs as a service through xinetd or separately\nas a systemd socket, should be disabled.\nIf using xinetd, set disable to yes in /etc/xinetd.d/rexec. \nIf using systemd, " rationale: |- The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. 
severity: high identifiers: cce@rhel7: 27408-4 references: cis: 2.2.17 cui: 3.1.13,3.4.7 disa: 68,1436 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) nist: AC-17(8),CM-7 ocil: |- scap-security-guide-0.1.39/shared/guide/services/obsolete/r_services/service_rlogin_disabled.rule000066400000000000000000000021351327242345500334020ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,ol7 title: 'Disable rlogin Service' description: |- The rlogin service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rlogin. If using systemd, rationale: |- The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. severity: high identifiers: cce@rhel7: 27336-7 references: cis: 2.2.17 cui: 3.1.13,3.4.7 disa: 1436 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) nist: AC-17(8),CM-7,IA-5(1)(c) ocil: |- scap-security-guide-0.1.39/shared/guide/services/obsolete/r_services/service_rsh_disabled.rule000066400000000000000000000021131327242345500327000ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,ol7 title: 'Disable rsh Service' description: |- The rsh service, which is available with the rsh-server package and runs as a service through xinetd or separately as a systemd socket, should be disabled. If using xinetd, set disable to yes in /etc/xinetd.d/rsh. If using systemd, rationale: |- The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. 
severity: high identifiers: cce@rhel7: 27337-5 references: cis: 2.2.17 cui: 3.1.13,3.4.7 disa: 68,1436 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) nist: AC-17(8),CM-7,IA-5(1)(c) ocil: |- scap-security-guide-0.1.39/shared/guide/services/obsolete/talk/000077500000000000000000000000001327242345500244365ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/obsolete/talk/package_talk-server_removed.rule000066400000000000000000000012001327242345500327530ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Uninstall talk-server Package' description: '' rationale: |- The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk-server package decreases the risk of the accidental (or intentional) activation of talk services. severity: medium identifiers: cce@rhel7: 27210-4 references: cis: 2.2.21 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) ocil: '' scap-security-guide-0.1.39/shared/guide/services/obsolete/talk/package_talk_removed.rule000066400000000000000000000016001327242345500314530ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Uninstall talk Package' description: |- The talk package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user. rationale: |- The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk package decreases the risk of the accidental (or intentional) activation of talk client program. 
severity: unknown identifiers: cce@rhel7: 27432-4 references: cis: 2.3.3 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) ocil: '' scap-security-guide-0.1.39/shared/guide/services/obsolete/talk/talk.group000066400000000000000000000003161327242345500264470ustar00rootroot00000000000000documentation_complete: true title: 'Chat/Messaging Services' description: |- The talk software makes it possible for users to send and receive messages across systems through a terminal session. scap-security-guide-0.1.39/shared/guide/services/obsolete/telnet/000077500000000000000000000000001327242345500247765ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/obsolete/telnet/package_telnet-server_removed.rule000066400000000000000000000025601327242345500336650ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Uninstall telnet-server Package' description: |- The telnet-server package can be uninstalled with the following command:
$ sudo yum erase telnet-server
rationale: "It is detrimental for operating systems to provide, or install by default, functionality exceeding\nrequirements or mission objectives. These unnecessary capabilities are often overlooked and therefore\nmay remain insecure. They increase the risk to the platform by providing additional attack vectors.\n
\nThe telnet service provides an unencrypted remote access service which does not provide for the \nconfidentiality and integrity of user passwords or the remote session. If a privileged user were\nto login using this service, the privileged user password could be compromised.\n
\nRemoving the telnet-server package decreases the risk of the telnet service's accidental \n(or intentional) activation." severity: high identifiers: cce@rhel7: 27165-0 references: cis: 2.1.1 disa: 381 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) iso27001-2013: A.8.2.3,A.13.1.1,A.13.2.1,A.13.2.3,A.14.1.2,A.14.1.3 nist: AC-17(8),CM-7(a) srg: SRG-OS-000095-GPOS-00049 stigid@rhel7: "021710" ocil: '' scap-security-guide-0.1.39/shared/guide/services/obsolete/telnet/package_telnet_removed.rule000066400000000000000000000014751327242345500323630ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Remove telnet Clients' description: "The telnet client allows users to start connections to other \nsystems via the telnet protocol." rationale: |- The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux. severity: low identifiers: cce@rhel7: 27305-2 references: cis: 2.3.4 cui: 3.1.13 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) iso27001-2013: A.8.2.3,A.13.1.1,A.13.2.1,A.13.2.3,A.14.1.2,A.14.1.3 ocil: '' scap-security-guide-0.1.39/shared/guide/services/obsolete/telnet/service_telnet_disabled.rule000066400000000000000000000034311327242345500325320ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable telnet Service' description: |- The telnet service configuration file /etc/xinetd.d/telnet is not created automatically. If it was created manually, check the /etc/xinetd.d/telnet file and ensure that disable = no is changed to read disable = yes as shown below:
    # description: The telnet server serves telnet sessions; it uses \\
    #       unencrypted username/password pairs for authentication.
    service telnet
    {
            flags           = REUSE
            socket_type     = stream

            wait            = no
            user            = root
            server          = /usr/sbin/in.telnetd
            log_on_failure  += USERID
            disable         = yes
    }
    
If the /etc/xinetd.d/telnet file does not exist, make sure that the activation of the telnet service on system boot is disabled via the following command: rationale: |- The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks. severity: high identifiers: cce@rhel7: 27401-9 references: cis: 2.2.18 cui: 3.1.13,3.4.7 disa: "" hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) nist: AC-17(8),CM-7,IA-5(1)(c) ocil: |- scap-security-guide-0.1.39/shared/guide/services/obsolete/telnet/telnet.group000066400000000000000000000005271327242345500273530ustar00rootroot00000000000000documentation_complete: true title: Telnet description: |- The telnet protocol does not provide confidentiality or integrity for information transmitted on the network. This includes authentication information such as passwords. Organizations which use telnet should be actively working to migrate to a more secure protocol. scap-security-guide-0.1.39/shared/guide/services/obsolete/tftp/000077500000000000000000000000001327242345500244605ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/obsolete/tftp/package_tftp-server_removed.rule000066400000000000000000000014601327242345500330270ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Uninstall tftp-server Package' description: '' rationale: "Removing the tftp-server package decreases the risk of the\naccidental (or intentional) activation of tftp services.\n

\nIf TFTP is required for operational support (such as transmission of router configurations),\nits use must be documented with the Information Systems Security Manager (ISSM), restricted to \nonly authorized personnel, and have access control rules established." severity: high identifiers: cce@rhel7: 80213-2 references: disa: 318,368,1812,1813,1814 nist: AC-17(8),CM-6(c),CM-7 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "040700" ocil: '' scap-security-guide-0.1.39/shared/guide/services/obsolete/tftp/package_tftp_removed.rule000066400000000000000000000013411327242345500315210ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Remove tftp Daemon' description: |- Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server. rationale: |- It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services. severity: high identifiers: cce@rhel7: 80443-5 ocil: '' scap-security-guide-0.1.39/shared/guide/services/obsolete/tftp/service_tftp_disabled.rule000066400000000000000000000010501327242345500316710ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable tftp Service' description: |- The tftp service should be disabled. rationale: |- Disabling the tftp service ensures the system is not acting as a TFTP server, which does not provide encryption or authentication.
severity: medium identifiers: cce@rhel7: 80212-4 references: cis: 2.1.6 disa: 1436 nist: AC-17(8),CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/services/obsolete/tftp/tftp.group000066400000000000000000000007451327242345500265210ustar00rootroot00000000000000documentation_complete: true title: 'TFTP Server' description: |- TFTP is a lightweight version of the FTP protocol which has traditionally been used to configure networking equipment. However, TFTP provides little security, and modern versions of networking operating systems frequently support configuration via SSH or other more secure protocols. A TFTP server should be run only if no more secure method of supporting existing equipment can be found. scap-security-guide-0.1.39/shared/guide/services/obsolete/tftp/tftpd_uses_secure_mode.rule000066400000000000000000000026631327242345500321120ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Ensure tftp Daemon Uses Secure Mode' description: |- If running the tftp service is necessary, it should be configured to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example (which is also the default):
server_args = -s /var/lib/tftpboot
rationale: |- Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private. severity: medium identifiers: cce@rhel7: 80214-0 references: disa: 366 nist: AC-6,AC-17(8),CM-7 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "040720" ocil_clause: 'this flag is missing' ocil: "If TFTP is not installed, this is not applicable. To determine if TFTP is installed, \nrun the following command:\n
$ rpm -qa | grep tftp
\n

\nVerify tftp is configured with the -s option by running the\nfollowing command:\n
grep \"server_args\" /etc/xinetd.d/tftp
\nThe output should indicate the server_args variable is configured with the -s\nflag, matching the example below:\n
$ grep \"server_args\" /etc/xinetd.d/tftp\nserver_args = -s /var/lib/tftpboot
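The telnet rule (disable = yes in /etc/xinetd.d/telnet) and the tftp rule (server_args carrying -s) both read xinetd service files. The shell functions that follow are an added example, not code from the SCAP Security Guide: a small reader for "KEY = value" lines in an xinetd service block, a disabled check that treats a missing file as a pass (xinetd cannot start a service it has no file for, which is the case the telnet rule describes), and a secure-mode check that accepts either -s or its long form --secure. The directory name, function names and the two service files written in the demo are constructed.

```shell
#!/bin/sh
# Added example (not scap-security-guide code): audit xinetd service files
# for the telnet and tftp rules.

# xinetd_get FILE KEY -> prints the value of the first "KEY = value" or
# "KEY += value" line outside comments; prints nothing if the key is absent
xinetd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key && ($2 == "=" || $2 == "+=") {
            out = ""
            for (i = 3; i <= NF; i++) out = out (i > 3 ? " " : "") $i
            print out
            exit
        }' "$1"
}

# xinetd_service_disabled FILE -> 0 if xinetd cannot activate the service:
# the file is absent or says "disable = yes"; 1 otherwise
xinetd_service_disabled() {
    [ -e "$1" ] || return 0
    [ "$(xinetd_get "$1" disable)" = "yes" ]
}

# tftpd_secure_mode FILE -> 0 if server_args selects chrooted mode with
# -s or --secure, or the file is absent (no tftp via xinetd); 1 otherwise
tftpd_secure_mode() {
    [ -e "$1" ] || return 0
    for arg in $(xinetd_get "$1" server_args); do
        case $arg in -s|--secure) return 0 ;; esac
    done
    return 1
}

# xinetd_audit [DIR] -> one verdict line per rule; returns 1 if any fails
xinetd_audit() {
    dir=${1:-/etc/xinetd.d}
    rc=0
    for svc in telnet rsh rlogin rexec tftp; do
        if xinetd_service_disabled "$dir/$svc"; then
            echo "PASS disable  $svc"
        else
            echo "FAIL disable  $svc"; rc=1
        fi
    done
    if tftpd_secure_mode "$dir/tftp"; then
        echo "PASS secure   tftp"
    else
        echo "FAIL secure   tftp (server_args lacks -s)"; rc=1
    fi
    return $rc
}

# Demo on a constructed directory, not a real /etc/xinetd.d:
demo=$(mktemp -d)
cat > "$demo/telnet" <<'EOF'
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
EOF
cat > "$demo/tftp" <<'EOF'
service tftp
{
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = -s /var/lib/tftpboot
        disable         = yes
}
EOF
xinetd_audit "$demo"
rm -rf "$demo"
```

In the demo only telnet fails, because its file carries disable = no; tftp passes both its rules. A passing xinetd audit says nothing about systemd socket units for the same services, which the rlogin, rsh and rexec rules mention separately.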
" scap-security-guide-0.1.39/shared/guide/services/openstack/000077500000000000000000000000001327242345500236565ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/openstack/cinder/000077500000000000000000000000001327242345500251225ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/openstack/cinder/cinder.group000066400000000000000000000002251327242345500274430ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Cinder STIG Checklist' description: 'High level overview of Cinder STIG settings to go here!' scap-security-guide-0.1.39/shared/guide/services/openstack/cinder/cinder_file_ownership.rule000066400000000000000000000027301327242345500323560ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Check-Block-01: Is user/group ownership of config files set to root/cinder?' description: |- Configuration files contain critical parameters and information required for smooth functioning of the component. If an unprivileged user, either intentionally or accidentally, modifies or deletes any of the parameters or the file itself then it would cause severe availability issues resulting in a denial of service to the other end users. Thus user ownership of such critical configuration files must be set to root and group ownership must be set to cinder.

Run the following commands:

$ stat -L -c "%U %G" /etc/cinder/cinder.conf | egrep "root cinder"
$ stat -L -c "%U %G" /etc/cinder/api-paste.ini | egrep "root cinder"
$ stat -L -c "%U %G" /etc/cinder/policy.json | egrep "root cinder"
$ stat -L -c "%U %G" /etc/cinder/rootwrap.conf | egrep "root cinder"


Pass: If user and group ownership of all these config files is set to root and cinder respectively. The above commands show output of root cinder.

Fail: If any of the above commands returns no output, because the user or group ownership has been set to a user other than root or a group other than cinder. rationale: "" severity: unknown identifiers: cce: RHELOSP-CCE-TBD references: nist: FOO-1(a) scap-security-guide-0.1.39/shared/guide/services/openstack/cinder/cinder_file_perms.rule000066400000000000000000000031421327242345500314640ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Check-Block-02: Are strict permissions set for Compute configuration files?' description: |- Similar to the previous check, it is recommended to set strict access permissions for such configuration files.

Run the following commands:

$ stat -L -c "%a" /etc/cinder/cinder.conf
$ stat -L -c "%a" /etc/cinder/api-paste.ini
$ stat -L -c "%a" /etc/cinder/policy.json
$ stat -L -c "%a" /etc/cinder/rootwrap.conf


Pass: If permissions are set to 640 or stricter. A mode of 640 translates into owner read/write, group read, and no rights for others, i.e. “u=rw,g=r,o=”. Note that with Check-Block-01 (Is user/group ownership of config files set to root/cinder?) satisfied and permissions set to 640, root has read/write access and the cinder group has read access to these configuration files. The access rights can also be validated using the following command, which is only available on systems that support ACLs:

$ getfacl --tabular -a /etc/cinder/cinder.conf
getfacl: Removing leading '/' from absolute path names
# file: etc/cinder/cinder.conf
USER root rw-
GROUP cinder r--
mask r--
other ---


Fail: If permissions are looser than 640. rationale: "" severity: unknown identifiers: cce: RHELOSP-CCE-TBD references: nist: FOO-1(a)

scap-security-guide-0.1.39/shared/guide/services/openstack/cinder/cinder_glance_tls.rule
documentation_complete: true prodtype: osp7 title: 'Check-Block-06: Does cinder communicate with glance over TLS?' description: |- Similar to the previous check (Check-Block-05: Does cinder communicate with nova over TLS?), all components should communicate with each other using a secured communication protocol.

Pass: If value of parameter glance_api_insecure under [DEFAULT] section in /etc/cinder/cinder.conf is set to False.

Fail: If value of parameter glance_api_insecure under [DEFAULT] section in /etc/cinder/cinder.conf is set to True. rationale: "" severity: unknown identifiers: cce: RHELOSP-CCE-TBD references: nist: FOO-1(a) cinder_nas_secure_file_permissions.rule000066400000000000000000000040601327242345500350410ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/openstack/cinderdocumentation_complete: true prodtype: osp7 title: 'Check-Block-07: Is NAS operating in secure enviornment?' description: "Cinder supports an NFS driver which works differently than a traditional block storage driver. The NFS driver does not actually allow an instance to access a storage device at the block level. Instead, files are created on an NFS share and mapped to instances, which emulates a block device. Cinder supports secure configuration for such files by controlling the file permissions when cinder volumes are created. Cinder configuration can also control whether file operations are run as the root user or the current OpenStack process user.\n\n
\n
\nPass: If value of parameter nas_secure_file_permissions under [DEFAULT] section in /etc/cinder/cinder.conf is set to auto. When set to auto, a check is done during cinder startup to determine if there are existing cinder volumes, no volumes will set the option to True, and use secure file permissions. The detection of existing volumes will set the option to False, and use the current insecure method of handling file permissions.\ \ If value of parameter nas_secure_file_operations under [DEFAULT] section in /etc/cinder/cinder.conf is set to auto. When set to “auto”, a check is done during cinder startup to determine if there are existing cinder volumes, no volumes will set the option to True, be secure and do NOT run as the root user. The detection of existing volumes will set the option to False, and use the current method of running operations as the root user. For new installations, a “marker file” is written so that subsequent restarts of cinder will know what the original determination had been.\n\n
\n
\nFail: If value of parameter nas_secure_file_permissions under [DEFAULT] section in /etc/cinder/cinder.conf is set to False and if value of parameter nas_secure_file_operations under [DEFAULT] section in /etc/cinder/cinder.conf is set to False." rationale: "" severity: unknown identifiers: cce: RHELOSP-CCE-TBD references: nist: FOO-1(a) scap-security-guide-0.1.39/shared/guide/services/openstack/cinder/cinder_nova_tls.rule000066400000000000000000000015311327242345500311640ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Check-Block-05: Does cinder communicates with nova over TLS?' description: |- OpenStack components communicate with each other using various protocols and the communication might involve sensitive / confidential data. An attacker may try to eavesdrop on the channel in order to get access to sensitive information. Thus all the components must communicate with each other using a secured communication protocol.

Pass: If value of parameter nova_api_insecure under [DEFAULT] section in /etc/cinder/cinder.conf is set to False.

Fail: If value of parameter nova_api_insecure under [DEFAULT] section in /etc/cinder/cinder.conf is set to True. rationale: "" severity: unknown identifiers: cce: RHELOSP-CCE-TBD references: nist: FOO-1(a) scap-security-guide-0.1.39/shared/guide/services/openstack/cinder/cinder_osapi_max_request_body.rule000066400000000000000000000021751327242345500341110ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Check-Block-08: Is max size for the body of a request set to default (114688)?' description: |- If the maximum body size per request is not defined, the attacker can craft an arbitrary osapi request of large size causing the service to crash and finally resulting in Denial Of Service attack. Assigning the maximum value ensures that any malicious oversized request gets blocked ensuring continued availability of the service.

Pass: If value of parameter osapi_max_request_body_size under [DEFAULT] section in /etc/cinder/cinder.conf is set to 114688 or if value of parameter max_request_body_size under [oslo_middleware] section in /etc/cinder/cinder.conf is set to 114688.

Fail: If neither the parameter osapi_max_request_body_size under [DEFAULT] section nor the parameter max_request_body_size under [oslo_middleware] section in /etc/cinder/cinder.conf is set to 114688. rationale: "" severity: unknown identifiers: cce: RHELOSP-CCE-TBD references: nist: FOO-1(a)

scap-security-guide-0.1.39/shared/guide/services/openstack/cinder/cinder_tls_enabled.rule
documentation_complete: true prodtype: osp7 title: 'Check-Block-04: Is TLS enabled for authentication?' description: |- OpenStack components communicate with each other using various protocols and the communication might involve sensitive / confidential data. An attacker may try to eavesdrop on the channel in order to get access to sensitive information. Thus all the components must communicate with each other using a secured communication protocol.

Pass: If value of parameter auth_protocol under [keystone_authtoken] section in /etc/cinder/cinder.conf is set to https, or if value of parameter identity_uri under [keystone_authtoken] section in /etc/cinder/cinder.conf is set to Identity API endpoint starting with https:// and value of parameter insecure under the same [keystone_authtoken] section in the same /etc/cinder/cinder.conf is set to False.

Fail: If value of parameter auth_protocol under [keystone_authtoken] section in /etc/cinder/cinder.conf is set to http, or if value of parameter identity_uri under [keystone_authtoken] section in /etc/cinder/cinder.conf is not set to Identity API endpoint starting with https:// or value of parameter insecure under the same [keystone_authtoken] section in the same /etc/cinder/cinder.conf is set to True. rationale: "" severity: unknown identifiers: cce: RHELOSP-CCE-TBD references: nist: FOO-1(a) scap-security-guide-0.1.39/shared/guide/services/openstack/cinder/cinder_using_keystone.rule000066400000000000000000000016151327242345500324100ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Check-Block-03: Is keystone used for authentication?' description: |- OpenStack supports various authentication strategies like noauth, keystone etc. If the ‘noauth’ strategy is used then the users could interact with OpenStack services without any authentication. This could be a potential risk since an attacker might gain unauthorized access to the OpenStack components. Thus it is strongly recommended that all services must be authenticated with keystone using their service accounts.

Pass: If value of parameter auth_strategy under [DEFAULT] section in /etc/cinder/cinder.conf is set to keystone.

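The cinder.conf checks in this group (Check-Block-03 to Check-Block-08) are all lookups of one INI option against one expected value, so they can be evaluated from a copy of the file without touching the node. The Python below is an added example, not SSG or Cinder code. It reads the file with configparser (oslo.config syntax is close enough for this), treats a setting the checklist wants at a specific value as failing when it is absent, and fails the insecure/nova_api_insecure/glance_api_insecure flags only when they are explicitly true. The precedence it assumes for Check-Block-08 (the [oslo_middleware] name wins over the deprecated [DEFAULT] osapi_ name) is stated as an assumption in the code. The two sample configurations are constructed for the example, and the auth_strategy and keystone_authtoken checks are the same ones Check-Neutron-03/04 and Check-Compute-03/04 state for neutron.conf and nova.conf.

```python
"""Audit /etc/cinder/cinder.conf for Check-Block-03 to Check-Block-08.

Added example, not SSG or Cinder code. Interpretation: an option the
checklist wants at a specific value must be present at that value; the
*_insecure and insecure flags fail only when they are explicitly true.
"""
import configparser

MAX_BODY = 114688  # request body limit named by Check-Block-08


def load_conf(text):
    """oslo.config values may contain '%' and options may repeat, so
    interpolation is disabled and duplicate options are tolerated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _flag(cp, section, key):
    """True/False for a boolean option, None when unset or unparsable."""
    try:
        return cp.getboolean(section, key, fallback=None)
    except ValueError:
        return None


def _int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def audit_cinder_conf(text):
    """Return {check name: passes} for the six cinder.conf checks."""
    cp = load_conf(text)

    def get(section, key):
        return cp.get(section, key, fallback=None)

    # Check-Block-03: callers must be authenticated through keystone.
    r = {"Check-Block-03": get("DEFAULT", "auth_strategy") == "keystone"}

    # Check-Block-04: legacy auth_protocol=https or an https identity_uri.
    # insecure=true disables certificate verification and defeats either form.
    proto = get("keystone_authtoken", "auth_protocol")
    uri = get("keystone_authtoken", "identity_uri") or ""
    insecure = _flag(cp, "keystone_authtoken", "insecure")
    r["Check-Block-04"] = (proto == "https" or uri.startswith("https://")) and insecure is not True

    # Check-Block-05/06: certificate checks towards nova and glance stay on.
    r["Check-Block-05"] = _flag(cp, "DEFAULT", "nova_api_insecure") is not True
    r["Check-Block-06"] = _flag(cp, "DEFAULT", "glance_api_insecure") is not True

    # Check-Block-07: both NAS options at auto (an explicit true is what auto
    # resolves to on a fresh install, so it is accepted as well).
    nas = [(get("DEFAULT", k) or "").lower()
           for k in ("nas_secure_file_permissions", "nas_secure_file_operations")]
    r["Check-Block-07"] = all(v in ("auto", "true") for v in nas)

    # Check-Block-08: assumption: [oslo_middleware] max_request_body_size takes
    # precedence over the deprecated [DEFAULT] osapi_max_request_body_size.
    effective = get("oslo_middleware", "max_request_body_size")
    if effective is None:
        effective = get("DEFAULT", "osapi_max_request_body_size")
    r["Check-Block-08"] = _int(effective) == MAX_BODY
    return r


# Constructed samples for the example, not files taken from a deployment.
WEAK_CINDER_CONF = """
[DEFAULT]
auth_strategy = noauth
nova_api_insecure = true
glance_api_insecure = true
nas_secure_file_permissions = false
nas_secure_file_operations = false
osapi_max_request_body_size = 114688

[keystone_authtoken]
identity_uri = http://controller:35357
insecure = true

[oslo_middleware]
max_request_body_size = 10485760
"""

HARDENED_CINDER_CONF = """
[DEFAULT]
auth_strategy = keystone
nova_api_insecure = false
glance_api_insecure = false
nas_secure_file_permissions = auto
nas_secure_file_operations = auto

[keystone_authtoken]
identity_uri = https://controller:35357
insecure = false

[oslo_middleware]
max_request_body_size = 114688
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CINDER_CONF), ("hardened", HARDENED_CINDER_CONF)):
        for check, ok in audit_cinder_conf(text).items():
            print(f"{label:8} {check}: {'PASS' if ok else 'FAIL'}")
```

The weak sample fails Check-Block-08 even though [DEFAULT] carries 114688, because the [oslo_middleware] value is the one the service honours; that is the case the checklist's "or" wording glosses over.
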
Fail: If value of parameter auth_strategy under [DEFAULT] section is set to noauth. rationale: "" severity: unknown identifiers: cce: RHELOSP-CCE-TBD references: nist: FOO-1(a)

scap-security-guide-0.1.39/shared/guide/services/openstack/horizon/horizon.group
documentation_complete: true prodtype: osp7 title: 'Horizon STIG Checklist' description: 'High level overview of Horizon STIG settings to go here!'

scap-security-guide-0.1.39/shared/guide/services/openstack/horizon/horizon_csrf_cookie_secure.rule
documentation_complete: true prodtype: osp7 title: 'Check-Dashboard-04: Is CSRF_COOKIE_SECURE parameter set to True?' description: |- CSRF (Cross-site request forgery) is an attack which forces an end user to execute unauthorized commands on a web application in which he/she is currently authenticated. A successful CSRF exploit can compromise end user data and operations in the case of a normal user. If the targeted end user has admin privileges, this can compromise the entire web application.

Pass: If value of parameter CSRF_COOKIE_SECURE in /etc/openstack-dashboard/local_settings is set to True.

Fail: If value of parameter CSRF_COOKIE_SECURE in /etc/openstack-dashboard/local_settings is set to False. rationale: "" severity: unknown horizon_disable_password_reveal.rule000066400000000000000000000010151327242345500346100ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/openstack/horizondocumentation_complete: true prodtype: osp7 title: 'Check-Dashboard-08: Is disable_password_reveal set to True?' description: |- Similar to the previous check, it is recommended not to reveal password fields.

Pass: If value of parameter disable_password_reveal in /etc/openstack-dashboard/local_settings is set to True.

Fail: If value of parameter disable_password_reveal in /etc/openstack-dashboard/local_settings is set to False. rationale: "" severity: unknown scap-security-guide-0.1.39/shared/guide/services/openstack/horizon/horizon_file_ownership.rule000066400000000000000000000022221327242345500330220ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Check-Dashboard-01: Is user/group of config files set to root/horizon?' description: |- Configuration files contain critical parameters and information required for smooth functioning of the component. If an unprivileged user, either intentionally or accidentally modifies or deletes any of the parameters or the file itself then it would cause severe availability issues causing a denial of service to the other end users. Thus user ownership of such critical configuration files must be set to root and group ownership must be set to horizon.

Run the following commands:
$ stat -L -c "%U %G" /etc/openstack-dashboard/local_settings | egrep "root horizon"

Pass: If user and group ownership of the config file is set to root and horizon respectively. The above command shows output of root horizon.

Fail: If the above command returns no output, because the user ownership has been set to someone other than root or the group ownership to a group other than horizon. rationale: "" severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/horizon/horizon_file_perms.rule
documentation_complete: true prodtype: osp7 title: 'Check-Dashboard-02: Are strict permissions set for horizon configuration files?' description: |- Similar to the previous check, it is recommended to set strict access permissions for such configuration files.

Run the following commands:
$ stat -L -c "%a" /etc/openstack-dashboard/local_settings

Pass: If permissions are set to 640 or stricter. A mode of 640 translates into owner read/write, group read, and no rights for others, i.e. “u=rw,g=r,o=”. Note that with Check-Dashboard-01 (Is user/group of config files set to root/horizon?) satisfied and permissions set to 640, root has read/write access and the horizon group has read access to this configuration file. The access rights can also be validated using the following command, which is only available on systems that support ACLs:

$ getfacl --tabular -a /etc/openstack-dashboard/local_settings
getfacl: Removing leading '/' from absolute path names
# file: etc/openstack-dashboard/local_settings
USER root rw-
GROUP horizon r--
mask r--
other ---


Fail: If permissions are looser than 640. rationale: "" severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/horizon/horizon_password_autocomplete.rule
documentation_complete: true prodtype: osp7 title: 'Check-Dashboard-07: Is password_autocomplete set to off?' description: |- A common convenience feature in applications is to cache the password locally in the browser (on the client machine) and have it ‘pre-typed’ in all subsequent requests. While this feature can be perceived as extremely friendly for the average user, it introduces a flaw: the user account becomes easily accessible to anyone who uses the same account on the client machine, which may lead to compromise of the user account.

Pass: If value of parameter password_autocomplete in /etc/openstack-dashboard/local_settings is set to off.

Fail: If value of parameter password_autocomplete in /etc/openstack-dashboard/local_settings is set to on. rationale: "" severity: unknown horizon_session_cookie_httponly.rule000066400000000000000000000013271327242345500347100ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/openstack/horizondocumentation_complete: true prodtype: osp7 title: 'Check-Dashboard-06: Is SESSION_COOKIE_HTTPONLY parameter set to True?' description: |- The “HTTPONLY” cookie attribute instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object. This session ID protection is mandatory to prevent session ID stealing through XSS attacks.

Pass: If value of parameter SESSION_COOKIE_HTTPONLY in /etc/openstack-dashboard/local_settings is set to True.

Fail: If value of parameter SESSION_COOKIE_HTTPONLY in /etc/openstack-dashboard/local_settings is set to False. rationale: "" severity: unknown horizon_session_cookie_secure.rule000066400000000000000000000014441327242345500343150ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/openstack/horizondocumentation_complete: true prodtype: osp7 title: 'Check-Dashboard-05: Is SESSION_COOKIE_SECURE parameter set to True?' description: |- The “SECURE” cookie attribute instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection. This session protection mechanism is mandatory to prevent the disclosure of the session ID through MitM (Man-in-the-Middle) attacks. It ensures that an attacker cannot simply capture the session ID from web browser traffic.

Pass: If value of parameter SESSION_COOKIE_SECURE in /etc/openstack-dashboard/local_settings is set to True.

Fail: If value of parameter SESSION_COOKIE_SECURE in /etc/openstack-dashboard/local_settings is set to False. rationale: "" severity: unknown scap-security-guide-0.1.39/shared/guide/services/openstack/horizon/horizon_use_ssl.rule000066400000000000000000000013611327242345500314650ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Check-Dashboard-03: Is USE_SSL parameter set to True?' description: |- Openstack services communicate with each other using various protocols and the communication might involve sensitive/confidential information. An attacker may try to eavesdrop on the channel in order to get access to sensitive information. Thus all the services must communicate with each other using a secured communication protocol like HTTPS.

Pass: If value of parameter USE_SSL in /etc/openstack-dashboard/local_settings is set to True.

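The six Horizon checks (Check-Dashboard-03 to Check-Dashboard-08) all read values out of /etc/openstack-dashboard/local_settings, which is a Python module rather than an INI file. The Python below is an added example, not SSG or Horizon code: it parses the settings file with ast instead of importing it, so auditing an untrusted or broken local_settings never executes it. It assumes, as Horizon's sample settings lay them out, that password_autocomplete and disable_password_reveal are keys of the HORIZON_CONFIG dict (either in the dict literal or assigned as HORIZON_CONFIG["..."] = ...); the two sample settings files are constructed for the example.

```python
"""Audit Horizon's local_settings for Check-Dashboard-03 to Check-Dashboard-08.

Added example, not SSG or Horizon code. The settings module is parsed with
ast rather than imported, so an untrusted file is never executed.
"""
import ast

# Expected values. Assumption: the two password options live in the
# HORIZON_CONFIG dict, so they are addressed as HORIZON_CONFIG.<key>.
REQUIRED = {
    "USE_SSL": True,                                 # Check-Dashboard-03
    "CSRF_COOKIE_SECURE": True,                      # Check-Dashboard-04
    "SESSION_COOKIE_SECURE": True,                   # Check-Dashboard-05
    "SESSION_COOKIE_HTTPONLY": True,                 # Check-Dashboard-06
    "HORIZON_CONFIG.password_autocomplete": "off",   # Check-Dashboard-07
    "HORIZON_CONFIG.disable_password_reveal": True,  # Check-Dashboard-08
}

_UNPARSED = "<non-literal expression>"  # value computed at runtime, not a literal


def _literal(node):
    """Evaluate a literal AST node safely; anything else is reported as such."""
    try:
        return ast.literal_eval(node)
    except (ValueError, SyntaxError, TypeError):
        return _UNPARSED


def _subscript_key(target):
    sl = target.slice
    if hasattr(ast, "Index") and isinstance(sl, ast.Index):  # Python < 3.9 layout
        sl = sl.value
    return _literal(sl)


def collect_settings(source):
    """Map top-level assignments (NAME = literal, HORIZON_CONFIG[...] = literal
    and the keys of a HORIZON_CONFIG dict literal) to their literal values."""
    found = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        value = _literal(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                found[target.id] = value
                if target.id == "HORIZON_CONFIG" and isinstance(value, dict):
                    for key, val in value.items():
                        found[f"HORIZON_CONFIG.{key}"] = val
            elif (isinstance(target, ast.Subscript)
                  and isinstance(target.value, ast.Name)
                  and target.value.id == "HORIZON_CONFIG"):
                found[f"HORIZON_CONFIG.{_subscript_key(target)}"] = value
    return found


def audit_local_settings(source, required=REQUIRED):
    """Return {setting: (passes, actual)}; actual is None when the setting is
    absent. Comparison is type-strict, so USE_SSL = 1 does not pass as True."""
    found = collect_settings(source)
    report = {}
    for name, expected in required.items():
        actual = found.get(name)
        ok = type(actual) is type(expected) and actual == expected
        report[name] = (ok, actual)
    return report


# Constructed samples for the example, not files taken from a deployment.
WEAK_SETTINGS = """
USE_SSL = False
CSRF_COOKIE_SECURE = False
SESSION_COOKIE_SECURE = False
SESSION_COOKIE_HTTPONLY = True
HORIZON_CONFIG = {
    "password_autocomplete": "on",
    "disable_password_reveal": False,
}
"""

HARDENED_SETTINGS = """
USE_SSL = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
HORIZON_CONFIG = {"disable_password_reveal": True}
HORIZON_CONFIG["password_autocomplete"] = "off"
"""

if __name__ == "__main__":
    for label, src in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        for name, (ok, actual) in audit_local_settings(src).items():
            print(f"{label:8} {'PASS' if ok else 'FAIL'} {name} = {actual!r}")
```

To audit a real node, pass the file's contents: audit_local_settings(open("/etc/openstack-dashboard/local_settings").read()). A value built at runtime (for example from os.environ) is reported as a non-literal expression and fails, which is the conservative outcome for a static check.
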
Fail: If value of parameter USE_SSL in /etc/openstack-dashboard/local_settings is set to False. rationale: "" severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/keystone/keystone.group
documentation_complete: true prodtype: osp7 title: 'Keystone STIG Checklist' description: 'High level overview of Keystone STIG settings to go here!'

scap-security-guide-0.1.39/shared/guide/services/openstack/keystone/keystone_algorithm_hashing.rule
documentation_complete: true prodtype: osp7 title: 'Check-Identity-04: Does Identity use strong hashing algorithms for PKI tokens?' description: |- MD5 is a weak and deprecated hashing algorithm. It can be cracked using a brute-force attack. Identity tokens are sensitive and need to be protected with a stronger hashing algorithm to prevent unauthorized disclosure and subsequent access.

Pass: If value of parameter hash_algorithm under [token] section in /etc/keystone/keystone.conf is set to SHA256.

Fail: If value of parameter hash_algorithm under [token] section is set to MD5. rationale: "" severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/keystone/keystone_disable_admin_token.rule
documentation_complete: true prodtype: osp7 title: 'Check-Identity-06: Disable admin token in /etc/keystone/keystone.conf' description: |- The admin token is generally used to bootstrap Identity. This token is the most valuable Identity asset, which could be used to gain cloud admin privileges.

Pass: If admin_token under [DEFAULT] section in /etc/keystone/keystone.conf is disabled. And, AdminTokenAuthMiddleware under [filter:admin_token_auth] is deleted from /etc/keystone/keystone-paste.ini

Fail: If admin_token under [DEFAULT] section is set, or if AdminTokenAuthMiddleware still exists in keystone-paste.ini. rationale: "" severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/keystone/keystone_file_ownership.rule
documentation_complete: true prodtype: osp7 title: 'Check-Identity-01: Is user/group ownership of config files set to keystone?' description: |- Configuration files contain critical parameters and information required for smooth functioning of the component. If an unprivileged user, either intentionally or accidentally, modifies or deletes any of the parameters or the file itself then it would cause severe availability issues causing a denial of service to the other end users. Thus user and group ownership of such critical configuration files must be set to that component owner.

Run the following commands:

$ stat -L -c "%U %G" /etc/keystone/keystone.conf | egrep "keystone keystone"
$ stat -L -c "%U %G" /etc/keystone/keystone-paste.ini | egrep "keystone keystone"
$ stat -L -c "%U %G" /etc/keystone/policy.json | egrep "keystone keystone"
$ stat -L -c "%U %G" /etc/keystone/logging.conf | egrep "keystone keystone"
$ stat -L -c "%U %G" /etc/keystone/ssl/certs/signing_cert.pem | egrep "keystone keystone"
$ stat -L -c "%U %G" /etc/keystone/ssl/private/signing_key.pem | egrep "keystone keystone"
$ stat -L -c "%U %G" /etc/keystone/ssl/certs/ca.pem | egrep "keystone keystone"


Pass: If user and group ownership of all these config files is set to keystone. The above commands show output of keystone keystone.

Fail: If any of the above commands returns no output, because the user or group ownership has been set to something other than keystone. rationale: "" severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/keystone/keystone_file_perms.rule
documentation_complete: true prodtype: osp7 title: 'Check-Identity-02: Are strict permissions set for Identity configuration files?' description: |- Similar to the previous check, it is recommended to set strict access permissions for such configuration files.

Run the following commands:

$ stat -L -c "%a" /etc/keystone/keystone.conf
$ stat -L -c "%a" /etc/keystone/keystone-paste.ini
$ stat -L -c "%a" /etc/keystone/policy.json
$ stat -L -c "%a" /etc/keystone/logging.conf
$ stat -L -c "%a" /etc/keystone/ssl/certs/signing_cert.pem
$ stat -L -c "%a" /etc/keystone/ssl/private/signing_key.pem
$ stat -L -c "%a" /etc/keystone/ssl/certs/ca.pem


Pass: If permissions are set to 640 or stricter.

Fail: If permissions are looser than 640. rationale: "" severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/keystone/keystone_max_request_body_size.rule
documentation_complete: true prodtype: osp7 title: 'Check-Identity-05: Is max_request_body_size set to default (114688)?' description: |- The parameter max_request_body_size defines the maximum body size per request in bytes. If the maximum size is not defined, an attacker could craft an arbitrarily large request, causing the service to crash and resulting in a Denial of Service. Setting a maximum value ensures that any malicious oversized request gets blocked, ensuring continued availability of the component.

Pass: If value of parameter max_request_body_size in /etc/keystone/keystone.conf is set to default (114688) or some reasonable value based on your environment.

Fail: If value of parameter max_request_body_size is not set. rationale: "" severity: unknown scap-security-guide-0.1.39/shared/guide/services/openstack/keystone/keystone_use_ssl.rule000066400000000000000000000013361327242345500320110ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Check-Identity-03: is SSL enabled for Identity?' description: |- OpenStack components communicate with each other using various protocols and the communication might involve sensitive or confidential data. An attacker may try to eavesdrop on the channel in order to get access to sensitive information. Thus all the components must communicate with each other using a secured communication protocol like HTTPS.

Pass: If value of parameter enable under [ssl] section in /etc/keystone/keystone.conf is set to True.

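The four keystone.conf checks above (Check-Identity-03 to Check-Identity-06) differ from the other services' checks in two ways: Check-Identity-06 has to look at both keystone.conf and keystone-paste.ini, and the admin token stays usable as long as any paste pipeline still lists admin_token_auth, whether or not its [filter:admin_token_auth] section survives. The Python below is an added example, not SSG or Keystone code. It reads both files with configparser and reports the four checks; "some reasonable value" for Check-Identity-05 is taken to mean set and no larger than the 114688 default, which is this example's interpretation. The sample files, including the AdminTokenAuthMiddleware factory line, are constructed for the example.

```python
"""Audit keystone.conf and keystone-paste.ini for Check-Identity-03 to 06.

Added example, not SSG or Keystone code. Check-Identity-06 is evaluated on
both files: admin_token unset, no [filter:admin_token_auth] section, and no
pipeline that still names admin_token_auth.
"""
import configparser

DEFAULT_MAX_BODY = 114688


def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _flag(cp, section, key):
    """True/False for a boolean option, None when unset or unparsable."""
    try:
        return cp.getboolean(section, key, fallback=None)
    except ValueError:
        return None


def admin_token_disabled(conf, paste):
    """Check-Identity-06 over keystone.conf and keystone-paste.ini."""
    token = (conf.get("DEFAULT", "admin_token", fallback="") or "").strip()
    pipelines = [s for s in paste.sections() if s.startswith("pipeline:")]
    referenced = any("admin_token_auth" in paste.get(s, "pipeline", fallback="").split()
                     for s in pipelines)
    return token == "" and not paste.has_section("filter:admin_token_auth") and not referenced


def audit_keystone(conf_text, paste_text, max_body=DEFAULT_MAX_BODY):
    """Return {check name: passes} for the four Identity configuration checks."""
    conf, paste = load_ini(conf_text), load_ini(paste_text)

    # Check-Identity-05: the rule names no section, so accept the option in
    # [oslo_middleware] first and [DEFAULT] second; "reasonable" here means
    # present and no larger than the default (this example's interpretation).
    body = conf.get("oslo_middleware", "max_request_body_size", fallback=None)
    if body is None:
        body = conf.get("DEFAULT", "max_request_body_size", fallback=None)
    try:
        body_ok = body is not None and int(body) <= max_body
    except ValueError:
        body_ok = False

    hash_alg = (conf.get("token", "hash_algorithm", fallback="") or "").lower()
    return {
        "Check-Identity-03": _flag(conf, "ssl", "enable") is True,
        "Check-Identity-04": hash_alg == "sha256",
        "Check-Identity-05": body_ok,
        "Check-Identity-06": admin_token_disabled(conf, paste),
    }


# Constructed samples for the example, not files taken from a deployment.
WEAK_KEYSTONE_CONF = """
[DEFAULT]
admin_token = ADMIN
max_request_body_size = 114688

[ssl]
enable = false

[token]
hash_algorithm = md5
"""

WEAK_KEYSTONE_PASTE = """
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id admin_token_auth json_body public_service
"""

HARDENED_KEYSTONE_CONF = """
[DEFAULT]
#admin_token = <None>
max_request_body_size = 114688

[ssl]
enable = true

[token]
hash_algorithm = sha256
"""

HARDENED_KEYSTONE_PASTE = """
[pipeline:public_api]
pipeline = sizelimit url_normalize request_id json_body public_service
"""

if __name__ == "__main__":
    for label, conf, paste in (("weak", WEAK_KEYSTONE_CONF, WEAK_KEYSTONE_PASTE),
                               ("hardened", HARDENED_KEYSTONE_CONF, HARDENED_KEYSTONE_PASTE)):
        for check, ok in audit_keystone(conf, paste).items():
            print(f"{label:8} {check}: {'PASS' if ok else 'FAIL'}")
```

The half-fixed case is the one worth testing on a real node: deleting the [filter:admin_token_auth] section while a pipeline line still names admin_token_auth leaves the check failing, and the audit reports it as such.
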
Fail: If value of parameter enable under [ssl] section is not set to True. rationale: "" severity: unknown scap-security-guide-0.1.39/shared/guide/services/openstack/neutron/000077500000000000000000000000001327242345500253505ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/openstack/neutron/neutron.group000066400000000000000000000002271327242345500301210ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Neutron STIG Checklist' description: 'High level overview of Neutron STIG settings to go here!' scap-security-guide-0.1.39/shared/guide/services/openstack/neutron/neutron_api_use_ssl.rule000066400000000000000000000010161327242345500323170ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Check-Neutron-05: Is SSL enabled on Neutron API server?' description: |- Similar to the previous check, it is recommended to enable secure communication on API server.

Pass: If value of parameter use_ssl under [DEFAULT] section in /etc/neutron/neutron.conf is set to True.

Fail: If value of parameter use_ssl under [DEFAULT] section in /etc/neutron/neutron.conf is set to False. rationale: "" severity: unknown scap-security-guide-0.1.39/shared/guide/services/openstack/neutron/neutron_file_ownership.rule000066400000000000000000000025231327242345500330320ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Check-Neutron-01: Is user/group ownership of config files set to root/neutron?' description: |- Configuration files contain critical parameters and information required for smooth functioning of the component. If an unprivileged user, either intentionally or accidentally modifies or deletes any of the parameters or the file itself then it would cause severe availability issues causing a denial of service to the other end users. Thus user ownership of such critical configuration files must be set to root and group ownership must be set to neutron.

Run the following commands:

$ stat -L -c "%U %G" /etc/neutron/neutron.conf | egrep "root neutron"
$ stat -L -c "%U %G" /etc/neutron/api-paste.ini | egrep "root neutron"
$ stat -L -c "%U %G" /etc/neutron/policy.json | egrep "root neutron"
$ stat -L -c "%U %G" /etc/neutron/rootwrap.conf | egrep "root neutron"


Pass: If user and group ownership of all these config files is set to root and neutron respectively. The above commands show output of root neutron.

Fail: If any of the above commands returns no output, because the user ownership has been set to someone other than root or the group ownership to a group other than neutron. rationale: "" severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/neutron/neutron_file_perms.rule
documentation_complete: true prodtype: osp7 title: 'Check-Neutron-02: Are strict permissions set for Networking configuration files?' description: |- Similar to the previous check, it is recommended to set strict access permissions for such configuration files.

Run the following commands:

$ stat -L -c "%a" /etc/neutron/neutron.conf
$ stat -L -c "%a" /etc/neutron/api-paste.ini
$ stat -L -c "%a" /etc/neutron/policy.json
$ stat -L -c "%a" /etc/neutron/rootwrap.conf


Pass: If permissions are set to 640 or stricter. A mode of 640 translates into owner read/write, group read, and no rights for others, i.e. “u=rw,g=r,o=”. Note that with Check-Neutron-01 (Is user/group ownership of config files set to root/neutron?) satisfied and permissions set to 640, root has read/write access and the neutron group has read access to these configuration files. The access rights can also be validated using the following command, which is only available on systems that support ACLs:

$ getfacl --tabular -a /etc/neutron/neutron.conf
getfacl: Removing leading '/' from absolute path names

# file: etc/neutron/neutron.conf
USER root rw-
GROUP neutron r--
mask r--
other ---


Fail: If permissions are looser than 640. rationale: "" severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/neutron/neutron_use_https.rule
documentation_complete: true prodtype: osp7 title: 'Check-Neutron-04: Is secure protocol used for authentication?' description: |- OpenStack components communicate with each other using various protocols and the communication might involve sensitive / confidential data. An attacker may try to eavesdrop on the channel in order to get access to sensitive information. Thus all the components must communicate with each other using a secured communication protocol.

Pass: If value of parameter auth_protocol under [keystone_authtoken] section in /etc/neutron/neutron.conf is set to https, or if value of parameter identity_uri under [keystone_authtoken] section in /etc/neutron/neutron.conf is set to Identity API endpoint starting with https://.

Fail: If value of parameter auth_protocol under [keystone_authtoken] section in /etc/neutron/neutron.conf is set to http, or if value of parameter identity_uri under [keystone_authtoken] section in /etc/neutron/neutron.conf is not set to an Identity API endpoint starting with https://. rationale: "" severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/neutron/neutron_use_keystone.rule
documentation_complete: true prodtype: osp7 title: 'Check-Neutron-03: Is keystone used for authentication?' description: |- OpenStack supports various authentication strategies like noauth, keystone etc. If the ‘noauth’ strategy is used then users could interact with OpenStack services without any authentication. This is a real risk, since an attacker might gain unauthorized access to the OpenStack components. Thus it is strongly recommended that all services be authenticated with keystone using their service accounts.

Pass: If value of parameter auth_strategy under [DEFAULT] section in /etc/neutron/neutron.conf is set to keystone.

Fail: If value of parameter auth_strategy under [DEFAULT] section is set to noauth or noauth2. rationale: "" severity: unknown scap-security-guide-0.1.39/shared/guide/services/openstack/nova/000077500000000000000000000000001327242345500246215ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/openstack/nova/nova.group000066400000000000000000000002211327242345500266350ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Nova STIG Checklist' description: 'High level overview of Nova STIG settings to go here!' scap-security-guide-0.1.39/shared/guide/services/openstack/nova/nova_file_ownership.rule000066400000000000000000000025631327242345500315600ustar00rootroot00000000000000documentation_complete: true prodtype: osp7 title: 'Check-Compute-01: Is user/group ownership of config files set to root/nova?' description: |- Configuration files contain critical parameters and information required for smooth functioning of the component. If an unprivileged user, either intentionally or accidentally modifies or deletes any of the parameters or the file itself then it would cause severe availability issues causing a denial of service to the other end users. Thus user ownership of such critical configuration files must be set to root and group ownership must be set to nova.

Run the following commands:

$ stat -L -c "%U %G" /etc/nova/nova.conf | egrep "root nova"
$ stat -L -c "%U %G" /etc/nova/api-paste.ini | egrep "root nova"
$ stat -L -c "%U %G" /etc/nova/policy.json | egrep "root nova"
$ stat -L -c "%U %G" /etc/nova/rootwrap.conf | egrep "root nova"


Pass: If user and group ownership of all these config files is set to root and nova respectively. The above commands show output of root nova.

Fail: If any of the above commands returns no output, because the user ownership has been set to someone other than root or the group ownership to a group other than nova. rationale: "" severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/nova/nova_file_perms.rule
documentation_complete: true prodtype: osp7 title: 'Check-Compute-02: Are strict permissions set for Compute configuration files?' description: |- Similar to the previous check, it is recommended to set strict access permissions for such configuration files.

    Run the following commands:

    $ stat -L -c "%a" /etc/nova/nova.conf
    $ stat -L -c "%a" /etc/nova/api-paste.ini
    $ stat -L -c "%a" /etc/nova/policy.json
    $ stat -L -c "%a" /etc/nova/rootwrap.conf

    Pass: If permissions are set to 640 or stricter. Permissions of 640 translate into owner read/write, group read, and no rights to others, i.e. “u=rw,g=r,o=”. Note that with Check-Compute-01 (user/group ownership of config files set to root/nova) and permissions set to 640, root has read/write access and nova has read access to these configuration files. The access rights can also be validated using the following command, which is only available if the system supports ACLs:

    $ getfacl --tabular -a /etc/nova/nova.conf
    getfacl: Removing leading '/' from absolute path names
    # file: etc/nova/nova.conf
    USER root rw-
    GROUP nova r--
    mask r--
    other ---

    Fail: If permissions are not set to at least 640.

rationale: ""

severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/nova/nova_secure_authentication.rule

documentation_complete: true

prodtype: osp7

title: 'Check-Compute-04: Is secure protocol used for authentication?'

description: |-
    OpenStack components communicate with each other using various protocols, and the communication might involve sensitive or confidential data. An attacker may try to eavesdrop on the channel in order to gain access to sensitive information. Thus all the components must communicate with each other using a secured communication protocol.

    Pass: If the value of parameter auth_protocol under the [keystone_authtoken] section in /etc/nova/nova.conf is set to https, or if the value of parameter identity_uri under the [keystone_authtoken] section in /etc/nova/nova.conf is set to an Identity API endpoint starting with https://.

    Fail: If the value of parameter auth_protocol under the [keystone_authtoken] section in /etc/nova/nova.conf is set to http, or if the value of parameter identity_uri under the [keystone_authtoken] section in /etc/nova/nova.conf is not set to an Identity API endpoint starting with https://.

rationale: ""

severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/nova/nova_secure_glance.rule

documentation_complete: true

prodtype: osp7

title: 'Check-Compute-05: Does Nova communicate with Glance securely?'

description: |-
    OpenStack components communicate with each other using various protocols, and the communication might involve sensitive or confidential data. An attacker may try to eavesdrop on the channel in order to gain access to sensitive information. Thus all the components must communicate with each other using a secured communication protocol.

    Pass: If the value of parameter glance_api_insecure under the [DEFAULT] section in /etc/nova/nova.conf is set to False, or if the value of parameter api_insecure under the [glance] section in /etc/nova/nova.conf is set to False.

    Fail: If the value of parameter glance_api_insecure under the [DEFAULT] section in /etc/nova/nova.conf is set to True, or if the value of parameter api_insecure under the [glance] section in /etc/nova/nova.conf is set to True.

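The Nova checks in this group (file ownership and permissions in Check-Compute-01/02, the keystone_authtoken endpoint in Check-Compute-04, the Glance settings in Check-Compute-05, and the auth_strategy requirement) can be run from one script instead of the separate stat/grep invocations. The following is an added example written for this page, not code from the SCAP Security Guide project. The function names, the constructed sample nova.conf contents, and the decisions to report an absent auth_strategy and an absent keystone_authtoken endpoint as failures are assumptions of the example.

```python
import configparser
import grp
import os
import pwd
import stat
import tempfile

NOVA_CONFIG_FILES = ["nova.conf", "api-paste.ini", "policy.json", "rootwrap.conf"]

def _name(lookup, ident):
    """Name for a uid/gid, or the bare number when there is no passwd/group entry."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def file_owner(path):
    """(user, group) names of path; os.stat follows symlinks like 'stat -L'."""
    st = os.stat(path)
    return _name(pwd.getpwuid, st.st_uid), _name(grp.getgrgid, st.st_gid)

def ownership_ok(path, user="root", group="nova"):
    """Check-Compute-01: ownership must be exactly user:group."""
    return file_owner(path) == (user, group)

def mode_ok(path, max_mode=0o640):
    """Check-Compute-02: 640 or stricter, i.e. no permission bit set that
    max_mode does not also grant (600 passes; 644 and 660 fail)."""
    return (stat.S_IMODE(os.stat(path).st_mode) & ~max_mode) == 0

def nova_conf_findings(path):
    """Checks 03/04/05 on a nova.conf; returns the list of failed checks."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read(path)
    findings = []
    # Check-Compute-03: [DEFAULT] auth_strategy must be keystone.  An absent value
    # is reported too (assumption of this example), so the setting is made explicit.
    if cfg.get("DEFAULT", "auth_strategy", fallback="").strip().lower() != "keystone":
        findings.append("Check-Compute-03: auth_strategy is not keystone")
    # Check-Compute-04: each of auth_protocol / identity_uri that is present in
    # [keystone_authtoken] must use https; none present is reported as well
    # (assumption), since nothing then shows the Identity endpoint is secured.
    checks = {"auth_protocol": lambda v: v == "https",
              "identity_uri": lambda v: v.startswith("https://")}
    secure = [check(cfg.get("keystone_authtoken", key).strip().lower())
              for key, check in checks.items()
              if cfg.has_option("keystone_authtoken", key)]
    if not secure or not all(secure):
        findings.append("Check-Compute-04: keystone_authtoken does not use https")
    # Check-Compute-05: True here disables certificate verification towards Glance.
    if (cfg.getboolean("DEFAULT", "glance_api_insecure", fallback=False)
            or cfg.getboolean("glance", "api_insecure", fallback=False)):
        findings.append("Check-Compute-05: insecure Glance API access is enabled")
    return findings

def audit(config_dir="/etc/nova"):
    """Run every check over config_dir; returns {path: [issues]}, [] meaning pass."""
    results = {}
    for name in NOVA_CONFIG_FILES:
        path = os.path.join(config_dir, name)
        issues = []
        if not os.path.exists(path):
            issues.append("file is missing")
        else:
            if not ownership_ok(path):
                issues.append("ownership is %s:%s, expected root:nova" % file_owner(path))
            if not mode_ok(path):
                issues.append("mode is %o, expected 640 or stricter"
                              % stat.S_IMODE(os.stat(path).st_mode))
            if name == "nova.conf":
                issues.extend(nova_conf_findings(path))
        results[path] = issues
    return results

# Constructed sample configurations, not taken from any real deployment.
GOOD_CONF = """\
[DEFAULT]
auth_strategy = keystone
glance_api_insecure = False
[keystone_authtoken]
auth_protocol = https
identity_uri = https://keystone.example.internal:35357
"""
BAD_CONF = """\
[DEFAULT]
auth_strategy = noauth2
glance_api_insecure = True
[keystone_authtoken]
auth_protocol = http
"""

def write_temp(text, mode=0o640):
    """Write sample text to a temporary file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(prefix="nova-audit-")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path
```

Run `audit()` as root on a compute node to check the real /etc/nova; the sample strings only exercise the parser. `mode_ok` compares permission bits rather than the octal string, so 600 and 640 pass while 644 or 660 fail, which is what the rule's "640 or stricter" means.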
rationale: ""

severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/nova/nova_use_keystone.rule

documentation_complete: true

prodtype: osp7

title: 'Check-Compute-03: Is keystone used for authentication?'

description: |-
    OpenStack supports various authentication strategies such as noauth and keystone. If the ‘noauth’ strategy is used, users can interact with OpenStack services without any authentication. This is a potential risk, since an attacker might gain unauthorized access to the OpenStack components. Thus it is strongly recommended that all services authenticate with keystone using their service accounts.

    Pass: If the value of parameter auth_strategy under the [DEFAULT] section in /etc/nova/nova.conf is set to keystone.

    Fail: If the value of parameter auth_strategy under the [DEFAULT] section is set to noauth or noauth2.

rationale: ""

severity: unknown

scap-security-guide-0.1.39/shared/guide/services/openstack/openstack.group

documentation_complete: true

title: OpenStack

description: |-
    TODO TODO TODO

scap-security-guide-0.1.39/shared/guide/services/printing/configure_printing/configure_printing.group

documentation_complete: true

title: 'Configure the CUPS Service if Necessary'

description: |-
    CUPS provides the ability to easily share local printers with other systems over the network. It does this by allowing systems to share lists of available printers. Additionally, each system that runs the CUPS service can potentially act as a print server. Whenever possible, the printer sharing and print server capabilities of CUPS should be limited or disabled. The following recommendations demonstrate how to do just that.

scap-security-guide-0.1.39/shared/guide/services/printing/configure_printing/cups_disable_browsing.rule

documentation_complete: true

prodtype: rhel7

title: 'Disable Printer Browsing Entirely if Possible'

description: |-
    By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This functionality is called printer browsing. To disable printer browsing entirely, edit the CUPS configuration file, located at /etc/cups/cupsd.conf, to include the following:
    Browsing Off
    BrowseAllow none

rationale: |-
    The CUPS print service can be configured to broadcast a list of available printers to the network. Other systems on the network, also running the CUPS print service, can be configured to listen to these broadcasts and add and configure these printers for immediate use. By disabling this browsing capability, the system will no longer generate or receive such broadcasts.

severity: unknown

identifiers:
    cce@rhel7: 80283-5

references:
    nist: CM-7

ocil_clause: 'printer browsing is not disabled'

ocil: |-
    To verify that CUPS printer browsing is disabled, run the following command:
    $ sudo grep "Browsing\|BrowseAllow" /etc/cups/cupsd.conf
    The output should return the following:
    Browsing Off
    BrowseAllow none

scap-security-guide-0.1.39/shared/guide/services/printing/configure_printing/cups_disable_printserver.rule

documentation_complete: true

prodtype: rhel7

title: 'Disable Print Server Capabilities'

description: |-
    To prevent remote users from potentially connecting to and using locally configured printers, disable the CUPS print server sharing capabilities. To do so, limit how the server will listen for print jobs by removing the more generic Port directive from /etc/cups/cupsd.conf:
    Port 631
    and replacing it with the Listen directive:
    Listen localhost:631
    This will prevent remote users from printing to locally configured printers while still allowing local users on the system to print normally.

rationale: |-
    By default, locally configured printers will not be shared over the network, but if this functionality has somehow been enabled, these recommendations will disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will still be able to see the locally configured printers, even if they cannot actually print to them. To limit print serving to a particular set of users, use the Policy directive.

severity: unknown

identifiers:
    cce@rhel7: 80284-3

references:
    nist: CM-7

scap-security-guide-0.1.39/shared/guide/services/printing/printing.group

documentation_complete: true

title: 'Print Support'

description: |-
    The Common Unix Printing System (CUPS) service provides both local and network printing support. A system running the CUPS service can accept print jobs from other systems, process them, and send them to the appropriate printer. It also provides an interface for remote administration through a web browser. The CUPS service is installed and activated by default. The project homepage and more detailed documentation are available at .

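The two cupsd.conf rules in this group (Browsing Off with BrowseAllow none; Listen on localhost instead of a generic Port) can be checked by parsing the file directive by directive, which avoids the misses a plain grep has on commented-out or repeated directives. This is an added example written for this page, not SCAP Security Guide code; the function names, the set of loopback hosts treated as local, and the two constructed sample configurations are assumptions of the example.

```python
# Loopback names and addresses a Listen directive may bind without exposing
# the print server to the network (assumption of this example).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

def parse_cupsd_conf(text):
    """Yield (directive, value) pairs from cupsd.conf text.

    Blank lines, '#' comments and <Section>/</Section> tags are skipped; the
    directives inside a <Location> or <Policy> block are still returned, which
    is harmless for the few directives examined here."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")

def listen_is_local(value):
    """True when a Listen value is a domain socket path or a loopback host[:port]."""
    if value.startswith("/"):
        return True
    if value.startswith("["):                     # bracketed IPv6 literal, e.g. [::1]:631
        host = value[:value.index("]") + 1] if "]" in value else value
    else:
        host = value.rsplit(":", 1)[0]            # drop the :port suffix if any
    return host.lower() in LOCAL_HOSTS

def cups_findings(text):
    """Deviations from the two rules, as a list of strings ([] means compliant)."""
    directives = list(parse_cupsd_conf(text))
    findings = []
    browsing = [v for d, v in directives if d.lower() == "browsing"]
    if not browsing or browsing[-1].lower() != "off":   # the last occurrence takes effect
        findings.append("Browsing is not Off")
    if not any(d.lower() == "browseallow" and v.lower() == "none" for d, v in directives):
        findings.append("BrowseAllow none is missing")
    for d, v in directives:
        if d.lower() == "port":
            findings.append("Port %s binds every interface" % v)
        elif d.lower() == "listen" and not listen_is_local(v):
            findings.append("Listen %s is reachable from the network" % v)
    return findings

# Constructed sample configurations (not from a real system).
HARDENED_CONF = """\
# browsing off, local listeners only
Browsing Off
BrowseAllow none
Listen localhost:631
Listen /run/cups/cups.sock
<Location />
  Order allow,deny
</Location>
"""
EXPOSED_CONF = """\
Browsing On
Port 631
Listen *:631
"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_CONF), ("exposed", EXPOSED_CONF)):
        print(label, cups_findings(text) or "compliant")
```

To check a live system, pass the contents of /etc/cups/cupsd.conf to `cups_findings`; a bare `Port 631` or a `Listen` on anything other than a loopback address or a domain socket is reported, as is a `Browsing On` that appears after an earlier `Browsing Off`.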
scap-security-guide-0.1.39/shared/guide/services/printing/service_cups_disabled.rule

documentation_complete: true

prodtype: rhel7

title: 'Disable the CUPS Service'

description: ''

rationale: 'Turn off unneeded services to reduce attack surface.'

severity: unknown

identifiers:
    cce@rhel7: 80282-7

references:
    cis: 2.2.4
    nist: CM-7

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/proxy/disabling_squid/disabling_squid.group

documentation_complete: true

title: 'Disable Squid if Possible'

description: |-
    If Squid was installed and activated, but the system does not need to act as a proxy server, then it should be disabled and removed.

scap-security-guide-0.1.39/shared/guide/services/proxy/disabling_squid/package_squid_removed.rule

documentation_complete: true

prodtype: rhel7

title: 'Uninstall squid Package'

description: ''

rationale: |-
    If there is no need to make the proxy server software available, removing it provides a safeguard against its activation.

severity: unknown

identifiers:
    cce@rhel7: 80286-8

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/proxy/disabling_squid/service_squid_disabled.rule

documentation_complete: true

prodtype: rhel7

title: 'Disable Squid'

description: ''

rationale: |-
    Running proxy server software provides a network-based avenue of attack, and should be removed if not needed.

severity: unknown

identifiers:
    cce@rhel7: 80285-0

references:
    cis: 2.2.13

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/proxy/proxy.group

documentation_complete: true

title: 'Proxy Server'

description: |-
    A proxy server is a very desirable target for a potential adversary because much (or all) sensitive data for a given infrastructure may flow through it. Therefore, if one is required, the system acting as a proxy server should be dedicated to that purpose alone and be stored in a physically secure location. The system's default proxy server software is Squid, and it is provided in an RPM package of the same name.

scap-security-guide-0.1.39/shared/guide/services/routing/disabling_quagga/disabling_quagga.group

documentation_complete: true

title: 'Disable Quagga if Possible'

description: |-
    If Quagga was installed and activated, but the system does not need to act as a router, then it should be disabled and removed.

scap-security-guide-0.1.39/shared/guide/services/routing/disabling_quagga/package_quagga_removed.rule

documentation_complete: true

prodtype: rhel7

title: 'Uninstall quagga Package'

description: ''

rationale: |-
    Routing software is typically used on routers to exchange network topology information with other routers. If routing software is used when not required, system network information may be unnecessarily transmitted across the network.

    If there is no need to make the router software available, removing it provides a safeguard against its activation.

severity: medium

identifiers:
    cce@rhel7: 27594-1

references:
    disa: 366
    nist: SC-32
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: TBD

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/routing/disabling_quagga/service_zebra_disabled.rule

documentation_complete: true

prodtype: rhel7

title: 'Disable Quagga Service'

description: ''

rationale: |-
    Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If routing daemons are used when not required, system network information may be unnecessarily transmitted across the network.

severity: medium

identifiers:
    cce@rhel7: 27191-6

references:
    disa: 366
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: SC-32
    srg: SRG-OS-000480-GPOS-00227

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/routing/routing.group

documentation_complete: true

title: 'Network Routing'

description: |-
    A router is a very desirable target for a potential adversary because it fulfills a variety of infrastructure networking roles such as access to network segments, gateways to other networks, filtering, etc. Therefore, if one is required, the system acting as a router should be dedicated to that purpose alone and be stored in a physically secure location. The system's default routing software is Quagga, and it is provided in an RPM package of the same name.

scap-security-guide-0.1.39/shared/guide/services/services.group

documentation_complete: true

title: Services

description: |-
    The best protection against vulnerable software is running less software. This section describes how to review the software which is installed on a system and disable software which is not needed. It then enumerates the software packages installed on a default system and provides guidance about which ones can be safely disabled.

    provides a convenient minimal install option that essentially installs the bare necessities for a functional system. When building systems, it is highly recommended to select the minimal packages and then build up the system from there.

scap-security-guide-0.1.39/shared/guide/services/smb/configuring_samba/configuring_samba.group

documentation_complete: true

title: 'Configure Samba if Necessary'

description: |-
    All settings for the Samba daemon can be found in /etc/samba/smb.conf. Settings are divided between a [global] configuration section and a series of user-created share definition sections meant to describe file or print shares on the system. By default, Samba will operate in user mode and allow client systems to access local home directories and printers. It is recommended that these settings be changed or that additional limitations be set in place.

scap-security-guide-0.1.39/shared/guide/services/smb/configuring_samba/mount_option_smb_client_signing.rule

documentation_complete: true

prodtype: rhel7

title: 'Require Client SMB Packet Signing, if using mount.cifs'

description: |-
    Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure signing options (either sec=krb5i or sec=ntlmv2i) are used.

    See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers that support SMB packet signing.

rationale: |-
    Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

severity: unknown

identifiers:
    cce@rhel7: 80281-9

ocil_clause: 'it does not'

ocil: |-
    To verify that Samba clients using mount.cifs must use packet signing, run the following command:
    $ grep sec /etc/fstab
    The output should show either krb5i or ntlmv2i in use.

scap-security-guide-0.1.39/shared/guide/services/smb/configuring_samba/package_samba-common_installed.rule

documentation_complete: true

prodtype: rhel7

title: 'Install the Samba Common Package'

description: |-
    The samba-common package should be installed.

rationale: 'If the samba-common package is not installed, samba cannot be configured.'

severity: medium

identifiers:
    cce@rhel7: 80360-1

ocil_clause: 'the package is not installed'

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/smb/configuring_samba/require_smb_client_signing.rule

documentation_complete: true

prodtype: rhel7

title: 'Require Client SMB Packet Signing, if using smbclient'

description: |-
    To require samba clients running smbclient to use packet signing, add the following to the [global] section of the Samba configuration file, /etc/samba/smb.conf:
    client signing = mandatory
    Requiring samba clients such as smbclient to use packet signing ensures they can only communicate with servers that support packet signing.

rationale: |-
    Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.

severity: unknown

identifiers:
    cce@rhel7: 80280-1

ocil_clause: 'it is not'

ocil: |-
    To verify that Samba clients running smbclient must use packet signing, run the following command:
    $ grep signing /etc/samba/smb.conf
    The output should show:
    client signing = mandatory

scap-security-guide-0.1.39/shared/guide/services/smb/configuring_samba/smb_disable_printing/smb_disable_printing.group

documentation_complete: true

title: 'Restrict Printer Sharing'

description: |-
    By default, Samba utilizes the CUPS printing service to enable printer sharing with Microsoft Windows workstations. If there are no printers on the local system, or if printer sharing with Microsoft Windows is not required, disable the printer sharing capability by commenting out the following lines, found in /etc/samba/smb.conf:
    [global]
      load printers = yes
      cups options = raw
    [printers]
      comment = All Printers
      path = /usr/spool/samba
      browseable = no
      guest ok = no
      writable = no
      printable = yes
    There may be other options present, but these are the only options enabled and uncommented by default. Removing the [printers] share should be enough for most users. If the Samba printer sharing capability is needed, consider disabling the Samba network browsing capability or restricting access to a particular set of users or network addresses. Set the valid users parameter to a small subset of users or restrict it to a particular group of users with the shorthand @. Separate each user or group of users with a space. For example, under the [printers] share:
    [printers]
      valid users = user @printerusers

scap-security-guide-0.1.39/shared/guide/services/smb/configuring_samba/smb_restrict_file_sharing/smb_restrict_file_sharing.group

documentation_complete: true

title: 'Restrict SMB File Sharing to Configured Networks'

description: |-
    Only users with local user accounts will be able to log in to Samba shares by default. Shares can be limited to particular users or network addresses. Use the hosts allow and hosts deny directives accordingly, and consider setting the valid users directive to a limited subset of users or to a group of users. Separate each address, user, or user group with a space as follows for a particular share or global:
    [share]
      hosts allow = 192.168.1. 127.0.0.1
      valid users = userone usertwo @usergroup
    It is also possible to limit read and write access to particular users with the read list and write list options, though the permissions set by the system itself will override these settings. Set the read only attribute for each share to ensure that global settings will not accidentally override the individual share settings. Then, as with the valid users directive, separate each user or group of users with a space:
    [share]
      read only = yes
      write list = userone usertwo @usergroup

scap-security-guide-0.1.39/shared/guide/services/smb/configuring_samba/smb_server_disable_root.rule

documentation_complete: true

prodtype: rhel7

title: 'Disable Root Access to SMB Shares'

description: |-
    Administrators should not use administrator accounts to access Samba file and printer shares. Disable the root user and the wheel administrator group:
    [share]
      invalid users = root @wheel
    If administrator accounts cannot be disabled, ensure that local system passwords and Samba service passwords do not match.

rationale: |-
    Typically, administrator access is required when Samba must create user and system accounts and shares. Domain member servers and standalone servers may not need administrator access at all. If that is the case, add the invalid users parameter to [global] instead.

severity: unknown

identifiers:
    cce@rhel7: 80279-3

scap-security-guide-0.1.39/shared/guide/services/smb/disabling_samba/disabling_samba.group

documentation_complete: true

title: 'Disable Samba if Possible'

description: |-
    Even after the Samba server package has been installed, it will remain disabled. Do not enable this service unless it is absolutely necessary to provide Microsoft Windows file and print sharing functionality.

scap-security-guide-0.1.39/shared/guide/services/smb/disabling_samba/package_samba_removed.rule

documentation_complete: true

prodtype: rhel7

title: 'Uninstall Samba Package'

description: |-
    The samba package can be uninstalled with the following command:
    $ sudo yum erase samba

rationale: |-
    If there is no need to make the Samba software available, removing it provides a safeguard against its activation.

severity: unknown

identifiers:
    cce@rhel7: 80278-5

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/smb/disabling_samba/service_smb_disabled.rule

documentation_complete: true

prodtype: rhel7

title: 'Disable Samba'

description: ''

rationale: |-
    Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed.

severity: unknown

identifiers:
    cce@rhel7: 80277-7

references:
    cis: 2.2.12
    disa: 1436

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/smb/smb.group

documentation_complete: true

title: 'Samba (SMB) Microsoft Windows File Sharing Server'

description: |-
    When properly configured, the Samba service allows Linux systems to provide file and print sharing to Microsoft Windows systems. There are two software packages that provide Samba support. The first, samba-client, provides a series of command line tools that enable a client system to access Samba shares. The second, simply labeled samba, provides the Samba service. It is this second package that allows a Linux system to act as an Active Directory server, a domain controller, or as a domain member. Only the samba-client package is installed by default.

scap-security-guide-0.1.39/shared/guide/services/snmp/disabling_snmp_service/disabling_snmp_service.group

documentation_complete: true

title: 'Disable SNMP Server if Possible'

description: |-
    The system includes an SNMP daemon that allows for its remote monitoring, though it is not installed by default. If it was installed and activated but is not needed, the software should be disabled and removed.

scap-security-guide-0.1.39/shared/guide/services/snmp/disabling_snmp_service/package_net-snmp_removed.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Uninstall net-snmp Package'

description: |-
    The net-snmp package provides the snmpd service.

rationale: |-
    If there is no need to run SNMP server software, removing the package provides a safeguard against its activation.

severity: unknown

identifiers:
    cce@rhel7: 80275-1

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/snmp/disabling_snmp_service/service_snmpd_disabled.rule

documentation_complete: true

prodtype: rhel7

title: 'Disable snmpd Service'

description: ''

rationale: |-
    Running SNMP software provides a network-based avenue of attack, and should be disabled if not needed.

severity: unknown

identifiers:
    cce@rhel7: 80274-4

references:
    cis: 2.2.14

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/snmp/snmp.group

documentation_complete: true

title: 'SNMP Server'

description: |-
    The Simple Network Management Protocol allows administrators to monitor the state of network devices, including computers. Older versions of SNMP were well-known for weak security, such as plaintext transmission of the community string (used for authentication) and usage of easily-guessable choices for the community string.

scap-security-guide-0.1.39/shared/guide/services/snmp/snmp_configure_server/snmp_configure_server.group

documentation_complete: true

title: 'Configure SNMP Server if Necessary'

description: |-
    If it is necessary to run the snmpd agent on the system, some best practices should be followed to minimize the security risk from the installation. The multiple security models implemented by SNMP cannot be fully covered here, so only the following general configuration advice can be offered:
    • use only SNMP version 3 security models and enable the use of authentication and encryption
    • write access to the MIB (Management Information Base) should be allowed only if necessary
    • all access to the MIB should be restricted following a principle of least privilege
    • network access should be limited to the maximum extent possible, including restricting to expected network addresses both in the configuration files and in the system firewall rules
    • ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management stations
    • ensure that permissions on the snmpd.conf configuration file (by default, in /etc/snmp) are 640 or more restrictive
    • ensure that any MIB files' permissions are also 640 or more restrictive
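The first item in the list above (SNMPv3 only) and the two rules that follow in this group (no default community strings public or private; no rocommunity, rwcommunity or com2sec directives) can be checked by tokenizing snmpd.conf instead of searching it for substrings. This is an added example written for this page, not SCAP Security Guide code; the function names, the constructed sample files, and the inclusion of the IPv6 directive variants rocommunity6, rwcommunity6 and com2sec6 beyond the three directives named on the page are assumptions of the example.

```python
# Default community strings that must never remain configured.
DEFAULT_COMMUNITIES = {"public", "private"}

# snmpd.conf directives that grant SNMPv1/v2c community-based access, mapped to
# the index of the community-string token on the line.  The first three are the
# ones named on this page; the "6" forms are their IPv6 variants (assumption).
COMMUNITY_DIRECTIVES = {
    "rocommunity": 1, "rwcommunity": 1, "rocommunity6": 1, "rwcommunity6": 1,
    "com2sec": 3, "com2sec6": 3,
}

def community_of(tokens):
    """Community string carried by a tokenized directive line, or None."""
    idx = COMMUNITY_DIRECTIVES.get(tokens[0].lower())
    if idx is None or len(tokens) <= idx:
        return None
    return tokens[idx].strip('"')

def audit_snmpd_conf(text):
    """Return {'v1v2c': [line numbers], 'default_community': [line numbers]}."""
    result = {"v1v2c": [], "default_community": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0].lower() not in COMMUNITY_DIRECTIVES:
            continue
        result["v1v2c"].append(lineno)           # any v1/v2c access fails the protocol rule
        community = community_of(tokens)
        if community is not None and community.lower() in DEFAULT_COMMUNITIES:
            result["default_community"].append(lineno)
    return result

def is_compliant(text):
    """Both rules pass only when no v1/v2c community directive is configured at all."""
    found = audit_snmpd_conf(text)
    return not found["v1v2c"] and not found["default_community"]

# Constructed sample files (not from a real system).
LEGACY_CONF = """\
# constructed snmpd.conf with SNMPv1/v2c access
sysLocation Server Room 3
sysContact publicrelations@example.test
rocommunity public 192.0.2.0/24
rwcommunity s3cr3t-v2c-string 192.0.2.10
com2sec notConfigUser default private
createUser auditor SHA "constructed-auth-pass" AES "constructed-priv-pass"
rouser auditor authpriv
"""
V3_ONLY_CONF = """\
sysLocation Server Room 3
createUser auditor SHA "constructed-auth-pass" AES "constructed-priv-pass"
rouser auditor authpriv -V systemonly
view systemonly included .1.3.6.1.2.1.1
"""

if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_CONF), ("v3-only", V3_ONLY_CONF)):
        print(label, audit_snmpd_conf(text), "compliant:", is_compliant(text))
```

Checking the community token itself, rather than any occurrence of the words, is what keeps the sysContact line in the constructed sample from being reported: a plain substring search for public|private would flag it, while the only real findings are the rocommunity, rwcommunity and com2sec lines.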
scap-security-guide-0.1.39/shared/guide/services/snmp/snmp_configure_server/snmpd_not_default_password.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure Default SNMP Password Is Not Used'

description: |-
    Edit /etc/snmp/snmpd.conf and remove or change the default community strings public and private. Once the default community strings have been changed, restart the SNMP service:
    $ sudo service snmpd restart

rationale: |-
    Whether active or not, default simple network management protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, then anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system and network(s).

severity: high

identifiers:
    cce@rhel7: 27386-2

references:
    disa: 366
    nist: IA-5.1(ii)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040800"

ocil_clause: 'the default SNMP passwords public and private have not been changed or removed'

ocil: |-
    To ensure the default password is not set, run the following command:
    $ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private'
    There should be no output.

scap-security-guide-0.1.39/shared/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Configure SNMP Service to Use Only SNMPv3 or Newer'

description: |-
    Edit /etc/snmp/snmpd.conf, removing any references to rocommunity, rwcommunity, or com2sec. Upon doing that, restart the SNMP service:
    $ sudo service snmpd restart

rationale: |-
    Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.

severity: medium

identifiers:
    cce@rhel7: 80276-9

ocil_clause: 'there is output'

ocil: |-
    To ensure only SNMPv3 or newer is used, run the following command:
    $ sudo grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"
    There should be no output.

scap-security-guide-0.1.39/shared/guide/services/ssh/file_permissions_sshd_private_key.rule

documentation_complete: true

title: 'Verify Permissions on SSH Server Private *_key Key Files'

description: ''

rationale: |-
    If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

severity: medium

identifiers:
    cce@rhel7: 27485-2

references:
    cui: 3.1.13,3.13.10
    disa: 366
    nist: AC-6
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040420"

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/ssh/file_permissions_sshd_pub_key.rule

documentation_complete: true

title: 'Verify Permissions on SSH Server Public *.pub Key Files'

description: ''

rationale: |-
    If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

severity: medium

identifiers:
    cce@rhel7: 27311-0

references:
    cui: 3.1.13,3.13.10
    disa: 366
    nist: AC-6
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040410"

ocil: ''

scap-security-guide-0.1.39/shared/guide/services/ssh/firewalld_sshd_disabled.rule

documentation_complete: true

prodtype: rhel7

title: 'Remove SSH Server firewalld Firewall exception (Unusual)'

description: |-
    By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration.

rationale: |- If inbound SSH connections are not expected, disallowing access to the SSH port will avoid possible exploitation of the port by an attacker. severity: unknown identifiers: cce@rhel7: 80218-1 references: cui: 3.1.12 scap-security-guide-0.1.39/shared/guide/services/ssh/firewalld_sshd_zone.var000066400000000000000000000006451327242345500272300ustar00rootroot00000000000000documentation_complete: true title: 'SSH enabled firewalld zone' description: 'Specify firewalld zone to enable SSH service. This value is used only for remediation purposes.' type: string operator: equals interactive: false options: block: block default: public dmz: dmz drop: drop external: external home: home internal: internal public: public trusted: trusted work: work scap-security-guide-0.1.39/shared/guide/services/ssh/package_openssh-server_installed.rule000066400000000000000000000014301327242345500320500ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,ol7 title: 'Install the OpenSSH Server Package' description: |- The openssh-server package should be installed. rationale: |- Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. severity: medium identifiers: cce@rhel7: 80215-7 references: disa: 2418,2420,2421,2422 nist: SC-8 srg: SRG-OS-000423-GPOS-00187,SRG-OS-000423-GPOS-00188,SRG-OS-000423-GPOS-00189,SRG-OS000423-GPOS-00190 stigid@rhel7: "040300" ocil_clause: 'the package is not installed' ocil: '' scap-security-guide-0.1.39/shared/guide/services/ssh/service_sshd_disabled.rule000066400000000000000000000006741327242345500276740ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,ol7 title: 'Disable SSH Server If Possible (Unusual)' description: |- The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. 
This is unusual, as SSH is a common method for encrypted and authenticated remote access. rationale: "" severity: unknown identifiers: cce@rhel7: 80217-3 scap-security-guide-0.1.39/shared/guide/services/ssh/service_sshd_enabled.rule000066400000000000000000000022401327242345500275060ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Enable the OpenSSH Service' description: |- The SSH server service, sshd, is commonly needed. rationale: |- Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. severity: medium identifiers: cce@rhel7: 80216-5 references: cui: 3.1.13,3.5.4,3.13.8 disa: 2418,2420,2421,2422 nist: SC-8 srg: SRG-OS-000423-GPOS-00187,SRG-OS-000423-GPOS-00188,SRG-OS-000423-GPOS-00189,SRG-OS000423-GPOS-00190 stigid@rhel7: "040310" ocil: '' scap-security-guide-0.1.39/shared/guide/services/ssh/ssh.group000066400000000000000000000011141327242345500243340ustar00rootroot00000000000000documentation_complete: true title: 'SSH Server' description: "The SSH protocol is recommended for remote login and\nremote file transfer. SSH provides confidentiality and integrity\nfor data exchanged between two systems, as well as server\nauthentication, through the use of public key cryptography. The\nimplementation included with the system is called OpenSSH, and more\ndetailed documentation is available from its website,\n. Its server program \nis called sshd and provided by the RPM package\nopenssh-server." scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/000077500000000000000000000000001327242345500246475ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/disable_host_auth.rule000066400000000000000000000020201327242345500312130ustar00rootroot00000000000000documentation_complete: true title: 'Disable Host-Based Authentication' description: |- SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no
rationale: |- SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. severity: medium identifiers: cce@rhel7: 27413-4 references: cis: 5.2.7 cjis: 5.5.6 cui: 3.1.12 disa: 366 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) nist: AC-3,CM-6(b) ospp@rhel7: FIA_AFL.1 srg: SRG-OS-000480-GPOS-00229 stigid@rhel7: "010470" ocil: '' scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled.rule000066400000000000000000000013201327242345500332440ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Enable SSH Server firewalld Firewall exception' description: |- By default, inbound connections to SSH's port are allowed. If the SSH server is being used but denied by the firewall, this exception should be added to the firewall configuration.

rationale: |- If inbound SSH connections are expected, adding a firewall rule exception will allow remote access through the SSH port. severity: unknown identifiers: cce@rhel7: 80361-9 references: cui: 3.1.12 ocil: '' scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/ssh_server.group000066400000000000000000000006161327242345500301130ustar00rootroot00000000000000documentation_complete: true title: 'Configure OpenSSH Server if Necessary' description: |- If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file /etc/ssh/sshd_config. The following recommendations can be applied to this file. See the sshd_config(5) man page for more detailed information. scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_allow_only_protocol2.rule000066400000000000000000000026271327242345500327520ustar00rootroot00000000000000documentation_complete: true title: 'Allow Only SSH Protocol 2' description: |- Only SSH protocol version 2 connections should be permitted. The default setting in /etc/ssh/sshd_config is correct, and can be verified by ensuring that the following line appears:
Protocol 2
rationale: |- SSH protocol version 1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system. severity: high identifiers: cce@rhel7: 27320-1 references: cis: 5.2.2 cjis: 5.5.6 cui: 3.1.13,3.5.4 disa: 197,366 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) nist: AC-17(8).1(ii),IA-5(1)(c) srg: SRG-OS-000074-GPOS-00042,SRG-OS-000480-GPOS-00227 stigid@rhel7: "040390" ocil_clause: 'it is commented out or is not set correctly to Protocol 2' ocil: |- To check which SSH protocol version is allowed, check version of openssh-server with following command:
$ rpm -qi openssh-server | grep Version
Versions equal to or higher than 7.4 only allow Protocol 2. If version is lower than 7.4, run the following command to check configuration:
$ sudo grep Protocol /etc/ssh/sshd_config
If configured properly, output should be
Protocol 2
# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_disable_compression.rule
documentation_complete: true

title: 'Disable Compression Or Set Compression to delayed'

description: |-
    Compression is useful for slow network connections over long
    distances but can cause performance issues on local LANs. If use of compression
    is required, it should be enabled only after a user has authenticated; otherwise,
    it should be disabled. To disable compression or delay compression until
    after a user has successfully authenticated, add or correct the following line in
    the /etc/ssh/sshd_config file:
    Compression no
    or
    Compression delayed

rationale: |-
    If compression is allowed in an SSH connection prior to authentication,
    vulnerabilities in the compression software could result in compromise of the
    system from an unauthenticated connection, potentially with root privileges.

severity: medium

identifiers:
    cce@rhel7: 80224-9

references:
    cui: 3.1.12
    disa: 366
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: CM-6(b)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040470"

ocil_clause: 'it is commented out, or is not set to no or delayed'

ocil: |-
    To check if compression is enabled or set correctly, run the
    following command:
    $ sudo grep Compression /etc/ssh/sshd_config
    If configured properly, output should be
    no
    or
    delayed

# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_disable_empty_passwords.rule
documentation_complete: true

title: 'Disable SSH Access via Empty Passwords'

description: |-
    To explicitly disallow SSH login from accounts with empty passwords,
    add or correct the following line in /etc/ssh/sshd_config:
    PermitEmptyPasswords no

    Any accounts with empty passwords should be disabled immediately, and PAM configuration
    should prevent users from being able to assign themselves empty passwords.

rationale: |-
    Configuring this setting for the SSH daemon provides additional assurance that
    remote login via SSH will require a password, even in the event of
    misconfiguration elsewhere.

severity: high

identifiers:
    cce@rhel7: 27471-2

references:
    cis: 5.2.9
    cjis: 5.5.6
    cui: 3.1.1,3.1.5
    disa: 366
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: AC-3,AC-6,CM-6(b)
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000480-GPOS-00229
    stigid@rhel7: "010300"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth.rule
documentation_complete: true

title: 'Disable GSSAPI Authentication'

description: |-
    Unless needed, SSH should not permit extraneous or unnecessary
    authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or
    correct the following line in the /etc/ssh/sshd_config file:
    GSSAPIAuthentication no

rationale: |-
    GSSAPI authentication is used to provide additional authentication mechanisms to
    applications. Allowing GSSAPI authentication through SSH exposes the system's
    GSSAPI to remote hosts, increasing the attack surface of the system.

severity: medium

identifiers:
    cce@rhel7: 80220-7

references:
    cui: 3.1.12
    disa: 368,318,1812,1813,1814
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: CM-6(c)
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000364-GPOS-00151
    stigid@rhel7: "040430"

ocil_clause: 'it is commented out or is not disabled'

ocil: |-
    To check if GSSAPIAuthentication is disabled or set correctly, run the
    following command:
    $ sudo grep GSSAPIAuthentication /etc/ssh/sshd_config
    If configured properly, output should be
    no
# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_disable_kerb_auth.rule
documentation_complete: true

title: 'Disable Kerberos Authentication'

description: |-
    Unless needed, SSH should not permit extraneous or unnecessary
    authentication mechanisms like Kerberos. To disable Kerberos authentication, add
    or correct the following line in the /etc/ssh/sshd_config file:
    KerberosAuthentication no

rationale: |-
    Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos
    is enabled through SSH, the SSH daemon provides a means of access to the
    system's Kerberos implementation. Vulnerabilities in the system's Kerberos
    implementations may be subject to exploitation.

severity: medium

identifiers:
    cce@rhel7: 80221-5

references:
    cui: 3.1.12
    disa: 368,318,1812,1813,1814
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: CM-6(c)
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000364-GPOS-00151
    stigid@rhel7: "040440"

ocil_clause: 'it is commented out or is not disabled'

ocil: |-
    To check if KerberosAuthentication is disabled or set correctly, run the
    following command:
    $ sudo grep KerberosAuthentication /etc/ssh/sshd_config
    If configured properly, output should be
    no
# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_disable_rhosts.rule
documentation_complete: true

title: 'Disable SSH Support for .rhosts Files'

description: |-
    SSH can emulate the behavior of the obsolete rsh
    command in allowing users to enable insecure access to their
    accounts via .rhosts files.

    To ensure this behavior is disabled, add or correct the
    following line in /etc/ssh/sshd_config:
    IgnoreRhosts yes

rationale: |-
    SSH trust relationships mean a compromise on one host
    can allow an attacker to move trivially to other hosts.

severity: medium

identifiers:
    cce@rhel7: 27377-1

references:
    cis: 5.2.6
    cjis: 5.5.6
    cui: 3.1.12
    disa: 366
    nist: AC-3,CM-6(a)
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040350"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa.rule
documentation_complete: true

title: 'Disable SSH Support for Rhosts RSA Authentication'

description: |-
    SSH can allow authentication through the obsolete rsh
    command through the use of the authenticating user's SSH keys. This should be disabled.

    To ensure this behavior is disabled, add or correct the
    following line in /etc/ssh/sshd_config:
    RhostsRSAAuthentication no

rationale: |-
    Configuring this setting for the SSH daemon provides additional assurance
    that remote login via SSH will require a password, even in the event of
    misconfiguration elsewhere.

severity: medium

identifiers:
    cce@rhel7: 80373-4

references:
    cui: 3.1.12
    disa: 366
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: CM-6(a)
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040330"

ocil: |-
    To check which SSH protocol version is allowed, check the version of
    openssh-server with the following command:
    $ rpm -qi openssh-server | grep Version
    Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication
    option. If the version is lower than 7.4, run the following command to check the
    configuration:

# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_disable_root_login.rule
documentation_complete: true

title: 'Disable SSH Root Login'

description: |-
    The root user should never be allowed to login to a
    system directly over a network.
    To disable root login via SSH, add or correct the following line
    in /etc/ssh/sshd_config:
    PermitRootLogin no

rationale: |-
    Even though the communications channel may be encrypted, an additional layer of
    security is gained by extending the policy of not logging directly on as root.
    In addition, logging in with a user-specific account provides individual
    accountability of actions performed on the system and also helps to minimize
    direct attack attempts on root's password.

severity: medium

identifiers:
    cce@rhel7: 27445-6

references:
    cis: 5.2.8
    cjis: 5.5.6
    cui: '3.1.1, 3.1.5'
    disa: 366
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: AC-3,AC-6(2),IA-2(1),IA-2(5)
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040370"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts.rule
documentation_complete: true

title: 'Disable SSH Support for User Known Hosts'

description: |-
    SSH can allow system users to use host-based authentication to connect
    to systems if a cache of the remote systems' public keys is available.
    This should be disabled.

    To ensure this behavior is disabled, add or correct the
    following line in /etc/ssh/sshd_config:
    IgnoreUserKnownHosts yes

rationale: |-
    Configuring this setting for the SSH daemon provides additional assurance
    that remote login via SSH will require a password, even in the event of
    misconfiguration elsewhere.

severity: medium

identifiers:
    cce@rhel7: 80372-6

references:
    cui: 3.1.12
    disa: 366
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: CM-6(a)
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040380"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env.rule
documentation_complete: true

title: 'Do Not Allow SSH Environment Options'

description: |-
    To ensure users are not able to override environment
    options to the SSH daemon, add or correct the following line
    in /etc/ssh/sshd_config:
    PermitUserEnvironment no

rationale: |-
    SSH environment options potentially allow users to bypass
    access restriction in some configurations.

severity: medium

identifiers:
    cce@rhel7: 27363-1

references:
    cis: 5.2.10
    cjis: 5.5.6
    cui: 3.1.12
    disa: 366
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: CM-6(b)
    srg: SRG-OS-000480-GPOS-00229
    stigid@rhel7: "010460"

ocil_clause: 'PermitUserEnvironment is not disabled'

ocil: |-
    To ensure users are not able to pass environment options to the SSH
    daemon, run the following command:
    $ sudo grep PermitUserEnvironment /etc/ssh/sshd_config
    If properly configured, output should be:
    PermitUserEnvironment no
# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_enable_strictmodes.rule
documentation_complete: true

title: 'Enable Use of Strict Mode Checking'

description: |-
    SSH's StrictModes option checks file and ownership permissions in
    the user's home directory .ssh folder before accepting login. If world-writable
    permissions are found, logon is rejected. To enable StrictModes in SSH, add
    or correct the following line in the /etc/ssh/sshd_config file:
    StrictModes yes

rationale: |-
    If other users have access to modify user-specific SSH configuration files, they
    may be able to log into the system as another user.

severity: medium

identifiers:
    cce@rhel7: 80222-3

references:
    cui: 3.1.12
    disa: 366
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: AC-6
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040450"

ocil_clause: 'it is commented out or is not enabled'

ocil: |-
    To check if StrictModes is enabled or set correctly, run the
    following command:
    $ sudo grep StrictModes /etc/ssh/sshd_config
    If configured properly, output should be
    yes
# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_enable_warning_banner.rule
documentation_complete: true

title: 'Enable SSH Warning Banner'

description: |-
    To enable the warning banner and ensure it is consistent
    across the system, add or correct the following line in /etc/ssh/sshd_config:
    Banner /etc/issue
    Another section contains information on how to create an
    appropriate system-wide warning banner.

rationale: |-
    The warning message reinforces policy awareness during the logon process and
    facilitates possible legal action against attackers. Alternatively, systems
    whose ownership should not be obvious should ensure usage of a banner that does
    not provide easy attribution.

severity: medium

identifiers:
    cce@rhel7: 27314-4

references:
    cis: 5.2.16
    cjis: 5.5.6
    cui: 3.1.9
    disa: 48,50,1384,1385,1386,1387,1388
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: AC-8(a),AC-8(b),AC-8(c)(1),AC-8(c)(2),AC-8(c)(3)
    ospp@rhel7: FMT_MOF_EXT.1
    srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088
    stigid@rhel7: "040170"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding.rule
documentation_complete: true

title: 'Enable Encrypted X11 Forwarding'

description: |-
    By default, remote X11 connections are not encrypted when initiated
    by users. SSH has the capability to encrypt remote X11 connections when SSH's
    X11Forwarding option is enabled.

    To enable X11 Forwarding, add or correct the
    following line in /etc/ssh/sshd_config:
    X11Forwarding yes

rationale: |-
    Open X displays allow an attacker to capture keystrokes and to execute commands
    remotely.

severity: high

identifiers:
    cce@rhel7: 80226-4

references:
    cis: 5.2.4
    cui: 3.1.13
    disa: 366
    nist: CM-2(1)(b)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040710"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_limit_user_access.rule
documentation_complete: true

title: 'Limit Users'' SSH Access'

description: |-
    By default, the SSH configuration allows any user with an account
    to access the system. In order to restrict which users are allowed to
    log in via SSH, add or correct the following line in the
    /etc/ssh/sshd_config file:
    DenyUsers USER1 USER2
    Where USER1 and USER2 are valid user names.

rationale: |-
    Specifying which accounts are allowed SSH access into the system reduces the
    possibility of unauthorized access to the system.

severity: unknown

identifiers:
    cce@rhel7: 80219-9

references:
    cui: 3.1.12
    nist: AC-3

# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_print_last_log.rule
documentation_complete: true

title: 'Print Last Log'

description: |-
    When enabled, SSH will display the date and time of the last successful account logon.
    To enable LastLog in SSH, add or correct the following line in
    the /etc/ssh/sshd_config file:
    PrintLastLog yes

rationale: |-
    Providing users feedback on when account accesses last occurred facilitates user
    recognition and reporting of unauthorized account use.

severity: low

identifiers:
    cce@rhel7: 80225-6

references:
    disa: 366
    nist: AC-9
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040360"

ocil_clause: 'it is commented out or is not enabled'

ocil: |-
    To check if PrintLastLog is enabled or set correctly, run the
    following command:
    $ sudo grep PrintLastLog /etc/ssh/sshd_config
    If configured properly, output should be
    yes
# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_set_idle_timeout.rule
documentation_complete: true

title: 'Set SSH Idle Timeout Interval'

description: |-
    SSH allows administrators to set an idle timeout
    interval.
    After this interval has passed, the idle user will be
    automatically logged out.

    To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as
    follows:
    ClientAliveInterval interval
    The timeout interval is given in seconds. To have a timeout
    of 10 minutes, set interval to 600.

    If a shorter timeout has already been set for the login shell, that value will
    preempt any SSH setting made here. Keep in mind that some processes may stop SSH
    from correctly detecting that the user is idle.

rationale: |-
    Terminating an idle ssh session within a short time period reduces the window of
    opportunity for unauthorized personnel to take control of a management session
    enabled on the console or console port that has been left unattended.

severity: unknown

identifiers:
    cce@rhel7: 27433-2

references:
    cis: 5.2.12
    cjis: 5.5.6
    cui: 3.1.11
    disa: 1133,2361
    nist: AC-2(5),SA-8(i),AC-12
    pcidss: Req-8.1.8
    srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109
    stigid@rhel7: "040320"

ocil_clause: 'it is commented out or not configured properly'

ocil: |-
    Run the following command to see what the timeout interval is:
    $ sudo grep ClientAliveInterval /etc/ssh/sshd_config
    If properly configured, the output should be:
    ClientAliveInterval 600
# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_set_keepalive.rule
documentation_complete: true

title: 'Set SSH Client Alive Count'

description: |-
    To ensure the SSH idle timeout occurs precisely when the ClientAliveCountMax
    is set, edit /etc/ssh/sshd_config as follows:
    ClientAliveCountMax 0

rationale: |-
    This ensures a user login will be terminated as soon as the ClientAliveCountMax
    is reached.

severity: medium

identifiers:
    cce@rhel7: 27082-7

references:
    cis: 5.2.12
    cjis: 5.5.6
    cui: 3.1.11
    disa: 1133,2361
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: AC-2(5),SA-8,AC-12
    srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109
    stigid@rhel7: "040340"

ocil_clause: 'it is commented out or not configured properly'

ocil: |-
    To ensure the SSH idle timeout will occur when the ClientAliveCountMax is set,
    run the following command:
    $ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
    If properly configured, output should be:
    ClientAliveCountMax 0
# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_set_loglevel_info.rule
documentation_complete: true

title: 'Set LogLevel to INFO'

description: |-
    The INFO parameter specifies that login and logout activity will be
    recorded in the log. To specify the log level in SSH, add or correct the
    following line in the /etc/ssh/sshd_config file:
    LogLevel INFO

rationale: |-
    SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically
    not recommended other than strictly for debugging SSH communications since it provides
    so much data that it is difficult to identify important security information. INFO level
    is the basic level that only records login activity of SSH users. In many situations, such
    as Incident Response, it is important to determine when a particular user was active on
    a system. The logout record can eliminate those users who disconnected, which helps narrow
    the field.

severity: low

references:
    cis@debian8: 9.3.2
    cis@rhel7: 5.2.3

ocil_clause: 'it is commented out or is not enabled'

ocil: |-
    To check if LogLevel is enabled or set correctly, run the
    following command:
    $ sudo grep "^LogLevel" /etc/ssh/sshd_config
    If configured properly, output should be
    LogLevel INFO
# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_set_max_auth_tries.rule
documentation_complete: true

title: 'Set SSH authentication attempt limit'

description: |-
    The MaxAuthTries parameter specifies the maximum number of authentication
    attempts permitted per connection. Once the number of failures reaches half
    this value, additional failures are logged. To set MaxAuthTries, edit
    /etc/ssh/sshd_config as follows:
    MaxAuthTries tries

rationale: |-
    Setting the MaxAuthTries parameter to a low number will minimize the risk of
    successful brute force attacks to the SSH server.

severity: medium

references:
    cis@debian8: 9.3.5
    cis@rhel7: 5.2.5

ocil_clause: 'it is commented out or not configured properly'

ocil: |-
    To ensure the MaxAuthTries parameter is set, run the following command:
    $ sudo grep MaxAuthTries /etc/ssh/sshd_config
    If properly configured, output should be:
    MaxAuthTries tries
# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_strengthen_firewall/sshd_strengthen_firewall.group
documentation_complete: true

title: 'Strengthen Firewall Configuration if Possible'

description: |-
    If the SSH server is expected to only receive connections from
    the local network, then strengthen the default firewall rule for the SSH service
    to only accept connections from the appropriate network segment(s).

    Determine an appropriate network block, netwk, network mask, mask,
    and network protocol, ip_protocol, representing the systems on your network
    which will be allowed to access this SSH server.

    Run the following command:
    firewall-cmd --permanent --add-rich-rule='rule family="ip_protocol" source address="netwk/mask" service name="ssh" accept'
# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_use_approved_ciphers.rule
documentation_complete: true

title: 'Use Only FIPS 140-2 Validated Ciphers'

description: |-
    Limit the ciphers to those algorithms which are FIPS-approved.
    Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode.
    The following line in /etc/ssh/sshd_config demonstrates use of
    FIPS 140-2 validated ciphers:
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr

    The following ciphers are FIPS 140-2 certified on RHEL 7:
    - aes128-ctr
    - aes192-ctr
    - aes256-ctr
    - aes128-cbc
    - aes192-cbc
    - aes256-cbc
    - 3des-cbc
    - rijndael-cbc@lysator.liu.se

    Any combination of the above ciphers will pass this check. Official FIPS 140-2 paperwork for
    RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.

rationale: |-
    Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
    cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
    Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
    FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize
    authentication that meets industry and government requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux.

severity: medium

identifiers:
    cce@rhel7: 27295-5

references:
    cis: 5.2.10
    cjis: 5.5.6
    cui: 3.1.13,3.13.11,3.13.8
    disa: 68,366,803
    hipaa: 164.308(b)(1),164.308(b)(2),164.312(e)(1),164.312(e)(2)(i),164.312(e)(2)(ii),164.314(b)(2)(i)
    nist: AC-3,AC-17(2),AU-10(5),CM-6(b),IA-5(1)(c),IA-7
    srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173
    stigid@rhel7: "040110"

ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'

ocil: |-
    Only FIPS ciphers should be used. To verify that only FIPS-approved
    ciphers are in use, run the following command:
    $ sudo grep Ciphers /etc/ssh/sshd_config
    The output should contain only those ciphers which are FIPS-approved.

# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_use_approved_macs.rule
documentation_complete: true

title: 'Use Only FIPS 140-2 Validated MACs'

description: |-
    Limit the MACs to those hash algorithms which are FIPS-approved.
    The following line in /etc/ssh/sshd_config demonstrates use
    of FIPS-approved MACs:
    MACs hmac-sha2-512,hmac-sha2-256

    Only the following message authentication codes are FIPS 140-2 certified on RHEL 7:
    - hmac-sha1
    - hmac-sha2-256
    - hmac-sha2-512
    - hmac-sha1-etm@openssh.com
    - hmac-sha2-256-etm@openssh.com
    - hmac-sha2-512-etm@openssh.com

    Any combination of the above MACs will pass this check. Official FIPS 140-2 paperwork for
    RHEL7 can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.

rationale: |-
    DoD Information Systems are required to use FIPS-approved cryptographic hash functions.
    The only SSHv2 hash algorithm family meeting this requirement is SHA2.

severity: medium

identifiers:
    cce@rhel7: 27455-5

references:
    cis: 5.2.12
    cui: 3.1.13,3.13.11,3.13.8
    disa: 1453
    hipaa: 164.308(b)(1),164.308(b)(2),164.312(e)(1),164.312(e)(2)(i),164.312(e)(2)(ii),164.314(b)(2)(i)
    nist: AC-17(2),IA-7,SC-13
    srg: SRG-OS-000250-GPOS-00093
    stigid@rhel7: "040400"

ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'

ocil: |-
    Only FIPS-approved MACs should be used. To verify that only FIPS-approved
    MACs are in use, run the following command:
    $ sudo grep -i macs /etc/ssh/sshd_config
    The output should contain only those MACs which are FIPS-approved. Any use of
    other ciphers or algorithms will result in the module entering the non-FIPS
    mode of operation.

# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_use_priv_separation.rule
documentation_complete: true

title: 'Enable Use of Privilege Separation'

description: |-
    When enabled, SSH will create an unprivileged child process that
    has the privilege of the authenticated user. To enable privilege separation in
    SSH, add or correct the following line in the /etc/ssh/sshd_config file:
    UsePrivilegeSeparation sandbox

rationale: |-
    SSH daemon privilege separation causes the SSH process to drop root privileges
    when not needed which would decrease the impact of software vulnerabilities in
    the unprivileged section.

severity: medium

identifiers:
    cce@rhel7: 80223-1

references:
    cui: 3.1.12
    disa: 366
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: AC-6
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040460"

ocil_clause: 'it is commented out or is not enabled'

ocil: |-
    To check if UsePrivilegeSeparation is enabled or set correctly, run the
    following command:
$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config
If configured properly, output should be
sandbox
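The FIPS cipher and MAC rules above say that "any combination" of the listed algorithms passes, which a plain grep does not decide by itself. The script below is an added example (not scap-security-guide code) that splits the Ciphers or MACs line of an sshd_config and checks every item against an allow-list passed as a parameter; the allow-lists are the MAC list and the strong-cipher list given in the rules, and the sample configs are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of scap-security-guide: verify that every algorithm
# named on a Ciphers or MACs line of sshd_config is in an allow-list. The
# allow-list is a parameter, so the same check serves the FIPS and "strong"
# rule variants; the two lists below are the ones given in the rules.
FIPS_MACS="hmac-sha1 hmac-sha2-256 hmac-sha2-512 hmac-sha1-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
STRONG_CIPHERS="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes128-ctr"

# Print the value of keyword $2 in sshd_config $1. Keywords are matched
# case-insensitively, commented lines are ignored, and the first occurrence
# wins, which is how sshd itself resolves a repeated keyword.
sshd_option() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# Return 0 when keyword $2 in file $1 is set and every comma-separated item
# is in the space-separated allow-list $3; otherwise report and return 1.
# An absent or commented-out keyword fails, matching the rules' ocil_clause.
sshd_algos_allowed() {
  value=$(sshd_option "$1" "$2")
  if [ -z "$value" ]; then
    echo "$2: not configured" >&2
    return 1
  fi
  bad=""
  for algo in $(printf '%s' "$value" | tr ',' ' '); do
    case " $3 " in
      *" $algo "*) ;;
      *) bad="$bad $algo" ;;
    esac
  done
  if [ -n "$bad" ]; then
    echo "$2: not in allow-list:$bad" >&2
    return 1
  fi
  return 0
}

# Constructed sample configs (not real system files) so the script runs offline.
SAMPLE_OK=$(mktemp)
SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_BAD"' EXIT
cat > "$SAMPLE_OK" <<'EOF'
# a commented-out weak setting must not count
#MACs hmac-md5
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
EOF
cat > "$SAMPLE_BAD" <<'EOF'
Ciphers aes256-ctr,aes128-cbc
MACs hmac-sha2-256,hmac-md5-96
EOF

# Print PASS or FAIL for one file and keyword.
show() {
  if sshd_algos_allowed "$1" "$2" "$3" 2>/dev/null; then
    echo "PASS $2 in $1"
  else
    echo "FAIL $2 in $1"
  fi
}
show "$SAMPLE_OK" Ciphers "$STRONG_CIPHERS"
show "$SAMPLE_OK" MACs "$FIPS_MACS"
show "$SAMPLE_BAD" Ciphers "$STRONG_CIPHERS"
show "$SAMPLE_BAD" MACs "$FIPS_MACS"
```

To check a live system, call sshd_algos_allowed with /etc/ssh/sshd_config in place of the sample file.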
# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_use_strong_ciphers.rule
documentation_complete: true

title: 'Use Only Strong Ciphers'

description: |-
    Limit the ciphers to strong algorithms. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in /etc/ssh/sshd_config demonstrates use of those ciphers:
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
    The man page sshd_config(5) contains a list of supported ciphers.

rationale: |-
    Based on research conducted at various institutions, it was determined that the symmetric portion of the SSH Transport Protocol (as described in RFC 4253) has security weaknesses that allowed recovery of up to 32 bits of plaintext from a block of ciphertext that was encrypted with the Cipher Block Chaining (CBC) method. From that research, new Counter mode algorithms (as described in RFC 4344) were designed that are not vulnerable to these types of attacks, and these algorithms are now recommended for standard use.

severity: medium

references:
    cis@debian: 9.3.11

ocil_clause: 'ciphers are not configured or not using strong ciphers'

ocil: |-
    Only strong ciphers should be used. To verify that only strong ciphers are in use, run the following command:
    $ sudo grep Ciphers /etc/ssh/sshd_config
    The output should contain only those ciphers which are considered strong, namely, chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr

# scap-security-guide-0.1.39/shared/guide/services/ssh/ssh_server/sshd_use_strong_macs.rule
documentation_complete: true

title: 'Use Only Strong MACs'

description: |-
    Limit the MACs to strong hash algorithms. The following line in /etc/ssh/sshd_config demonstrates use of those MACs:
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

rationale: |-
    MD5 and 96-bit MAC algorithms are considered weak and have been shown to increase exploitability in SSH downgrade attacks. Weak algorithms continue to have a great deal of attention as a weak spot that can be exploited with expanded computing power. An attacker that breaks the algorithm could take advantage of a MiTM position to decrypt the SSH tunnel and capture credentials and information.

severity: medium

ocil_clause: 'MACs option is commented out or not using strong hash algorithms'

ocil: |-
    Only strong MACs should be used. To verify that only strong MACs are in use, run the following command:
    $ sudo grep -i macs /etc/ssh/sshd_config
    The output should contain only those MACs which are strong, namely, the hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 hash functions.

# scap-security-guide-0.1.39/shared/guide/services/ssh/sshd_approved_macs.var
documentation_complete: true

title: 'SSH Approved MACs by FIPS'

description: |-
    Specify the FIPS approved MACs (message authentication code) algorithms
    that are used for data integrity protection by the SSH server.

type: string

operator: equals

interactive: false

options:
    default: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

# scap-security-guide-0.1.39/shared/guide/services/ssh/sshd_idle_timeout_value.var
documentation_complete: true

title: 'SSH session Idle time'

description: 'Specify duration of allowed idle time.'

type: number

operator: equals

interactive: false

options:
    10_minutes: 600
    120_minutes: 7200
    15_minutes: 900
    30_minutes: 1800
    5_minutes: 300
    60_minutes: 3600
    default: 300

# scap-security-guide-0.1.39/shared/guide/services/ssh/sshd_listening_port.var
documentation_complete: true

title: 'SSH Server Listening Port'

description: 'Specify the port the SSH server is listening on.'

type: number

operator: equals

interactive: false

options:
    default: 22

# scap-security-guide-0.1.39/shared/guide/services/ssh/sshd_max_auth_tries_value.var
documentation_complete: true

title: 'SSH Max authentication attempts'

description: 'Specify the maximum number of authentication attempts per connection.'
type: number

operator: equals

interactive: false

options:
    10: 10
    3: 3
    4: 4
    5: 5
    default: 4

# scap-security-guide-0.1.39/shared/guide/services/ssh/sshd_required.var
documentation_complete: true

title: 'SSH is required to be installed'

description: |-
    Specify if the Policy requires SSH to be installed. Used by SSH Rules to determine if SSH should be uninstalled or configured.
    A value of 0 means that the policy doesn't care if OpenSSH server is installed or not. If it is installed, the scanner will check its configuration; if it's not installed, the check will pass.
    A value of 1 indicates that OpenSSH server package is not required by the policy;
    A value of 2 indicates that OpenSSH server package is required by the policy.

type: number

operator: equals

interactive: false

options:
    default: "0"
    no: 1
    yes: 2

# scap-security-guide-0.1.39/shared/guide/services/sssd/package_sssd_installed.rule
documentation_complete: true

prodtype: rhel6,rhel7

title: 'Install the SSSD Package'

description: |-
    The sssd package should be installed.

rationale: ""

severity: medium

identifiers:
    cce@rhel6: RHEL6-CCE-TBD
    cce@rhel7: 80362-7

references:
    disa: TBD
    disa@rhel6: TBD
    nist: IA-5(10)
    nist@rhel6: IA-5(10)
    srg: TBD
    stigid@rhel7: TBD

ocil_clause: 'the package is not installed'

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/sssd/service_sssd_enabled.rule
documentation_complete: true

prodtype: rhel6,rhel7

title: 'Enable the SSSD Service'

description: |-
    The SSSD service should be enabled.

rationale: ""

severity: medium

identifiers:
    cce@rhel6: RHEL6-CCE-TBD
    cce@rhel7: 80363-5

references:
    disa: TBD
    disa@rhel6: TBD
    nist: IA-5(10)
    nist@rhel6: IA-5(10)
    srg: TBD
    stigid@rhel7: TBD

ocil_clause: 'the service is not enabled'

ocil: ''

# scap-security-guide-0.1.39/shared/guide/services/sssd/sssd-ldap/sssd-ldap.group
documentation_complete: true

prodtype: rhel7

title: 'System Security Services Daemon (SSSD) - LDAP'

description: |-
    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, etc.
    It uses a common framework that can provide caching and offline support to systems utilizing SSSD. SSSD uses caching to reduce load on authentication servers, permit offline authentication, and store extended user data.

    SSSD can support many backends including LDAP. The sssd-ldap backend allows SSSD to fetch identity information from an LDAP server.

# scap-security-guide-0.1.39/shared/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure SSSD LDAP Backend Client CA Certificate'

description: |-
    Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the
    ldap_tls_cacert option in /etc/sssd/sssd.conf to point to the path for the X.509 certificates used for peer authentication, as in:
    ldap_tls_cacert /path/to/tls/ca.cert

rationale: |-
    Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

    Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.

severity: medium

identifiers:
    cce: 80516-8

references:
    disa: 1453
    nist: ""
    srg: SRG-OS-000250-GPOS-00093
    stigid: "040200"

ocil_clause: 'the TLS CA cert is not configured'

ocil: |-
    To verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions, run the following command:
    $ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf
    The output should return the following with a correctly configured CA cert path:
    ldap_tls_cacert /path/to/tls/ca.cert
# scap-security-guide-0.1.39/shared/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure SSSD LDAP Backend Client CA Certificate Location'

description: |-
    Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the
    ldap_tls_cacertdir option in /etc/sssd/sssd.conf to point to the path for the X.509 certificates used for peer authentication, as in:
    ldap_tls_cacertdir /path/to/tls/cacert

rationale: |-
    Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

    Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.

severity: medium

identifiers:
    cce: 80515-0

references:
    disa: 1453
    nist: ""
    srg: SRG-OS-000250-GPOS-00093
    stigid: "040190"

ocil_clause: 'the TLS CA cert is not configured'

ocil: |-
    To verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions, run the following command:
    $ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf
    The output should return the following with a correctly configured CA cert path:
    ldap_tls_cacertdir /path/to/tls/cacert
# scap-security-guide-0.1.39/shared/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure SSSD LDAP Backend to Use TLS For All Transactions'

description: |-
    This check verifies that RHEL7 implements cryptography to protect the integrity of remote LDAP authentication sessions.

    To determine if LDAP is being used for authentication, use the following command:
    $ sudo grep -i useldapauth /etc/sysconfig/authconfig

    If USELDAPAUTH=yes, then LDAP is being used. To check if LDAP is configured to use TLS, use the following command:
    $ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf

rationale: |-
    Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.

severity: medium

identifiers:
    cce@rhel7: 80546-5

references:
    disa: 1453
    nist: AC-17(2),CM-7
    srg: SRG-OS-000250-GPOS-00093
    stigid@rhel7: "040180"

ocil_clause: 'the ''ldap_id_use_start_tls'' option is not set to ''True'''

ocil: |-
    If the system is not using TLS, set the ldap_id_use_start_tls option in /etc/sssd/sssd.conf to True.

# scap-security-guide-0.1.39/shared/guide/services/sssd/sssd.group
documentation_complete: true

prodtype: rhel6,rhel7

title: 'System Security Services Daemon'

description: |-
    The System Security Services Daemon (SSSD) is a system daemon that provides access to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD, openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline support to systems utilizing SSSD. SSSD uses caching to reduce load on authentication servers, permit offline authentication, and store extended user data.

    For more information, see

# scap-security-guide-0.1.39/shared/guide/services/sssd/sssd_enable_pam_services.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure PAM in SSSD Services'

description: |-
    SSSD should be configured to run SSSD pam services. To configure SSSD to provide PAM services, add pam to services under the [sssd] section in /etc/sssd/sssd.conf. For example:
    [sssd]
        services = sudo, autofs, pam

rationale: |-
    Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

severity: medium

identifiers:
    cce@rhel7: 80437-7

references:
    disa: 1948,1953,1954
    nist: IA-2(11)
    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162
    stigid@rhel7: "041002"

ocil_clause: 'it does not exist or ''pam'' is not added to the ''services'' option under the ''sssd'' section'

ocil: |-
    To verify that SSSD is configured for PAM services, run the following command:
    $ sudo grep services /etc/sssd/sssd.conf
    If configured properly, output should be similar to
    services = pam
# scap-security-guide-0.1.39/shared/guide/services/sssd/sssd_memcache_timeout.rule
documentation_complete: true

prodtype: rhel6,rhel7

title: 'Configure SSSD''s Memory Cache to Expire'

description: |-
    SSSD's memory cache should be configured to expire records after 1 day. To configure SSSD to expire memory cache, set memcache_timeout to 86400 under the [nss] section in /etc/sssd/sssd.conf. For example:
    [nss]
        memcache_timeout = 86400

rationale: |-
    If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

severity: medium

identifiers:
    cce@rhel6: RHEL6-CCE-TBD
    cce@rhel7: 80364-3

references:
    disa: 2007
    nist: 'IA-5(10), IA-5(13)'
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000383-GPOS-00166

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    To verify that SSSD's in-memory cache expires after a day, run the following command:
    $ sudo grep memcache_timeout /etc/sssd/sssd.conf
    If configured properly, output should be
    memcache_timeout = 86400

# scap-security-guide-0.1.39/shared/guide/services/sssd/sssd_offline_cred_expiration.rule
documentation_complete: true

prodtype: rhel6,rhel7

title: 'Configure SSSD to Expire Offline Credentials'

description: |-
    SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:
    [pam]
        offline_credentials_expiration = 1

rationale: |-
    If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

severity: medium

identifiers:
    cce@rhel6: RHEL6-CCE-TBD
    cce@rhel7: 80365-0

references:
    disa: 2007
    nist: IA-5(13)
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000383-GPOS-00166

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    To verify that SSSD expires offline credentials, run the following command:
    $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf
    If configured properly, output should be
    offline_credentials_expiration = 1
# scap-security-guide-0.1.39/shared/guide/services/sssd/sssd_ssh_known_hosts_timeout.rule
documentation_complete: true

prodtype: rhel6,rhel7

title: 'Configure SSSD to Expire SSH Known Hosts'

description: |-
    SSSD should be configured to expire keys from known SSH hosts after 1 day. To configure SSSD to expire known SSH hosts, set ssh_known_hosts_timeout to 86400 under the [ssh] section in /etc/sssd/sssd.conf. For example:
    [ssh]
        ssh_known_hosts_timeout = 86400

rationale: |-
    If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

severity: medium

identifiers:
    cce@rhel6: RHEL6-CCE-TBD
    cce@rhel7: 80366-8

references:
    disa: 2007
    nist: IA-5(13)
    srg: SRG-OS-000383-GPOS-00166

ocil_clause: 'it does not exist or is not configured properly'

ocil: |-
    To verify that SSSD expires known SSH host keys, run the following command:
    $ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf
    If configured properly, output should be
    ssh_known_hosts_timeout = 86400
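The SSSD rules above each name a section of /etc/sssd/sssd.conf ([sssd], [nss], [pam], [ssh] or a [domain/...] section), but their ocil steps grep the whole file, so a key set in the wrong section still matches. The script below is an added example (not scap-security-guide code) that resolves each key under the section its rule names, walks every [domain/...] section for the LDAP TLS rules, and counts failures; both sssd.conf samples are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of scap-security-guide: section-aware evaluation of
# the SSSD rules from this guide against one sssd.conf file.

# Print the value of key $3 under section $2 of INI-style file $1. Lines
# starting with # or ; are comments; the first match wins.
sssd_get() {
  awk -v want="$2" -v key="$3" '
    /^[[:space:]]*[#;]/ { next }
    /^[[:space:]]*\[/ {
      s = index($0, "["); e = index($0, "]")
      sec = substr($0, s + 1, e - s - 1); next
    }
    sec == want && index($0, "=") > 0 {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        print v; exit
      }
    }
  ' "$1"
}

# Print the name of every [domain/...] section in $1, one per line.
sssd_domains() {
  awk '/^[[:space:]]*\[domain\// {
    s = index($0, "["); e = index($0, "]"); print substr($0, s + 1, e - s - 1)
  }' "$1"
}

# Return 0 when comma-separated list $1 contains item $2 (spaces ignored).
list_has() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qx -- "$2"
}

# Report rule $1: pass when [$3] $4 in file $2 equals $5.
expect_equals() {
  v=$(sssd_get "$2" "$3" "$4")
  if [ "$v" = "$5" ]; then
    echo "PASS $1"; return 0
  fi
  echo "FAIL $1: [$3] $4 is '${v:-unset}', expected $5"; return 1
}

# Evaluate the rules against sssd.conf $1; returns the number of failing rules.
sssd_check() {
  f="$1"; fails=0
  svc=$(sssd_get "$f" sssd services)
  if list_has "$svc" pam; then
    echo "PASS sssd_enable_pam_services"
  else
    echo "FAIL sssd_enable_pam_services: [sssd] services is '${svc:-unset}'"
    fails=$((fails + 1))
  fi
  expect_equals sssd_memcache_timeout "$f" nss memcache_timeout 86400 || fails=$((fails + 1))
  expect_equals sssd_offline_cred_expiration "$f" pam offline_credentials_expiration 1 || fails=$((fails + 1))
  expect_equals sssd_ssh_known_hosts_timeout "$f" ssh ssh_known_hosts_timeout 86400 || fails=$((fails + 1))
  for d in $(sssd_domains "$f"); do
    # The rule gives the value as True; sssd also accepts other boolean spellings.
    expect_equals "sssd_ldap_start_tls[$d]" "$f" "$d" ldap_id_use_start_tls True || fails=$((fails + 1))
    if [ -n "$(sssd_get "$f" "$d" ldap_tls_cacert)" ]; then
      echo "PASS sssd_ldap_configure_tls_ca[$d]"
    else
      echo "FAIL sssd_ldap_configure_tls_ca[$d]: ldap_tls_cacert unset"
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}

# Constructed sample files (not real system configs) so the script runs offline.
SSSD_GOOD=$(mktemp); SSSD_BAD=$(mktemp)
trap 'rm -f "$SSSD_GOOD" "$SSSD_BAD"' EXIT
cat > "$SSSD_GOOD" <<'EOF'
[sssd]
services = sudo, autofs, pam
domains = example.com
[nss]
memcache_timeout = 86400
[pam]
offline_credentials_expiration = 1
[ssh]
ssh_known_hosts_timeout = 86400
[domain/example.com]
id_provider = ldap
ldap_id_use_start_tls = True
ldap_tls_cacert = /path/to/tls/ca.cert
EOF
cat > "$SSSD_BAD" <<'EOF'
# "services = pam" sits under [nss], where a plain grep would still find it
[sssd]
services = nss
[nss]
services = pam
memcache_timeout = 600
[domain/example.com]
id_provider = ldap
ldap_id_use_start_tls = False
EOF
sssd_check "$SSSD_GOOD" || echo "$? rule(s) failed"
sssd_check "$SSSD_BAD" || echo "$? rule(s) failed"
```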
# scap-security-guide-0.1.39/shared/guide/services/xwindows/disabling_xwindows/disabling_xwindows.group
documentation_complete: true

title: 'Disable X Windows'

description: |-
    Unless there is a mission-critical reason for the system to run a graphical user interface, ensure X is not set to start automatically at boot and remove the X Windows software packages. There is usually no reason to run X Windows on a dedicated server system, as it increases the system's attack surface and consumes system resources. Administrators of server systems should instead login via SSH or on the text console.

# scap-security-guide-0.1.39/shared/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Remove the X Windows Package Group'

description: |-
    By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following commands:
    $ sudo yum groupremove "X Window System"
    $ sudo yum remove xorg-x11-server-common

rationale: |-
    Unnecessary service packages must not be installed to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and should not be installed unless approved and documented.

severity: medium

identifiers:
    cce@rhel7: CCE-27218-7

references:
    cis: 2.2.2
    disa: 366
    nist: AC-17(8).1(ii)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040730"

ocil_clause: 'the X Windows package group or xorg-x11-server-common has not been removed'

ocil: |-
    To ensure the X Windows package group is removed, run the following command:
    $ rpm -qi xorg-x11-server-common
    The output should be:
    package xorg-x11-server-common is not installed
# scap-security-guide-0.1.39/shared/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_setting.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable X Windows Startup By Setting Default Target'

description: |-
    Systems that do not require a graphical user interface should only boot by default into multi-user.target mode. This prevents accidental booting of the system into a graphical.target mode. Setting the system's default target to multi-user.target will prevent automatic startup of the X server. To do so, run:
    $ systemctl set-default multi-user.target
    You should see the following output:
    rm '/etc/systemd/system/default.target'
    ln -s '/usr/lib/systemd/system/multi-user.target' '/etc/systemd/system/default.target'

rationale: |-
    Services that are not required for system and application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and should not be used unless approved and documented.

severity: medium

identifiers:
    cce@rhel7: CCE-27285-6

references:
    disa: 366
    nist: AC-17(8).1(ii)
    srg: SRG-OS-000480-GPOS-00227

ocil_clause: 'the X windows display server is running and/or has not been disabled'

ocil: |-
    To verify the default target is multi-user, run the following command:
    $ systemctl get-default
    The output should show the following:
    multi-user.target
# scap-security-guide-0.1.39/shared/guide/services/xwindows/xwindows.group
documentation_complete: true

title: 'X Window System'

description: |-
    The X Window System implementation included with the system is called X.org.

# scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-banners/accounts-banners.group
documentation_complete: true

title: 'Warning Banners for System Accesses'

description: |-
    Each system should expose as little information about itself as possible.

    System banners, which are typically displayed just before a login prompt, give out information about the service or the host's operating system. This might include the distribution name and the system kernel version, and the particular version of a network service. This information can assist intruders in gaining access to the system as it can reveal whether the system is running vulnerable software. Most network services can be configured to limit what information is displayed.

    Many organizations implement security policies that require a system banner provide notice of the system's ownership, provide warning to unauthorized users, and remind authorized users of their consent to monitoring.

# scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-banners/banner_etc_issue.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Modify the System Login Banner'

description: |-
    To configure the system login banner edit /etc/issue. Replace
    the default text with a message compliant with the local site policy
    or a legal disclaimer.

    The DoD required text is either:

    You are accessing a U.S. Government (USG) Information System (IS) that is
    provided for USG-authorized use only. By using this IS (which includes any
    device attached to this IS), you consent to the following conditions:
    -The USG routinely intercepts and monitors communications on this IS for purposes
    including, but not limited to, penetration testing, COMSEC monitoring, network
    operations and defense, personnel misconduct (PM), law enforcement (LE), and
    counterintelligence (CI) investigations.
    -At any time, the USG may inspect and seize data stored on this IS.
    -Communications using, or data stored on, this IS are not private, are subject
    to routine monitoring, interception, and search, and may be disclosed or used
    for any USG-authorized purpose.
    -This IS includes security measures (e.g., authentication and access controls)
    to protect USG interests -- not for your personal benefit or privacy.
    -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative
    searching or monitoring of the content of privileged communications, or work
    product, related to personal representation or services by attorneys,
    psychotherapists, or clergy, and their assistants. Such communications and work
    product are private and confidential. See User Agreement for details.

    OR:

    I've read & consent to terms in IS user agreem't.

rationale: |-
    Display of a standardized and approved use notification before granting access to the operating system
    ensures privacy and security notification verbiage used is consistent with applicable federal laws,
    Executive Orders, directives, policies, regulations, standards, and guidance.

    System use notifications are required only for access via login interfaces with human users and
    are not required when such human interfaces do not exist.

severity: medium

identifiers:
    cce@rhel7: 27303-7

references:
    cis: 1.7.1.2
    cui: 3.1.9
    disa: 48
    nist: AC-8(a),AC-8(b),AC-8(c)(1),AC-8(c)(2),AC-8(c)(3)
    ospp@rhel7: FMT_MOF_EXT.1
    srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007
    stigid@rhel7: "010050"

ocil_clause: 'it does not display the required banner'

ocil: |-
    To check if the system login banner is compliant, run the following command:
    $ cat /etc/issue
# scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Enable GNOME3 Login Warning Banner'

description: |-
    In the default graphical environment, a login warning banner in the GNOME Display Manager's login screen can be enabled by setting banner-message-enable to true.

    To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example:
    [org/gnome/login-screen]
        banner-message-enable=true
    Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
    /org/gnome/login-screen/banner-message-enable
    After the settings have been set, run dconf update. The banner text must also be set.

rationale: |-
    Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

    For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

severity: medium

identifiers:
    cce@rhel7: 26970-4

references:
    cis: 1.7.2
    cui: 3.1.9
    disa: 48
    nist: AC-8(a),AC-8(b),AC-8(c)(1),AC-8(c)(2),AC-8(c)(3)
    ospp@rhel7: FMT_MOF_EXT.1
    srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088
    stigid@rhel7: "010030"

ocil_clause: 'it is not'

ocil: |-
    To ensure a login warning banner is enabled, run the following:
    $ grep banner-message-enable /etc/dconf/db/gdm.d/*
    If properly configured, the output should be true. To ensure a login warning banner is locked and cannot be changed by a user, run the following:
    $ grep banner-message-enable /etc/dconf/db/gdm.d/locks/*
    If properly configured, the output should be /org/gnome/login-screen/banner-message-enable.

To enable, add or edit banner-message-text to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
    banner-message-text=string 'APPROVED_BANNER'
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-text
After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines. rationale: |- An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. severity: medium identifiers: cce@rhel7: 26892-0 references: cis: 1.7.2 cui: 3.1.9 disa: 48 nist: AC-8(a),AC-8(b),AC-8(c) ospp@rhel7: FMT_MOF_EXT.1 srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088 stigid@rhel7: "010040" ocil_clause: 'it does not' ocil: |- To ensure the login warning banner text is properly set, run the following:
    $ grep banner-message-text /etc/dconf/db/gdm.d/*
    If properly configured, the proper banner text will appear. To ensure the login warning banner
    text is locked and cannot be changed by a user, run the following:
    $ grep banner-message-text /etc/dconf/db/gdm.d/locks/*
    If properly configured, the output should be /org/gnome/login-screen/banner-message-text.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-banners/gui_login_banner/gui_login_banner.group
documentation_complete: true

title: 'Implement a GUI Warning Banner'

description: |-
    In the default graphical environment, users logging directly into the system are greeted with
    a login screen provided by the GNOME3 Display Manager (GDM). The warning banner should be
    displayed in this graphical environment for these users. The following sections describe how
    to configure the GDM login banner.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-banners/login_banner_text.var
documentation_complete: true

title: 'Login Banner Verbiage'

description: |-
    Enter an appropriate login banner for your organization. Please note that new lines must be
    expressed by the '\n' character and special characters like parentheses and quotation marks
    must be escaped with '\'.
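Both GDM banner rules above verify their settings with a bare grep over /etc/dconf/db/gdm.d. The shell script below is an added example, not code from scap-security-guide, that performs the same check offline against a constructed copy of the database: it accepts banner-message-enable and banner-message-text only when they sit under the [org/gnome/login-screen] group, requires the text to be a dconf string literal, and requires both lock entries. The directory layout, the file names 00-security-settings and 00-security-settings-lock, and the banner text are constructed for the demo; on a real host DCONF_DB is assumed to be /etc/dconf/db/gdm.d.

```shell
#!/bin/sh
# Added example (not scap-security-guide code): verify the GDM banner settings
# the two dconf rules above describe. The keyfile and lock file are constructed
# here under a temporary directory; on a real host use DCONF_DB=/etc/dconf/db/gdm.d.
DCONF_DB=$(mktemp -d)
mkdir -p "$DCONF_DB/locks"
cat > "$DCONF_DB/00-security-settings" <<'EOF'
[org/gnome/login-screen]
banner-message-enable=true
banner-message-text=string 'Authorized users only.\nAll activity may be monitored and reported.'
EOF
cat > "$DCONF_DB/locks/00-security-settings-lock" <<'EOF'
/org/gnome/login-screen/banner-message-enable
/org/gnome/login-screen/banner-message-text
EOF

# Print the value of KEY inside [GROUP] from the keyfiles directly in DB. Unlike a
# bare grep, a key only counts when it sits under the right group header; if
# several files set it, the last one in glob order wins (a simplification here).
dconf_key() {
    db=$1; group=$2; key=$3
    for f in "$db"/*; do
        [ -f "$f" ] || continue
        awk -v g="[$group]" -v k="$key" '
            /^\[/ { ingroup = ($0 == g); next }
            ingroup && index($0, k "=") == 1 { print substr($0, length(k) + 2) }
        ' "$f"
    done | tail -n 1
}

# Succeed when PATH appears as a whole line in some lock file under DB/locks.
dconf_locked() {
    grep -qxF -- "$2" "$1"/locks/* 2>/dev/null
}

# The complete check: banner enabled, text is a dconf string literal, both locked.
banner_ok() {
    db=$1
    [ "$(dconf_key "$db" org/gnome/login-screen banner-message-enable)" = true ] || return 1
    text=$(dconf_key "$db" org/gnome/login-screen banner-message-text)
    case $text in
        "string '"*"'") ;;
        *) return 1 ;;
    esac
    dconf_locked "$db" /org/gnome/login-screen/banner-message-enable || return 1
    dconf_locked "$db" /org/gnome/login-screen/banner-message-text
}

# A second constructed database with the same keyfile but no lock file, to show
# the check failing: the settings are present but not protected against modification.
DCONF_UNLOCKED=$(mktemp -d)
mkdir -p "$DCONF_UNLOCKED/locks"
cp "$DCONF_DB/00-security-settings" "$DCONF_UNLOCKED/"

if banner_ok "$DCONF_DB"; then echo "locked db: banner ok"; fi
if ! banner_ok "$DCONF_UNLOCKED"; then echo "unlocked db: banner NOT compliant"; fi
```

A grep on the key name alone also matches a commented-out or misplaced line; checking the group header avoids that, and the second database shows the lock check failing on its own even though the keyfile is identical.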
type: string operator: equals interactive: false options: dod_banners: ^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]
+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$) dod_default: You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\
s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details. dod_short: I(\\\')*(\')*ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreement. 
dss_odaa_default: "[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times.[\\s\\n]+This[\\s\\n]+is[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+and[\\s\\n]+related[\\s\\n]+equipment[\\s\\n]+are[\\s\\n]+intended[\\s\\n]+for[\\s\\n]+the[\\s\\n]+communication,[\\s\\n]+transmission,[\\s\\n]+processing,[\\s\\n]+and[\\s\\n]+storage[\\s\\n]+of[\\s\\n]+official[\\s\\n]+U.S.[\\s\\n]+Government[\\s\\n]+or[\\s\\n]+other[\\s\\n]+authorized[\\s\\n]+information[\\s\\n]+only.[\\s\\n]+All[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times[\\s\\n]+to[\\s\\n]+ensure[\\s\\n]+proper[\\s\\n]+functioning[\\s\\n]+of[\\\ 
s\\n]+equipment[\\s\\n]+and[\\s\\n]+systems[\\s\\n]+including[\\s\\n]+security[\\s\\n]+devices[\\s\\n]+and[\\s\\n]+systems,[\\s\\n]+to[\\s\\n]+prevent[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+and[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+statutes[\\s\\n]+and[\\s\\n]+security[\\s\\n]+regulations,[\\s\\n]+to[\\s\\n]+deter[\\s\\n]+criminal[\\s\\n]+activity,[\\s\\n]+and[\\s\\n]+for[\\s\\n]+other[\\s\\n]+similar[\\s\\n]+purposes.[\\s\\n]+Any[\\s\\n]+user[\\s\\n]+of[\\s\\n]+a[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+should[\\s\\n]+be[\\s\\n]+aware[\\s\\n]+that[\\s\\n]+any[\\s\\n]+information[\\s\\n]+placed[\\s\\n]+in[\\s\\n]+the[\\s\\n]+system[\\s\\n]+is[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+and[\\s\\n]+is[\\s\\n]+not[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+any[\\s\\n]+expectation[\\s\\n]+of[\\s\\n]+privacy.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\\ 
s\\n]+reveals[\\s\\n]+possible[\\s\\n]+evidence[\\s\\n]+of[\\s\\n]+violation[\\s\\n]+of[\\s\\n]+criminal[\\s\\n]+statutes,[\\s\\n]+this[\\s\\n]+evidence[\\s\\n]+and[\\s\\n]+any[\\s\\n]+other[\\s\\n]+related[\\s\\n]+information,[\\s\\n]+including[\\s\\n]+identification[\\s\\n]+information[\\s\\n]+about[\\s\\n]+the[\\s\\n]+user,[\\s\\n]+may[\\s\\n]+be[\\s\\n]+provided[\\s\\n]+to[\\s\\n]+law[\\s\\n]+enforcement[\\s\\n]+officials.[\\s\\n]+If[\\s\\n]+monitoring[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+reveals[\\s\\n]+violations[\\s\\n]+of[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+unauthorized[\\s\\n]+use,[\\s\\n]+employees[\\s\\n]+who[\\s\\n]+violate[\\s\\n]+security[\\s\\n]+regulations[\\s\\n]+or[\\s\\n]+make[\\s\\n]+unauthorized[\\s\\n]+use[\\s\\n]+of[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+systems[\\s\\n]+are[\\s\\n]+subject[\\s\\n]+to[\\s\\n]+appropriate[\\s\\n]+disciplinary[\\\ s\\n]+action.[\\s\\n]+Use[\\s\\n]+of[\\s\\n]+this[\\s\\n]+or[\\s\\n]+any[\\s\\n]+other[\\s\\n]+DoD[\\s\\n]+interest[\\s\\n]+computer[\\s\\n]+system[\\s\\n]+constitutes[\\s\\n]+consent[\\s\\n]+to[\\s\\n]+monitoring[\\s\\n]+at[\\s\\n]+all[\\s\\n]+times." 
usgcb_default: --[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/accounts-pam.group
documentation_complete: true

title: 'Protect Accounts by Configuring PAM'

description: |-
    PAM, or Pluggable Authentication Modules, is a system which implements modular authentication
    for Linux programs. PAM provides a flexible and configurable architecture for authentication,
    and it should be configured to minimize exposure to unnecessary risk. This section contains
    guidance on how to accomplish that.

    PAM is implemented as a set of shared objects which are loaded and invoked whenever an
    application wishes to authenticate a user. Typically, the application must be running as root
    in order to take advantage of PAM, because PAM's modules often need to be able to access
    sensitive stores of account information, such as /etc/shadow. Traditional privileged network
    listeners (e.g. sshd) or SUID programs (e.g. sudo) already meet this requirement. An SUID root
    application, userhelper, is provided so that programs which are not SUID or privileged
    themselves can still take advantage of PAM.

    PAM looks in the directory /etc/pam.d for application-specific configuration information.
    For instance, if the program login attempts to authenticate a user, then PAM's libraries
    follow the instructions in the file /etc/pam.d/login to determine what actions should be taken.

    One very important file in /etc/pam.d is /etc/pam.d/system-auth. This file, which is included
    by many other PAM configuration files, defines 'default' system authentication measures.
    Modifying this file is a good way to make far-reaching authentication changes, for instance
    when implementing a centralized authentication service.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/display_login_attempts.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Set Last Logon/Access Notification'

description: |-
    To configure the system to notify users of last logon/access using pam_lastlog, add or correct
    the pam_lastlog settings in /etc/pam.d/postlogin to read as follows:
    session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
    session     [default=1]   pam_lastlog.so nowtmp showfailed
    session     optional      pam_lastlog.so silent noupdate showfailed

rationale: |-
    Users need to be aware of activity that occurs regarding their account. Providing users with
    information regarding the number of unsuccessful attempts that were made to login to their
    account allows the user to determine if any unauthorized activity has occurred and gives them
    an opportunity to notify administrators.

severity: low

identifiers:
    cce@rhel7: 27275-7

references:
    cjis: 5.5.2
    disa: 366
    nist: AC-9
    pcidss: Req-10.2.4
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040530"

ocil_clause: 'that is not the case'

ocil: |-
    To ensure that last logon/access notification is configured correctly, run the following command:
    $ grep pam_lastlog.so /etc/pam.d/postlogin
    The output should show showfailed.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Limit Password Reuse'

description: |-
    Do not allow users to reuse recent passwords. This can be accomplished by using the remember
    option for the pam_unix or pam_pwhistory PAM modules.

    In the file /etc/pam.d/system-auth, append remember=
    to the line which refers to the pam_unix.so or pam_pwhistory.so module, as shown below:

    • for the pam_unix.so case:
      password sufficient pam_unix.so ...existing_options... remember=

    • for the pam_pwhistory.so case:
      password requisite pam_pwhistory.so ...existing_options... remember=

    The DoD STIG requirement is 5 passwords.

rationale: |-
    Preventing re-use of previous passwords helps ensure that a compromised password is not
    re-used by a user.

severity: medium

identifiers:
    cce@rhel7: 26923-3

references:
    cis: 5.3.3
    cjis: 5.6.2.1.1
    cui: 3.5.8
    disa: 200
    nist: IA-5(f),IA-5(1)(e)
    pcidss: Req-8.2.5
    srg: SRG-OS-000077-GPOS-00045
    stigid@rhel7: "010270"

ocil_clause: 'the value of remember is not set equal to or greater than the expected setting'

ocil: |-
    To verify the password reuse setting is compliant, run the following command:
    $ grep remember /etc/pam.d/system-auth
    The output should show the following at the end of the line:
    remember=

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Set Deny For Failed Password Attempts'

description: |-
    To configure the system to lock out accounts after a number of incorrect login attempts using
    pam_faillock.so, modify the content of both /etc/pam.d/system-auth and
    /etc/pam.d/password-auth as follows:

    • add the following line immediately before the pam_unix.so statement in the AUTH section:
      auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
    • add the following line immediately after the pam_unix.so statement in the AUTH section:
      auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
    • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
      account required pam_faillock.so

rationale: |-
    Locking out user accounts after a number of incorrect attempts prevents direct password
    guessing attacks.

severity: medium

identifiers:
    cce@rhel7: 27350-8

references:
    cis: 5.3.2
    cjis: 5.5.3
    cui: 3.1.8
    disa: 2238
    nist: AC-7(b)
    ospp@rhel7: FMT_MOF_EXT.1
    pcidss: Req-8.1.6
    srg: SRG-OS-000329-GPOS-00128,SRG-OS-000021-GPOS-00005
    stigid@rhel7: "010320"

ocil_clause: 'that is not the case'

ocil: |-
    To ensure the failed password attempt policy is configured correctly, run the following command:
    $ grep pam_faillock /etc/pam.d/system-auth
    The output should show deny=.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure the root Account for Failed Password Attempts'

description: |-
    To configure the system to lock out the root account after a number of incorrect login
    attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and
    /etc/pam.d/password-auth as follows:

    • Modify the following line in the AUTH section to add even_deny_root:
      auth required pam_faillock.so preauth silent even_deny_root deny= unlock_time= fail_interval=
    • Modify the following line in the AUTH section to add even_deny_root:
      auth [default=die] pam_faillock.so authfail even_deny_root deny= unlock_time= fail_interval=

rationale: |-
    By limiting the number of failed logon attempts, the risk of unauthorized system access via
    user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by
    locking the account.

severity: medium

identifiers:
    cce@rhel7: 80353-6

references:
    disa: 2238
    nist: AC-7(b)
    ospp@rhel7: FMT_MOF_EXT.1
    srg: SRG-OS-000329-GPOS-00128,SRG-OS-000021-GPOS-00005
    stigid@rhel7: "010330"

ocil_clause: 'that is not the case'

ocil: |-
    To ensure that even the root account is locked after a defined number of failed password
    attempts, run the following command:
    $ grep even_deny_root /etc/pam.d/system-auth
    The output should show even_deny_root.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Set Interval For Counting Failed Password Attempts'

description: |-
    Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an
    account after a number of incorrect login attempts within a specified time period. Modify the
    content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

    • Add the following line immediately before the pam_unix.so statement in the AUTH section:
      auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
    • Add the following line immediately after the pam_unix.so statement in the AUTH section:
      auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
    • Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
      account required pam_faillock.so

rationale: |-
    By limiting the number of failed logon attempts, the risk of unauthorized system access via
    user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by
    locking the account.

severity: medium

identifiers:
    cce@rhel7: 27297-1

references:
    disa: 2238
    nist: AC-7(b)
    ospp@rhel7: FMT_MOF_EXT.1
    srg: SRG-OS-000329-GPOS-00128,SRG-OS-000021-GPOS-00005
    stigid@rhel7: "010320"

ocil_clause: 'fail_interval is less than the required value'

ocil: |-
    To ensure the failed password attempt policy is configured correctly, run the following command:
    $ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
    For each file, the output should show fail_interval=<interval-in-seconds> where interval-in-seconds is
     or greater.
    If the fail_interval parameter is not set, the default setting of 900 seconds is acceptable.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Set Lockout Time For Failed Password Attempts'

description: |-
    To configure the system to lock out accounts after a number of incorrect login attempts and
    require an administrator to unlock the account using pam_faillock.so, modify the content of
    both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

    • add the following line immediately before the pam_unix.so statement in the AUTH section:
      auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
    • add the following line immediately after the pam_unix.so statement in the AUTH section:
      auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
    • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
      account required pam_faillock.so

rationale: |-
    Locking out user accounts after a number of incorrect attempts prevents direct password
    guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts
    draws appropriate attention to such situations.

severity: medium

identifiers:
    cce@rhel7: 26884-7

references:
    cis: 5.3.2
    cjis: 5.5.3
    cui: 3.1.8
    disa: "002238"
    nist: AC-7(b)
    ospp@rhel7: FMT_MOF_EXT.1
    pcidss: Req-8.1.7
    srg: SRG-OS-000329-GPOS-00128,SRG-OS-000021-GPOS-00005
    stigid@rhel7: "010320"

ocil_clause: 'unlock_time is less than the expected value'

ocil: |-
    To ensure the failed password attempt policy is configured correctly, run the following command:
    $ grep pam_faillock /etc/pam.d/system-auth
    The output should show unlock_time=<some-large-number> or never.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/locking_out_password_attempts/locking_out_password_attempts.group
documentation_complete: true

title: 'Set Lockouts for Failed Password Attempts'

description: |-
    The pam_faillock PAM module provides the capability to lock out user accounts after a number
    of failed login attempts. Its documentation is available in
    /usr/share/doc/pam-VERSION/txts/README.pam_faillock.
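The pam_lastlog, remember and pam_faillock rules above each check a single line with grep. The script below is an added example, not code from scap-security-guide or from PAM, that reads a constructed system-auth stack and checks all of those settings together: the order of the faillock preauth, pam_unix.so and authfail lines in the auth section and of the faillock account line, the even_deny_root flag on both auth lines, the deny, unlock_time and fail_interval values against thresholds the caller passes in (3, 604800 and 900 below are constructed sample values, not the profile's variables), the remember count on pam_unix.so, and showfailed on every pam_lastlog.so line. The function names and the sample stack are this example's own assumptions; on a real host the same functions would be pointed at /etc/pam.d/system-auth, /etc/pam.d/password-auth and, for pam_lastlog, /etc/pam.d/postlogin.

```shell
#!/bin/sh
# Added example (not scap-security-guide code): offline checks for the PAM
# settings described in the rules above. The stack below is constructed for the
# demo; it is not a copy of any real host's /etc/pam.d/system-auth.
SAMPLE_PAM=$(mktemp)
cat > "$SAMPLE_PAM" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent even_deny_root deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail even_deny_root deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    required      pam_deny.so

session     required      pam_limits.so
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     optional      pam_lastlog.so silent noupdate showfailed
EOF

# Print the value of OPTION from the first TYPE line in FILE that loads MODULE
# (e.g. deny from the preauth pam_faillock.so line); prints nothing if absent.
pam_option() {
    awk -v t="$2" -v m="$3" -v o="$4" '
        $1 == t && index($0, m) {
            for (i = 2; i <= NF; i++) if ($i == m) break
            for (j = i + 1; j <= NF; j++) {
                n = split($j, kv, "=")
                if (kv[1] == o) { if (n > 1) print kv[2]; exit }
            }
            exit
        }' "$1"
}

# The line layout the faillock rules require: preauth before pam_unix.so and
# authfail after it in the auth section, and a faillock line before pam_unix.so
# in the account section. Exit status 0 when all of it holds.
faillock_layout_ok() {
    awk '
        $1 == "auth" {
            n_auth++
            if (/pam_faillock\.so/ && /preauth/)  pre = n_auth
            if (/pam_unix\.so/)                   unix_auth = n_auth
            if (/pam_faillock\.so/ && /authfail/) fail = n_auth
        }
        $1 == "account" {
            n_acct++
            if (/pam_faillock\.so/)            acct = n_acct
            if (/pam_unix\.so/ && !unix_acct)  unix_acct = n_acct
        }
        END {
            ok = pre && unix_auth && fail && acct && unix_acct &&
                 pre < unix_auth && unix_auth < fail && acct < unix_acct
            exit (ok ? 0 : 1)
        }' "$1"
}

# Both faillock auth lines must carry even_deny_root for the root rule above.
faillock_even_deny_root() {
    awk '$1 == "auth" && /pam_faillock\.so/ && /even_deny_root/ { c++ }
         END { exit (c >= 2 ? 0 : 1) }' "$1"
}

# Numeric policy: deny no larger than MAX_DENY, unlock_time at least MIN_UNLOCK
# (or the literal "never"), fail_interval at least MIN_INTERVAL. A missing
# fail_interval counts as pam_faillock's default of 900 seconds, which the
# interval rule's check text accepts.
faillock_values_ok() {
    file=$1; max_deny=$2; min_unlock=$3; min_interval=$4
    deny=$(pam_option "$file" auth pam_faillock.so deny)
    unlock=$(pam_option "$file" auth pam_faillock.so unlock_time)
    interval=$(pam_option "$file" auth pam_faillock.so fail_interval)
    [ -n "$deny" ] && [ "$deny" -le "$max_deny" ] || return 1
    if [ "$unlock" != never ]; then
        [ -n "$unlock" ] && [ "$unlock" -ge "$min_unlock" ] || return 1
    fi
    [ "${interval:-900}" -ge "$min_interval" ]
}

# Every pam_lastlog.so session line must carry showfailed.
lastlog_showfailed_ok() {
    awk '$1 == "session" && /pam_lastlog\.so/ { seen++; if (!/showfailed/) bad++ }
         END { exit (seen && !bad ? 0 : 1) }' "$1"
}

# A broken variant for contrast: the authfail line is missing, so failed
# passwords are never counted although the preauth line looks right.
BROKEN_PAM=$(mktemp)
grep -v authfail "$SAMPLE_PAM" > "$BROKEN_PAM"

for f in "$SAMPLE_PAM" "$BROKEN_PAM"; do
    if faillock_layout_ok "$f" && faillock_values_ok "$f" 3 604800 900 \
       && faillock_even_deny_root "$f" \
       && [ "$(pam_option "$f" password pam_unix.so remember)" -ge 5 ] \
       && lastlog_showfailed_ok "$f"; then
        echo "$f: compliant"
    else
        echo "$f: NOT compliant"
    fi
done
```

The ordering check is the part a grep cannot express: a preauth line placed after pam_unix.so, or an authfail line that is absent, leaves the counter inert even though grep still finds deny= on the preauth line.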

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality.group
documentation_complete: true

title: 'Set Password Quality Requirements'

description: |-
    The default pam_pwquality PAM module provides strength checking for passwords. It performs a
    number of checks, such as making sure passwords are not similar to dictionary words, are of
    at least a certain length, are not the previous password reversed, and are not simply a
    change of case from the previous password. It can also require passwords to be in certain
    character classes. The pam_pwquality module is the preferred way of configuring password
    requirements.

    The pam_cracklib PAM module can also provide strength checking for passwords, as the
    pam_pwquality module does. It performs a number of checks, such as making sure passwords are
    not similar to dictionary words, are of at least a certain length, are not the previous
    password reversed, and are not simply a change of case from the previous password. It can
    also require passwords to be in certain character classes.

    The man pages pam_pwquality(8) and pam_cracklib(8) provide information on the capabilities
    and configuration of each.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Set Password Strength Minimum Digit Characters'

description: |-
    The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a
    password. When set to a negative number, any password will be required to contain that many
    digits. When set to a positive number, pam_pwquality will grant +1 additional length credit
    for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use
    of a digit in passwords.

rationale: |-
    Use of a complex password helps to increase the time and resources required to compromise the
    password. Password complexity, or strength, is a measure of the effectiveness of a password
    in resisting attempts at guessing and brute-force attacks.

    Password complexity is one factor of several that determines how long it takes to crack a
    password. The more complex the password, the greater the number of possible combinations that
    need to be tested before the password is compromised. Requiring digits makes password
    guessing attacks more difficult by ensuring a larger search space.

severity: medium

identifiers:
    cce@rhel7: 27214-6

references:
    cis: 6.3.2
    disa: 194
    nist: IA-5(1)(a),IA-5(b),IA-5(c),194
    ospp@rhel7: FMT_MOF_EXT.1
    pcidss: Req-8.2.3
    srg: SRG-OS-000071-GPOS-00039
    stigid@rhel7: "010140"

ocil_clause: 'dcredit is not found or not equal to or less than the required value'

ocil: |-
    To check how many digits are required in a password, run the following command:
    $ grep dcredit /etc/security/pwquality.conf
    The dcredit parameter (as a negative number) will indicate how many digits are required. The
    DoD requires at least one digit in a password. This would appear as dcredit = -1.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Set Password Strength Minimum Different Characters'

description: |-
    The pam_pwquality module's difok parameter sets the number of characters in a password that
    must not be present in an old password during a password change.

    Modify the difok setting in /etc/security/pwquality.conf to equal to require differing
    characters when changing passwords.

rationale: |-
    Use of a complex password helps to increase the time and resources required to compromise the
    password. Password complexity, or strength, is a measure of the effectiveness of a password
    in resisting attempts at guessing and brute-force attacks.

    Password complexity is one factor of several that determines how long it takes to crack a
    password. The more complex the password, the greater the number of possible combinations that
    need to be tested before the password is compromised.

    Requiring a minimum number of different characters during password changes ensures that newly
    changed passwords should not resemble previously compromised ones. Note that passwords which
    are changed on compromised systems will still be compromised, however.

severity: medium

identifiers:
    cce@rhel7: 26631-2

references:
    cjis: 5.6.2.1.1
    disa: 195
    nist: IA-5(b),IA-5(c),IA-5(1)(b)
    srg: SRG-OS-000072-GPOS-00040
    stigid@rhel7: "010160"

ocil_clause: 'difok is not found or not equal to or greater than the required value'

ocil: |-
    To check how many characters must differ during a password change, run the following command:
    $ grep difok /etc/security/pwquality.conf
    The difok parameter will indicate how many characters must differ.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Set Password Strength Minimum Lowercase Characters'

description: |-
    The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase
    letters in a password. When set to a negative number, any password will be required to
    contain that many lowercase characters. When set to a positive number, pam_pwquality will
    grant +1 additional length credit for each lowercase character. Modify the lcredit setting in
    /etc/security/pwquality.conf to require the use of a lowercase character in passwords.

rationale: |-
    Use of a complex password helps to increase the time and resources required to compromise the
    password. Password complexity, or strength, is a measure of the effectiveness of a password
    in resisting attempts at guessing and brute-force attacks.

    Password complexity is one factor of several that determines how long it takes to crack a
    password. The more complex the password, the greater the number of possible combinations that
    need to be tested before the password is compromised. Requiring a minimum number of lowercase
    characters makes password guessing attacks more difficult by ensuring a larger search space.

severity: medium

identifiers:
    cce@rhel7: 27345-8

references:
    disa: 193
    nist: IA-5(b),IA-5(c),IA-5(1)(a)
    ospp@rhel7: FMT_MOF_EXT.1
    pcidss: Req-8.2.3
    srg: SRG-OS-000070-GPOS-00038
    stigid@rhel7: "010130"

ocil_clause: 'lcredit is not found or not less than or equal to the required value'

ocil: |-
    To check how many lowercase characters are required in a password, run the following command:
    $ grep lcredit /etc/security/pwquality.conf
    The lcredit parameter (as a negative number) will indicate how many lowercase characters are
    required. The DoD and FISMA require at least one lowercase character in a password. This
    would appear as lcredit = -1.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Set Password to Maximum of Consecutive Repeating Characters from Same Character Class'

description: |-
    The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive
    repeating characters from the same character class. When set to a positive number, it will
    reject passwords which contain more than that number of consecutive characters from the same
    character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal
    to prevent a run of ( + 1) or more identical characters.

rationale: |-
    Use of a complex password helps to increase the time and resources required to compromise the
    password. Password complexity, or strength, is a measure of the effectiveness of a password
    in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised. severity: medium identifiers: cce@rhel7: 27512-3 references: disa: 195 nist: IA-5,IA-5(c) srg: SRG-OS-000072-GPOS-00040 stigid@rhel7: "010190" ocil_clause: 'that is not the case' ocil: |- To check the value for maximum consecutive repeating characters, run the following command:
$ grep maxclassrepeat /etc/security/pwquality.conf
For DoD systems, the output should show maxclassrepeat=4. accounts_password_pam_maxrepeat.rule000066400000000000000000000034041327242345500462230ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true prodtype: rhel7,fedora title: 'Set Password Maximum Consecutive Repeating Characters' description: "The pam_pwquality module's maxrepeat parameter controls requirements for\nconsecutive repeating characters. When set to a positive number, it will reject passwords\nwhich contain more than that number of consecutive characters. Modify the maxrepeat setting\nin /etc/security/pwquality.conf to equal to prevent a \nrun of ( + 1) or more identical characters." rationale: "Use of a complex password helps to increase the time and resources required to compromise the password. \nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at \nguessing and brute-force attacks.\n

\nPassword complexity is one factor of several that determines how long it takes to crack a password. The more\ncomplex the password, the greater the number of possible combinations that need to be tested before the\npassword is compromised.\n

\nPasswords with excessive repeating characters may be more vulnerable to password-guessing attacks." severity: medium identifiers: cce@rhel7: 27333-4 references: disa: 195 nist: IA-5,IA-5(c) srg: SRG-OS-000072-GPOS-00040 stigid@rhel7: "010180" ocil_clause: 'maxrepeat is not found or not greater than or equal to the required value' ocil: |- To check the maximum value for consecutive repeating characters, run the following command:
$ grep maxrepeat /etc/security/pwquality.conf
Look for the value of the maxrepeat parameter. The DoD requirement is 2, which would appear as maxrepeat=2. accounts_password_pam_minclass.rule000066400000000000000000000043671327242345500460570ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true prodtype: rhel7,fedora title: 'Set Password Strength Minimum Different Categories' description: "The pam_pwquality module's minclass parameter controls\nrequirements for usage of different character classes, or types, of character\nthat must exist in a password before it is considered valid. For example,\nsetting this value to three (3) requires that any password must have characters\nfrom at least three different categories in order to be approved. The default\nvalue is zero (0), meaning there are no required classes. There are four\ncategories available:\n
\n* Upper-case characters\n* Lower-case characters\n* Digits\n* Special characters (for example, punctuation)\n
\nModify the minclass setting in /etc/security/pwquality.conf entry to require \ndiffering categories of characters when changing passwords." rationale: "Use of a complex password helps to increase the time and resources required to compromise the password.\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts \nat guessing and brute-force attacks.\n

\nPassword complexity is one factor of several that determines how long it takes to crack a password. The\nmore complex the password, the greater the number of possible combinations that need to be tested before\nthe password is compromised.\n

\nRequiring a minimum number of character categories makes password guessing attacks more difficult \nby ensuring a larger search space." severity: medium identifiers: cce@rhel7: CCE-27115-5 references: disa: 195 nist: IA-5 srg: SRG-OS-000072-GPOS-00040 stigid@rhel7: "010170" ocil_clause: 'minclass is not found or not set equal to or greater than the required value' ocil: |- To check how many categories of characters must be used in password during a password change, run the following command:
$ grep minclass /etc/security/pwquality.conf
The minclass parameter will indicate how many character classes must be used. If the requirement was for the password to contain characters from three different categories, then this would appear as minclass = 3. accounts_password_pam_minlen.rule000066400000000000000000000027401327242345500455210ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true prodtype: rhel7,fedora title: 'Set Password Minimum Length' description: |- The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements. rationale: "The shorter the password, the lower the number of possible combinations\nthat need to be tested before the password is compromised.\n
\nPassword complexity, or strength, is a measure of the effectiveness of a \npassword in resisting attempts at guessing and brute-force attacks. \nPassword length is one factor of several that helps to determine strength\nand how long it takes to crack a password. Use of more characters in a password\nhelps to exponentially increase the time and/or resources required to \ncompromose the password." severity: medium identifiers: cce@rhel7: 27293-0 references: cis: 6.3.2 cjis: 5.6.2.1.1 disa: 205 nist: IA-5(1)(a) ospp@rhel7: FMT_MOF_EXT.1 pcidss: Req-8.2.3 srg: SRG-OS-000078-GPOS-00046 stigid@rhel7: "010280" ocil_clause: 'minlen is not found, or not equal to or greater than the required value' ocil: |- To check how many characters are required in a password, run the following command:
$ grep minlen /etc/security/pwquality.conf
Your output should contain minlen = accounts_password_pam_ocredit.rule000066400000000000000000000037421327242345500456730ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true prodtype: rhel7,fedora title: 'Set Password Strength Minimum Special Characters' description: "The pam_pwquality module's ocredit= parameter controls requirements for\nusage of special (or \"other\") characters in a password. When set to a negative number, any password will be\nrequired to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 \nadditional length credit for each special character. Modify the ocredit setting in \n/etc/security/pwquality.conf to equal to require use of a special character in passwords." rationale: "Use of a complex password helps to increase the time and resources required\nto compromise the password. Password complexity, or strength, is a measure of\nthe effectiveness of a password in resisting attempts at guessing and brute-force\nattacks. \n

\nPassword complexity is one factor of several that determines how long it takes\nto crack a password. The more complex the password, the greater the number of \npossble combinations that need to be tested before the password is compromised.\nRequiring a minimum number of special characters makes password guessing attacks\nmore difficult by ensuring a larger search space." severity: medium identifiers: cce@rhel7: 27360-7 references: disa: 1619 nist: IA-5(b),IA-5(c),IA-5(1)(a) ospp@rhel7: FMT_MOF_EXT.1 srg: SRG-OS-000266-GPOS-00101 stigid@rhel7: "010150" ocil_clause: 'ocredit is not found or not equal to or less than the required value' ocil: |- To check how many special characters are required in a password, run the following command:
$ grep ocredit /etc/security/pwquality.conf
The ocredit parameter (as a negative number) will indicate how many special characters are required. The DoD and FISMA require at least one special character in a password. This would appear as ocredit = -1. accounts_password_pam_retry.rule000066400000000000000000000027311327242345500454040ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true prodtype: rhel7,fedora title: 'Set Password Retry Prompts Permitted Per-Session' description: "To configure the number of retry prompts that are permitted per-session:\n

\nEdit the pam_pwquality.so statement in /etc/pam.d/system-auth to \nshow retry=, or a lower value if site policy is more restrictive.\n

\nThe DoD requirement is a maximum of 3 prompts per session." rationale: |- Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. severity: unknown identifiers: cce@rhel7: 27160-1 references: cis: 6.3.2 cjis: 5.5.3 disa: 366 nist: CM-6(b),IA-5(c) ospp@rhel7: FMT_MOF_EXT.1 srg: SRG-OS-000480-GPOS-00225 stigid@rhel7: "010119" ocil_clause: 'it is not the required value' ocil: |- To check how many retry attempts are permitted on a per-session basis, run the following command:
$ grep pam_pwquality /etc/pam.d/system-auth
The retry parameter will indicate how many attempts are permitted. The DoD required value is less than or equal to 3. This would appear as retry=3, or a lower value. accounts_password_pam_ucredit.rule000066400000000000000000000035701327242345500457000ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true prodtype: rhel7,fedora title: 'Set Password Strength Minimum Uppercase Characters' description: |- The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords. rationale: |- Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. severity: medium identifiers: cce@rhel7: 27200-5 references: cis: 6.3.2 disa: 192 nist: IA-5(b),IA-5(c),IA-5(1)(a) ospp@rhel7: FMT_MOF_EXT.1 pcidss: Req-8.2.3 srg: SRG-OS-000069-GPOS-00037 stigid@rhel7: "010120" ocil_clause: 'ucredit is not found or not set less than or equal to the required value' ocil: |- To check how many uppercase characters are required in a password, run the following command:
$ grep ucredit /etc/security/pwquality.conf
The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. The DoD and FISMA require at least one uppercase character in a password. This would appear as ucredit = -1. password_quality_pwquality.group000066400000000000000000000020571327242345500455000ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true title: 'Set Password Quality Requirements with pam_pwquality' description: |- The pam_pwquality PAM module can be configured to meet requirements for a variety of policies.

For example, to configure pam_pwquality to require at least one uppercase character, lowercase character, digit, and other (special) character, make sure that pam_pwquality exists in /etc/pam.d/system-auth:
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth. Next, modify the settings in /etc/security/pwquality.conf to match the following:
difok = 4
    minlen = 14
    dcredit = -1
    ucredit = -1
    lcredit = -1
    ocredit = -1
    maxrepeat = 3
The arguments can be modified to ensure compliance with your organization's security policy. Discussion of each parameter follows. var_accounts_passwords_pam_faillock_deny.var000066400000000000000000000003511327242345500477120ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true title: fail_deny description: 'Number of failed login attempts before account lockout' type: number operator: equals interactive: false options: 10: 10 3: 3 5: 5 6: 6 default: 3 var_accounts_passwords_pam_faillock_fail_interval.var000066400000000000000000000004521327242345500515740ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true title: fail_interval description: 'Interval for counting failed login attempts before account lockout' type: number operator: equals interactive: false options: 100000000: 100000000 1800: 1800 3600: 3600 86400: 86400 900: 900 default: 900 var_accounts_passwords_pam_faillock_unlock_time.var000066400000000000000000000005341327242345500512670ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true title: fail_unlock_time description: 'Seconds before automatic unlocking or permanently locking after excessive failed logins' type: string operator: equals interactive: false options: 1800: 1800 3600: 3600 600: 600 604800: 604800 86400: 86400 900: 900 default: never never: never var_password_pam_dcredit.var000066400000000000000000000003211327242345500444400ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true title: dcredit description: 'Minimum number of digits in password' type: number operator: equals interactive: 
false options: "0": "0" 1: -1 2: -2 default: -1 var_password_pam_difok.var000066400000000000000000000004241327242345500441220ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true title: difok description: |- Minimum number of characters not present in old password type: number operator: equals interactive: false options: 15: 15 2: 2 3: 3 4: 4 5: 5 6: 6 7: 7 8: 8 default: 8 var_password_pam_lcredit.var000066400000000000000000000003251327242345500444540ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true title: lcredit description: 'Minimum number of lower case in password' type: number operator: equals interactive: false options: "0": "0" 1: -1 2: -2 default: -1 var_password_pam_maxclassrepeat.var000066400000000000000000000004241327242345500460420ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true title: maxclassrepeat description: 'Maximum Number of Consecutive Repeating Characters in a Password From the Same Character Class' type: number operator: equals interactive: false options: 1: 1 2: 2 3: 3 4: 4 default: 4 var_password_pam_maxrepeat.var000066400000000000000000000003501327242345500450120ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwqualitydocumentation_complete: true title: maxrepeat description: 'Maximum Number of Consecutive Repeating Characters in a Password' type: number operator: equals interactive: false options: 1: 1 2: 2 3: 3 default: 3 
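The pam_pwquality rules above all check /etc/security/pwquality.conf with `grep`, which also matches commented-out lines and ignores that a later assignment overrides an earlier one. The following added example (not scap-security-guide code) parses the file the way pam_pwquality reads it and compares each setting against the required values taken from the var_password_pam_*.var defaults above; the sample configuration is constructed, and the comparison directions are the ones the rules' ocil clauses state.

```python
"""Audit /etc/security/pwquality.conf against the pam_pwquality rules above.

Added example, not part of scap-security-guide. Parses the file as
pam_pwquality does: one 'key = value' per line, lines starting with '#'
are comments, and the last assignment of a key wins.
"""
import re
from typing import Dict, Optional

# Constructed sample, modelled on the pwquality.conf example in the
# password_quality_pwquality group text, with a few deliberate deviations.
SAMPLE_PWQUALITY_CONF = """\
# Configuration for systemwide password quality limits
difok = 4
minlen = 14
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 3
maxclassrepeat = 4
# a later assignment overrides an earlier one
ocredit = 0
# minlen = 15   (commented out: a plain grep would still match this line)
enforce_for_root
dictpath = /usr/share/cracklib/pw_dict
"""

# Required values: the defaults of the var_password_pam_*.var files above.
# The first tuple field says which side of the required value is compliant:
#   "min"         value must be >= required (minlen, minclass, difok)
#   "max"         value must be <= required (credits: -2 is stricter than -1)
#   "max_nonzero" value must be 1..required (maxrepeat, maxclassrepeat:
#                 pam_pwquality disables the check entirely when the value is 0)
POLICY: Dict[str, tuple] = {
    "dcredit": ("max", -1),
    "ucredit": ("max", -1),
    "lcredit": ("max", -1),
    "ocredit": ("max", -1),
    "minlen": ("min", 15),
    "minclass": ("min", 3),
    "difok": ("min", 8),
    "maxrepeat": ("max_nonzero", 3),
    "maxclassrepeat": ("max_nonzero", 4),
}

_SETTING = re.compile(r"^([A-Za-z_]+)\s*(?:=\s*(.*?))?$")


def parse_pwquality(text: str) -> Dict[str, Optional[str]]:
    """Map each setting to its raw value; a bare flag such as
    enforce_for_root maps to None. Later lines override earlier ones."""
    settings: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _SETTING.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_policy(settings: Dict[str, Optional[str]],
                 policy: Dict[str, tuple] = POLICY) -> Dict[str, str]:
    """Return {setting: reason} for every policy entry the file does not meet."""
    failures: Dict[str, str] = {}
    for key, (direction, required) in policy.items():
        raw = settings.get(key)
        if raw is None:
            failures[key] = "not set"
            continue
        try:
            value = int(raw)
        except ValueError:
            failures[key] = f"non-numeric value {raw!r}"
            continue
        if direction == "min" and value < required:
            failures[key] = f"{value} is below the required minimum {required}"
        elif direction == "max" and value > required:
            failures[key] = f"{value} is weaker than the required {required}"
        elif direction == "max_nonzero" and not 0 < value <= required:
            failures[key] = f"{value} disables the check or exceeds the required {required}"
    return failures


def audit_file(path: str = "/etc/security/pwquality.conf") -> Dict[str, str]:
    """Audit a real pwquality.conf on the current host."""
    with open(path, encoding="utf-8") as fh:
        return check_policy(parse_pwquality(fh.read()))


if __name__ == "__main__":
    for key, reason in sorted(check_policy(parse_pwquality(SAMPLE_PWQUALITY_CONF)).items()):
        print(f"FAIL {key}: {reason}")
```

On the constructed sample this reports difok, minlen, ocredit (overridden to 0 further down) and the absent minclass; the commented-out `minlen = 15` is correctly ignored.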
# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minclass.var
documentation_complete: true
title: minclass
description: 'Minimum number of categories of characters that must exist in a password'
type: number
operator: equals
interactive: false
options:
    1: 1
    2: 2
    3: 3
    4: 4
    default: 3

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
documentation_complete: true
title: minlen
description: 'Minimum number of characters in password'
type: number
operator: equals
interactive: false
options:
    10: 10
    12: 12
    14: 14
    15: 15
    6: 6
    7: 7
    8: 8
    default: 15

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_ocredit.var
documentation_complete: true
title: ocredit
description: |-
    Minimum number of other (special characters) in password
type: number
operator: equals
interactive: false
options:
    "0": "0"
    1: -1
    2: -2
    default: -1

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_retry.var
documentation_complete: true
title: retry
description: 'Number of retry attempts before erroring out'
type: number
operator: equals
interactive: false
options:
    1: 1
    2: 2
    3: 3
    4: 4
    5: 5
    default: 3

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_ucredit.var
documentation_complete: true
title: ucredit
description: 'Minimum number of upper case in password'
type: number
operator: equals
interactive: false
options:
    "0": "0"
    1: -1
    2: -2
    default: -1

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm.group
documentation_complete: true
title: 'Set Password Hashing Algorithm'
description: |-
    The system's default algorithm for storing password hashes in /etc/shadow is SHA-512.
    This can be configured in several locations.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Set Password Hashing Algorithm in /etc/libuser.conf'
description: |-
    In /etc/libuser.conf, add or correct the following line in its
    [defaults] section to ensure the system will use the SHA-512
    algorithm for password hashing:
    crypt_style = sha512
rationale: |-
    Passwords need to be protected at all times, and encryption is the standard method for protecting
    passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily
    compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they
    are kept in plain text.

    This setting ensures user and group account administration utilities are configured to store only
    encrypted representations of passwords. Additionally, the crypt_style configuration option
    ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
severity: medium
identifiers:
    cce@rhel7: 27053-8
references:
    cjis: 5.6.2.2
    cui: 3.13.11
    disa: 196
    nist: IA-5(b),IA-5(c),IA-5(1)(c),IA-7
    pcidss: Req-8.2.1
    srg: SRG-OS-000073-GPOS-00041
    stigid@rhel7: "010220"
ocil_clause: 'it does not'
ocil: |-
    Inspect /etc/libuser.conf and ensure the following line appears in the [default] section:
    crypt_style = sha512

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Set Password Hashing Algorithm in /etc/login.defs'
description: |-
    In /etc/login.defs, add or correct the following line to ensure
    the system will use SHA-512 as the hashing algorithm:
    ENCRYPT_METHOD SHA512
rationale: |-
    Passwords need to be protected at all times, and encryption is the standard method for protecting
    passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily
    compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they
    are kept in plain text.

    Using a stronger hashing algorithm makes password cracking attacks more difficult.
severity: medium
identifiers:
    cce@rhel7: 27124-7
references:
    cis: 6.3.1
    cjis: 5.6.2.2
    cui: 3.13.11
    disa: 196
    nist: IA-5(b),IA-5(c),IA-5(1)(c),IA-7
    pcidss: Req-8.2.1
    srg: SRG-OS-000073-GPOS-00041
    stigid@rhel7: "010210"
ocil_clause: 'it does not'
ocil: |-
    Inspect /etc/login.defs and ensure the following line appears:
    ENCRYPT_METHOD SHA512

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Set PAM''s Password Hashing Algorithm'
description: |-
    The PAM system service can be configured to only store encrypted representations of passwords.
    In /etc/pam.d/system-auth, the password section of the file controls
    which PAM modules execute during a password change. Set the pam_unix.so
    module in the password section to include the argument sha512, as shown below:

    password    sufficient    pam_unix.so sha512 other arguments...

    This will help ensure when local users change their passwords, hashes for the new
    passwords will be generated using the SHA-512 algorithm. This is the default.
rationale: |-
    Passwords need to be protected at all times, and encryption is the standard method for protecting
    passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily
    compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they
    are kept in plain text.

    This setting ensures user and group account administration utilities are configured to store only
    encrypted representations of passwords. Additionally, the crypt_style configuration option
    ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
severity: medium
identifiers:
    cce@rhel7: 27104-9
references:
    cis: 6.3.1
    cjis: 5.6.2.2
    cui: 3.13.11
    disa: 196
    nist: IA-5(b),IA-5(c),IA-5(1)(c),IA-7
    pcidss: Req-8.2.1
    srg: SRG-OS-000073-GPOS-00041
    stigid@rhel7: "010200"
ocil_clause: 'it does not'
ocil: |-
    Inspect the password section of /etc/pam.d/system-auth and ensure that the
    pam_unix.so module includes the argument sha512:
    $ grep sha512 /etc/pam.d/system-auth
# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
documentation_complete: true
title: remember
description: |-
    The last n passwords for each user are saved in /etc/security/opasswd in order to
    force password change history and keep the user from alternating between the same
    password too frequently.
type: number
operator: equals
interactive: false
options:
    "0": "0"
    10: 10
    24: 24
    4: 4
    5: 5
    default: 5

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/accounts-physical.group
documentation_complete: true
title: 'Protect Physical Console Access'
description: |-
    It is impossible to fully protect a system from an attacker with physical access, so securing
    the space in which the system is located should be considered a necessary step. However, there
    are some steps which, if taken, make it more difficult for an attacker to quickly or undetectably
    modify a system from its console.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/bootloader/bootloader.group
documentation_complete: true
title: 'Set Boot Loader Password'
description: |-
    During the boot process, the boot loader is responsible for starting the execution of the kernel
    and passing options to it. The boot loader allows for the selection of different kernels -
    possibly on different partitions or media.
    The default Red Hat Enterprise Linux boot loader for x86 systems is called GRUB2. Options it can
    pass to the kernel include single-user mode, which provides root access without any authentication,
    and the ability to disable SELinux. To prevent local users from modifying the boot parameters and
    endangering security, protect the boot loader configuration with a password and ensure its
    configuration file's permissions are set properly.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/bootloader/bootloader_no_removeable_media.rule
documentation_complete: true
prodtype: rhel7
title: 'Boot Loader Is Not Installed On Removable Media'
description: |-
    The system must not allow removable media to be used as the boot loader.
    Remove alternate methods of booting the system from removable media.
    usb0, cd, fd0, etc. are some examples of removable media which should not exist in the line:
    set root='hd0,msdos1'
rationale: |-
    Malicious users with removable boot media can gain access to a system configured to use
    removable media as the boot loader.
severity: medium
identifiers:
    cce: 80517-6
references:
    disa: 1814
    nist: ""
    srg: SRG-OS-000364-GPOS-00151
    stigid: "021700"
ocil_clause: 'it is not'
ocil: |-
    To verify the system is not configured to use a boot loader on removable media, run the following command:
    $ sudo grep "set root='hd0" /boot/grub2/grub.cfg
    The output should return something similar to:
    set root='hd0,msdos1'
    usb0, cd, fd0, etc. are some examples of removable media which should not exist in the line:
    set root='hd0,msdos1'
# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/bootloader/bootloader_password.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Set Boot Loader Password'
description: |-
    The grub2 boot loader should have a superuser account and password
    protection enabled to protect boot-time settings.

    To do so, select a superuser account name and password and modify the
    /etc/grub.d/01_users configuration file with the new account name.

    Since plaintext passwords are a security risk, generate a hash for the password
    by running the following command:
    $ grub2-setpassword
    When prompted, enter the password that was selected.

    NOTE: It is recommended not to use common administrator account names like root,
    admin, or administrator for the grub2 superuser account.

    Change the superuser to a different username (The default is 'root').
    $ sed -i s/root/bootuser/g /etc/grub.d/01_users

    To meet FISMA Moderate, the bootloader superuser account and password MUST
    differ from the root account and password.
    Once the superuser account and password have been added, update the
    grub.cfg file by running:
    grub2-mkconfig -o /boot/grub2/grub.cfg
    NOTE: Do NOT manually add the superuser account and password to the
    grub.cfg file as the grub2-mkconfig command overwrites this file.
rationale: |-
    Password protection on the boot loader configuration ensures users with physical access
    cannot trivially alter important bootloader settings. These include which kernel to use,
    and whether to enter single-user mode. For more information on how to configure the grub2
    superuser account and password, please refer to
      • .
severity: high
identifiers:
    cce@rhel7: 27309-4
references:
    cis: 1.4.2
    cui: 3.4.5
    disa: 213
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    nist: IA-2(1),IA-5(e),AC-3
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000080-GPOS-00048
    stigid@rhel7: "010480"
ocil_clause: 'it does not'
ocil: |-
    To verify the boot loader superuser account has been set, run the following command:
    sudo grep -A1 "superusers\|password" /etc/grub2.cfg
    The output should show the following:
    set superusers="superusers-account"
    export superusers
    password_pbkdf2 superusers-account ${GRUB2_PASSWORD}
    To verify the boot loader superuser account password has been set, and the password encrypted,
    run the following command:
    sudo cat /boot/grub2/user.cfg
    The output should be similar to:
    GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
    2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
    916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
    0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
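The ocil above asks the reviewer to eyeball grub.cfg and user.cfg. The following added example (not scap-security-guide code) performs those checks on the file contents: a `set superusers=` line, a `password_pbkdf2` entry for each listed account, no plaintext `password` entry, a superuser name that is not one of the common administrator names the rule warns against, and a GRUB2_PASSWORD in `grub.pbkdf2.sha512` form. The account name `bootuser`, the shortened hash and the 10000-iteration floor (the count in the rule's example output) are constructed assumptions.

```python
"""Check grub2 password protection as the bootloader_password rule describes.

Added example, not part of scap-security-guide. Works on the text of the
two files so it can run against copies taken from any host.
"""
import re
from typing import List

# Constructed grub.cfg fragment shaped like the ocil's expected output.
SAMPLE_GRUB_CFG = """\
set superusers="bootuser"
export superusers
password_pbkdf2 bootuser ${GRUB2_PASSWORD}
"""

# Constructed user.cfg; the hex fields are shortened placeholders, a real
# grub2-setpassword hash is far longer.
SAMPLE_USER_CFG = "GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E8.1302284FCCC52CD7\n"

# Constructed counter-example: default account name, plaintext password.
BAD_GRUB_CFG = """\
set superusers="root"
export superusers
password root changeme
"""
BAD_USER_CFG = "GRUB2_PASSWORD=changeme\n"

# Names the rule recommends against for the grub2 superuser account.
COMMON_ADMIN_NAMES = {"root", "admin", "administrator"}
MIN_PBKDF2_ITERATIONS = 10000  # assumed floor; matches the rule's example hash

_SUPERUSERS = re.compile(r'^\s*set\s+superusers="([^"]*)"', re.M)
_EXPORT = re.compile(r"^\s*export\s+superusers\s*$", re.M)
_PBKDF2_VALUE = re.compile(
    r"^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.(\d+)\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$", re.M)


def check_grub_password(grub_cfg: str, user_cfg: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    match = _SUPERUSERS.search(grub_cfg)
    if not match or not match.group(1).strip():
        findings.append("grub.cfg: no 'set superusers=' line, boot menu is unprotected")
        return findings
    if not _EXPORT.search(grub_cfg):
        findings.append("grub.cfg: 'export superusers' line is missing")
    # grub accepts several superuser names separated by spaces, commas or semicolons
    for account in re.split(r"[ ,;]+", match.group(1).strip()):
        if account.lower() in COMMON_ADMIN_NAMES:
            findings.append(f"grub.cfg: superuser '{account}' is a common administrator name")
        if not re.search(rf"^\s*password_pbkdf2\s+{re.escape(account)}\s+\S+", grub_cfg, re.M):
            findings.append(f"grub.cfg: no password_pbkdf2 entry for superuser '{account}'")
        # a bare 'password <user> <secret>' line stores the secret unhashed
        if re.search(rf"^\s*password\s+{re.escape(account)}\s+\S+", grub_cfg, re.M):
            findings.append(f"grub.cfg: superuser '{account}' has a plaintext 'password' entry")
    hashed = _PBKDF2_VALUE.search(user_cfg)
    if not hashed:
        findings.append("user.cfg: GRUB2_PASSWORD missing or not a grub.pbkdf2.sha512 hash")
    elif int(hashed.group(1)) < MIN_PBKDF2_ITERATIONS:
        findings.append(f"user.cfg: only {hashed.group(1)} PBKDF2 iterations")
    return findings


def audit_files(grub_cfg_path: str = "/etc/grub2.cfg",
                user_cfg_path: str = "/boot/grub2/user.cfg") -> List[str]:
    """Audit the real files on the current host (needs root to read user.cfg)."""
    with open(grub_cfg_path, encoding="utf-8") as g, open(user_cfg_path, encoding="utf-8") as u:
        return check_grub_password(g.read(), u.read())


if __name__ == "__main__":
    for label, cfg, usr in (("sample", SAMPLE_GRUB_CFG, SAMPLE_USER_CFG),
                            ("bad", BAD_GRUB_CFG, BAD_USER_CFG)):
        result = check_grub_password(cfg, usr)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```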
# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/bootloader/bootloader_uefi_no_removeable_media.rule
documentation_complete: true
prodtype: rhel7
title: 'UEFI Boot Loader Is Not Installed On Removable Media'
description: |-
    The system must not allow removable media to be used as the boot loader.
    Remove alternate methods of booting the system from removable media.
    usb0, cd, fd0, etc. are some examples of removable media which should not exist in the line:
    set root='hd0,msdos1'
rationale: |-
    Malicious users with removable boot media can gain access to a system configured to use
    removable media as the boot loader.
severity: medium
identifiers:
    cce: 80518-4
references:
    disa: 1814
    nist: ""
    srg: SRG-OS-000364-GPOS-00151
    stigid: ""
ocil_clause: 'it is not'
ocil: |-
    To verify the system is not configured to use a boot loader on removable media, run the following command:
    $ sudo grep "set root='hd0" /boot/efi/EFI/redhat/grub.cfg
    The output should return something similar to:
    set root='hd0,msdos1'
    usb0, cd, fd0, etc. are some examples of removable media which should not exist in the line:
    set root='hd0,msdos1'
# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/bootloader/bootloader_uefi_password.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Set the UEFI Boot Loader Password'
description: |-
    The grub2 boot loader should have a superuser account and password
    protection enabled to protect boot-time settings.

    To do so, select a superuser account name and password and modify the
    /etc/grub.d/01_users configuration file with the new account name.

    Since plaintext passwords are a security risk, generate a hash for the password
    by running the following command:
    $ grub2-setpassword
    When prompted, enter the password that was selected.

    NOTE: It is recommended not to use common administrator account names like root,
    admin, or administrator for the grub2 superuser account.

    Change the superuser to a different username (The default is 'root').
    $ sed -i s/root/bootuser/g /etc/grub.d/01_users

    To meet FISMA Moderate, the bootloader superuser account and password MUST
    differ from the root account and password.
    Once the superuser account and password have been added, update the
    grub.cfg file by running:
    grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
    NOTE: Do NOT manually add the superuser account and password to the
    grub.cfg file as the grub2-mkconfig command overwrites this file.
rationale: |-
    Password protection on the boot loader configuration ensures users with physical access
    cannot trivially alter important bootloader settings. These include which kernel to use,
    and whether to enter single-user mode. For more information on how to configure the grub2
    superuser account and password, please refer to
      • .
severity: medium
identifiers:
    cce@rhel7: 80354-4
references:
    cis: 1.4.2
    cui: 3.4.5
    disa: 213
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    nist: AC-3
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000080-GPOS-00048
    stigid@rhel7: "010490"
ocil_clause: 'it does not'
ocil: |-
    To verify the boot loader superuser account has been set, run the following command:
    sudo grep -A1 "superusers\|password" /etc/grub2-efi.cfg
    The output should show the following:
    set superusers="superusers-account"
    export superusers
    password_pbkdf2 superusers-account ${GRUB2_PASSWORD}
To verify the boot loader superuser account password has been set, and the password encrypted, run the following command:
sudo cat /boot/efi/EFI/redhat/user.cfg
The output should be similar to:
GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
    2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
    916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
    0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
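The two bootloader password rules above verify user.cfg and grub.cfg by eye; the following Python audit, an added example that is not part of scap-security-guide, applies the same checks structurally (PBKDF2-SHA512 hash present with an adequate iteration count, superuser defined with password_pbkdf2 and not named root/admin/administrator). Function names and both sample configurations are constructed; the 01_users stanza follows the shape grub2-mkconfig emits but is not copied from a real system.

```python
"""Audit the grub2 superuser/password rules (bootloader_password and
bootloader_uefi_password) against user.cfg and grub.cfg contents.

Added example, not part of scap-security-guide. Function names and the
sample configuration text are constructed for illustration."""
import re
import sys
from dataclasses import dataclass

# What grub2-setpassword writes: GRUB2_PASSWORD=grub.pbkdf2.sha512.<iterations>.<salt>.<digest>
_PBKDF2_RE = re.compile(
    r"^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\."
    r"(?P<iters>\d+)\.(?P<salt>[0-9A-Fa-f]+)\.(?P<digest>[0-9A-Fa-f]+)$"
)
COMMON_ADMIN_NAMES = ("root", "admin", "administrator")  # discouraged by the rule text


@dataclass
class Finding:
    ok: bool
    detail: str


def _join_wrapped(text: str) -> list:
    """Rejoin a hash that was wrapped over several lines (as in the guide's output sample)."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if "=" in s or not entries:
            entries.append(s)
        else:
            entries[-1] += s          # continuation of the previous assignment
    return entries


def check_user_cfg(text: str, min_iterations: int = 10000) -> Finding:
    """user.cfg must hold a PBKDF2-SHA512 hash, never a plaintext password."""
    for entry in _join_wrapped(text):
        if not entry.startswith("GRUB2_PASSWORD="):
            continue
        m = _PBKDF2_RE.match(entry)
        if m is None:
            return Finding(False, "GRUB2_PASSWORD is not a grub.pbkdf2.sha512 hash (plaintext?)")
        iters = int(m.group("iters"))
        if iters < min_iterations:
            return Finding(False, f"PBKDF2 iteration count {iters} is below {min_iterations}")
        if len(m.group("digest")) != 128:  # SHA-512 digest = 64 bytes = 128 hex chars
            return Finding(False, "digest is not SHA-512 sized")
        return Finding(True, f"PBKDF2-SHA512 hash with {iters} iterations")
    return Finding(False, "no GRUB2_PASSWORD entry found")


def check_superuser(grub_cfg: str) -> Finding:
    """grub.cfg must name a superuser and protect it with password_pbkdf2, not 'password'."""
    su = re.search(r'^\s*set superusers=["\']?([^"\'\s]+)', grub_cfg, re.M)
    if su is None:
        return Finding(False, "no 'set superusers' directive")
    name = su.group(1)
    if name in COMMON_ADMIN_NAMES:
        return Finding(False, f"superuser {name!r} is a common administrator account name")
    if re.search(rf"^\s*password\s+{re.escape(name)}\b", grub_cfg, re.M):
        return Finding(False, f"plaintext 'password' directive present for {name}")
    if re.search(rf"^\s*password_pbkdf2\s+{re.escape(name)}\s+\S", grub_cfg, re.M) is None:
        return Finding(False, f"no password_pbkdf2 directive for {name}")
    return Finding(True, f"superuser {name} protected by password_pbkdf2")


def audit(user_cfg: str, grub_cfg: str) -> bool:
    """True only when both files pass; prints each finding."""
    findings = [check_user_cfg(user_cfg), check_superuser(grub_cfg)]
    for f in findings:
        print("PASS" if f.ok else "FAIL", f.detail)
    return all(f.ok for f in findings)


# Constructed sample (not a real hash): 64-byte salt and SHA-512 digest in hex,
# wrapped over three lines the way the guide prints the output.
SAMPLE_USER_CFG = (
    "GRUB2_PASSWORD=grub.pbkdf2.sha512.10000." + "A" * 40 + "\n"
    + "    " + "A" * 88 + "." + "B" * 40 + "\n"
    + "    " + "B" * 88 + "\n"
)
# Constructed stanza in the shape /etc/grub.d/01_users produces for a superuser "bootuser".
SAMPLE_GRUB_CFG = """\
### BEGIN /etc/grub.d/01_users ###
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n "${GRUB2_PASSWORD}" ]; then
    set superusers="bootuser"
    export superusers
    password_pbkdf2 bootuser ${GRUB2_PASSWORD}
  fi
fi
### END /etc/grub.d/01_users ###
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. /boot/efi/EFI/redhat/user.cfg /boot/efi/EFI/redhat/grub.cfg
        user_cfg, grub_cfg = (open(p).read() for p in sys.argv[1:3])
    else:
        user_cfg, grub_cfg = SAMPLE_USER_CFG, SAMPLE_GRUB_CFG
    sys.exit(0 if audit(user_cfg, grub_cfg) else 1)
```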
scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/bootloader/file_group_owner_efi_grub2_cfg.rule
documentation_complete: true

prodtype: rhel7

title: 'Verify /boot/efi/EFI/redhat/grub.cfg Group Ownership'

description: |-
    The file /boot/efi/EFI/redhat/grub.cfg should be group-owned by the root
    group to prevent destruction or modification of the file.

rationale: |-
    The root group is a highly-privileged group. Furthermore, the group-owner of this
    file should not have any access privileges anyway.

severity: medium

identifiers:
    cce@rhel7: TBD

references:
    cis: 1.4.1
    cjis: 5.5.2.2
    cui: 3.4.5
    disa: 225
    nist: AC-6(7)
    pcidss: Req-7.1

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/bootloader/file_group_owner_grub2_cfg.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Verify /boot/grub2/grub.cfg Group Ownership'

description: |-
    The file /boot/grub2/grub.cfg should be group-owned by the root group
    to prevent destruction or modification of the file.

rationale: |-
    The root group is a highly-privileged group. Furthermore, the group-owner of this
    file should not have any access privileges anyway.

severity: medium

identifiers:
    cce@rhel7: 26812-8

references:
    cis: 1.4.1
    cjis: 5.5.2.2
    cui: 3.4.5
    disa: 225
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    nist: AC-6(7)
    pcidss: Req-7.1

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/bootloader/file_permissions_efi_grub2_cfg.rule
documentation_complete: true

prodtype: rhel7

title: 'Verify /boot/efi/EFI/redhat/grub.cfg Permissions'

description: |-
    File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 600.

rationale: |-
    Proper permissions ensure that only the root user can modify important boot
    parameters.

severity: medium

identifiers:
    cce@rhel7: TBD

references:
    cis: 1.4.1
    cui: 3.4.5
    disa: 225
    nist: AC-6(7)

ocil_clause: 'it does not'

ocil: |-
    To check the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command:
        $ sudo ls -lL /boot/efi/EFI/redhat/grub.cfg
    If properly configured, the output should indicate the following
    permissions: -rwx------

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/bootloader/file_permissions_grub2_cfg.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Verify /boot/grub2/grub.cfg Permissions'

description: |-
    File permissions for /boot/grub2/grub.cfg should be set to 600.

rationale: |-
    Proper permissions ensure that only the root user can modify important boot
    parameters.

severity: medium

identifiers:
    cce@rhel7: 27054-6

references:
    cis: 1.4.1
    cui: 3.4.5
    disa: 225
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    nist: AC-6(7)

ocil_clause: 'it does not'

ocil: |-
    To check the permissions of /boot/grub2/grub.cfg, run the command:
        $ sudo ls -lL /boot/grub2/grub.cfg
    If properly configured, the output should indicate the following
    permissions: -rw-------

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/bootloader/file_user_owner_efi_grub2_cfg.rule
documentation_complete: true

prodtype: rhel7

title: 'Verify /boot/efi/EFI/redhat/grub.cfg User Ownership'

description: |-
    The file /boot/efi/EFI/redhat/grub.cfg should be owned by the root
    user to prevent destruction or modification of the file.

rationale: 'Only root should be able to modify important boot parameters.'

severity: medium

identifiers:
    cce@rhel7: TBD

references:
    cis: 1.4.1
    cjis: 5.5.2.2
    cui: 3.4.5
    disa: 225
    nist: AC-6(7)
    pcidss: Req-7.1

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/bootloader/file_user_owner_grub2_cfg.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Verify /boot/grub2/grub.cfg User Ownership'

description: |-
    The file /boot/grub2/grub.cfg should be owned by the root user
    to prevent destruction or modification of the file.

rationale: 'Only root should be able to modify important boot parameters.'

severity: medium

identifiers:
    cce@rhel7: 26860-7

references:
    cis: 1.4.1
    cjis: 5.5.2.2
    cui: 3.4.5
    disa: 225
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    nist: AC-6(7)
    pcidss: Req-7.1

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction.rule
documentation_complete: true

prodtype: rhel7

title: 'Disable Ctrl-Alt-Del Burst Action'

description: |-
    By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence
    is pressed more than 7 times in 2 seconds.

    To configure the system to ignore the CtrlAltDelBurstAction setting, add or
    modify the following to /etc/systemd/system.conf:
        CtrlAltDelBurstAction=none

rationale: |-
    A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
    can reboot the system. If accidentally pressed, as could happen in
    the case of a mixed OS environment, this can create the risk of short-term
    loss of availability of systems due to unintentional reboot.

severity: high

identifiers:
    cce@rhel7: 80449-2

references:
    cui: 3.4.5
    disa: 366
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    nist: AC-6
    srg: SRG-OS-000480-GPOS-00227

ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.'

ocil: |-
    To ensure the system is configured to ignore the Ctrl-Alt-Del setting,
    enter the following command:
        $ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf
    The output should return:
        CtrlAltDelBurstAction=none

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable Ctrl-Alt-Del Reboot Activation'

description: |-
    By default, SystemD will reboot the system if the Ctrl-Alt-Del
    key sequence is pressed.

    To configure the system to ignore the Ctrl-Alt-Del key sequence from the
    command line instead of rebooting the system, do either of the following:
        ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
    or
        systemctl mask ctrl-alt-del.target

    Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
    as this file may be restored during future system updates.

rationale: |-
    A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
    can reboot the system. If accidentally pressed, as could happen in
    the case of a mixed OS environment, this can create the risk of short-term
    loss of availability of systems due to unintentional reboot.

severity: high

identifiers:
    cce@rhel7: 27511-5

references:
    cui: 3.4.5
    disa: 366
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    nist: AC-6
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "020230"

ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed'

ocil: |-
    To ensure the system is configured to mask the Ctrl-Alt-Del sequence,
    enter the following command:
        $ sudo ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
    or
        $ sudo systemctl mask ctrl-alt-del.target

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/disable_interactive_boot.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Verify that Interactive Boot is Disabled'

description: |-
    Red Hat Enterprise Linux systems support an "interactive boot" option that can
    be used to prevent services from being started. On a Red Hat Enterprise Linux 7
    system, interactive boot can be enabled by providing a 1, yes, true, or on
    value to the systemd.confirm_spawn kernel argument in /etc/default/grub.
    Remove any instance of
        systemd.confirm_spawn=(1|yes|true|on)
    from the kernel arguments in that file to disable interactive boot.

rationale: |-
    Using interactive boot, the console user could disable auditing, firewalls,
    or other services, weakening system security.

severity: medium

identifiers:
    cce@rhel7: 27335-9

references:
    cui: 3.1.2,3.4.5
    disa: 213
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    nist: SC-2,AC-3
    ospp@rhel7: FIA_AFL.1

ocil_clause: 'Interactive boot is enabled at boot time'

ocil: |-
    Inspect /etc/default/grub for any instances of
    systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments.
    Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates
    that interactive boot is enabled at boot time.

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/require_singleuser_auth.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Require Authentication for Single User Mode'

description: |-
    Single-user mode is intended as a system recovery method, providing a single
    user root access to the system by providing a boot option at startup. By
    default, no authentication is performed if single-user mode is selected.

    By default, single-user mode is protected by requiring a password and is set
    in /usr/lib/systemd/system/rescue.service.

rationale: |-
    This prevents attackers with physical access from trivially bypassing security
    on the machine and gaining root access. Such accesses are further prevented
    by configuring the bootloader password.

severity: medium

identifiers:
    cce@rhel7: 27287-2

references:
    cis: 1.4.3
    cui: 3.1.1,3.4.5
    disa: 213
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    nist: IA-2(1),AC-3
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000080-GPOS-00048
    stigid: "010481"
    stigid@rhel7: "010481"

ocil_clause: 'the output is different'

ocil: |-
    To check if authentication is required for single-user mode, run the following command:
        $ grep sulogin /usr/lib/systemd/system/rescue.service
    The output should be similar to the following, and the line must begin with
    ExecStart and /sbin/sulogin:
        ExecStart=-/sbin/sulogin
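The physical-console rules above (grub.cfg mode and ownership, CtrlAltDelBurstAction, ctrl-alt-del.target masking, systemd.confirm_spawn, sulogin in rescue.service) each describe one grep or ls check; the Python below, an added example that is not part of scap-security-guide, collects them into functions that take file contents or paths so they can be run against a live system or a copied root. Function names are constructed, and the uid/gid parameters exist only so the ownership check can be exercised on files that are not owned by root.

```python
"""Checks for the physical-console rules: Ctrl-Alt-Del burst action,
ctrl-alt-del.target masking, interactive boot (systemd.confirm_spawn),
sulogin in rescue.service, and grub.cfg mode/ownership.

Added example, not part of scap-security-guide; function names are
constructed."""
import os
import re
import stat

_CONFIRM_SPAWN = re.compile(r"systemd\.confirm_spawn=(1|yes|true|on)\b", re.I)


def ctrl_alt_del_burst_ignored(system_conf: str) -> bool:
    """The last uncommented CtrlAltDelBurstAction= in system.conf must be 'none'."""
    value = None
    for line in system_conf.splitlines():
        m = re.match(r"^\s*CtrlAltDelBurstAction\s*=\s*(\S*)", line, re.I)
        if m:
            value = m.group(1)          # a later assignment overrides an earlier one
    return value is not None and value.lower() == "none"


def ctrl_alt_del_target_masked(systemd_dir: str) -> bool:
    """Both remediations (ln -sf /dev/null ..., systemctl mask) leave a symlink to /dev/null."""
    target = os.path.join(systemd_dir, "ctrl-alt-del.target")
    return os.path.islink(target) and os.readlink(target) == "/dev/null"


def interactive_boot_enabled(default_grub: str) -> bool:
    """True if an uncommented line in /etc/default/grub switches confirm_spawn on."""
    for line in default_grub.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and _CONFIRM_SPAWN.search(s):
            return True
    return False


def rescue_requires_sulogin(rescue_service: str) -> bool:
    """ExecStart of rescue.service must run /sbin/sulogin (the '-' prefix is allowed)."""
    return re.search(r"^ExecStart=-?/sbin/sulogin\b", rescue_service, re.M) is not None


def grub_cfg_perms_ok(path: str, uid: int = 0, gid: int = 0) -> bool:
    """grub.cfg must be mode 0600 and owned by uid:gid (root:root on a real system)."""
    st = os.stat(path)                  # follows symlinks, like 'ls -lL'
    return stat.S_IMODE(st.st_mode) == 0o600 and st.st_uid == uid and st.st_gid == gid


def _read(path: str) -> str:
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


def audit_console(root: str = "/") -> dict:
    """Run every check against a system rooted at `root`; returns {rule: passed}."""
    def p(rel):
        return os.path.join(root, rel)
    results = {
        "disable_ctrlaltdel_burstaction": ctrl_alt_del_burst_ignored(_read(p("etc/systemd/system.conf"))),
        "disable_ctrlaltdel_reboot": ctrl_alt_del_target_masked(p("etc/systemd/system")),
        "disable_interactive_boot": not interactive_boot_enabled(_read(p("etc/default/grub"))),
        "require_singleuser_auth": rescue_requires_sulogin(_read(p("usr/lib/systemd/system/rescue.service"))),
    }
    try:
        results["file_permissions_grub2_cfg"] = grub_cfg_perms_ok(p("boot/grub2/grub.cfg"))
    except OSError:                     # file absent (UEFI system or copied root)
        results["file_permissions_grub2_cfg"] = False
    return results


if __name__ == "__main__":
    for rule, passed in audit_console().items():
        print("PASS" if passed else "FAIL", rule)
```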
scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/console_screen_locking.group
documentation_complete: true

title: 'Configure Console Screen Locking'

description: |-
    A console screen locking mechanism is provided in the screen package,
    which is not installed by default.

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Install the screen Package'

description: |-
    To enable console screen locking, install the screen package:
        $ sudo yum install screen
    Instruct users to begin new terminal sessions with the following command:
        $ screen
    The console can now be locked with the following key combination:
        ctrl+a x

rationale: |-
    A session time-out lock is a temporary action taken when a user stops work and
    moves away from the immediate physical vicinity of the information system but
    does not log out because of the temporary nature of the absence. Rather than
    relying on the user to manually lock their operating system session prior to
    vacating the vicinity, operating systems need to be able to identify when a
    user's session has idled and take action to initiate the session lock.

    The screen package allows for a session lock to be implemented and configured.

severity: medium

identifiers:
    cce@rhel7: 27351-6

references:
    cui: 3.1.10
    disa: 57
    nist: AC-11(a)
    ospp@rhel7: FMT_MOF_EXT.1
    srg: SRG-OS-000029-GPOS-00010
    stigid@rhel7: "010090"

ocil_clause: 'the package is not installed'

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/screen_locking/screen_locking.group
documentation_complete: true

title: 'Configure Screen Locking'

description: |-
    When a user must temporarily leave an account logged-in, screen locking should
    be employed to prevent passersby from abusing the account. User education and
    training is particularly important for screen locking to be effective, and
    policies can be implemented to reinforce this.

    Automatic screen locking is only meant as a safeguard for those cases where a
    user forgot to lock the screen.

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages.rule
documentation_complete: true

prodtype: rhel7

title: 'Install Smart Card Packages For Multifactor Authentication'

description: |-
    Configure the operating system to implement multifactor authentication by
    installing the required packages with the following command:
        $ sudo yum install esc pam_pkcs11 authconfig-gtk

rationale: |-
    Using an authentication device, such as a CAC or token that is separate from
    the information system, ensures that even if the information system is
    compromised, that compromise will not affect credentials stored on the
    authentication device.

    Multifactor solutions that require devices separate from information systems
    gaining access include, for example, hardware tokens providing time-based or
    challenge-response authenticators and smart cards such as the U.S. Government
    Personal Identity Verification card and the DoD Common Access Card.

severity: medium

identifiers:
    cce: 80519-2

references:
    disa: 1954
    nist: ""
    srg: SRG-OS-000375-GPOS-00160
    stigid: "041001"

ocil_clause: 'smartcard software is not installed'

ocil: |-
    To verify the operating system has the packages required for multifactor
    authentication installed, run the following command:
        $ sudo yum list installed esc pam_pkcs11 authconfig-gtk

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smart_card_login.group
documentation_complete: true

title: 'Hardware Tokens for Authentication'

description: |-
    The use of hardware tokens such as smart cards for system login
    provides stronger, two-factor authentication than using a username and password.
    In Red Hat Enterprise Linux servers and workstations, hardware token login
    is not enabled by default and must be enabled in the system settings.

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Enable Smart Card Login'

description: |-
    To enable smart card authentication, consult the documentation at:
    For guidance on enabling SSH to authenticate against a Common Access Card
    (CAC), consult documentation at:

rationale: |-
    Smart card login provides two-factor authentication stronger than that
    provided by a username and password combination. Smart cards leverage PKI
    (public key infrastructure) in order to provide and verify credentials.

severity: medium

identifiers:
    cce@rhel7: 80207-4

references:
    disa: 765,766,767,768,771,772,884
    nist: IA-2(2)
    pcidss: Req-8.3
    srg: SRG-OS-000104-GPOS-00051,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000109-GPOS-00056,SRG-OS-000108-GPOS-00055,SRG-OS-000108-GPOS-00057,SRG-OS-000108-GPOS-00058
    stigid@rhel7: "010500"

ocil_clause: 'non-exempt accounts are not using CAC authentication'

ocil: |-
    Interview the SA to determine if all accounts not exempted by policy are
    using CAC authentication.
    For DoD systems, the following systems and accounts are exempt from using
    smart card (CAC) authentication:
      • SIPRNET systems
      • Standalone systems
      • Application accounts
      • Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV
      • Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT
      • Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.

scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure Smart Card Certificate Status Checking'

description: |-
    Configure the operating system to do certificate status checking for PKI
    authentication. Modify all of the cert_policy lines in
    /etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:
        cert_policy = ca, ocsp_on, signature;

rationale: |-
    Using an authentication device, such as a CAC or token that is separate from
    the information system, ensures that even if the information system is
    compromised, that compromise will not affect credentials stored on the
    authentication device.

    Multifactor solutions that require devices separate from information systems
    gaining access include, for example, hardware tokens providing time-based or
    challenge-response authenticators and smart cards such as the U.S. Government
    Personal Identity Verification card and the DoD Common Access Card.

severity: medium

identifiers:
    cce: 80520-0

references:
    disa: 1954
    nist: ""
    srg: SRG-OS-000375-GPOS-00160
    stigid: "041003"

ocil_clause: 'ocsp_on is not configured'

ocil: |-
    To verify the operating system implements certificate status checking for PKI
    authentication, run the following command:
        $ sudo grep -i cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
    The output should return multiple lines similar to the following:
        cert_policy = ca, ocsp_on, signature;
        cert_policy = ca, ocsp_on, signature;
        cert_policy = ca, ocsp_on, signature;
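The rule above requires ocsp_on on every cert_policy line of pam_pkcs11.conf, which a bare grep does not verify when only some module blocks carry it. The Python below, an added example that is not part of scap-security-guide, reports the non-compliant lines and produces a remediated copy that keeps comments and layout; function names and the sample configuration (module paths included) are constructed.

```python
"""Check (and remediate) the cert_policy directives in pam_pkcs11.conf for the
smartcard_configure_cert_checking rule: every uncommented cert_policy line
must include ocsp_on.

Added example, not part of scap-security-guide; function names and the sample
configuration are constructed."""
import re

REQUIRED_FLAG = "ocsp_on"
_POLICY_RE = re.compile(r"^(\s*cert_policy\s*=\s*)(.*?)(;?)(\s*)$")


def _split_flags(raw: str) -> list:
    return [f.strip() for f in raw.split(",") if f.strip()]


def cert_policy_lines(conf: str) -> list:
    """(line number, [flags]) for every uncommented cert_policy directive."""
    found = []
    for no, line in enumerate(conf.splitlines(), 1):
        code = line.partition("#")[0]           # drop trailing comments
        m = _POLICY_RE.match(code)
        if m:
            found.append((no, _split_flags(m.group(2))))
    return found


def missing_ocsp(conf: str) -> list:
    """Line numbers whose cert_policy lacks ocsp_on; an empty list means compliant."""
    return [no for no, flags in cert_policy_lines(conf) if REQUIRED_FLAG not in flags]


def ocsp_checking_enforced(conf: str) -> bool:
    """True only if at least one cert_policy exists and all of them include ocsp_on."""
    return bool(cert_policy_lines(conf)) and not missing_ocsp(conf)


def add_ocsp_on(conf: str) -> str:
    """Remediation: append ocsp_on to each non-compliant cert_policy, keeping comments and layout."""
    fixed = []
    for line in conf.splitlines(keepends=True):
        code, sep, comment = line.partition("#")
        m = _POLICY_RE.match(code)
        if m:
            flags = _split_flags(m.group(2))
            if REQUIRED_FLAG not in flags:
                flags.append(REQUIRED_FLAG)
                code = m.group(1) + ", ".join(flags) + m.group(3) + m.group(4)
        fixed.append(code + sep + comment)
    return "".join(fixed)


# Constructed sample: three module blocks, the middle one missing ocsp_on.
SAMPLE_CONF = """\
pam_pkcs11 {
  use_pkcs11_module = coolkey;
  pkcs11_module coolkey {
    module = /path/to/coolkey-module.so;
    cert_policy = ca, ocsp_on, signature;
  }
  pkcs11_module opensc {
    module = /path/to/opensc-module.so;
    cert_policy = ca, signature;   # ocsp_on missing
  }
  pkcs11_module nss {
    cert_policy = ca, ocsp_on, signature;
  }
}
"""

if __name__ == "__main__":
    print("non-compliant lines:", missing_ocsp(SAMPLE_CONF))
    print(add_ocsp_on(SAMPLE_CONF))
```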
service_debug-shell_disabled.rule000066400000000000000000000023741327242345500352220ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-physicaldocumentation_complete: true prodtype: rhel7,fedora title: 'Disable debug-shell SystemD Service' description: |- SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD related issues and should otherwise be disabled.

By default, the debug-shell SystemD service is disabled. rationale: |- This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. severity: medium identifiers: cce@rhel7: 80206-6 references: cui: 3.4.5 hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) ospp@rhel7: FIA_AFL.1 ocil: '' scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/000077500000000000000000000000001327242345500275545ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/account_expiration/000077500000000000000000000000001327242345500334525ustar00rootroot00000000000000account_disable_post_pw_expiration.rule000066400000000000000000000042121327242345500434170ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/account_expirationdocumentation_complete: true prodtype: rhel7,fedora title: 'Set Account Expiration Following Inactivity' description: |- To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in /etc/default/useradd, substituting NUM_DAYS appropriately:
INACTIVE=
A value of 35 is recommended; however, this profile expects that the value is set to . If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the useradd man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users. rationale: |- Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. severity: medium identifiers: cce@rhel7: 27355-7 references: cjis: 5.6.2.1.1 cui: 3.5.6 disa: 795 nist: AC-2(2),AC-2(3),IA-4(e) pcidss: Req-8.1.4 srg: SRG-OS-000118-GPOS-00060 stigid@rhel7: "010310" ocil_clause: 'the value of INACTIVE is greater than the expected value' ocil: |- To verify the INACTIVE setting, run the following command:
$ grep "INACTIVE" /etc/default/useradd
The output should indicate the INACTIVE configuration option is set to an appropriate integer as shown in the example below:
$ grep "INACTIVE" /etc/default/useradd
    INACTIVE=
account_expiration.group000066400000000000000000000020461327242345500403510ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/account_expirationdocumentation_complete: true title: 'Set Account Expiration Parameters' description: |- Accounts can be configured to be automatically disabled after a certain time period, meaning that they will require administrator interaction to become usable again. Expiration of accounts after inactivity can be set for all accounts by default and also on a per-account basis, such as for accounts that are known to be temporary. To configure automatic expiration of an account following the expiration of its password (that is, after the password has expired and not been changed), run the following command, substituting NUM_DAYS and USER appropriately:
$ sudo chage -I NUM_DAYS USER
Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the -E option. The file /etc/default/useradd controls default settings for all newly-created accounts created with the system's normal command line utilities. account_temp_expire_date.rule000066400000000000000000000032041327242345500413150ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/account_expirationdocumentation_complete: true prodtype: rhel7,fedora title: 'Assign Expiration Date to Temporary Accounts' description: "Temporary accounts are established as part of normal account activation procedures\nwhen there is a need for short-term accounts. In the event temporary \nor emergency accounts are required, configure the system to terminate \nthem after a documented time period. For every temporary and\nemergency account, run the following command to set an expiration date on it,\nsubstituting USER and YYYY-MM-DD appropriately:\n
$ sudo chage -E YYYY-MM-DD USER
\nYYYY-MM-DD indicates the documented expiration date for the account.\nFor U.S. Government systems, the operating system must be configured to automatically terminate\nthese types of accounts after a period of 72 hours." rationale: |- If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
severity: unknown identifiers: cce@rhel7: 27498-5 references: disa: 16,1682 nist: AC-2(2),AC-2(3) srg: 2 ocil_clause: 'any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame' ocil: |- For every temporary and emergency account, run the following command to obtain its account aging and expiration information:
$ sudo chage -l USER
Verify each of these accounts has an expiration date set as documented. account_unique_name.rule000066400000000000000000000011271327242345500403070ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/account_expirationdocumentation_complete: true prodtype: rhel7,fedora title: 'Ensure All Accounts on the System Have Unique Names' description: 'Change usernames, or delete accounts, so each has a unique name.' rationale: 'Unique usernames allow for accountability on the system.' severity: unknown identifiers: cce@rhel7: 80208-2 references: cjis: 5.5.2 disa: 770,804 pcidss: Req-8.1.1 ocil_clause: 'a line is returned' ocil: |- Run the following command to check for duplicate account names:
$ sudo pwck -qr
If there are no duplicate names, no line will be returned. var_account_disable_post_pw_expiration.var000066400000000000000000000006061327242345500441130ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/account_expirationdocumentation_complete: true title: 'number of days after a password expires until the account is permanently disabled' description: 'The number of days to wait after a password expires, until the account will be permanently disabled.' type: number operator: interactive: false options: "0": "0" 180: 180 30: 30 35: 35 40: 40 60: 60 90: 90 default: 35 accounts-restrictions.group000066400000000000000000000012511327242345500351170ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictionsdocumentation_complete: true title: 'Protect Accounts by Restricting Password-Based Login' description: |- Conventionally, Unix shell accounts are accessed by providing a username and password to a login program, which tests these values for correctness using the /etc/passwd and /etc/shadow files. Password-based login is vulnerable to guessing of weak passwords, and to sniffing and man-in-the-middle attacks against passwords entered over a network or at an insecure console. Therefore, mechanisms for accessing accounts by entering usernames and passwords should be restricted to those which are operationally necessary. 
# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Set Password Maximum Age'
description: |-
  To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
  PASS_MAX_DAYS 
  A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .
rationale: |-
  Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

  Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
severity: medium
identifiers:
  cce@rhel7: 27051-2
references:
  cis: 5.4.1.1
  cjis: 5.6.2.1
  cui: 3.5.6
  disa: 199
  nist: IA-5(f),IA-5(g),IA-5(1)(d)
  pcidss: Req-8.2.4
  srg: SRG-OS-000076-GPOS-00044
  stigid@rhel7: "010250"
ocil_clause: 'PASS_MAX_DAYS is not set equal to or less than the required value'
ocil: |-
  To check the maximum password age, run the command:
  $ grep PASS_MAX_DAYS /etc/login.defs
  The DoD and FISMA requirement is 60. A value of 180 days is sufficient for many environments. A maximum age larger than the required value is a finding; commented-out lines do not count.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Set Password Minimum Age'
description: |-
  To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
  PASS_MIN_DAYS 
  A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is .
rationale: |-
  Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

  Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
severity: medium
identifiers:
  cce@rhel7: 27002-5
references:
  cjis: 5.6.2.1.1
  cui: 3.5.8
  disa: 198
  nist: IA-5(f),IA-5(1)(d)
  srg: SRG-OS-000075-GPOS-00043
  stigid@rhel7: "010230"
ocil_clause: 'it is not equal to or greater than the required value'
ocil: |-
  To check the minimum password age, run the command:
  $ grep PASS_MIN_DAYS /etc/login.defs

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Set Password Minimum Length in login.defs'
description: |-
  To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line:
  PASS_MIN_LEN 
  The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is .
  If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See the PAM section for more information about enforcing password quality requirements.
rationale: |-
  Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.
severity: medium
identifiers:
  cce@rhel7: 27123-9
references:
  cjis: 5.6.2.1
  cui: 3.5.7
  disa: ""
  nist: IA-5(f),IA-5(1)(a)
  ospp@rhel7: FMT_MOF_EXT.1
ocil_clause: 'it is not set to the required value'
ocil: |-
  To check the minimum password length, run the command:
  $ grep PASS_MIN_LEN /etc/login.defs
  The DoD requirement is 15.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing.rule ====
documentation_complete: true
prodtype: rhel7
title: 'Set Existing Passwords Maximum Age'
description: |-
  Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command:
  $ sudo chage -M 60 USER
rationale: |-
  Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
severity: medium
identifiers:
  cce: 80522-6
references:
  disa: 199
  nist: ""
  srg: SRG-OS-000076-GPOS-00044
  stigid: "010260"
ocil_clause: 'existing passwords are not configured correctly'
ocil: |-
  Check whether the maximum time period for existing passwords is restricted to 60 days by running the following command for each user:
  $ sudo chage -l USER | grep Maximum
  The output for each user should return something similar to the following:
  Maximum number of days between password change		: 60

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing.rule ====
documentation_complete: true
prodtype: rhel7
title: 'Set Existing Passwords Minimum Age'
description: |-
  Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:
  $ sudo chage -m 1 USER
rationale: |-
  Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
severity: medium
identifiers:
  cce: 80521-8
references:
  disa: 198
  nist: ""
  srg: SRG-OS-000075-GPOS-00043
  stigid: "010240"
ocil_clause: 'existing passwords are not configured correctly'
ocil: |-
  Check whether the minimum time period between password changes for each user account is one day or greater by running the following command for each user:
  $ sudo chage -l USER | grep Minimum
  The output for each user should return something similar to the following:
  Minimum number of days between password change		: 1

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Set Password Warning Age'
description: |-
  To specify how many days prior to password expiration that a warning will be issued to users, edit the file /etc/login.defs and add or correct the following line:
  PASS_WARN_AGE 
  The DoD requirement is 7. The profile requirement is .
rationale: |-
  Setting the password warning age enables users to make the change at a practical time.
severity: unknown
identifiers:
  cce@rhel7: 26486-1
references:
  cui: 3.5.8
  nist: AC-2(2),IA-5(f)
ocil_clause: 'it is not set to the required value'
ocil: |-
  To check the password warning age, run the command:
  $ grep PASS_WARN_AGE /etc/login.defs
  The DoD requirement is 7.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_expiration/password_expiration.group ====
documentation_complete: true
title: 'Set Password Expiration Parameters'
description: |-
  The file /etc/login.defs controls several password-related settings. Programs such as passwd, su, and login consult /etc/login.defs to determine behavior with regard to password aging, expiration warnings, and length. See the man page login.defs(5) for more information.

  Users should be forced to change their passwords, in order to decrease the utility of compromised passwords. However, the need to change passwords often should be balanced against the risk that users will reuse or write down passwords if forced to change them too often. Forcing password changes every 90-360 days, depending on the environment, is recommended. Set the appropriate value as PASS_MAX_DAYS and apply it to existing accounts with the -M flag, since login.defs only affects accounts created after the change.

  The PASS_MIN_DAYS (-m) setting prevents password changes for 7 days after the first change, to discourage password cycling. If you use this setting, train users to contact an administrator for an emergency password change in case a new password becomes compromised. The PASS_WARN_AGE (-W) setting gives users 7 days of warnings at login time that their passwords are about to expire.

  For example, for each existing human user USER, expiration parameters could be adjusted to a 180 day maximum password age, 7 day minimum password age, and 7 day warning period with the following command:
  $ sudo chage -M 180 -m 7 -W 7 USER
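The following script is an added example, not part of the SCAP Security Guide, that performs the checks this group describes without reading each grep and chage line by hand. It reads PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE from login.defs (what new accounts get), audits fields 4 to 6 of the shadow file (what existing accounts actually have), and prints the chage command for every account that is out of range. The thresholds are the DoD values quoted above (60, 1 and 7); the login.defs and shadow contents are constructed inline so the script runs offline, and the LOGIN_DEFS and SHADOW paths are the only things to change for a real audit run as root.

```sh
#!/bin/sh
# Added example (not SCAP Security Guide code): audit password aging for new
# accounts (login.defs) and existing accounts (shadow), and emit the chage
# commands that would fix the non-compliant ones.
# Thresholds are the DoD values quoted on the page: max 60, min 1, warn 7.
MAX_DAYS=60
MIN_DAYS=1
WARN_AGE=7

# Constructed input files so the example runs offline; point these at
# /etc/login.defs and /etc/shadow (as root) for a live audit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOGIN_DEFS="$WORK/login.defs"
SHADOW="$WORK/shadow"

# The commented-out PASS_MAX_DAYS must be ignored (a naive grep would match it)
# and PASS_MIN_DAYS 0 is a finding.
cat > "$LOGIN_DEFS" <<'EOF'
# PASS_MAX_DAYS   99999
PASS_MAX_DAYS   60
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN         1000
EOF

# Constructed shadow entries; the hashes are placeholders, not real hashes.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
cat > "$SHADOW" <<'EOF'
root:$6$placeholder:18000:1:60:7:::
alice:$6$placeholder:18000:0:99999:7:::
bob:$6$placeholder:18000:1:60:7:::
svc:*:18000:0:99999:7:::
EOF

# login_defs_get KEY: value of the last uncommented KEY line, empty if unset.
login_defs_get() {
    awk -v key="$1" '$1 == key { v = $2 } END { if (v != "") print v }' "$LOGIN_DEFS"
}

# check_login_defs: one FAIL line per new-account setting that is unset or
# outside its threshold (a missing value is treated as a finding).
check_login_defs() {
    max=$(login_defs_get PASS_MAX_DAYS)
    min=$(login_defs_get PASS_MIN_DAYS)
    warn=$(login_defs_get PASS_WARN_AGE)
    [ -n "$max" ] && [ "$max" -le "$MAX_DAYS" ] || echo "FAIL PASS_MAX_DAYS=${max:-unset} (want <= $MAX_DAYS)"
    [ -n "$min" ] && [ "$min" -ge "$MIN_DAYS" ] || echo "FAIL PASS_MIN_DAYS=${min:-unset} (want >= $MIN_DAYS)"
    [ -n "$warn" ] && [ "$warn" -ge "$WARN_AGE" ] || echo "FAIL PASS_WARN_AGE=${warn:-unset} (want >= $WARN_AGE)"
}

# check_existing_accounts: accounts with a usable password hash (field 2 not
# empty and not starting with "*" or "!") whose min/max aging fields are unset
# or outside the thresholds. Locked accounts have no password to age.
check_existing_accounts() {
    awk -F: -v max="$MAX_DAYS" -v min="$MIN_DAYS" '
        $2 == "" || $2 ~ /^[!*]/ { next }
        $5 == "" || $5 + 0 > max { printf "FAIL %s max=%s (want <= %d)\n", $1, ($5 == "" ? "unset" : $5), max }
        $4 == "" || $4 + 0 < min { printf "FAIL %s min=%s (want >= %d)\n", $1, ($4 == "" ? "unset" : $4), min }
    ' "$SHADOW"
}

# suggest_chage: the chage command for each account reported above, once per
# account, in shadow order.
suggest_chage() {
    check_existing_accounts | awk -v max="$MAX_DAYS" -v min="$MIN_DAYS" -v warn="$WARN_AGE" \
        '!seen[$2]++ { printf "chage -M %d -m %d -W %d %s\n", max, min, warn, $2 }'
}

echo "== login.defs (new accounts) =="; check_login_defs
echo "== existing accounts =="; check_existing_accounts
echo "== remediation =="; suggest_chage
```

On the constructed input the script reports PASS_MIN_DAYS=0 for new accounts, two findings for alice (max 99999, min 0), nothing for the locked svc account, and prints `chage -M 60 -m 1 -W 7 alice`. The skip of locked entries matters on real systems: service accounts with `*` or `!` in the hash field have no password to age, and reporting them only buries the real findings.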
# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_maximum_age_login_defs.var ====
documentation_complete: true
title: 'maximum password age'
description: 'Maximum age of password in days'
type: number
operator:
interactive: false
options:
  120: 120
  180: 180
  60: 60
  90: 90
default: 60

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_minimum_age_login_defs.var ====
documentation_complete: true
title: 'minimum password age'
description: 'Minimum age of password in days'
type: number
operator:
interactive: false
options:
  "0": "0"
  1: 1
  2: 2
  5: 5
  7: 7
default: 7

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var ====
documentation_complete: true
title: 'minimum password length'
description: 'Minimum number of characters in password'
type: number
operator:
interactive: false
options:
  10: 10
  12: 12
  14: 14
  15: 15
  6: 6
  8: 8
default: 15

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_warn_age_login_defs.var ====
documentation_complete: true
title: 'warning days before password expires'
description: 'The number of days'' warning given before a password expires.'
type: number
operator:
interactive: false
options:
  "0": "0"
  14: 14
  7: 7
default: 7

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed.rule ====
documentation_complete: true
prodtype: rhel7,fedora,ol7
title: 'Verify All Account Password Hashes are Shadowed'
description: |-
  If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.
rationale: |-
  The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users.
severity: medium
identifiers:
  cce@rhel7: 27352-4
references:
  cjis: 5.5.2
  cui: 3.5.10
  disa: ""
  nist: IA-5(h)
  pcidss: Req-8.2.1
ocil_clause: 'any stored hashes are found in /etc/passwd'
ocil: |-
  To check that no password hashes are stored in /etc/passwd, run the following command:
  awk -F: '($2 != "x" && $2 != "*") {print}' /etc/passwd
  If it produces any output, then a password hash (or a plaintext password) is stored in /etc/passwd. The test is on the second field only; a regular expression over the whole line would also match an x or * appearing in the shell or home directory fields.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'All GIDs referenced in /etc/passwd must be defined in /etc/group'
description: 'Add a group to the system for each GID referenced without a corresponding group.'
rationale: |-
  If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with that GID is subsequently created, the user may have unintended rights to any files associated with the group.
severity: low
identifiers:
  cce@rhel7: CCE-27503-2
references:
  cjis: 5.5.2
  disa: 764
  nist: IA-2
  pcidss: Req-8.5.a
  srg: SRG-OS-000104-GPOS-00051
  stigid@rhel7: "020300"
ocil_clause: 'GIDs referenced in /etc/passwd are returned as not defined in /etc/group'
ocil: |-
  To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command:
  $ sudo pwck -qr
  There should be no output.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords.rule ====
documentation_complete: true
prodtype: rhel7,fedora,ol7
title: 'Prevent Log In to Accounts With Empty Password'
description: |-
  If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok option in /etc/pam.d/system-auth to prevent logins with empty passwords.
rationale: |-
  If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
severity: high
identifiers:
  cce@rhel7: 27286-4
references:
  cjis: 5.5.2
  cui: '3.1.1, 3.1.5'
  disa: 366
  hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
  nist: AC-6,IA-5(b),IA-5(c),IA-5(1)(a)
  ospp@rhel7: FIA_AFL.1
  pcidss: Req-8.2.3
  srg: SRG-OS-000480-GPOS-00227
  stigid@rhel7: "010290"
ocil_clause: 'NULL passwords can be used'
ocil: |-
  To verify that null passwords cannot be used, run the following command:
$ grep nullok /etc/pam.d/system-auth
  If this produces any output, it may be possible to log into accounts with empty passwords. Remove any instances of the nullok option to prevent logins with empty passwords.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify No netrc Files Exist'
description: |-
  The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any .netrc files should be removed.
rationale: |-
  Unencrypted passwords for remote FTP servers may be stored in .netrc files. DoD policy requires passwords be encrypted in storage and not used in access scripts.
severity: medium
identifiers:
  cce@rhel7: 80211-6
references:
  disa: 196
  nist: IA-5(h),AC-3
ocil_clause: 'any .netrc files exist'
ocil: |-
  To check the system for the existence of any .netrc files, run the following command:
$ sudo find /home -xdev -name .netrc
# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/password_storage/password_storage.group ====
documentation_complete: true
title: |-
  Verify Proper Storage and Existence of Password Hashes
description: |-
  By default, password hashes for local accounts are stored in the second field (colon-separated) in /etc/shadow. This file should be readable only by processes running with root credentials, preventing users from casually accessing others' password hashes and attempting to crack them. However, it remains possible to misconfigure the system and store password hashes in world-readable files such as /etc/passwd, or to even store passwords themselves in plaintext on the system. Using system-provided tools for password change/creation should allow administrators to avoid such misconfiguration.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify Only Root Has UID 0'
description: |-
  If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.

  If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
rationale: |-
  An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
severity: high
identifiers:
  cce@rhel7: 27175-9
references:
  cis: 6.2.5
  cui: 3.1.1,3.1.5
  disa: 366
  nist: AC-6,IA-2(1),IA-4
  srg: SRG-OS-000480-GPOS-00227
  stigid@rhel7: "020310"
ocil_clause: 'any account other than root has a UID of 0'
ocil: |-
  To list all password file entries for accounts with UID 0, run the following command:
  $ awk -F: '($3 == "0") {print}' /etc/passwd
  This should print only one line, for the user root.

  If there is a finding, change the UID of the failing (non-root) user. If the account is associated with the system commands or applications the UID should be changed to one greater than 0 but less than 1000. Otherwise assign a UID of greater than 1000 that has not already been assigned.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Direct root Logins Not Allowed'
description: |-
  To further limit access to the root account, administrators can disable root logins at the console by editing the /etc/securetty file. This file lists all devices the root user is allowed to login to. If the file does not exist at all, the root user can login through any communication device on the system, whether via the console or via a raw network interface. This is dangerous as a user can log in to the system as root via Telnet, which sends the password in plain text over the network. By default, Red Hat Enterprise Linux's /etc/securetty file only allows the root user to login at the console physically attached to the system. Note that /etc/securetty is consulted by pam_securetty for the login program; it does not govern root logins over SSH, which are configured separately (see the SSH guidance elsewhere in this guide). To prevent direct root logins, remove the contents of this file by typing the following command:
  $ sudo truncate -s 0 /etc/securetty
  (Writing the file as "sudo echo > /etc/securetty" does not work: the redirection is performed by the unprivileged shell before sudo runs, so it fails with permission denied.)
rationale: |-
  Disabling direct root logins ensures proper accountability and multifactor authentication to privileged accounts. Users will first login, then escalate to privileged (root) access via su / sudo. This is required for FISMA Low and FISMA Moderate systems.
severity: medium
identifiers:
  cce@rhel7: 27294-8
references:
  cis: 5.5
  cui: 3.1.1,3.1.6
  hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
  nist: IA-2(1)
ocil_clause: 'the /etc/securetty file is not empty'
ocil: |-
  To ensure root may not directly login to the system over physical consoles, run the following command:
  cat /etc/securetty
  If any output is returned, this is a finding.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/root_logins/no_root_webbrowsing.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Restrict Web Browser Use for Administrative Accounts'
description: |-
  Enforce policy requiring administrative accounts use web browsers only for local service administration.
rationale: |-
  If a browser vulnerability is exploited while running with administrative privileges, the entire system could be compromised. Specific exceptions for local service administration should be documented in site-defined policy.
severity: unknown
identifiers:
  cce@rhel7: 80209-0
ocil_clause: 'this is not the case'
ocil: |-
  Check the root home directory for a .mozilla directory. If one exists, ensure browsing is limited to local service administration.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Ensure that System Accounts Do Not Run a Shell Upon Login'
description: |-
  Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than UID_MIN, where value of UID_MIN directive is set in /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000, thus system accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin SYSACCT
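The following script is an added example, not part of the SCAP Security Guide, that implements four of the checks above as functions over /etc/passwd and /etc/group rather than as separate one-line commands: password hashes stored in /etc/passwd (accounts_password_all_shadowed), primary GIDs missing from /etc/group (gid_passwd_group_same, the condition pwck -qr reports), accounts other than root with UID 0 (accounts_no_uid_except_zero), and system accounts that keep a login shell (no_shelllogin_for_systemaccounts). The passwd and group contents are constructed inline, with one instance of each misconfiguration, so the script runs offline; UID_MIN is set to the default 1000 described above, and PASSWD and GROUP are the paths to change for a live run.

```sh
#!/bin/sh
# Added example (not SCAP Security Guide code): audit local accounts for the
# four conditions described in the password_storage and root_logins rules.
UID_MIN=1000   # take this from UID_MIN in /etc/login.defs on a real system

# Constructed input files so the example runs offline; point these at
# /etc/passwd and /etc/group for a live audit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"
GROUP="$WORK/group"

# One of each misconfiguration; "$6$placeholder" stands in for a real hash.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:x:0:0:second UID 0:/root:/bin/bash
postgres:x:26:26:system account with shell:/var/lib/pgsql:/bin/bash
legacy:$6$placeholder:900:900:hash in passwd:/var/lib/legacy:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:2001:GID not in group:/home/bob:/bin/bash
EOF

cat > "$GROUP" <<'EOF'
root:x:0:
bin:x:1:
daemon:x:2:
postgres:x:26:
legacy:x:900:
alice:x:1000:
EOF

# unshadowed_hashes: accounts whose password field is neither "x" nor "*",
# so the hash (or a plaintext password) sits in world-readable /etc/passwd.
unshadowed_hashes() {
    awk -F: '$2 != "x" && $2 != "*" { print $1 }' "$PASSWD"
}

# extra_uid0: accounts other than root with UID 0, i.e. full root authority.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$PASSWD"
}

# system_accounts_with_shell: UID below UID_MIN, not root, and a shell other
# than the usual non-login shells. Output is name:shell.
system_accounts_with_shell() {
    awk -F: -v uid_min="$UID_MIN" '
        $1 == "root" || $3 + 0 >= uid_min { next }
        $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" { print $1 ":" $7 }
    ' "$PASSWD"
}

# undefined_gids: primary GIDs in passwd that no group line defines.
# Output is name:gid. The group file is read first to build the lookup table.
undefined_gids() {
    awk -F: 'NR == FNR { defined[$3] = 1; next } !($4 in defined) { print $1 ":" $4 }' "$GROUP" "$PASSWD"
}

# audit: one line per finding, tagged with the condition it violates.
audit() {
    unshadowed_hashes          | sed 's/^/hash-in-passwd /'
    extra_uid0                 | sed 's/^/extra-uid-0 /'
    system_accounts_with_shell | sed 's/^/system-shell /'
    undefined_gids             | sed 's/^/undefined-gid /'
}

audit
```

On the constructed input the audit reports legacy (hash in passwd), backup (second UID 0), backup, postgres and legacy (system accounts with /bin/bash) and bob (GID 2001 undefined). The system-shell check deliberately compares the shell field against the known non-login shells instead of matching "nologin" as a substring, so a shell such as /usr/local/bin/nologin-wrapper is still reported for review.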
rationale: |-
  Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
severity: medium
identifiers:
  cce@rhel7: 26448-1
references:
  cis: 5.4.2
  disa: ""
  nist: AC-2
ocil_clause: 'any system account (other than root) has a login shell'
ocil: |-
  To obtain a listing of all users, their UIDs, and their shells, run the command:
  $ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
  Identify the system accounts from this listing. These will primarily be the accounts with UID numbers less than UID_MIN, other than root. The value of the UID_MIN directive is set in the /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Restrict Serial Port Root Logins'
description: |-
  To restrict root logins on serial ports, ensure lines of this form do not appear in /etc/securetty:
  ttyS0
  ttyS1
rationale: |-
  Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.
severity: unknown
identifiers:
  cce@rhel7: 27268-2
references:
  cui: '3.1.1, 3.1.5'
  disa: 770
  hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
  nist: AC-6(2)
ocil_clause: 'root login over serial ports is permitted'
ocil: |-
  To check for serial port entries which permit root login, run the following command:
  $ sudo grep ^ttyS[0-9] /etc/securetty
  If any output is returned, then root login over serial ports is permitted. (The device names have no slash: a pattern such as ^ttyS/[0-9] never matches ttyS0 and would report a clean result on a misconfigured file.)

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/root_logins/root_logins.group ====
documentation_complete: true
title: 'Restrict Root Logins'
description: |-
  Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and then use su or sudo to execute privileged commands. Discouraging administrators from accessing the root account directly ensures an audit trail in organizations with multiple administrators. Locking down the channels through which root can connect directly also reduces opportunities for password-guessing against the root account.

  The login program uses the file /etc/securetty to determine which interfaces should allow root logins. The virtual devices /dev/console and /dev/tty* represent the system consoles (accessible via the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default installation). The default securetty file also contains /dev/vc/*. These are likely to be deprecated in most environments, but may be retained for compatibility.

  Root should also be prohibited from connecting via network protocols. Other sections of this document include guidance describing how to prevent root from logging in via SSH.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/root_logins/root_path_default.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Root Path Must Be Vendor Default'
description: |-
  Assuming root shell is bash, edit the following files:
~/.profile
~/.bashrc
  Change any PATH variables to the vendor default for root and remove any empty PATH entries or references to relative paths.
rationale: |-
  The root account's executable search path must be the vendor default, and must contain only absolute paths. An empty entry or a relative entry such as "." makes the current working directory part of the search, so a writable directory can be used to plant a binary that root runs by name.
severity: unknown
identifiers:
  cce@rhel7: 80210-8
references:
  nist: SA-8
ocil_clause: 'any of these conditions are not met'
ocil: |-
  To view the root user's PATH, run the following command:
  $ sudo env | grep PATH
  If correctly configured, the PATH must: use vendor default settings, have no empty entries, and have no entries beginning with a character other than a slash (/). Note that sudo substitutes its own secure_path setting for the caller's PATH; to see the PATH that root's login shell actually builds from the files above, run the check from a root login shell (for example via su -).

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Restrict Virtual Console Root Logins'
description: |-
  To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty:
  vc/1
  vc/2
  vc/3
  vc/4
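The following script is an added example, not part of the SCAP Security Guide, that covers the three securetty rules above (no_direct_root_logins, restrict_serial_port_logins and this one) in one pass: it classifies every device listed in /etc/securetty as a physical console (console or tty followed by a number), a deprecated vc/N virtual console, a ttySN serial port, or something else, reports everything that is not a physical console, and writes a console-only copy for review. The sample securetty is constructed inline so the script runs offline; SECURETTY is the path to change for a live check as root.

```sh
#!/bin/sh
# Added example (not SCAP Security Guide code): classify /etc/securetty
# entries and produce a console-only copy.

# Constructed input so the example runs offline; set SECURETTY=/etc/securetty
# (as root) for a live check.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SECURETTY="$WORK/securetty"

# Default-style console entries plus the kinds of entry the rules flag, and a
# comment line that must be ignored. pts/0 would allow root login on a
# pseudo-terminal, which none of the rules want either.
cat > "$SECURETTY" <<'EOF'
# constructed example
console
tty1
tty2
vc/1
vc/2
ttyS0
pts/0
EOF

# classify: print "<class> <device>" for every non-blank, non-comment line.
classify() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "console" || $1 ~ /^tty[0-9]+$/ { print "console", $1; next }
        $1 ~ /^vc\/[0-9]+$/ { print "virtual-console", $1; next }
        $1 ~ /^ttyS[0-9]+$/ { print "serial", $1; next }
        { print "other", $1 }
    ' "$SECURETTY"
}

# findings: devices that permit a root login somewhere other than a physical
# console. Prints nothing when the file is console-only.
findings() {
    classify | awk '$1 != "console"'
}

# console_only_copy FILE: write a copy of securetty that keeps only the
# physical console entries. Review the diff before installing it over
# /etc/securetty; an empty file (as the no_direct_root_logins rule asks for)
# blocks root on every device handled by pam_securetty.
console_only_copy() {
    classify | awk '$1 == "console" { print $2 }' > "$1"
}

findings
console_only_copy "$WORK/securetty.hardened"
```

On the constructed file the findings are vc/1 and vc/2 (virtual consoles), ttyS0 (serial) and pts/0 (other), and the hardened copy contains only console, tty1 and tty2. Classifying rather than grepping for one pattern at a time is what catches the pts/0 case, which none of the three greps on this page look for.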
rationale: |-
  Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.
severity: medium
identifiers:
  cce@rhel7: 27318-5
references:
  cui: '3.1.1, 3.1.5'
  disa: 770
  hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
  nist: AC-6(2)
ocil_clause: 'root login over virtual console devices is permitted'
ocil: |-
  To check for virtual console entries which permit root login, run the following command:
  $ sudo grep ^vc/[0-9] /etc/securetty
  If any output is returned, then root login over virtual console devices is permitted.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts-session.group ====
documentation_complete: true
title: 'Secure Session Configuration Files for Login Accounts'
description: |-
  When a user logs into a Unix account, the system configures the user's session by reading a number of files. Many of these files are located in the user's home directory, and may have weak permissions as a result of user error or misconfiguration. If an attacker can modify or even read certain types of account configuration information, they can often gain full access to the affected user's account. Therefore, it is important to test and correct configuration file permissions for interactive accounts, particularly those of privileged users such as root or system administrators.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs.rule ====
documentation_complete: true
prodtype: rhel7
title: 'Ensure Home Directories are Created for New Users'
description: |-
  All local interactive user accounts, upon creation, should be assigned a home directory.

Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows:

CREATE_HOME yes
rationale: |-
  If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
severity: medium
identifiers:
  cce@rhel7: 80434-4
references:
  srg: SRG-OS-000480-GPOS-00227
  stigid@rhel7: "020610"
ocil_clause: 'the value of CREATE_HOME is not set to yes, is missing, or the line is commented out'
ocil: |-
  Check if the system is configured to create home directories for local interactive users with the following command:

  $ sudo grep -i create_home /etc/login.defs

  The directive is spelled CREATE_HOME in the file, so the match must be case-insensitive. Only an uncommented line reading CREATE_HOME yes satisfies the check.

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_logon_fail_delay.rule ====
documentation_complete: true
prodtype: rhel7
title: 'Ensure the Logon Failure Delay is Set Correctly in login.defs'
description: |-
  To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY 
rationale: |-
  Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack.
severity: unknown
identifiers:
  cce@rhel7: 80352-8
references:
  disa: 366
  nist: CM-6(b)
  srg: SRG-OS-000480-GPOS-00226
  stigid@rhel7: "010430"
ocil_clause: 'the above command returns no output, or FAIL_DELAY is configured less than the expected value'
ocil: |-
  Verify the FAIL_DELAY setting is configured correctly in the /etc/login.defs file by running the following command:
  $ sudo grep -i "FAIL_DELAY" /etc/login.defs
  All output must show the value of FAIL_DELAY set as shown below:
  FAIL_DELAY 

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions.rule ====
documentation_complete: true
prodtype: rhel7,fedora
title: 'Limit the Number of Concurrent Login Sessions Allowed Per User'
description: |-
  Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf:
* hard maxlogins 
rationale: |-
  Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.
severity: low
identifiers:
  cce@rhel7: 27081-9
references:
  cjis: 5.5.2.2
  disa: 54
  nist: AC-10
  srg: SRG-OS-000027-GPOS-00008
  stigid@rhel7: "040000"
ocil_clause: 'maxlogins is not equal to or less than the expected value'
ocil: |-
  Run the following command to ensure the maxlogins value is configured for all users on the system:
  # grep "maxlogins" /etc/security/limits.conf
  You should receive output similar to the following:
  *		hard	maxlogins	

# ==== scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_tmout.rule ====
documentation_complete: true
prodtype: rhel7
title: 'Set Interactive Session Timeout'
description: |-
  Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The TMOUT setting in /etc/profile should read as follows:
TMOUT=
rationale: |- Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. severity: medium identifiers: cce@rhel7: 27557-8 references: cui: 3.1.11 disa: 1133,0361 nist: AC-12,SC-10 ospp@rhel7: FMT_MOF_EXT.1 srg: SRG-OS-000163-GPOS-00072 stigid@rhel7: "040160" ocil_clause: 'value of TMOUT is not less than or equal to expected setting' ocil: |- Run the following command to ensure the TMOUT value is configured for all users on the system:
$ sudo grep TMOUT /etc/profile
The output should return the following:
TMOUT=
# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_user_dot_group_ownership.rule
documentation_complete: true
prodtype: rhel7
title: 'User Initialization Files Must Be Group-Owned By The Primary User'
description: |-
    Change the group owner of interactive users' initialization files to the
    group found in /etc/passwd for the user. To change the group owner of a
    local interactive user's initialization file, use the following command:
    $ sudo chgrp USER_GROUP /home/USER/.INIT_FILE
rationale: |-
    Local initialization files for interactive users are used to configure the
    user's shell environment upon logon. Malicious modification of these files
    could compromise accounts upon logon.
severity: medium
identifiers:
    cce: 80526-7
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020700"
ocil_clause: 'they are not'
ocil: |-
    To verify the local initialization files of all local interactive users are
    group-owned by the user's primary group, inspect the primary group of the
    respective users in /etc/passwd and verify all initialization files under
    the respective users' home directories. Check the group owner of all local
    interactive users' initialization files.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs.rule
documentation_complete: true
prodtype: rhel7
title: 'User Initialization Files Must Not Run World-Writable Programs'
description: |-
    Set the mode on files being executed by the user initialization files with
    the following command:
    $ sudo chmod 0755 FILE
rationale: |-
    If user start-up files execute world-writable programs, especially in
    unprotected directories, they could be maliciously modified to destroy user
    files or otherwise compromise the system at the user level. If the system is
    compromised at the user level, it is easier to elevate privileges to
    eventually compromise the system at the root and network level.
severity: medium
identifiers:
    cce: 80523-4
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020730"
ocil_clause: 'files are executing world-writable programs'
ocil: |-
    To verify that local initialization files do not execute world-writable
    programs, execute the following command:
    $ sudo find /home -type f -name ".[^.]*" -perm -002 -exec ls -ld {} \;
    There should be no output.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_user_dot_user_ownership.rule
documentation_complete: true
prodtype: rhel7
title: 'User Initialization Files Must Be Owned By the Primary User'
description: |-
    Set the owner of the user initialization files for interactive users to the
    primary owner with the following command (the .[^.]* pattern selects the
    dotfiles without matching the . and .. entries):
    $ sudo chown USER /home/USER/.[^.]*
rationale: |-
    Local initialization files are used to configure the user's shell
    environment upon logon. Malicious modification of these files could
    compromise accounts upon logon.
severity: medium
identifiers:
    cce: 80527-5
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020690"
ocil_clause: 'they are not'
ocil: |-
    To verify all local initialization files for interactive users are owned by
    the primary user, run the following command:
    $ sudo ls -al /home/USER/.[^.]*
    The user initialization files should be owned by USER.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_user_home_paths_only.rule
documentation_complete: true
prodtype: rhel7
title: 'Ensure that Users Path Contains Only Local Directories'
description: |-
    Ensure that the executable search path statements in all interactive user
    initialization files do not reference a working directory other than the
    user's home directory.
rationale: |-
    The executable search path (typically the PATH environment variable)
    contains a list of directories for the shell to search to find executables.
    If this path includes the current working directory (other than the user's
    home directory), executables in these directories may be executed instead
    of system commands. This variable is formatted as a colon-separated list of
    directories. If there is an empty entry, such as a leading or trailing colon
    or two consecutive colons, this is interpreted as the current working
    directory. If deviations from the default system search path for the local
    interactive user are required, they must be documented with the Information
    System Security Officer (ISSO).
severity: medium
identifiers:
    cce: 80524-2
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020720"
ocil_clause: 'paths contain more than local home directories'
ocil: |-
    To verify that the executable search path statements in all interactive
    user initialization files do not reference a working directory other than
    the user's home directory, run the following command:
    $ sudo grep -r PATH /home/
    Inspect the output for any PATH that references directories outside the
    home directory.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined.rule
documentation_complete: true
prodtype: rhel7
title: 'All Interactive Users Must Have A Home Directory Defined'
description: |-
    Assign home directories to all interactive users that currently do not have
    a home directory assigned.
rationale: |-
    If local interactive users are not assigned a valid home directory, there
    is no place for the storage and control of files they should own.
severity: medium
identifiers:
    cce: 80528-3
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020600"
ocil_clause: 'users home directory is not defined'
ocil: |-
    To verify interactive users on the system have a home directory assigned,
    run the following command:
    $ sudo awk -F":" '{print $1 ":" $6}' /etc/passwd
    Inspect the output and verify that all interactive users have a home
    directory defined.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists.rule
documentation_complete: true
prodtype: rhel7
title: 'All Interactive Users Home Directories Must Exist'
description: |-
    Create home directories for all interactive users that currently do not
    have a home directory assigned. Use the following command to create the
    user home directory assigned in /etc/passwd:
    $ sudo mkdir /home/USER
rationale: |-
    If a local interactive user has a home directory defined that does not
    exist, the user may be given access to the / directory as the current
    working directory upon logon. This could create a Denial of Service because
    the user would not be able to access their logon configuration files, and
    it may give them visibility to system files they normally would not be able
    to access.
severity: medium
identifiers:
    cce: 80529-1
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020620"
ocil_clause: 'users home directory does not exist'
ocil: |-
    To verify the assigned home directories of all interactive users on the
    system exist, run the following command:
    $ sudo pwck -r
    The output should not return any interactive users.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_users_home_files_groupownership.rule
documentation_complete: true
prodtype: rhel7
title: 'All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User'
description: |-
    Change the group of a local interactive user's files and directories to a
    group that the interactive user is a member of. To change the group owner
    of a local interactive user's files and directories, use the following
    command:
    $ sudo chgrp USER_GROUP /home/USER/FILE_DIR
rationale: |-
    If a local interactive user's files are group-owned by a group of which the
    user is not a member, unintended users may be able to access them.
severity: medium
identifiers:
    cce: 80534-1
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020670"
ocil_clause: 'the group ownership is incorrect'
ocil: |-
    To verify all files and directories in an interactive user's home directory
    are group-owned by a group the user is a member of, run the following
    command:
    $ sudo ls -lLR /home/USER
# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_users_home_files_ownership.rule
documentation_complete: true
prodtype: rhel7
title: 'All User Files and Directories In The Home Directory Must Be Owned By The Primary User'
description: |-
    Change the owner of an interactive user's files and directories to that
    user. To change the owner of a local interactive user's files and
    directories, use the following command:
    $ sudo chown -R USER /home/USER
rationale: |-
    If local interactive users do not own the files in their directories,
    unauthorized users may be able to access them. Additionally, if files are
    not owned by the user, this could be an indication of system compromise.
severity: medium
identifiers:
    cce: 80533-3
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020660"
ocil_clause: 'the user ownership is incorrect'
ocil: |-
    To verify all files and directories in an interactive user's home directory
    are owned by the user, run the following command:
    $ sudo ls -lLR /home/USER

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/accounts_users_home_files_permissions.rule
documentation_complete: true
prodtype: rhel7
title: 'All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive'
description: |-
    Set the mode on files and directories in the local interactive user home
    directory with the following command:
    $ sudo chmod 0750 /home/USER/FILE_DIR
rationale: |-
    If a local interactive user's files have excessive permissions, unintended
    users may be able to access or modify them.
severity: medium
identifiers:
    cce: 80535-8
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020680"
ocil_clause: 'home directory files or folders have incorrect permissions'
ocil: |-
    To verify all files and directories contained in an interactive user's home
    directory, excluding local initialization files, have a mode of 0750 or
    less permissive, run the following command:
    $ sudo ls -lLR /home/USER

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/file_groupownership_home_directories.rule
documentation_complete: true
prodtype: rhel7
title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary User'
description: |-
    Change the group owner of interactive users' home directories to the group
    found in /etc/passwd. To change the group owner of an interactive user's
    home directory, use the following command:
    $ sudo chgrp USER_GROUP /home/USER
rationale: |-
    If the Group Identifier (GID) of a local interactive user's home directory
    is not the same as the primary GID of the user, this would allow
    unauthorized access to the user's files, and users that share the same
    group may not be able to access files that they legitimately should.
severity: medium
identifiers:
    cce: 80532-5
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020650"
ocil_clause: 'the group ownership is incorrect'
ocil: |-
    To verify the assigned home directory of all interactive users is
    group-owned by that user's primary GID, run the following command:
    $ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/file_ownership_home_directories.rule
documentation_complete: true
prodtype: rhel7
title: 'All Interactive User Home Directories Must Be Owned By The Primary User'
description: |-
    Change the owner of interactive users' home directories to the correct
    owner. To change the owner of an interactive user's home directory, use the
    following command:
    $ sudo chown USER /home/USER
rationale: |-
    If a local interactive user does not own their home directory, unauthorized
    users could access or modify the user's files, and the user may not be able
    to access their own files.
severity: medium
identifiers:
    cce: 80531-7
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020640"
ocil_clause: 'the user ownership is incorrect'
ocil: |-
    To verify the home directory ownership, run the following command:
    $ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/file_permission_user_init_files.rule
documentation_complete: true
prodtype: rhel7
title: 'Ensure All User Initialization Files Have Mode 0740 Or Less Permissive'
description: |-
    Set the mode of the user initialization files to 0740 with the following
    command:
    $ sudo chmod 0740 /home/USER/.INIT_FILE
rationale: |-
    Local initialization files are used to configure the user's shell
    environment upon logon. Malicious modification of these files could
    compromise accounts upon logon.
severity: medium
identifiers:
    cce: 80525-9
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020710"
ocil_clause: 'they are not 0740 or more permissive'
ocil: |-
    To verify that all user initialization files have a mode of 0740 or less
    permissive, run the following command:
    $ sudo find /home -type f -name '\.*' \( -perm -0002 -o -perm -0020 \)
    There should be no output.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/file_permissions_home_directories.rule
documentation_complete: true
prodtype: rhel7
title: 'All Interactive User Home Directories Must Have mode 0750 Or Less Permissive'
description: |-
    Change the mode of interactive users' home directories to 0750. To change
    the mode of an interactive user's home directory, use the following command:
    $ sudo chmod 0750 /home/USER
rationale: |-
    Excessive permissions on local interactive user home directories may allow
    unauthorized access to user files by other users.
severity: medium
identifiers:
    cce: 80530-9
references:
    disa: 366
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "020630"
ocil_clause: 'they are more permissive'
ocil: |-
    To verify that all interactive user home directories have a mode of 0750
    or less permissive, run the following command:
    $ sudo ls -l /home
    Inspect the output for any directories with incorrect permissions.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/file_permissions_home_dirs.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Ensure that User Home Directories are not Group-Writable or World-Readable'
description: |-
    For each human user of the system, view the permissions of the user's home
    directory:
    # ls -ld /home/USER
    Ensure that the directory is not group-writable and that it is not
    world-readable. If necessary, repair the permissions:
    # chmod g-w /home/USER
    # chmod o-rwx /home/USER
rationale: |-
    User home directories contain many configuration files which affect the
    behavior of a user's account. No user should ever have write permission to
    another user's home directory. Group shared directories can be configured
    in sub-directories or elsewhere in the filesystem if they are needed.
    Typically, user home directories should not be world-readable, as it would
    disclose file names to other users. If a subset of users need read access
    to one another's home directories, this can be provided using groups or
    ACLs.
severity: unknown
identifiers:
    cce@rhel7: 80201-7
references:
    disa: 225
    nist: AC-6(7)
ocil_clause: 'the user home directory is group-writable or world-readable'
ocil: |-
    To ensure the user home directory is not group-writable or world-readable,
    run the following:
    # ls -ld /home/USER
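The home-directory rules in this group (a home directory defined and existing for every interactive user, the home directory itself at mode 0750 or less permissive, and initialization files at mode 0740 or less permissive) are all checked by reading /etc/passwd and inspecting the files under each home. The following bash script is an added example, not code from the SCAP Security Guide: it performs those checks over a constructed passwd-format file and a temporary home tree so it runs offline. It assumes that "interactive" means UID 1000 or higher with a shell other than nologin or false, which is the same approximation as the egrep ':[0-9]{4}' idiom used by the checks above.

```shell
#!/usr/bin/env bash
# Added example, not SCAP Security Guide code: audit interactive users' home
# directories. A passwd-format file is passed in so the check can run offline
# against the constructed fixture below; on a real system pass /etc/passwd.
# Assumption: "interactive" = UID >= 1000 with a shell other than nologin/false.

# audit_homes PASSWD_FILE -> prints one finding per line, returns 1 if any
audit_homes() {
    passwd_file=$1
    findings=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -ge 1000 ] 2>/dev/null || continue
        case "$shell" in */nologin|*/false) continue ;; esac
        if [ -z "$home" ]; then
            echo "$user: no home directory defined"; findings=1; continue
        fi
        if [ ! -d "$home" ]; then
            echo "$user: home directory $home does not exist"; findings=1; continue
        fi
        # Home directory: any bit outside 0750 (g+w, o+r, o+w, o+x) is a finding.
        # -prune keeps find on the directory itself instead of descending.
        if [ -n "$(find "$home" -prune \( -perm -g+w -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)" ]; then
            echo "$user: $home is more permissive than 0750"; findings=1
        fi
        # Initialization files (dotfiles directly in the home): any bit outside 0740.
        bad=$(find "$home" -maxdepth 1 -type f -name '.*' \
              \( -perm -g+w -o -perm -g+x -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
        if [ -n "$bad" ]; then
            printf '%s\n' "$bad" | sed "s|^|$user: init file more permissive than 0740: |"
            findings=1
        fi
    done < "$passwd_file"
    return $findings
}

# make_fixture -> creates a constructed passwd file and home tree, prints its root
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice" "$root/home/bob"
    chmod 0750 "$root/home/alice"
    chmod 0775 "$root/home/bob"                       # group-writable: finding
    printf 'umask 027\n' > "$root/home/alice/.bashrc"
    chmod 0640 "$root/home/alice/.bashrc"
    printf 'umask 027\n' > "$root/home/bob/.profile"
    chmod 0664 "$root/home/bob/.profile"              # group-writable: finding
    # carol's home does not exist, dave has no home field at all
    cat > "$root/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1000:1000::$root/home/alice:/bin/bash
bob:x:1001:1001::$root/home/bob:/bin/bash
carol:x:1002:1002::$root/home/carol:/bin/bash
dave:x:1003:1003:::/bin/bash
EOF
    echo "$root"
}

# Stand-alone demo: bob (home and .profile), carol and dave are reported, alice is clean
demo_root=$(make_fixture)
audit_homes "$demo_root/passwd" || echo "non-compliant entries listed above"
rm -rf "$demo_root"
```

Two findings per user are possible (home mode and an init file), so the report is one line per problem rather than one per user; that keeps the output usable as a remediation worklist.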
# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write.rule
documentation_complete: true
prodtype: rhel7,fedora,ol7
title: 'Ensure that Root''s Path Does Not Include World or Group-Writable Directories'
description: |-
    For each element in root's path, run:
    # ls -ld DIR
    and ensure that write permissions are disabled for group and other.
rationale: |-
    Such entries increase the risk that root could execute code provided by
    unprivileged users, and potentially malicious code.
severity: unknown
identifiers:
    cce@rhel7: 80200-9
references:
    disa: 366
    nist: CM-6(b)
ocil_clause: 'group or other write permissions exist'
ocil: |-
    To ensure write permissions are disabled for group and other for each
    element in root's path, run the following command:
    # ls -ld DIR
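Running ls -ld by hand on every element works, but the root_paths rules together ask for several properties of each element: no group- or world-writable directory (this rule), and no empty, "." or relative element (the next rule in this group). The following bash function is an added example, not SCAP Security Guide code; it splits a PATH value on colons, including the empty elements that a leading, trailing or doubled colon produces, and reports every element that fails one of those properties. The value is passed in so the check can be exercised on a constructed string and two temporary directories; on a real system run it on "$PATH" from a fresh root shell.

```shell
#!/usr/bin/env bash
# Added example, not SCAP Security Guide code: evaluate a PATH value element by
# element as the root-path rules require. An element is reported when it is
# empty (acts as the current directory), is "." or "..", is relative, contains
# a "." or ".." component, or is a directory writable by group or other.

# check_path PATH_STRING -> prints one finding per bad element, returns 1 if any
check_path() {
    rest="$1:"        # trailing colon so the last element is consumed like the others
    findings=0
    while [ -n "$rest" ]; do
        elem=${rest%%:*}
        rest=${rest#*:}
        case "$elem" in
            "")   echo "empty element (acts as the current directory)"; findings=1; continue ;;
            .|..) echo "relative element '$elem'"; findings=1; continue ;;
            /*)   ;;
            *)    echo "relative element '$elem'"; findings=1; continue ;;
        esac
        case "/$elem/" in
            */./*|*/../*) echo "element '$elem' contains a relative component"; findings=1; continue ;;
        esac
        # -prune keeps find on the directory itself; -perm -g+w / -o+w test the write bits
        if [ -d "$elem" ] && [ -n "$(find "$elem" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            echo "directory '$elem' is group- or world-writable"; findings=1
        fi
    done
    return $findings
}

# make_path_fixture -> creates a safe (0755) and a loose (0775) directory, prints the parent
make_path_fixture() {
    d=$(mktemp -d)
    mkdir "$d/safe" "$d/loose"
    chmod 0755 "$d/safe"
    chmod 0775 "$d/loose"
    echo "$d"
}

# Stand-alone demo on a clean value and on a value with every kind of bad element
demo=$(make_path_fixture)
check_path "/usr/bin:$demo/safe" && echo "clean path: no findings"
check_path ":/usr/bin:$demo/loose:.:bin:/usr/../sbin" || echo "(findings listed above)"
rm -rf "$demo"
```

The empty-element case is the one most often missed by a manual review, because `echo $PATH` shows a doubled colon or a trailing colon that is easy to overlook; splitting the string mechanically makes it visible.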
# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/root_paths/root_path_no_dot.rule
documentation_complete: true
prodtype: rhel7,fedora,ol7
title: 'Ensure that Root''s Path Does Not Include Relative Paths or Null Directories'
description: |-
    Ensure that none of the directories in root's path is equal to a single .
    character, or that it contains any instances that lead to relative path
    traversal, such as .. or beginning a path without the slash (/) character.
    Also ensure that there are no "empty" elements in the path, such as in
    these examples:
    PATH=:/bin
    PATH=/bin:
    PATH=/bin::/sbin
    These empty elements have the same effect as a single . character.
rationale: |-
    Including these entries increases the risk that root could execute code
    from an untrusted location.
severity: unknown
identifiers:
    cce@rhel7: 80199-3
references:
    disa: 366
    nist: CM-6(b)

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/root_paths/root_paths.group
documentation_complete: true
title: 'Ensure that No Dangerous Directories Exist in Root''s Path'
description: |-
    The active path of the root account can be obtained by starting a new root
    shell and running:
    # echo $PATH
    This will produce a colon-separated list of directories in the path.

    Certain path elements could be considered dangerous, as they could lead to
    root executing unknown or untrusted programs, which could contain malicious
    code. Since root may sometimes work inside untrusted directories, the .
    character, which represents the current directory, should never be in the
    root path, nor should any directory which can be written to by an
    unprivileged or semi-privileged (system) user.

    It is a good practice for administrators to always execute privileged
    commands by typing the full path to the command.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc.rule
documentation_complete: true
prodtype: rhel7
title: 'Ensure the Default Bash Umask is Set Correctly'
description: |-
    To ensure the default umask for users of the Bash shell is set properly,
    add or correct the umask setting in /etc/bashrc to read as follows:
    umask
rationale: |-
    The umask value influences the permissions assigned to files when they are
    created. A misconfigured umask value could result in files with excessive
    permissions that can be read or written to by unauthorized users.
severity: unknown
identifiers:
    cce@rhel7: 80202-5
references:
    cis: 5.4.4
    disa: 366
    nist: SA-8
ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
ocil: |-
    Verify the umask setting is configured correctly in the /etc/bashrc file by
    running the following command:
    # grep "umask" /etc/bashrc
    All output must show the value of umask set as shown below:
    # grep "umask" /etc/bashrc
    umask
    umask
# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc.rule
documentation_complete: true
prodtype: rhel7
title: 'Ensure the Default C Shell Umask is Set Correctly'
description: |-
    To ensure the default umask for users of the C shell is set properly, add
    or correct the umask setting in /etc/csh.cshrc to read as follows:
    umask
rationale: |-
    The umask value influences the permissions assigned to files when they are
    created. A misconfigured umask value could result in files with excessive
    permissions that can be read or written to by unauthorized users.
severity: unknown
identifiers:
    cce@rhel7: 80203-3
references:
    disa: 366
    nist: SA-8
ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
ocil: |-
    Verify the umask setting is configured correctly in the /etc/csh.cshrc file
    by running the following command:
    # grep "umask" /etc/csh.cshrc
    All output must show the value of umask set as shown below:
    # grep "umask" /etc/csh.cshrc
    umask

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs.rule
documentation_complete: true
prodtype: rhel7
title: 'Ensure the Default Umask is Set Correctly in login.defs'
description: |-
    To ensure the default umask controlled by /etc/login.defs is set properly,
    add or correct the UMASK setting in /etc/login.defs to read as follows:
    UMASK
rationale: |-
    The umask value influences the permissions assigned to files when they are
    created. A misconfigured umask value could result in files with excessive
    permissions that can be read and written to by unauthorized users.
severity: unknown
identifiers:
    cce@rhel7: 80205-8
references:
    disa: 366
    nist: CM-6(b),SA-8
    srg: SRG-OS-000480-GPOS-00228
    stigid@rhel7: "020240"
ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
ocil: |-
    Verify the UMASK setting is configured correctly in the /etc/login.defs file
    by running the following command:
    # grep -i "UMASK" /etc/login.defs
    All output must show the value of umask set as shown below:
    # grep -i "UMASK" /etc/login.defs
    umask

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Ensure the Default Umask is Set Correctly in /etc/profile'
description: |-
    To ensure the default umask controlled by /etc/profile is set properly, add
    or correct the umask setting in /etc/profile to read as follows:
    umask
rationale: |-
    The umask value influences the permissions assigned to files when they are
    created. A misconfigured umask value could result in files with excessive
    permissions that can be read or written to by unauthorized users.
severity: unknown
identifiers:
    cce@rhel7: 80204-1
references:
    cis: 5.4.4
    disa: 366
    nist: SA-8
ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
ocil: |-
    Verify the umask setting is configured correctly in the /etc/profile file
    by running the following command:
    # grep "umask" /etc/profile
    All output must show the value of umask set as shown below:
    # grep "umask" /etc/profile
    umask
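The four umask rules above (/etc/bashrc, /etc/csh.cshrc, /etc/login.defs and /etc/profile) all end with a grep that lists the umask lines and leaves the comparison to the reader; /etc/bashrc in particular usually carries two umask lines in an if/else, and every one of them has to be at least as restrictive as the expected value. The following bash function is an added example, not SCAP Security Guide code: it parses each umask (or UMASK, for login.defs) line, skips comments, and compares the value bitwise against an expected mask, treating a value V as acceptable when every bit the expected mask E clears is also cleared by V, i.e. (V & E) == E. The input files are constructed inline so it runs offline.

```shell
#!/usr/bin/env bash
# Added example, not SCAP Security Guide code: evaluate the umask lines in a
# shell startup file instead of only listing them with grep. Lowercase "umask"
# covers /etc/bashrc, /etc/csh.cshrc and /etc/profile; uppercase "UMASK" covers
# /etc/login.defs. Files are constructed below so the check runs offline.

# check_umask FILE EXPECTED -> prints each non-compliant line; returns
#   0 when every setting is at least as restrictive as EXPECTED,
#   1 when some setting is more permissive (or unparseable),
#   2 when the file sets no umask at all
check_umask() {
    file=$1 expected=$2 found=0 bad=0
    while read -r key value rest; do
        case "$key" in
            \#*) continue ;;                 # comment line
            umask|UMASK) ;;                  # "umask 027" in rc files, "UMASK 077" in login.defs
            *) continue ;;
        esac
        found=1
        case "$value" in
            [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
            *) echo "$file: unparseable umask value '$value'"; bad=1; continue ;;
        esac
        # A leading 0 makes the shell read the constant as octal.
        if [ $(( 0$value & 0$expected )) -ne $(( 0$expected )) ]; then
            echo "$file: umask $value is more permissive than $expected"; bad=1
        fi
    done < "$file"
    [ "$found" -eq 1 ] || return 2
    return $bad
}

# make_umask_fixtures -> writes four constructed startup files, prints their directory
make_umask_fixtures() {
    d=$(mktemp -d)
    cat > "$d/bashrc.good" <<'EOF'
# /etc/bashrc (constructed): both branches are 027 or tighter
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 027
else
    umask 077
fi
EOF
    cat > "$d/bashrc.bad" <<'EOF'
if [ $UID -gt 199 ]; then
    umask 002
else
    umask 022
fi
EOF
    cat > "$d/login.defs" <<'EOF'
# UMASK 000   (commented out, must be ignored)
UMASK           077
EOF
    printf 'export PATH\n' > "$d/profile.none"
    echo "$d"
}

# Stand-alone demo with an expected mask of 027
demo=$(make_umask_fixtures)
for f in bashrc.good bashrc.bad login.defs profile.none; do
    if check_umask "$demo/$f" 027; then echo "$demo/$f: ok"; else echo "$demo/$f: returned $?"; fi
done
rm -rf "$demo"
```

The "no umask found" case gets its own return code because the rules treat an absent setting as a finding too (the ocil_clause text above: "the above command returns no output").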
# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users.rule
documentation_complete: true
prodtype: rhel7
title: 'Ensure the Default Umask is Set Correctly For Interactive Users'
description: 'Remove the UMASK environment variable from all interactive users initialization files.'
rationale: |-
    The umask controls the default access mode assigned to newly created files.
    A umask of 077 limits new files to mode 700 or less permissive. Although
    umask can be represented as a four-digit number, the first digit
    representing special access modes is typically ignored or required to be
    0. This requirement applies to the globally configured system defaults and
    the local interactive user defaults for each account on the system.
severity: medium
identifiers:
    cce: 80536-6
references:
    disa: 1814
    nist: ""
    srg: SRG-OS-000480-GPOS-00227
    stigid: "021040"
ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
ocil: |-
    To verify the UMASK setting is not configured for interactive users, run
    the following command:
    $ sudo grep -ri "UMASK" /home
    There should be no output.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/user_umask/user_umask.group
documentation_complete: true
title: 'Ensure that Users Have Sensible Umask Values'
description: |-
    The umask setting controls the default permissions for the creation of new
    files. With a default umask setting of 077, files and directories created
    by users will not be readable by any other user on the system. Users who
    wish to make specific files group- or world-readable can accomplish this by
    using the chmod command. Additionally, users can make all their files
    readable to their group by default by setting a umask of 027 in their shell
    configuration files. If default per-user groups exist (that is, if every
    user has a default group whose name is the same as that user's username and
    whose only member is the user), then it may even be safe for users to
    select a umask of 007, making it very easy to intentionally share files
    with groups of which the user is a member.

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/user_umask/var_accounts_user_umask.var
documentation_complete: true
title: 'Sensible umask'
description: 'Enter default user umask'
type: string
operator: equals
interactive: false
options:
    "007": "007"
    "022": "022"
    "027": "027"
    "077": "077"
    default: "027"

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/var_accounts_fail_delay.var
documentation_complete: true
title: 'Maximum login attempts delay'
description: 'Maximum time in seconds between failed login attempts before re-prompting.'
type: number
operator: equals
interactive: false
options:
    1: 1
    2: 2
    3: 3
    4: 4
    5: 5
    default: 4

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/var_accounts_max_concurrent_login_sessions.var
documentation_complete: true
title: 'Maximum concurrent login sessions'
description: 'Maximum number of concurrent sessions by a user'
type: number
operator: equals
interactive: false
options:
    1: 1
    10: 10
    15: 15
    20: 20
    3: 3
    5: 5
    default: 1

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts-session/var_accounts_tmout.var
documentation_complete: true
title: 'Account Inactivity Timeout (minutes)'
description: |-
    In an interactive shell, the value is interpreted as the number of seconds
    to wait for input after issuing the primary prompt. Bash terminates after
    waiting for that number of seconds if input does not arrive.
type: number
operator: equals
interactive: false
options:
    10_min: 600
    15_min: 900
    5_min: 300
    default: 600

# file: scap-security-guide-0.1.39/shared/guide/system/accounts/accounts.group
documentation_complete: true
title: 'Account and Access Control'
description: |-
    In traditional Unix security, if an attacker gains shell access to a
    certain login account, they can perform any action or access any file to
    which that account has access. Therefore, making it more difficult for
    unauthorized people to gain shell access to accounts, particularly to
    privileged accounts, is a necessary part of securing a system. This section
    introduces mechanisms for restricting access to accounts under .

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_dac_actions.group
documentation_complete: true
title: 'Record Events that Modify the System''s Discretionary Access Controls'
description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root. Note that the "-F arch=b32" lines should be present
    even on a 64-bit system. These commands identify system calls for auditing.
    Even if the system is 64-bit it can still execute 32-bit system calls.
    Additionally, these rules can be configured in a number of ways while still
    achieving the desired effect. An example of this is that the "-S" calls
    could be split up and placed on separate lines; however, this is less
    efficient. Add the following to /etc/audit/audit.rules:
    -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If your system is 64-bit then these lines should be duplicated and the
    arch=b32 replaced with arch=b64 as follows:
    -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
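Because the group text allows the same coverage to be expressed either as one "-S a,b,c" list or as separate lines per syscall, a check that greps for the exact line shown above will miss valid configurations. The following bash script is an added example, not SCAP Security Guide code: it parses a rules file, collects every syscall named by a rule that carries all four required options (-a always,exit, -F arch=ARCH, -F auid>=1000, -F auid!=4294967295), and reports which syscalls of a given family still lack such a rule for that architecture. The rules file is constructed inline; on a real system point it at /etc/audit/audit.rules or the files under /etc/audit/rules.d.

```shell
#!/usr/bin/env bash
# Added example, not SCAP Security Guide code: check that an audit rule set
# covers a list of syscalls for one architecture with the required filters.
# Accepts several syscalls in one "-S a,b,c" list or split across lines.

# covered_syscalls RULES_FILE ARCH -> prints, one per line, every syscall named
# by a rule that carries all four required options for ARCH
covered_syscalls() {
    awk -v arch="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        {
            action = 0; arch_ok = 0; auid_min = 0; auid_unset = 0; n = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-a" && $(i+1) == "always,exit") action = 1
                if ($i == "-F" && $(i+1) == ("arch=" arch)) arch_ok = 1
                if ($i == "-F" && $(i+1) == "auid>=1000") auid_min = 1
                if ($i == "-F" && $(i+1) == "auid!=4294967295") auid_unset = 1
                if ($i == "-S") {
                    m = split($(i+1), parts, ",")
                    for (j = 1; j <= m; j++) sc[++n] = parts[j]
                }
            }
            if (action && arch_ok && auid_min && auid_unset)
                for (j = 1; j <= n; j++) print sc[j]
        }' "$1" | sort -u
}

# missing_syscalls RULES_FILE ARCH SYSCALL... -> prints the syscalls without a
# qualifying rule, returns 1 if any are missing
missing_syscalls() {
    rules=$1 arch=$2
    shift 2
    have=$(covered_syscalls "$rules" "$arch")
    rc=0
    for s in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$s" || { echo "$s"; rc=1; }
    done
    return $rc
}

# make_rules_fixture -> writes a constructed audit.rules, prints its path
make_rules_fixture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
## constructed audit.rules for this example
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
# 64-bit chmod rules split one syscall per line, which the text says is allowed
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
# this one lacks the auid!= filter and therefore must not count as coverage
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F key=perm_mod
EOF
    echo "$f"
}

# Stand-alone demo: b32 is fully covered, b64 lacks fchmodat and the chown family
demo=$(make_rules_fixture)
for arch in b32 b64; do
    echo "$arch chmod family missing: $(missing_syscalls "$demo" "$arch" chmod fchmod fchmodat | tr '\n' ' ')"
    echo "$arch chown family missing: $(missing_syscalls "$demo" "$arch" chown fchown fchownat lchown | tr '\n' ' ')"
done
rm -f "$demo"
```

A rule with the right syscalls but a missing auid filter is deliberately not counted, since the rule would then also record events from system accounts and daemons and no longer matches what the group specifies.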
# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - chmod'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the default),
    add the following line to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: unknown

identifiers:
    cce@rhel7: 27339-1

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 126,172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
    stigid@rhel7: "030410"

ocil_clause: 'the system is not configured to audit permission changes'

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - chown'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the default),
    add the following line to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: unknown

identifiers:
    cce@rhel7: 27364-9

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 126,172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
    stigid@rhel7: "030370"

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - fchmod'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the default),
    add the following line to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: unknown

identifiers:
    cce@rhel7: 27393-8

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 126,172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
    stigid@rhel7: "030420"

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - fchmodat'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the default),
    add the following line to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: unknown

identifiers:
    cce@rhel7: 27388-8

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 126,172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
    stigid@rhel7: "030430"

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - fchown'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the default),
    add the following line to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: unknown

identifiers:
    cce@rhel7: 27356-5

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 126,172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
    stigid@rhel7: "030380"

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - fchownat'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the default),
    add the following line to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: unknown

identifiers:
    cce@rhel7: 27387-0

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 126,172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
    stigid@rhel7: "030400"

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - fremovexattr'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root.

    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: medium

identifiers:
    cce@rhel7: 27353-2

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
    stigid@rhel7: "030480"

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - fsetxattr'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the default),
    add the following line to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: unknown

identifiers:
    cce@rhel7: 27389-6

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 126,172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
    stigid@rhel7: "030450"

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - lchown'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the default),
    add the following line to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: unknown

identifiers:
    cce@rhel7: 27083-5

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 126,172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
    stigid@rhel7: "030390"

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - lremovexattr'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root.

    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: medium

identifiers:
    cce@rhel7: 27410-0

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
    stigid@rhel7: "030490"

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - lsetxattr'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the default),
    add the following line to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: unknown

identifiers:
    cce@rhel7: 27280-7

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 126,172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
    stigid@rhel7: "030460"

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - removexattr'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root.

    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod

    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: medium

identifiers:
    cce@rhel7: 27367-2

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
    stigid@rhel7: "030470"

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Events that Modify the System''s Discretionary Access Controls - setxattr'

description: |-
    At a minimum, the audit system should collect file permission changes for
    all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the default),
    add the following line to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
    If the system is 64-bit then also add the following line:
        -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
rationale: |-
    The changing of file permissions could indicate that a user is attempting
    to gain access to information that would otherwise be disallowed. Auditing
    DAC modifications can facilitate the identification of patterns of abuse
    among both authorized and unauthorized users.

severity: unknown

identifiers:
    cce@rhel7: 27213-8

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 126,172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.5
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
    stigid@rhel7: "030440"

ocil: ''

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_execution_selinux_commands.group
documentation_complete: true

title: 'Record Execution Attempts to Run SELinux Privileged Commands'

description: |-
    At a minimum, the audit system should collect the execution of SELinux
    privileged commands for all users and root.

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon.rule
documentation_complete: true

prodtype: rhel7

title: 'Record Any Attempts to Run chcon'

description: |-
    At a minimum, the audit system should collect any execution attempt of the
    chcon command for all users and root. If the auditd daemon is configured
    to use the augenrules program to read audit rules during daemon startup
    (the default), add the following line to a file with suffix .rules in the
    directory /etc/audit/rules.d:
        -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by
    authorized users, or by unauthorized external entities that have
    compromised system accounts, is a serious and ongoing concern and can have
    significant adverse impacts on organizations. Auditing the use of
    privileged functions is one way to detect such misuse and identify the
    risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which
    attempt to subvert their normal role of providing some necessary but
    limited capability. As such, motivation exists to monitor these programs
    for unusual activity.

severity: medium

identifiers:
    cce@rhel7: 80393-2

references:
    cui: 3.1.7
    disa: 172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-12(c)
    ospp@rhel7: FAU_GEN.1.1.c
    srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
    stigid@rhel7: "030580"

ocil: |-
    To verify that execution of the command is being audited, run the
    following command:
        $ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/*
    The output should return something similar to:
        -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_restorecon.rule
documentation_complete: true

prodtype: rhel7

title: 'Record Any Attempts to Run restorecon'

description: |-
    At a minimum, the audit system should collect any execution attempt of the
    restorecon command for all users and root. If the auditd daemon is
    configured to use the augenrules program to read audit rules during daemon
    startup (the default), add the following line to a file with suffix .rules
    in the directory /etc/audit/rules.d:
        -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    If the auditd daemon is configured to use the auditctl utility to read
    audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by
    authorized users, or by unauthorized external entities that have
    compromised system accounts, is a serious and ongoing concern and can have
    significant adverse impacts on organizations. Auditing the use of
    privileged functions is one way to detect such misuse and identify the
    risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which
    attempt to subvert their normal role of providing some necessary but
    limited capability. As such, motivation exists to monitor these programs
    for unusual activity.

severity: medium

identifiers:
    cce@rhel7: 80394-0

references:
    cui: 3.1.7
    disa: 172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-12(c)
    ospp@rhel7: FAU_GEN.1.1.c
    srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209

ocil: |-
    To verify that execution of the command is being audited, run the
    following command:
        $ sudo grep "path=/usr/sbin/restorecon" /etc/audit/audit.rules /etc/audit/rules.d/*
    The output should return something similar to:
        -a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_semanage.rule
documentation_complete: true

prodtype: rhel7

title: 'Record Any Attempts to Run semanage'

description: |-
    At a minimum, the audit system should collect any execution attempt
    of the semanage command for all users and root. If the auditd
    daemon is configured to use the augenrules program to read audit
    rules during daemon startup (the default), add the following line to a
    file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    If the auditd daemon is configured to use the auditctl utility to
    read audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
    -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by
    authorized users, or by unauthorized external entities that have compromised
    system accounts, is a serious and ongoing concern and can have significant
    adverse impacts on organizations. Auditing the use of privileged functions
    is one way to detect such misuse and identify the risk from insider and
    advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which
    attempt to subvert their normal role of providing some necessary but limited
    capability. As such, motivation exists to monitor these programs for unusual
    activity.

severity: medium

identifiers:
    cce@rhel7: 80391-6

references:
    cui: 3.1.7
    disa: 172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-12(c)
    ospp@rhel7: FAU_GEN.1.1.c
    srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
    stigid@rhel7: "030560"

ocil: |-
    To verify that execution of the command is being audited, run the following command:
    $ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/*
    The output should return something similar to:
    -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setfiles.rule
documentation_complete: true

prodtype: rhel7

title: 'Record Any Attempts to Run setfiles'

description: |-
    At a minimum, the audit system should collect any execution attempt
    of the setfiles command for all users and root. If the auditd
    daemon is configured to use the augenrules program to read audit
    rules during daemon startup (the default), add the following line to a
    file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    If the auditd daemon is configured to use the auditctl utility to
    read audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
    -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by
    authorized users, or by unauthorized external entities that have compromised
    system accounts, is a serious and ongoing concern and can have significant
    adverse impacts on organizations. Auditing the use of privileged functions
    is one way to detect such misuse and identify the risk from insider and
    advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which
    attempt to subvert their normal role of providing some necessary but limited
    capability. As such, motivation exists to monitor these programs for unusual
    activity.

severity: medium

identifiers:
    cce@rhel7: RHEL7-CCE-TBD

references:
    disa: 172,2884
    srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
    stigid@rhel7: "030590"

ocil: |-
    To verify that execution of the command is being audited, run the following command:
    $ sudo grep "path=/usr/sbin/setfiles" /etc/audit/audit.rules /etc/audit/rules.d/*
    The output should return something similar to:
    -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_setsebool.rule
documentation_complete: true

prodtype: rhel7

title: 'Record Any Attempts to Run setsebool'

description: |-
    At a minimum, the audit system should collect any execution attempt
    of the setsebool command for all users and root. If the auditd
    daemon is configured to use the augenrules program to read audit
    rules during daemon startup (the default), add the following line to a
    file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
    If the auditd daemon is configured to use the auditctl utility to
    read audit rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
    -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by
    authorized users, or by unauthorized external entities that have compromised
    system accounts, is a serious and ongoing concern and can have significant
    adverse impacts on organizations. Auditing the use of privileged functions
    is one way to detect such misuse and identify the risk from insider and
    advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which
    attempt to subvert their normal role of providing some necessary but limited
    capability. As such, motivation exists to monitor these programs for unusual
    activity.

severity: medium

identifiers:
    cce@rhel7: 80392-4

references:
    cui: 3.1.7
    disa: 172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-12(c)
    ospp@rhel7: FAU_GEN.1.1.c
    srg: SRG-OS-000392-GPOS-00172,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209
    stigid@rhel7: "030570"

ocil: |-
    To verify that execution of the command is being audited, run the following command:
    $ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/*
    The output should return something similar to:
    -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
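The four SELinux-management rules above share one shape: an always,exit rule keyed on the binary's path with perm=x and the two auid filters. The ocil check in each rule greps only for the path, so a rule that names the binary but drops the auid filters (or perm=x) would pass that grep while still not implementing the control as written. The following POSIX shell check is an added example, not SCAP Security Guide code: it parses every always,exit rule field by field and accepts the rule only when all four filters are present, then reports which of the four commands lack a complete rule. The sample rules file is constructed for the example; on a real host you would pass /etc/audit/audit.rules and /etc/audit/rules.d/*.rules instead.

```shell
#!/bin/sh
# Added example (not SSG code): verify that privileged-command audit rules
# carry every filter the control requires, not merely the binary's path.
# Rule files are passed as arguments; on a live system use
# /etc/audit/audit.rules /etc/audit/rules.d/*.rules.

# Return 0 when some always,exit rule in the given files names CMD via
# -F path=CMD and also carries perm=x, auid>=1000 and auid!=4294967295
# (or the equivalent auid!=-1 / auid!=unset spellings); otherwise 1.
audit_exec_rule_present() {
    cmd="$1"; shift
    awk -v cmd="$cmd" '
    $1 == "-a" && $2 == "always,exit" {
        path = 0; perm = 0; ge = 0; ne = 0
        # Fields may appear in any order, so test each -F value individually.
        for (i = 3; i < NF; i++) {
            if ($i != "-F") continue
            f = $(i + 1)
            if (f == ("path=" cmd)) path = 1
            else if (f == "perm=x") perm = 1
            else if (f == "auid>=1000") ge = 1
            else if (f == "auid!=4294967295" || f == "auid!=-1" || f == "auid!=unset") ne = 1
        }
        if (path && perm && ge && ne) { found = 1; exit }
    }
    END { if (found) exit 0; exit 1 }' "$@"
}

# Print "missing: ..." for the SELinux management commands in this guide
# section that have no complete rule; return 1 if any is missing, else 0.
audit_selinux_cmds_missing() {
    missing=""
    for cmd in /usr/sbin/restorecon /usr/sbin/semanage /usr/sbin/setfiles /usr/sbin/setsebool; do
        audit_exec_rule_present "$cmd" "$@" || missing="$missing $cmd"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Constructed sample rules file (not any real system's configuration):
# semanage has the full rule, setsebool lacks the auid filters, and
# restorecon and setfiles have no rule at all.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F key=privileged-priv_change
-w /etc/selinux/ -p wa -k MAC-policy
EOF

# Standalone run: prints "missing: /usr/sbin/restorecon /usr/sbin/setfiles /usr/sbin/setsebool".
if audit_selinux_cmds_missing "$SAMPLE_RULES"; then
    echo "all SELinux management commands are audited"
fi
```

The check deliberately ignores the key value, since sites may key these rules differently; it is the auid filters that distinguish "audit real users' invocations" from "audit everything, including daemons", which is what the rationale above asks for.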
# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_file_deletion_events.group
documentation_complete: true

title: 'Record File Deletion Events by User'

description: |-
    At a minimum, the audit system should collect file deletion events
    for all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the
    default), add the following line to a file with suffix .rules in the
    directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
    If the auditd daemon is configured to use the auditctl utility to
    read audit rules during daemon startup, add the following line to
    /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure auditd Collects File Deletion Events by User'

description: |-
    At a minimum, the audit system should collect file deletion events
    for all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the
    default), add the following line to a file with suffix .rules in the
    directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
    If the auditd daemon is configured to use the auditctl utility to
    read audit rules during daemon startup, add the following line to
    /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
rationale: |-
    Auditing file deletions will create an audit trail for files that are removed
    from the system. The audit trail could aid in system troubleshooting, as well
    as detecting malicious processes that attempt to delete log files to conceal
    their presence.

severity: medium

identifiers:
    cce@rhel7: 27206-2

references:
    cis: 5.2.14
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 366,172,2884
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.7

ocil: |-

# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename.rule
documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects File Deletion Events by User - rename'

description: |-
    At a minimum, the audit system should collect file deletion events
    for all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the
    default), add the following line to a file with suffix .rules in the
    directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete
    If the auditd daemon is configured to use the auditctl utility to
    read audit rules during daemon startup, add the following line to
    /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=4294967295 -F key=delete
rationale: |-
    Auditing file deletions will create an audit trail for files that are removed
    from the system. The audit trail could aid in system troubleshooting, as well
    as detecting malicious processes that attempt to delete log files to conceal
    their presence.

severity: medium

identifiers:
    cce@rhel7: 27206-2

references:
    cis: 5.2.14
    cui: 3.1.7
    disa: 366,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5,MA-4(1)(a)
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.7
    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
    stigid@rhel7: "030880"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat.rule
documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects File Deletion Events by User - renameat'

description: |-
    At a minimum, the audit system should collect file deletion events
    for all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the
    default), add the following line to a file with suffix .rules in the
    directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
    If the auditd daemon is configured to use the auditctl utility to
    read audit rules during daemon startup, add the following line to
    /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
rationale: |-
    Auditing file deletions will create an audit trail for files that are removed
    from the system. The audit trail could aid in system troubleshooting, as well
    as detecting malicious processes that attempt to delete log files to conceal
    their presence.

severity: medium

identifiers:
    cce@rhel7: 80413-8

references:
    cis: 5.2.14
    cui: 3.1.7
    disa: 366,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5,MA-4(1)(a)
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.7
    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
    stigid@rhel7: "030890"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir.rule
documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects File Deletion Events by User - rmdir'

description: |-
    At a minimum, the audit system should collect file deletion events
    for all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the
    default), add the following line to a file with suffix .rules in the
    directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete
    If the auditd daemon is configured to use the auditctl utility to
    read audit rules during daemon startup, add the following line to
    /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=4294967295 -F key=delete
rationale: |-
    Auditing file deletions will create an audit trail for files that are removed
    from the system. The audit trail could aid in system troubleshooting, as well
    as detecting malicious processes that attempt to delete log files to conceal
    their presence.

severity: medium

identifiers:
    cce@rhel7: 80412-0

references:
    cis: 5.2.14
    cui: 3.1.7
    disa: 366,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5,MA-4(1)(a)
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.7
    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
    stigid@rhel7: "030900"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink.rule
documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects File Deletion Events by User - unlink'

description: |-
    At a minimum, the audit system should collect file deletion events
    for all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the
    default), add the following line to a file with suffix .rules in the
    directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete
    If the auditd daemon is configured to use the auditctl utility to
    read audit rules during daemon startup, add the following line to
    /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=4294967295 -F key=delete
rationale: |-
    Auditing file deletions will create an audit trail for files that are removed
    from the system. The audit trail could aid in system troubleshooting, as well
    as detecting malicious processes that attempt to delete log files to conceal
    their presence.

severity: medium

identifiers:
    cce@rhel7: 27206-2

references:
    cis: 5.2.14
    cui: 3.1.7
    disa: 366,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5,MA-4(1)(a)
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.7
    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
    stigid@rhel7: "030910"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat.rule
documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects File Deletion Events by User - unlinkat'

description: |-
    At a minimum, the audit system should collect file deletion events
    for all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the
    default), add the following line to a file with suffix .rules in the
    directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete
    If the auditd daemon is configured to use the auditctl utility to
    read audit rules during daemon startup, add the following line to
    /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
    appropriate for your system:
    -a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=4294967295 -F key=delete
rationale: |-
    Auditing file deletions will create an audit trail for files that are removed
    from the system. The audit trail could aid in system troubleshooting, as well
    as detecting malicious processes that attempt to delete log files to conceal
    their presence.

severity: medium

identifiers:
    cce@rhel7: 27206-2

references:
    cis: 5.2.14
    cui: 3.1.7
    disa: 366,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5,MA-4(1)(a)
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.7
    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
    stigid@rhel7: "030920"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_kernel_module_loading.group
documentation_complete: true

title: 'Record Information on Kernel Modules Loading and Unloading'

description: |-
    To capture kernel module loading and unloading events, use the following
    lines, setting ARCH to b32 on a 32-bit system, or adding the syscall line
    twice, once with b32 and once with b64, on a 64-bit system:
    -w /usr/sbin/insmod -p x -k modules
    -w /usr/sbin/rmmod -p x -k modules
    -w /usr/sbin/modprobe -p x -k modules
    -a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
    Where to add the lines depends on how the auditd daemon is configured. If
    it is configured to use the augenrules program (the default), add the lines
    to a file with suffix .rules in the directory /etc/audit/rules.d. If the
    auditd daemon is configured to use the auditctl utility, add the lines to
    the file /etc/audit/audit.rules.
# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading'

description: |-
    To capture kernel module loading and unloading events, use the following
    lines, setting ARCH to b32 on a 32-bit system, or adding the syscall line
    twice, once with b32 and once with b64, on a 64-bit system:
    -w /usr/sbin/insmod -p x -k modules
    -w /usr/sbin/rmmod -p x -k modules
    -w /usr/sbin/modprobe -p x -k modules
    -a always,exit -F arch=ARCH -S init_module,delete_module -F key=modules
    Where to add the lines depends on how the auditd daemon is configured. If
    it is configured to use the augenrules program (the default), add the lines
    to a file with suffix .rules in the directory /etc/audit/rules.d. If the
    auditd daemon is configured to use the auditctl utility, add the lines to
    the file /etc/audit/audit.rules.

rationale: |-
    The addition/removal of kernel modules can be used to alter the behavior of
    the kernel and potentially introduce malicious code into kernel space. It is
    important to have an audit trail of modules that have been introduced into
    the kernel.

severity: medium

identifiers:
    cce@rhel7: 27129-6

references:
    cis: 5.2.17
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 172
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.2.7

ocil: |-

# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_create.rule
documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on Kernel Module Loading - create_module'

description: |-
    To capture kernel module loading events, use the following line, setting
    ARCH to b32 on a 32-bit system, or adding the line twice, once with b32
    and once with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -S create_module -F key=modules
    Where to add the line depends on how the auditd daemon is configured. If
    it is configured to use the augenrules program (the default), add the line
    to a file with suffix .rules in the directory /etc/audit/rules.d. If the
    auditd daemon is configured to use the auditctl utility, add the line to
    the file /etc/audit/audit.rules.

rationale: |-
    The addition of kernel modules can be used to alter the behavior of the
    kernel and potentially introduce malicious code into kernel space. It is
    important to have an audit trail of modules that have been introduced into
    the kernel.

severity: medium

identifiers:
    cce@rhel7: RHEL7-CCE-TBD

references:
    disa: 172
    srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
    stigid@rhel7: "030819"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete.rule
documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on Kernel Module Unloading - delete_module'

description: |-
    To capture kernel module unloading events, use the following line, setting
    ARCH to b32 on a 32-bit system, or adding the line twice, once with b32
    and once with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -S delete_module -F key=modules
    Where to add the line depends on how the auditd daemon is configured. If
    it is configured to use the augenrules program (the default), add the line
    to a file with suffix .rules in the directory /etc/audit/rules.d. If the
    auditd daemon is configured to use the auditctl utility, add the line to
    the file /etc/audit/audit.rules.

rationale: |-
    The removal of kernel modules can be used to alter the behavior of the
    kernel and potentially introduce malicious code into kernel space. It is
    important to have an audit trail of modules that have been introduced into
    the kernel.

severity: medium

identifiers:
    cce@rhel7: 80415-3

references:
    cis: 5.2.17
    cui: 3.1.7
    disa: 172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.7
    srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
    stigid@rhel7: "030830"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit.rule
documentation_complete: true

title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module'

description: |-
    If the auditd daemon is configured to use the augenrules program
    to read audit rules during daemon startup (the default), add the following
    line to a file with suffix .rules in the directory /etc/audit/rules.d
    to capture kernel module loading and unloading events, setting ARCH to
    either b32 or b64 as appropriate for your system:
    -a always,exit -F arch=ARCH -S finit_module -F key=modules
    If the auditd daemon is configured to use the auditctl utility to
    read audit rules during daemon startup, add the following line to
    /etc/audit/audit.rules file in order to capture kernel module loading
    and unloading events, setting ARCH to either b32 or b64 as appropriate
    for your system:
    -a always,exit -F arch=ARCH -S finit_module -F key=modules
rationale: |-
    The addition/removal of kernel modules can be used to alter the behavior of
    the kernel and potentially introduce malicious code into kernel space. It is
    important to have an audit trail of modules that have been introduced into
    the kernel.

severity: medium

identifiers:
    cce@rhel7: 80547-3

references:
    cis: 5.2.17
    cui: 3.1.7
    disa: 172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.7
    srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
    stigid@rhel7: "030821"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init.rule
documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on Kernel Module Loading - init_module'

description: |-
    To capture kernel module loading events, use the following line, setting
    ARCH to b32 on a 32-bit system, or adding the line twice, once with b32
    and once with b64, on a 64-bit system:
    -a always,exit -F arch=ARCH -S init_module -F key=modules
    Where to add the line depends on how the auditd daemon is configured. If
    it is configured to use the augenrules program (the default), add the line
    to a file with suffix .rules in the directory /etc/audit/rules.d. If the
    auditd daemon is configured to use the auditctl utility, add the line to
    the file /etc/audit/audit.rules.

rationale: |-
    The addition of kernel modules can be used to alter the behavior of the
    kernel and potentially introduce malicious code into kernel space. It is
    important to have an audit trail of modules that have been introduced into
    the kernel.

severity: medium

identifiers:
    cce@rhel7: 80414-6

references:
    cis: 5.2.17
    cui: 3.1.7
    disa: 172
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.7
    srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
    stigid@rhel7: "030820"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_insmod.rule
documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on Kernel Module Loading - insmod'

description: |-
    To capture invocation of insmod, the utility used to insert modules into
    the kernel, use the following line:
    -w /usr/sbin/insmod -p x -k modules
    Where to add the line depends on how the auditd daemon is configured. If
    it is configured to use the augenrules program (the default), add the line
    to a file with suffix .rules in the directory /etc/audit/rules.d. If the
    auditd daemon is configured to use the auditctl utility, add the line to
    the file /etc/audit/audit.rules.

rationale: |-
    The addition of kernel modules can be used to alter the behavior of the
    kernel and potentially introduce malicious code into kernel space. It is
    important to have an audit trail of modules that have been introduced into
    the kernel.

severity: medium

identifiers:
    cce@rhel7: 80446-8

references:
    cis: 5.2.17
    cui: 3.1.7
    disa: 172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.7
    srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
    stigid@rhel7: "030840"

ocil_clause: 'there is no output'

ocil: |-
    To verify that auditing is configured for system administrator actions, run the following command:
    $ sudo auditctl -l | grep "watch=/usr/sbin/insmod"
# scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_modprobe.rule
documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on Kernel Module Loading and Unloading - modprobe'

description: |-
    To capture invocation of modprobe, the utility used to insert modules into
    and remove them from the kernel, add the following line:
    -w /usr/sbin/modprobe -p x -k modules
    Where to add the line depends on how the auditd daemon is configured. If
    it is configured to use the augenrules program (the default), add the line
    to a file with suffix .rules in the directory /etc/audit/rules.d. If the
    auditd daemon is configured to use the auditctl utility, add the line to
    the file /etc/audit/audit.rules.

rationale: |-
    The addition/removal of kernel modules can be used to alter the behavior of
    the kernel and potentially introduce malicious code into kernel space. It is
    important to have an audit trail of modules that have been introduced into
    the kernel.

severity: medium

identifiers:
    cce@rhel7: 80417-9

references:
    cis: 5.2.17
    cui: 3.1.7
    disa: 172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.7
    srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
    stigid@rhel7: "030860"

ocil_clause: 'there is no output'

ocil: |-
    To verify that auditing is configured for system administrator actions, run the following command:
    $ sudo auditctl -l | grep "watch=/usr/sbin/modprobe"
# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_rmmod.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on Kernel Module Unloading - rmmod'

description: |-
    To capture invocations of rmmod, the utility used to remove kernel modules, add the following line:
    -w /usr/sbin/rmmod -p x -k modules
    Where to add the line depends on how the auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to the file /etc/audit/audit.rules.

rationale: |-
    The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.

severity: medium

identifiers:
    cce@rhel7: 80416-1

references:
    cis: 5.2.17
    cui: 3.1.7
    disa: 172
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.7
    srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
    stigid@rhel7: "030850"

ocil_clause: 'there is not output'

ocil: |-
    To verify that auditing is configured for kernel module unloading, run the following command:
    $ sudo auditctl -l | grep "watch=/usr/sbin/rmmod"
# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_login_events.group

documentation_complete: true

title: 'Record Attempts to Alter Logon and Logout Events'

description: |-
    The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
    -w /var/log/tallylog -p wa -k logins
    -w /var/run/faillock/ -p wa -k logins
    -w /var/log/lastlog -p wa -k logins
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
    -w /var/log/tallylog -p wa -k logins
    -w /var/run/faillock/ -p wa -k logins
    -w /var/log/lastlog -p wa -k logins
# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events.rule

documentation_complete: true

title: 'Record Attempts to Alter Logon and Logout Events'

description: |-
    The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
    -w /var/log/tallylog -p wa -k logins
    -w /var/run/faillock/ -p wa -k logins
    -w /var/log/lastlog -p wa -k logins
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
    -w /var/log/tallylog -p wa -k logins
    -w /var/run/faillock/ -p wa -k logins
    -w /var/log/lastlog -p wa -k logins
rationale: |-
    Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

severity: medium

identifiers:
    cce@rhel7: 27204-7

references:
    cis: 5.2.8
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 172,2884
    nist: AC-17(7),AU-1(b),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.2.3

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Attempts to Alter Logon and Logout Events - faillock'

description: |-
    The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
    -w /var/run/faillock/ -p wa -k logins
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
    -w /var/run/faillock/ -p wa -k logins

rationale: |-
    Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

severity: medium

identifiers:
    cce@rhel7: 80383-3

references:
    cis: 5.2.8
    cui: 3.1.7
    disa: 172,2884,126
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.3
    srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218
    stigid@rhel7: "030610"

ocil_clause: 'there is not output'

ocil: |-
    To verify that auditing is configured for attempts to alter the logon event files, run the following command:
    $ sudo auditctl -l | grep "watch=/var/log/faillock"
# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Attempts to Alter Logon and Logout Events - lastlog'

description: |-
    The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
    -w /var/log/lastlog -p wa -k logins
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
    -w /var/log/lastlog -p wa -k logins

rationale: |-
    Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

severity: medium

identifiers:
    cce@rhel7: 80384-1

references:
    cis: 5.2.8
    cui: 3.1.7
    disa: 172,2884,126
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.3
    srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218
    stigid@rhel7: "030620"

ocil_clause: 'there is not output'

ocil: |-
    To verify that auditing is configured for attempts to alter the logon event files, run the following command:
    $ sudo auditctl -l | grep "watch=/var/log/lastlog"
# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Attempts to Alter Logon and Logout Events - tallylog'

description: |-
    The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
    -w /var/log/tallylog -p wa -k logins
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing logon events:
    -w /var/log/tallylog -p wa -k logins

rationale: |-
    Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

severity: medium

identifiers:
    cce@rhel7: 80382-5

references:
    cis: 5.2.8
    cui: 3.1.7
    disa: 172,2884,126
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.3
    srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218
    stigid@rhel7: "030600"

ocil_clause: 'there is not output'

ocil: |-
    To verify that auditing is configured for attempts to alter the logon event files, run the following command:
    $ sudo auditctl -l | grep "watch=/var/log/tallylog"
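The kernel-module and logon-event rules above all have the same shape, a `-w PATH -p PERMS -k KEY` file watch, and the guide's checks verify that such a line is present. The following is an added example of that check, written for this page and not code from scap-security-guide (whose own checks are OVAL). It parses the watch syntax, normalizes trailing slashes (`/var/run/faillock/`) and permission ordering (`-p aw` equals `-p wa`), skips control lines such as `-D`, `-b` and `-e`, and reports required watches that are absent or carry too few permission bits. Going beyond the watch rules, it also parses the `-a always,exit -F path=... -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged` form that this guide uses for privileged commands, so the same parser can confirm that every setuid/setgid program has a complete rule. `SAMPLE_RULES` is constructed input standing in for /etc/audit/rules.d/*.rules; `REQUIRED_WATCHES`, `missing_watches` and `unaudited_privileged` are names chosen for this example.

```python
"""Coverage check for auditd file-watch and privileged-command rules.

Added example, not code from scap-security-guide. SAMPLE_RULES is constructed
input standing in for /etc/audit/rules.d/*.rules.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# -F filters look like name<op>value, e.g. auid>=1000 or path=/usr/bin/chage
_FILTER_RE = re.compile(r'^([a-z_]+)(>=|<=|!=|=|>|<)(.*)$')


@dataclass
class AuditRule:
    path: str                   # watched path, trailing '/' removed
    perms: frozenset            # subset of {'r', 'w', 'x', 'a'}
    key: Optional[str]          # from -k KEY or -F key=KEY
    filters: Dict[str, str] = field(default_factory=dict)  # other -F filters, keyed by name+op


def _norm(path: str) -> str:
    return path.rstrip('/') or '/'


def parse_rule(line: str) -> Optional[AuditRule]:
    """Parse one rules-file line; None for comments, blank lines and lines that
    name no path (control options like -D/-b/-e, or syscall rules using -S)."""
    line = line.split('#', 1)[0].strip()
    if not line:
        return None
    argv = shlex.split(line)
    path = key = None
    perms = set()
    filters: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        opt = argv[i]
        arg = argv[i + 1] if i + 1 < len(argv) else ''
        if opt == '-w':
            path = _norm(arg)
        elif opt == '-p':
            perms.update(arg)       # '-p aw' and '-p wa' give the same set
        elif opt == '-k':
            key = arg
        elif opt == '-F':
            m = _FILTER_RE.match(arg)
            if not m:
                raise ValueError('malformed filter: %r' % arg)
            name, op, value = m.groups()
            if name == 'path':
                path = _norm(value)
            elif name == 'perm':
                perms.update(value)
            elif name == 'key':
                key = value
            else:
                filters[name + op] = value
        elif opt != '-a':           # '-a always,exit' carries no path information
            return None
        i += 2
    if path is None:
        return None
    return AuditRule(path, frozenset(perms), key, filters)


def parse_rules(text: str) -> List[AuditRule]:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def missing_watches(rules: Sequence[AuditRule],
                    required: Sequence[Tuple[str, str, str]]) -> List[str]:
    """Paths from `required` (path, perms, key) that no rule covers: a rule covers
    a requirement when the path matches, every required permission bit is
    present, and the key matches."""
    return [path for path, perms, key in required
            if not any(r.path == _norm(path) and set(perms) <= r.perms and r.key == key
                       for r in rules)]


# Filters the guide requires on each privileged-command rule, besides perm=x and key=privileged
PRIVILEGED_FILTERS = {'auid>=': '1000', 'auid!=': '4294967295'}


def unaudited_privileged(rules: Sequence[AuditRule], programs: Sequence[str]) -> List[str]:
    """Setuid/setgid programs (as listed by the find command in the guide) that
    lack a complete '-a always,exit -F path=PROG -F perm=x ... -F key=privileged' rule."""
    covered = {r.path for r in rules
               if 'x' in r.perms and r.key == 'privileged'
               and all(r.filters.get(k) == v for k, v in PRIVILEGED_FILTERS.items())}
    return [p for p in programs if _norm(p) not in covered]


SAMPLE_RULES = """\
## constructed sample, standing in for /etc/audit/rules.d/*.rules
-D
-b 8192
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p aw -k logins
-w /var/log/lastlog -p w -k logins
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F key=privileged
-e 2
"""

REQUIRED_WATCHES = [
    ('/usr/sbin/insmod', 'x', 'modules'),
    ('/usr/sbin/rmmod', 'x', 'modules'),
    ('/usr/sbin/modprobe', 'x', 'modules'),
    ('/var/log/tallylog', 'wa', 'logins'),
    ('/var/run/faillock/', 'wa', 'logins'),
    ('/var/log/lastlog', 'wa', 'logins'),
]

if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    print('watches missing or too narrow:', missing_watches(rules, REQUIRED_WATCHES))
    print('privileged programs not fully audited:',
          unaudited_privileged(rules, ['/usr/bin/chage', '/usr/bin/passwd', '/usr/bin/crontab']))
```

On the sample, `/var/log/lastlog` is reported because its watch only has `w` where the guide asks for `wa`, and `/usr/bin/passwd` is reported because its rule lacks the `auid!=4294967295` filter. On audit 2.x (RHEL 7) `auditctl -l` prints loaded rules in this same `-w`/`-a` syntax rather than the older `watch=` form, so the parser can be pointed at that output as well as at the rules files when confirming what the kernel actually has loaded.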
# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_privileged_commands.group

documentation_complete: true

title: 'Record Information on the Use of Privileged Commands'

description: |-
    At a minimum, the audit system should collect the execution of privileged commands for all users and root.

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands.rule

documentation_complete: true

title: 'Ensure auditd Collects Information on the Use of Privileged Commands'

description: |-
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:
    $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
    If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
    -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:
    -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

severity: medium

identifiers:
    cce@rhel7: 27437-3

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 2234
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-2(4),AU-6(9),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.2.2
    srg: SRG-OS-000327-GPOS-00127
    stigid@rhel7: "030360"

ocil_clause: 'it is not the case'

ocil: |-
    To verify that auditing of privileged command use is configured, run the following command for each local partition PART to find the relevant setuid / setgid programs:
    $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
    Run the following command to verify entries in the audit rules for all programs found with the previous command:
    $ sudo grep path /etc/audit/audit.rules
    It should be the case that all relevant setuid / setgid programs have a line in the audit rules.

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on the Use of Privileged Commands - chage'

description: |-
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
    -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

severity: medium

identifiers:
    cce@rhel7: 80398-1

references:
    cui: 3.1.7
    disa: 135,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-3(1),AU-12(c)
    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
    stigid@rhel7: "030660"

ocil_clause: 'it is not the case'

ocil: |-
    To verify that auditing of privileged command use is configured, run the following command:
    $ sudo grep chage /etc/audit/audit.rules /etc/audit/rules.d/*
    It should return a relevant line in the audit rules.

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on the Use of Privileged Commands - chsh'

description: |-
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
    -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

severity: medium

identifiers:
    cce@rhel7: 80404-7

references:
    cui: 3.1.7
    disa: 135,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-3(1),AU-12(c)
    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
    stigid@rhel7: "030720"

ocil_clause: 'it is not the case'

ocil: |-
    To verify that auditing of privileged command use is configured, run the following command:
    $ sudo grep chsh /etc/audit/audit.rules /etc/audit/rules.d/*
    It should return a relevant line in the audit rules.

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on the Use of Privileged Commands - crontab'

description: |-
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
    -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

severity: medium

identifiers:
    cce@rhel7: 80410-4

references:
    cui: 3.1.7
    disa: 135,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-3(1),AU-12(c)
    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
    stigid@rhel7: "030800"

ocil_clause: 'it is not the case'

ocil: |-
    To verify that auditing of privileged command use is configured, run the following command:
    $ sudo grep crontab /etc/audit/audit.rules /etc/audit/rules.d/*
    It should return a relevant line in the audit rules.

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd'

description: |-
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
    -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

severity: medium

identifiers:
    cce@rhel7: 80397-3

references:
    cui: 3.1.7
    disa: 135,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-3(1),AU-12(c)
    ospp@rhel7: FAU_GEN.1.1.c
    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
    stigid@rhel7: "030650"

ocil_clause: 'it is not the case'

ocil: |-
    To verify that auditing of privileged command use is configured, run the following command:
    $ sudo grep gpasswd /etc/audit/audit.rules /etc/audit/rules.d/*
    It should return a relevant line in the audit rules.

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on the Use of Privileged Commands - newgrp'

description: |-
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
    -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

severity: medium

identifiers:
    cce@rhel7: 80403-9

references:
    cui: 3.1.7
    disa: 135,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-3(1),AU-12(c)
    ospp@rhel7: FAU_GEN.1.1.c
    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
    stigid@rhel7: "030710"

ocil_clause: 'it is not the case'

ocil: |-
    To verify that auditing of privileged command use is configured, run the following command:
    $ sudo grep newgrp /etc/audit/audit.rules /etc/audit/rules.d/*
    It should return a relevant line in the audit rules.

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check'

description: |-
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
    -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

severity: medium

identifiers:
    cce@rhel7: 80411-2

references:
    cui: 3.1.7
    disa: 135,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-3(1),AU-12(c)
    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
    stigid@rhel7: "030810"

ocil_clause: 'it is not the case'

ocil: |-
    To verify that auditing of privileged command use is configured, run the following command:
    $ sudo grep pam_timestamp_check /etc/audit/audit.rules /etc/audit/rules.d/*
    It should return a relevant line in the audit rules.

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on the Use of Privileged Commands - passwd'

description: |-
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
    -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

severity: medium

identifiers:
    cce@rhel7: 80395-7

references:
    cui: 3.1.7
    disa: 135,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-3(1),AU-12(c)
    ospp@rhel7: FAU_GEN.1.1.c
    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
    stigid@rhel7: "030630"

ocil_clause: 'it is not the case'

ocil: |-
    To verify that auditing of privileged command use is configured, run the following command:
    $ sudo grep passwd /etc/audit/audit.rules /etc/audit/rules.d/*
    It should return a relevant line in the audit rules.

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postdrop.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on the Use of Privileged Commands - postdrop'

description: |-
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
    If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
    -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

rationale: |-
    Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

    Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.

severity: medium

identifiers:
    cce@rhel7: 80406-2

references:
    cui: 3.1.7
    disa: 135,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-3(1),AU-12(c)
    srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
    stigid@rhel7: "030760"

ocil_clause: 'it is not the case'

ocil: |-
    To verify that auditing of privileged command use is configured, run the following command:
    $ sudo grep postdrop /etc/audit/audit.rules /etc/audit/rules.d/*
    It should return a relevant line in the audit rules.

# file: scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_postqueue.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure auditd Collects Information on the Use of Privileged Commands - postqueue'

description: |-
    At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. severity: medium identifiers: cce@rhel7: 80407-0 references: cui: 3.1.7 disa: 135,172,2884 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AU-3(1),AU-12(c) srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 stigid@rhel7: "030770" ocil_clause: 'it is not the case' ocil: |- To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep postqueue /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. audit_rules_privileged_commands_pt_chown.rule000066400000000000000000000042411327242345500462510ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commandsdocumentation_complete: true prodtype: rhel7 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown' description: |- At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. severity: medium identifiers: cce@rhel7: 80409-6 references: cui: 3.1.7 disa: 135,172,2884 nist: AU-3(1),AU-12(c) srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 ocil_clause: 'it is not the case' ocil: |- To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep pt_chown /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. audit_rules_privileged_commands_ssh_keysign.rule000066400000000000000000000045571327242345500467700ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commandsdocumentation_complete: true prodtype: rhel7 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign' description: |- At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/key-sign -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. severity: medium identifiers: cce@rhel7: 80408-8 references: cui: 3.1.7 disa: 135,172,2884 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AU-3(1),AU-12(c) ospp@rhel7: FAU_GEN.1.1.c srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 stigid@rhel7: "030780" ocil_clause: 'it is not the case' ocil: |- To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep ssh-keysign /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. audit_rules_privileged_commands_su.rule000066400000000000000000000044661327242345500450700ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commandsdocumentation_complete: true prodtype: rhel7 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - su' description: |- At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. severity: medium identifiers: cce@rhel7: 80400-5 references: cui: 3.1.7 disa: 135,172,2884 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AU-3(1),AU-12(c) ospp@rhel7: FAU_GEN.1.1.c srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 stigid@rhel7: "030680" ocil_clause: 'it is not the case' ocil: |- To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep su /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. audit_rules_privileged_commands_sudo.rule000066400000000000000000000044761327242345500454140ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commandsdocumentation_complete: true prodtype: rhel7 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sudo' description: |- At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. severity: medium identifiers: cce@rhel7: 80401-3 references: cui: 3.1.7 disa: 135,172,2884 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AU-3(1),AU-12(c) ospp@rhel7: FAU_GEN.1.1.c srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 stigid@rhel7: "030690" ocil_clause: 'it is not the case' ocil: |- To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep sudo /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. audit_rules_privileged_commands_sudoedit.rule000066400000000000000000000045161327242345500462550ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commandsdocumentation_complete: true prodtype: rhel7 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit' description: |- At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. severity: medium identifiers: cce@rhel7: 80402-1 references: cui: 3.1.7 disa: 135,172,2884 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AU-3(1),AU-12(c) ospp@rhel7: FAU_GEN.1.1.c srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 stigid@rhel7: "030730" ocil_clause: 'it is not the case' ocil: |- To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep sudoedit /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. audit_rules_privileged_commands_umount.rule000066400000000000000000000044501327242345500457610ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commandsdocumentation_complete: true prodtype: rhel7 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - umount' description: |- At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. severity: medium identifiers: cce@rhel7: 80405-4 references: cui: 3.1.7 disa: 135,172,2884 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AU-3(1),AU-12(c) srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 stigid@rhel7: "030750" ocil_clause: 'it is not the case' ocil: |- To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep umount /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. audit_rules_privileged_commands_unix_chkpwd.rule000066400000000000000000000045321327242345500467560ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commandsdocumentation_complete: true prodtype: rhel7 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd' description: |- At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. severity: medium identifiers: cce@rhel7: 80396-5 references: cui: 3.1.7 disa: 135,172,2884 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AU-3(1),AU-12(c) ospp@rhel7: FAU_GEN.1.1.c srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 stigid@rhel7: "030640" ocil_clause: 'it is not the case' ocil: |- To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep unix_chkpwd /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. audit_rules_privileged_commands_userhelper.rule000066400000000000000000000045261327242345500466140ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_privileged_commandsdocumentation_complete: true prodtype: rhel7 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - userhelper' description: |- At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
rationale: |- Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threast.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. severity: medium identifiers: cce@rhel7: 80399-9 references: cui: 3.1.7 disa: 135,172,2884 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AU-3(1),AU-12(c) ospp@rhel7: FAU_GEN.1.1.c srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 stigid@rhel7: "030670" ocil_clause: 'it is not the case' ocil: |- To verify that auditing of privileged command use is configured, run the following command:
$ sudo grep userhelper /etc/audit/audit.rules /etc/audit/rules.d/*
It should return a relevant line in the audit rules. audit_rules_immutable.rule000066400000000000000000000026051327242345500351150ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rulesdocumentation_complete: true prodtype: rhel7,fedora title: 'Make the auditd Configuration Immutable' description: |- If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:
-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable:
-e 2
With this setting, a reboot will be required to change any audit rules. rationale: |- Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation severity: medium identifiers: cce@rhel7: 27097-5 references: cis: 4.1.18 cjis: 5.4.1.1 cui: 3.3.1,3.4.3 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.310(a)(2)(iv),164.312(d),164.310(d)(2)(iii),164.312(b),164.312(e) nist: AC-6,AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5 pcidss: Req-10.5.2 audit_rules_mac_modification.rule000066400000000000000000000033311327242345500364200ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rulesdocumentation_complete: true prodtype: rhel7,fedora title: 'Record Events that Modify the System''s Mandatory Access Controls' description: |- If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
rationale: |- The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited. severity: unknown identifiers: cce@rhel7: 27168-4 references: cis: 5.2.7 cjis: 5.4.1.1 cui: 3.1.8 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 ospp@rhel7: FAU_GEN.1.1.c pcidss: Req-10.5.5 ocil_clause: 'the system is not configured to audit attempts to change the MAC policy' ocil: |- To determine if the system is configured to audit changes to its SELinux configuration files, run the following command:
$ sudo auditctl -l | grep "dir=/etc/selinux"
If the system is configured to watch for changes to its SELinux configuration, a line should be returned (including perm=wa indicating permissions that are watched). audit_rules_media_export.rule000066400000000000000000000040231327242345500356120ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rulesdocumentation_complete: true prodtype: rhel7,fedora title: 'Ensure auditd Collects Information on Exporting to Media (successful)' description: |- At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
rationale: |- The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. severity: medium identifiers: cce@rhel7: 27447-2 references: cis: 5.2.13 cjis: 5.4.1.1 cui: 3.1.7 disa: 135,2884 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-3(1),AU-12(a),AU-12(c),IR-5 pcidss: Req-10.2.7 srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172 stigid@rhel7: "030740" ocil_clause: 'there is not output' ocil: |- To verify that auditing is configured for all media exportation events, run the following command:
$ sudo auditctl -l | grep syscall | grep mount
audit_rules_networkconfig_modification.rule000066400000000000000000000047741327242345500405530ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rulesdocumentation_complete: true prodtype: rhel7,fedora title: 'Record Events that Modify the System''s Network Environment' description: |- If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
    -w /etc/issue -p wa -k audit_rules_networkconfig_modification
    -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
    -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
    -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
    -w /etc/issue -p wa -k audit_rules_networkconfig_modification
    -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
    -w /etc/hosts -p wa -k audit_rules_networkconfig_modification
    -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
rationale: |- The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited. severity: unknown identifiers: cce@rhel7: 27076-9 references: cis: 5.2.6 cjis: 5.4.1.1 cui: 3.1.7 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 pcidss: Req-10.5.5 ocil_clause: 'the system is not configured to audit changes of the network configuration' ocil: |- To determine if the system is configured to audit changes to its network configuration, run the following command:
auditctl -l | egrep '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'
If the system is configured to watch for network configuration changes, a line should be returned for each file specified (and perm=wa should be indicated for each). audit_rules_session_events.rule000066400000000000000000000032101327242345500361760ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rulesdocumentation_complete: true prodtype: rhel7,fedora title: 'Record Attempts to Alter Process and Session Initiation Information' description: |- The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
    -w /var/log/btmp -p wa -k session
    -w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
    -w /var/log/btmp -p wa -k session
    -w /var/log/wtmp -p wa -k session
rationale: |-
    Manual editing of these files may indicate nefarious activity, such as an
    attacker attempting to remove evidence of an intrusion.

severity: unknown

identifiers:
    cce@rhel7: 27301-1

references:
    cis: 5.2.9
    cjis: 5.4.1.1
    cui: 3.1.7
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.3

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure auditd Collects System Administrator Actions'

description: |-
    At a minimum, the audit system should collect administrator actions for all
    users and root. If the auditd daemon is configured to use the augenrules
    program to read audit rules during daemon startup (the default), add the
    following lines to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -w /etc/sudoers -p wa -k actions
        -w /etc/sudoers.d/ -p wa -k actions
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following lines to the
    /etc/audit/audit.rules file:
        -w /etc/sudoers -p wa -k actions
        -w /etc/sudoers.d/ -p wa -k actions

rationale: |-
    The actions taken by system administrators should be audited to keep a
    record of what was executed on the system, as well as for accountability
    purposes.

severity: unknown

identifiers:
    cce@rhel7: 27461-3

references:
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 126,130,135,172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-2(7)(b),AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-3(1),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.2,Req-10.2.5.b
    srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
    stigid@rhel7: "030700"

ocil_clause: 'there is no output'

ocil: |-
    To verify that auditing is configured for system administrator actions, run
    the following command:
        $ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d"
scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown.rule

documentation_complete: true

prodtype: rhel7

title: 'Shutdown System When Auditing Failures Occur'

description: |-
    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d:
        -f 2
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following line to the top of the
    /etc/audit/audit.rules file:
        -f 2

rationale: |-
    It is critical for the appropriate personnel to be aware if a system is at
    risk of failing to process audit logs as required. Without this
    notification, the security personnel may be unaware of an impending failure
    of the audit capability, and system operation may be adversely affected.

    Audit processing failures include software/hardware errors, failures in the
    audit capturing mechanisms, and audit storage capacity being reached or
    exceeded.

severity: medium

identifiers:
    cce@rhel7: 80381-7

references:
    cui: 3.3.1,3.3.4
    disa: 139
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AU-5,AU-5(a)
    srg: SRG-OS-000046-GPOS-00022,SRG-OS-000047-GPOS-00023
    stigid@rhel7: "030010"

ocil_clause: 'the system is not configured to shutdown on auditd failures'

ocil: |-
    To verify that the system will shutdown when auditd fails, run the following
    command:
        $ sudo grep "\-f 2" /etc/audit/audit.rules
    The output should contain:
        -f 2
scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification.rule

documentation_complete: true

title: 'Record Events that Modify User/Group Information'

description: |-
    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following lines to
    a file with suffix .rules in the directory /etc/audit/rules.d, in order to
    capture events that modify account changes:
        -w /etc/group -p wa -k audit_rules_usergroup_modification
        -w /etc/passwd -p wa -k audit_rules_usergroup_modification
        -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
        -w /etc/shadow -p wa -k audit_rules_usergroup_modification
        -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following lines to the
    /etc/audit/audit.rules file, in order to capture events that modify account
    changes:
        -w /etc/group -p wa -k audit_rules_usergroup_modification
        -w /etc/passwd -p wa -k audit_rules_usergroup_modification
        -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
        -w /etc/shadow -p wa -k audit_rules_usergroup_modification
        -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

rationale: |-
    In addition to auditing new user and group accounts, these watches will
    alert the system administrator(s) to any modifications. Any unexpected
    users, groups, or modifications should be investigated for legitimacy.

severity: unknown

identifiers:
    cce@rhel7: 27192-4

references:
    cis: 5.2.5
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 18,172,1403,2130
    nist: AC-2(4),AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.2.5
    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000241-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
    stigid@rhel7: "030710"

ocil_clause: 'the system is not configured to audit account changes'

ocil: |-
    To determine if the system is configured to audit account changes, run the
    following command:
        auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'
    If the system is configured to watch for account changes, lines should be
    returned for each file specified (and with perm=wa for each).

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Events that Modify User/Group Information - /etc/group'

description: |-
    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d, in order to
    capture events that modify account changes:
        -w /etc/group -p wa -k audit_rules_usergroup_modification
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file, in order to capture events that modify account
    changes:
        -w /etc/group -p wa -k audit_rules_usergroup_modification

rationale: |-
    In addition to auditing new user and group accounts, these watches will
    alert the system administrator(s) to any modifications. Any unexpected
    users, groups, or modifications should be investigated for legitimacy.

severity: medium

identifiers:
    cce@rhel7: 80433-6

references:
    cis: 5.2.5
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 18,172,1403,2130
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-2(4),AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.5
    srg: SRG-OS-000004-GPOS-00004
    stigid@rhel7: "030871"

ocil_clause: 'the system is not configured to audit account changes'

ocil: |-
    To determine if the system is configured to audit account changes, run the
    following command:
        auditctl -l | egrep '(/etc/group)'
    If the system is configured to watch for account changes, lines should be
    returned for each file specified (and with perm=wa for each).

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Events that Modify User/Group Information - /etc/gshadow'

description: |-
    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d, in order to
    capture events that modify account changes:
        -w /etc/gshadow -p wa -k audit_rules_usergroup_modification
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file, in order to capture events that modify account
    changes:
        -w /etc/gshadow -p wa -k audit_rules_usergroup_modification

rationale: |-
    In addition to auditing new user and group accounts, these watches will
    alert the system administrator(s) to any modifications. Any unexpected
    users, groups, or modifications should be investigated for legitimacy.

severity: medium

identifiers:
    cce@rhel7: 80432-8

references:
    cis: 5.2.5
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 18,172,1403,2130
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-2(4),AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.5
    srg: SRG-OS-000004-GPOS-00004
    stigid@rhel7: "030872"

ocil_clause: 'the system is not configured to audit account changes'

ocil: |-
    To determine if the system is configured to audit account changes, run the
    following command:
        auditctl -l | egrep '(/etc/gshadow)'
    If the system is configured to watch for account changes, lines should be
    returned for each file specified (and with perm=wa for each).

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Events that Modify User/Group Information - /etc/security/opasswd'

description: |-
    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d, in order to
    capture events that modify account changes:
        -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file, in order to capture events that modify account
    changes:
        -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

rationale: |-
    In addition to auditing new user and group accounts, these watches will
    alert the system administrator(s) to any modifications. Any unexpected
    users, groups, or modifications should be investigated for legitimacy.

severity: medium

identifiers:
    cce@rhel7: 80430-2

references:
    cis: 5.2.5
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 18,172,1403,2130
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-2(4),AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.5
    srg: SRG-OS-000004-GPOS-00004
    stigid@rhel7: "030874"

ocil_clause: 'the system is not configured to audit account changes'

ocil: |-
    To determine if the system is configured to audit account changes, run the
    following command:
        auditctl -l | egrep '(/etc/security/opasswd)'
    If the system is configured to watch for account changes, lines should be
    returned for each file specified (and with perm=wa for each).

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Events that Modify User/Group Information - /etc/passwd'

description: |-
    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d, in order to
    capture events that modify account changes:
        -w /etc/passwd -p wa -k audit_rules_usergroup_modification
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file, in order to capture events that modify account
    changes:
        -w /etc/passwd -p wa -k audit_rules_usergroup_modification

rationale: |-
    In addition to auditing new user and group accounts, these watches will
    alert the system administrator(s) to any modifications. Any unexpected
    users, groups, or modifications should be investigated for legitimacy.

severity: medium

identifiers:
    cce@rhel7: 80435-1

references:
    cis: 5.2.5
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 18,172,1403,2130
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-2(4),AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.5
    srg: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
    stigid@rhel7: "030870"

ocil_clause: 'the system is not configured to audit account changes'

ocil: |-
    To determine if the system is configured to audit account changes, run the
    following command:
        auditctl -l | egrep '(/etc/passwd)'
    If the system is configured to watch for account changes, lines should be
    returned for each file specified (and with perm=wa for each).

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Events that Modify User/Group Information - /etc/shadow'

description: |-
    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d, in order to
    capture events that modify account changes:
        -w /etc/shadow -p wa -k audit_rules_usergroup_modification
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file, in order to capture events that modify account
    changes:
        -w /etc/shadow -p wa -k audit_rules_usergroup_modification

rationale: |-
    In addition to auditing new user and group accounts, these watches will
    alert the system administrator(s) to any modifications. Any unexpected
    users, groups, or modifications should be investigated for legitimacy.

severity: medium

identifiers:
    cce@rhel7: 80431-0

references:
    cis: 5.2.5
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 18,172,1403,2130
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-2(4),AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.5
    srg: SRG-OS-000004-GPOS-00004
    stigid@rhel7: "030873"

ocil_clause: 'the system is not configured to audit account changes'

ocil: |-
    To determine if the system is configured to audit account changes, run the
    following command:
        auditctl -l | egrep '(/etc/shadow)'
    If the system is configured to watch for account changes, lines should be
    returned for each file specified (and with perm=wa for each).

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_time_rules/

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Record attempts to alter time through adjtimex'

description: |-
    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
    If the system is 64 bit then also add the following line:
        -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
    If the system is 64 bit then also add the following line:
        -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
    The -k option (written as -F key= in the rules above) allows for the
    specification of a key in string form that can be used for better reporting
    capability through ausearch and aureport. Multiple system calls can be
    defined on the same line to save space if desired, but this is not
    required. See an example of multiple combined syscalls:
        -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
rationale: |-
    Arbitrary changes to the system time can be used to obfuscate nefarious
    activities in log files, as well as to confuse network services that are
    highly dependent upon an accurate system time (such as sshd). All changes
    to the system time should be audited.

severity: unknown

identifiers:
    cce@rhel7: 27290-6

references:
    cis: 5.2.4
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 1487,169
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.4.2.b

ocil_clause: 'the system is not configured to audit time changes'

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Attempts to Alter Time Through clock_settime'

description: |-
    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
    If the system is 64 bit then also add the following line:
        -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
    If the system is 64 bit then also add the following line:
        -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
    The -k option (written as -F key= in the rules above) allows for the
    specification of a key in string form that can be used for better reporting
    capability through ausearch and aureport. Multiple system calls can be
    defined on the same line to save space if desired, but this is not
    required. See an example of multiple combined syscalls:
        -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
rationale: |-
    Arbitrary changes to the system time can be used to obfuscate nefarious
    activities in log files, as well as to confuse network services that are
    highly dependent upon an accurate system time (such as sshd). All changes
    to the system time should be audited.

severity: unknown

identifiers:
    cce@rhel7: 27219-5

references:
    cis: 5.2.4
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 1487,169
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.4.2.b

ocil_clause: 'the system is not configured to audit time changes'

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Record attempts to alter time through settimeofday'

description: |-
    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
    If the system is 64 bit then also add the following line:
        -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules
    If the system is 64 bit then also add the following line:
        -a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules
    The -k option (written as -F key= in the rules above) allows for the
    specification of a key in string form that can be used for better reporting
    capability through ausearch and aureport. Multiple system calls can be
    defined on the same line to save space if desired, but this is not
    required. See an example of multiple combined syscalls:
        -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
rationale: |-
    Arbitrary changes to the system time can be used to obfuscate nefarious
    activities in log files, as well as to confuse network services that are
    highly dependent upon an accurate system time (such as sshd). All changes
    to the system time should be audited.

severity: unknown

identifiers:
    cce@rhel7: 27216-1

references:
    cis: 5.2.4
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 1487,169
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.4.2.b

ocil_clause: 'the system is not configured to audit time changes'

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Attempts to Alter Time Through stime'

description: |-
    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d for both
    32 bit and 64 bit systems:
        -a always,exit -F arch=b32 -S stime -F key=audit_time_rules
    Since the 64 bit version of the "stime" system call is not defined in the
    audit lookup table, the corresponding "-F arch=b64" form of this rule is
    not expected to be defined on 64 bit systems (the aforementioned
    "-F arch=b32" stime rule form itself is sufficient for both 32 bit and
    64 bit systems). If the auditd daemon is configured to use the auditctl
    utility to read audit rules during daemon startup, add the following line
    to the /etc/audit/audit.rules file for both 32 bit and 64 bit systems:
        -a always,exit -F arch=b32 -S stime -F key=audit_time_rules
    Since the 64 bit version of the "stime" system call is not defined in the
    audit lookup table, the corresponding "-F arch=b64" form of this rule is
    not expected to be defined on 64 bit systems (the aforementioned
    "-F arch=b32" stime rule form itself is sufficient for both 32 bit and
    64 bit systems). The -k option (written as -F key= in the rules above)
    allows for the specification of a key in string form that can be used for
    better reporting capability through ausearch and aureport. Multiple system
    calls can be defined on the same line to save space if desired, but this is
    not required. See an example of multiple combined system calls:
        -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
rationale: |-
    Arbitrary changes to the system time can be used to obfuscate nefarious
    activities in log files, as well as to confuse network services that are
    highly dependent upon an accurate system time (such as sshd). All changes
    to the system time should be audited.

severity: unknown

identifiers:
    cce@rhel7: 27299-7

references:
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 1487,169
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.4.2.b

ocil_clause: 'the system is not configured to audit time changes'

ocil: |-
    If the system is not configured to audit time changes, this is a finding.
    If the system is 64-bit only, this is not applicable.

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Record Attempts to Alter the localtime File'

description: |-
    If the auditd daemon is configured to use the augenrules program to read
    audit rules during daemon startup (the default), add the following line to
    a file with suffix .rules in the directory /etc/audit/rules.d:
        -w /etc/localtime -p wa -k audit_time_rules
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following line to the
    /etc/audit/audit.rules file:
        -w /etc/localtime -p wa -k audit_time_rules
    The -k option allows for the specification of a key in string form that can
    be used for better reporting capability through ausearch and aureport and
    should always be used.

rationale: |-
    Arbitrary changes to the system time can be used to obfuscate nefarious
    activities in log files, as well as to confuse network services that are
    highly dependent upon an accurate system time (such as sshd). All changes
    to the system time should be audited.

severity: unknown

identifiers:
    cce@rhel7: 27310-2

references:
    cis: 5.2.4
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 1487,169
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(b),IR-5
    pcidss: Req-10.4.2.b

ocil_clause: 'the system is not configured to audit time changes'

ocil: |-
    To determine if the system is configured to audit attempts to alter time
    via the /etc/localtime file, run the following command:
        $ sudo auditctl -l | grep "watch=/etc/localtime"
    If the system is configured to audit this activity, it will return a line.

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_time_rules.group

documentation_complete: true

title: 'Records Events that Modify Date and Time Information'

description: |-
    Arbitrary changes to the system time can be used to obfuscate nefarious
    activities in log files, as well as to confuse network services that are
    highly dependent upon an accurate system time. All changes to the system
    time should be audited.

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)'

description: |-
    At a minimum the audit system should collect unauthorized file accesses for
    all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the default),
    add the following lines to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
        -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
        -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
        -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following lines to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
        -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
        -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
        -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

rationale: |-
    Unsuccessful attempts to access files could be an indicator of malicious
    activity on a system. Auditing these events could serve as evidence of
    potential system compromise.

severity: medium

identifiers:
    cce@rhel7: 27347-4

references:
    cis: 5.2.10
    cjis: 5.4.1.1
    cui: 3.1.7
    disa: 172,2884
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    pcidss: Req-10.2.4,Req-10.2.1

ocil_clause: '32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM'

ocil: |-
    To verify that the audit system collects unauthorized file accesses, run
    the following commands:
        $ sudo grep EACCES /etc/audit/audit.rules
        $ sudo grep EPERM /etc/audit/audit.rules
scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_creat.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Unauthorized Access Attempts to Files (unsuccessful) - creat'

description: |-
    At a minimum, the audit system should collect unauthorized file accesses
    for all users and root. If the auditd daemon is configured to use the
    augenrules program to read audit rules during daemon startup (the default),
    add the following lines to a file with suffix .rules in the directory
    /etc/audit/rules.d:
        -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
        -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
        -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
        -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the auditd daemon is configured to use the auditctl utility to read audit
    rules during daemon startup, add the following lines to the
    /etc/audit/audit.rules file:
        -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
        -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
        -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
        -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
rationale: |- Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. severity: medium identifiers: cce@rhel7: 80385-8 references: cis: 5.2.10 cui: 3.1.7 disa: 172,2884 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5 ospp@rhel7: FAU_GEN.1.1.c pcidss: Req-10.2.4,Req-10.2.1 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 stigid@rhel7: "030500" ocil: '' audit_rules_unsuccessful_file_modification_ftruncate.rule000066400000000000000000000047621327242345500531210ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modificationdocumentation_complete: true prodtype: rhel7 title: 'Record Unauthorized Access Attempts to Files (unsuccessful) - ftruncate' description: |- At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the auditd daemon is configured to use the auditctl
    utility to read audit rules during daemon startup, add the following lines to
    /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

rationale: |-
    Unsuccessful attempts to access files could be an indicator of malicious
    activity on a system. Auditing these events could serve as evidence of
    potential system compromise.

severity: medium

identifiers:
    cce@rhel7: 80390-8

references:
    cis: 5.2.10
    cui: 3.1.7
    disa: 172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.4,Req-10.2.1
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
    stigid@rhel7: "030550"

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Unauthorized Access Attempts to Files (unsuccessful) - open'

description: |-
    At a minimum, the audit system should collect unauthorized file
    accesses for all users and root. If the auditd daemon is configured
    to use the augenrules program to read audit rules during daemon
    startup (the default), add the following lines to a file with suffix
    .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the auditd daemon is configured to use the auditctl
    utility to read audit rules during daemon startup, add the following lines to
    /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

rationale: |-
    Unsuccessful attempts to access files could be an indicator of malicious
    activity on a system. Auditing these events could serve as evidence of
    potential system compromise.

severity: medium

identifiers:
    cce@rhel7: 80386-6

references:
    cis: 5.2.10
    cui: 3.1.7
    disa: 172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.4,Req-10.2.1
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
    stigid@rhel7: "030510"

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Unauthorized Access Attempts to Files (unsuccessful) - open_by_handle_at'

description: |-
    At a minimum, the audit system should collect unauthorized file
    accesses for all users and root. If the auditd daemon is configured
    to use the augenrules program to read audit rules during daemon
    startup (the default), add the following lines to a file with suffix
    .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the auditd daemon is configured to use the auditctl
    utility to read audit rules during daemon startup, add the following lines to
    /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

rationale: |-
    Unsuccessful attempts to access files could be an indicator of malicious
    activity on a system. Auditing these events could serve as evidence of
    potential system compromise.

severity: medium

identifiers:
    cce@rhel7: 80388-2

references:
    cis: 5.2.10
    cui: 3.1.7
    disa: 172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.4,Req-10.2.1
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
    stigid@rhel7: "030530"

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_openat.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Unauthorized Access Attempts to Files (unsuccessful) - openat'

description: |-
    At a minimum, the audit system should collect unauthorized file
    accesses for all users and root. If the auditd daemon is configured
    to use the augenrules program to read audit rules during daemon
    startup (the default), add the following lines to a file with suffix
    .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the auditd daemon is configured to use the auditctl
    utility to read audit rules during daemon startup, add the following lines to
    /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

rationale: |-
    Unsuccessful attempts to access files could be an indicator of malicious
    activity on a system. Auditing these events could serve as evidence of
    potential system compromise.

severity: medium

identifiers:
    cce@rhel7: 80387-4

references:
    cis: 5.2.10
    cui: 3.1.7
    disa: 172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.4,Req-10.2.1
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
    stigid@rhel7: "030520"

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_rules_unsuccessful_file_modification_truncate.rule

documentation_complete: true

prodtype: rhel7

title: 'Record Unauthorized Access Attempts to Files (unsuccessful) - truncate'

description: |-
    At a minimum, the audit system should collect unauthorized file
    accesses for all users and root. If the auditd daemon is configured
    to use the augenrules program to read audit rules during daemon
    startup (the default), add the following lines to a file with suffix
    .rules in the directory /etc/audit/rules.d:
    -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the auditd daemon is configured to use the auditctl
    utility to read audit rules during daemon startup, add the following lines to
    /etc/audit/audit.rules file:
    -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If the system is 64 bit then also add the following lines:
    -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

rationale: |-
    Unsuccessful attempts to access files could be an indicator of malicious
    activity on a system. Auditing these events could serve as evidence of
    potential system compromise.

severity: medium

identifiers:
    cce@rhel7: 80389-0

references:
    cis: 5.2.10
    cui: 3.1.7
    disa: 172,2884
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
    nist: AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-12(a),AU-12(c),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.2.4,Req-10.2.1
    srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
    stigid@rhel7: "030540"

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/audit_unsuccessful_file_modification/audit_unsuccessful_file_modification.group

documentation_complete: true

title: 'Record Unauthorized Access Attempts Events to Files (unsuccessful)'

description: |-
    At a minimum, the audit system should collect unauthorized file
    accesses for all users and root. Note that the "-F arch=b32" lines should be
    present even on a 64 bit system. These commands identify system
    calls for auditing. Even if the system is 64 bit it can still execute 32
    bit system calls. Additionally, these rules can be configured in a
    number of ways while still achieving the desired effect. An example of this is
    that the "-S" calls could be split up and placed on separate lines, however,
    this is less efficient. Add the following to /etc/audit/audit.rules:
    -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    If your system is 64 bit then these lines should be duplicated and the
    arch=b32 replaced with arch=b64 as follows:
    -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
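A coverage checker for the rules of this group, added here as an example and not code from the SCAP Security Guide: it parses audit rule lines, accepts both the consolidated form above and rules split per syscall, reports every syscall/arch/exit combination that no rule covers, and renders the lines to add. The ruleset it runs against is constructed.

```python
"""Check an audit ruleset for the unsuccessful-file-modification coverage
this group requires: every syscall x arch x exit-code combination needs a
matching "-a always,exit" rule carrying the auid filters."""
import shlex
from itertools import product

SYSCALLS = ("creat", "open", "openat", "open_by_handle_at", "truncate", "ftruncate")
ARCHES = ("b32", "b64")
EXIT_CODES = ("-EACCES", "-EPERM")
# Filters every rule of this group must carry, in the guide's exact spelling.
AUID_FILTERS = frozenset({"auid>=1000", "auid!=4294967295"})


def parse_rule(line):
    """Parse one '-a always,exit ...' line into its action, syscalls and -F filters.
    Returns None for blank lines, comments and non-syscall lines (-D, -b, -w, ...)."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] != "-a":
        return None
    rule = {"action": tokens[1], "syscalls": set(), "filters": set()}
    for flag, value in zip(tokens[2::2], tokens[3::2]):
        if flag == "-S":
            # "-S creat,open" and repeated "-S" flags both accumulate here.
            rule["syscalls"].update(value.split(","))
        elif flag == "-F":
            rule["filters"].add(value)
    return rule


def missing_coverage(text, arches=ARCHES):
    """Return the (syscall, arch, exit) triples that no rule in `text` covers,
    in the order they are checked."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r is not None]
    missing = []
    for syscall, arch, code in product(SYSCALLS, arches, EXIT_CODES):
        needed = AUID_FILTERS | {"arch=" + arch, "exit=" + code}
        if not any(r["action"] == "always,exit"
                   and syscall in r["syscalls"]
                   and needed <= r["filters"] for r in rules):
            missing.append((syscall, arch, code))
    return missing


def remediation_lines(missing):
    """Render the rule line the guide prescribes for each uncovered triple."""
    return ["-a always,exit -F arch=%s -S %s -F exit=%s "
            "-F auid>=1000 -F auid!=4294967295 -F key=access" % (arch, syscall, code)
            for syscall, arch, code in missing]


# Constructed sample ruleset: the consolidated b32 lines from the group above,
# and the 64-bit rules split across several lines (the less efficient form the
# group description mentions), with one combination deliberately left out.
SAMPLE_RULES = """\
-D
-b 8192
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
# 64-bit rules, split per syscall group
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
"""

if __name__ == "__main__":
    gaps = missing_coverage(SAMPLE_RULES)
    print("uncovered:", gaps)
    for line in remediation_lines(gaps):
        print("add:", line)
```

On a live system the same check can be run over the output of `auditctl -l`, which prints loaded rules in this line format.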
scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/auditd_configure_rules.group

documentation_complete: true

title: 'Configure auditd Rules for Comprehensive Auditing'

description: |-
    The auditd program can perform comprehensive
    monitoring of system activity. This section describes recommended
    configuration settings for comprehensive auditing, but a full
    description of the auditing system's capabilities is beyond the scope
    of this guide. The mailing list linux-audit@redhat.com exists
    to facilitate community discussion of the auditing system.

    The audit subsystem supports extensive collection of events, including:
      • Tracing of arbitrary system calls (identified by name or number)
        on entry or exit.
      • Filtering by PID, UID, call success, system call argument (with
        some limitations), etc.
      • Monitoring of specific files for modifications to the file's
        contents or metadata.

    Auditing rules at startup are controlled by the file /etc/audit/audit.rules.
    Add rules to it to meet the auditing requirements for your organization.
    Each line in /etc/audit/audit.rules represents a series of arguments
    that can be passed to auditctl and can be individually tested
    during runtime. See documentation in /usr/share/doc/audit-VERSION and
    in the related man pages for more details.

    If copying any example audit rulesets from /usr/share/doc/audit-VERSION,
    be sure to comment out the lines containing arch= which are not
    appropriate for your system's architecture. Then review and understand
    the following rules, ensuring rules are activated as needed for the
    appropriate architecture.

    After reviewing all the rules, reading the following sections, and
    editing as needed, the new rules can be activated as follows:
    $ sudo service auditd restart
scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'System Audit Logs Must Be Owned By Root'

description: |-
    All audit logs must be owned by root user and group. By default, the path for audit log is
    /var/log/audit/.

rationale: |-
    Unauthorized disclosure of audit records can reveal system and configuration data to
    attackers, thus compromising its confidentiality.

severity: medium

identifiers:
    cce@rhel7: 80125-8

references:
    cjis: 5.4.1.1
    cui: 3.3.1
    disa: 163
    nist: AC-6,AU-1(b),AU-9,IR-5
    pcidss: Req-10.5.1
    srg: SRG-OS-000058-GPOS-00028

ocil: |-

scap-security-guide-0.1.39/shared/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'System Audit Logs Must Have Mode 0640 or Less Permissive'

description: |-
    If log_group in /etc/audit/auditd.conf is set to a group other than the root
    group account, change the mode of the audit log files with the following command:
    $ sudo chmod 0640 audit_file

    Otherwise, change the mode of the audit log files with the following command:
    $ sudo chmod 0600 audit_file

rationale: 'If users can write to audit logs, audit trails can be modified or destroyed.'

severity: medium

identifiers:
    cce@rhel7: 27205-4

references:
    cjis: 5.4.1.1
    cui: 3.3.1
    disa: ""
    nist: AC-6,AU-1(b),AU-9,IR-5
    pcidss: Req-10.5

ocil_clause: 'any are more permissive'

ocil: |-
    Run the following command to check the mode of the system audit logs:
    $ sudo ls -l /var/log/audit
    Audit logs must be mode 0640 or less permissive.

scap-security-guide-0.1.39/shared/guide/system/auditing/auditing.group

documentation_complete: true

title: 'System Accounting with auditd'

description: |-
    The audit service provides substantial capabilities
    for recording system activities. By default, the service audits SELinux
    AVC denials and certain types of security-relevant events
    such as system logins, account modifications, and authentication
    events performed by programs such as sudo.
    Under its default configuration, auditd has modest disk space
    requirements, and should not noticeably impact system performance.

    NOTE: The Linux Audit daemon auditd can be configured to use
    the augenrules program to read audit rules files (*.rules)
    located in /etc/audit/rules.d and compile them to create
    the resulting form of the /etc/audit/audit.rules configuration file
    during the daemon startup (default configuration). Alternatively, the auditd
    daemon can use the auditctl utility to read audit rules from the
    /etc/audit/audit.rules configuration file during daemon startup,
    and load them into the kernel. The expected behavior is configured via the
    appropriate ExecStartPost directive setting in the
    /usr/lib/systemd/system/auditd.service configuration file.
    To instruct the auditd daemon to use the augenrules program
    to read audit rules (default configuration), use the following setting:
    ExecStartPost=-/sbin/augenrules --load
    in the /usr/lib/systemd/system/auditd.service configuration file.
    In order to instruct the auditd daemon to use the auditctl
    utility to read audit rules, use the following setting:
    ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
    in the /usr/lib/systemd/system/auditd.service configuration file.
    Refer to the [Service] section of the /usr/lib/systemd/system/auditd.service
    configuration file for further details.

    Government networks often have substantial auditing
    requirements and auditd can be configured to meet these
    requirements. Examining some example audit records demonstrates how
    the Linux audit system satisfies common requirements.
    The following example from Fedora Documentation available at
    shows the substantial amount of information captured in two
    typical "raw" audit messages, followed by a breakdown of the most important
    fields. In this example the message is SELinux-related and reports an AVC
    denial (and the associated system call) that occurred when the Apache HTTP
    Server attempted to access the /var/www/html/file1 file (labeled with
    the samba_share_t type):
    type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for pid=2465 comm="httpd"
    path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0
    tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

    type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13
    a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
    gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
    exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

      • msg=audit(1226874073.147:96)
        • The number in parentheses is the unformatted time stamp (Epoch time) for the event, which can be converted to standard time by using the date command.
      • { getattr }
        • The item in braces indicates the permission that was denied. getattr indicates the source process was trying to read the target file's status information. This occurs before reading files. This action is denied due to the file being accessed having the wrong label. Commonly seen permissions include getattr, read, and write.
      • comm="httpd"
        • The executable that launched the process. The full path of the executable is found in the exe= section of the system call (SYSCALL) message, which in this case, is exe="/usr/sbin/httpd".
      • path="/var/www/html/file1"
        • The path to the object (target) the process attempted to access.
      • scontext="unconfined_u:system_r:httpd_t:s0"
        • The SELinux context of the process that attempted the denied action. In this case, it is the SELinux context of the Apache HTTP Server, which is running in the httpd_t domain.
      • tcontext="unconfined_u:object_r:samba_share_t:s0"
        • The SELinux context of the object (target) the process attempted to access. In this case, it is the SELinux context of file1. Note: the samba_share_t type is not accessible to processes running in the httpd_t domain.
      • From the system call (SYSCALL) message, two items are of interest:
        • success=no: indicates whether the denial (AVC) was enforced or not. success=no indicates the system call was not successful (SELinux denied access). success=yes indicates the system call was successful - this can be seen for permissive domains or unconfined domains, such as initrc_t and kernel_t.
        • exe="/usr/sbin/httpd": the full path to the executable that launched the process, which in this case, is exe="/usr/sbin/httpd".
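An added example, not from the guide or the Fedora documentation, that parses records in the form shown above: it joins the AVC and SYSCALL records of one event by their serial number, decodes the epoch timestamp and the exit errno, and applies the auid and exit filters of the key=access rules from the previous sections to the SYSCALL record. The first two sample records are the page's example joined onto single lines as audit.log stores them; the third is constructed.

```python
"""Parse raw audit records, join AVC and SYSCALL records of one event by
serial, and pull out the fields the guide highlights."""
import errno
import re
from datetime import datetime, timezone

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")


def parse_record(line):
    """Split one record into type, serial, timestamp and its key=value fields."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    record = {
        "type": m["type"],
        "serial": int(m["serial"]),
        # msg=audit(1226874073.147:96): epoch seconds.milliseconds, then serial
        "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
        "fields": {k: v.strip('"') for k, v in FIELD_RE.findall(m["body"])},
    }
    avc = AVC_RE.search(m["body"])
    if avc:  # "{ getattr }" names the permission that was denied
        record["verdict"] = avc["verdict"]
        record["permissions"] = avc["perms"].split()
    return record


def group_events(lines):
    """Map serial -> records; the AVC and SYSCALL records of one event share a serial."""
    events = {}
    for line in lines:
        record = parse_record(line)
        events.setdefault(record["serial"], []).append(record)
    return events


def summarize(records):
    """Collect the fields the breakdown above singles out from one event."""
    by_type = {r["type"]: r for r in records}
    summary = {"serial": records[0]["serial"], "time": records[0]["time"].isoformat()}
    avc = by_type.get("AVC")
    if avc:
        summary.update(verdict=avc["verdict"], permissions=avc["permissions"],
                       comm=avc["fields"].get("comm"), path=avc["fields"].get("path"),
                       scontext=avc["fields"].get("scontext"),
                       tcontext=avc["fields"].get("tcontext"))
    syscall = by_type.get("SYSCALL")
    if syscall:
        code = int(syscall["fields"]["exit"])
        summary.update(success=syscall["fields"].get("success"),
                       exe=syscall["fields"].get("exe"), exit=code,
                       # exit=-13 is -EACCES, one of the two codes the rules key on
                       exit_errno=errno.errorcode.get(-code) if code < 0 else None)
    return summary


def matches_access_rule(records):
    """Apply the '-F exit=-EACCES / -EPERM -F auid>=1000 -F auid!=4294967295'
    filters of the unsuccessful-file-modification rules to the SYSCALL record."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    if syscall is None:
        return False
    fields = syscall["fields"]
    auid_text = fields.get("auid", "unset")
    auid = 4294967295 if auid_text == "unset" else int(auid_text)
    return (int(fields["exit"]) in (-errno.EACCES, -errno.EPERM)
            and auid >= 1000 and auid != 4294967295)


SAMPLE_LOG = [
    # The two records from the example above, each on one line.
    'type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for pid=2465 comm="httpd" '
    'path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 '
    'a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48 '
    'gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd" '
    'exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)',
    # Constructed record (not from the page): a regular user denied with EPERM,
    # tagged by the key=access rules of the previous sections.
    'type=SYSCALL msg=audit(1226874100.000:97): arch=c000003e syscall=257 success=no exit=-1 '
    'a0=ffffff9c a1=7ffd5f3a0c40 a2=241 a3=1b6 items=1 ppid=2900 pid=3001 auid=1000 uid=1000 '
    'gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 '
    'comm="touch" exe="/usr/bin/touch" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="access"',
]

if __name__ == "__main__":
    for serial, records in sorted(group_events(SAMPLE_LOG).items()):
        print(serial, summarize(records), "key=access match:", matches_access_rule(records))
```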
scap-security-guide-0.1.39/shared/guide/system/auditing/bootloader_audit_argument.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Enable Auditing for Processes Which Start Prior to the Audit Daemon'

description: |-
    To ensure all processes can be audited, even those which start
    prior to the audit daemon, add the argument audit=1 to the default
    GRUB 2 command line for the Linux operating system in
    /etc/default/grub, in the manner below:
    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1"

rationale: |-
    Each process on the system carries an "auditable" flag which indicates whether
    its activities can be audited. Although auditd takes care of enabling
    this for all processes which launch after it does, adding the kernel argument
    ensures it is set for every process during boot.

severity: medium

identifiers:
    cce@rhel7: 27212-0

references:
    cis: 4.1.3
    cjis: 5.4.1.1
    cui: 3.3.1
    disa: 1464,130
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(C),164.310(a)(2)(iv),164.310(d)(2)(iii),164.312(b)
    nist: AC-17(1),AU-14(1),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-10,IR-5
    pcidss: Req-10.3

ocil_clause: 'auditing is not enabled at boot time'

ocil: |-
    Inspect the form of the default GRUB 2 command line for the Linux operating system
    in /etc/default/grub. If it includes audit=1, then auditing
    is enabled at boot time.

    To ensure audit=1 is configured on all installed kernels, the
    following command may be used:
    $ sudo /sbin/grubby --update-kernel=ALL --args="audit=1"

scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server.rule

documentation_complete: true

prodtype: rhel7

title: 'Configure audispd Plugin To Send Logs To Remote Server'

description: |-
    Configure the audispd plugin to off-load audit records onto a different
    system or media from the system being audited. Set the remote_server option in
    /etc/audisp/audisp-remote.conf
    with an IP address or hostname of the system that the audispd plugin should
    send audit records to. For example, replacing REMOTE_SYSTEM
    with an IP address or hostname:
    remote_server = REMOTE_SYSTEM

rationale: |-
    Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
    Off-loading is a common process in information systems with limited audit storage capacity.

severity: medium

identifiers:
    cce: 80541-6

references:
    disa: 1851
    nist: ""
    srg: SRG-OS-000342-GPOS-00133
    stigid: "030300"

ocil_clause: 'audispd is not sending logs to a remote system'

ocil: |-
    To verify the audispd plugin off-loads audit records onto a different
    system or media from the system being audited, run the following command:
    $ sudo grep -i remote_server /etc/audisp/audisp-remote.conf
    The output should return something similar to the following, where REMOTE_SYSTEM
    is an IP address or hostname:
    remote_server = REMOTE_SYSTEM
scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule

documentation_complete: true

prodtype: rhel7

title: 'Configure audispd''s Plugin disk_full_action When Disk Is Full'

description: |-
    Configure the action the operating system takes if the disk the audit records
    are written to becomes full. Edit the file /etc/audisp/audisp-remote.conf.
    Add or modify the following line, substituting ACTION appropriately:
    disk_full_action = ACTION
    Set this value to single to cause the system to switch to single user
    mode for corrective action. Acceptable values also include syslog and
    halt. For certain systems, the need for availability
    outweighs the need to log all actions, and a different setting should be
    determined.

rationale: |-
    Taking appropriate action in case of a filled audit storage volume will minimize
    the possibility of losing audit records.

severity: medium

identifiers:
    cce: 80539-0

references:
    disa: 1851
    nist: ""
    srg: SRG-OS-000342-GPOS-00133
    stigid: "030320"

ocil_clause: 'the system is not configured to switch to single user mode for corrective action'

ocil: |-
    Inspect /etc/audisp/audisp-remote.conf and locate the following line to
    determine if the system is configured to either send to syslog, switch to single user mode,
    or halt when the disk is full:
    grep -i disk_full_action /etc/audisp/audisp-remote.conf
    The output should return something similar to:
    disk_full_action = single
    Acceptable values also include syslog and halt.

scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records.rule

documentation_complete: true

prodtype: rhel7

title: 'Encrypt Audit Records Sent With audispd Plugin'

description: |-
    Configure the operating system to encrypt the transfer of off-loaded audit
    records onto a different system or media from the system being audited.
    Uncomment the enable_krb5 option in
    /etc/audisp/audisp-remote.conf,
    and set it with the following line:
    enable_krb5 = yes

rationale: |-
    Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
    Off-loading is a common process in information systems with limited audit storage capacity.

severity: medium

identifiers:
    cce: 80540-8

references:
    disa: 1851
    nist: ""
    srg: SRG-OS-000342-GPOS-00133
    stigid: "030310"

ocil_clause: 'audispd is not encrypting audit records when sent over the network'

ocil: |-
    To verify the audispd plugin encrypts audit records off-loaded onto a different
    system or media from the system being audited, run the following command:
    $ sudo grep -i enable_krb5 /etc/audisp/audisp-remote.conf
    The output should return the following:
    enable_krb5 = yes
scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action.rule

documentation_complete: true

prodtype: rhel7

title: 'Configure audispd''s Plugin network_failure_action On Network Failure'

description: |-
    Configure the action the operating system takes if there is an error sending
    audit records to a remote system. Edit the file /etc/audisp/audisp-remote.conf.
    Add or modify the following line, substituting ACTION appropriately:
    network_failure_action = ACTION
    Set this value to single to cause the system to switch to single user
    mode for corrective action. Acceptable values also include syslog and
    halt. For certain systems, the need for availability
    outweighs the need to log all actions, and a different setting should be
    determined.

rationale: |-
    Taking appropriate action when there is an error sending audit records to a remote
    system will minimize the possibility of losing audit records.

severity: medium

identifiers:
    cce: 80538-2

references:
    disa: 1851
    nist: ""
    srg: SRG-OS-000342-GPOS-00133
    stigid: "030321"

ocil_clause: 'the system is not configured to switch to single user mode for corrective action'

ocil: |-
    Inspect /etc/audisp/audisp-remote.conf and locate the following line to
    determine if the system is configured to either send to syslog, switch to single user mode,
    or halt when there is a network failure with audispd:
    grep -i network_failure_action /etc/audisp/audisp-remote.conf
    The output should return something similar to:
    network_failure_action = single
    Acceptable values also include syslog and halt.

scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Configure auditd to use audispd''s syslog plugin'

description: |-
    To configure the auditd service to use the
    syslog plug-in of the audispd audit event multiplexor, set
    the active line in /etc/audisp/plugins.d/syslog.conf to yes.
    Restart the auditd service:
    $ sudo service auditd restart

rationale: |-
    The auditd service does not include the ability to send audit
    records to a centralized server for management directly. It does, however,
    include a plug-in for audit event multiplexor (audispd) to pass audit records
    to the local syslog server.

severity: medium

identifiers:
    cce@rhel7: 27341-7

references:
    cjis: 5.4.1.1
    cui: 3.3.1
    disa: 136
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(B),164.308(a)(5)(ii)(C),164.308(a)(6)(ii),164.308(a)(8),164.310(d)(2)(iii),164.312(b),164.314(a)(2)(i)(C),164.314(a)(2)(iii)
    nist: AU-1(b),AU-3(2),IR-5
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-10.5.3

ocil_clause: 'it is not'

ocil: |-
    To verify the audispd's syslog plugin is active, run the following command:
    $ sudo grep active /etc/audisp/plugins.d/syslog.conf
    If the plugin is active, the output will show yes.

scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Configure auditd mail_acct Action on Low Disk Space'

description: |-
    The auditd service can be configured to send email to a designated account in certain
    situations. Add or correct the following line in /etc/audit/auditd.conf to ensure
    that administrators are notified via email for those situations:
    action_mail_acct = 

rationale: |-
    Email sent to the root account is typically aliased to the administrators of the system,
    who can take appropriate action.

severity: medium

identifiers:
    cce@rhel7: 27394-6

references:
    cis: 5.2.1.2
    cjis: 5.4.1.1
    cui: 3.3.1
    disa: 1855
    hipaa: 164.312(a)(2)(ii)
    iso27001-2013: A.12.3.1
    nist: AU-1(b),AU-4,AU-5(1),AU-5(a),IR-5
    pcidss: Req-10.7.a
    srg: SRG-OS-000343-GPOS-00134
    stigid@rhel7: "030350"

ocil_clause: 'auditd is not configured to send emails per identified actions'

ocil: |-
    Inspect /etc/audit/auditd.conf and locate the following line to
    determine if the system is configured to send email to an
    account when it needs to notify an administrator:
    action_mail_acct = root
auditd_data_retention_admin_space_left_action.rule000066400000000000000000000033651327242345500436340ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true prodtype: rhel7,fedora title: 'Configure auditd admin_space_left Action on Low Disk Space' description: |- The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page. rationale: |- Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. severity: medium identifiers: cce@rhel7: 27370-6 references: cis: 5.2.1.2 cjis: 5.4.1.1 cui: 3.3.1 disa: 140,1343 hipaa: 164.312(a)(2)(ii) iso27001-2013: A.12.3.1 nist: AU-1(b),AU-4,AU-5(b),IR-5 pcidss: Req-10.7 stigid@rhel7: "030340" ocil_clause: 'the system is not configured to switch to single user mode for corrective action' ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to either suspend, switch to single user mode, or halt when disk space has run low:
admin_space_left_action single
auditd_data_retention_flush.rule000066400000000000000000000025111327242345500401330ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true prodtype: rhel7,fedora title: 'Configure auditd flush priority' description: |- The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk:
flush = 
rationale: |- Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk. severity: unknown identifiers: cce@rhel7: 27331-8 references: cui: 3.3.1 disa: 1576 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e) nist: AU-9,AU-12(1) ocil_clause: 'auditd is not configured to synchronously write audit event data to disk' ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to synchronize audit event data with the log files on the disk: $ sudo grep flush /etc/audit/auditd.conf
flush = DATA
Acceptable values are DATA, and SYNC. The setting is case-insensitive. auditd_data_retention_max_log_file.rule000066400000000000000000000024311327242345500414400ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true prodtype: rhel7,fedora title: 'Configure auditd Max Log File Size' description: |- Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data. rationale: |- The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. severity: medium identifiers: cce@rhel7: 27319-3 references: cis: 5.2.1.1 cjis: 5.4.1.1 nist: AU-1(b),AU-11,IR-5 pcidss: Req-10.7 ocil_clause: 'the system audit data threshold has not been properly configured' ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine how much data the system will retain in each audit log file: $ sudo grep max_log_file /etc/audit/auditd.conf
max_log_file = 6
auditd_data_retention_max_log_file_action.rule000066400000000000000000000034101327242345500427730ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true prodtype: rhel7,fedora title: 'Configure auditd max_log_file_action Upon Reaching Maximum Log Size' description: |- The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • syslog
  • suspend
  • rotate
  • keep_logs
Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive. rationale: |- Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed. severity: medium identifiers: cce@rhel7: 27231-0 references: cis: 5.2.1.3 cjis: 5.4.1.1 hipaa: 164.312(a)(2)(ii) iso27001-2013: A.12.3.1 nist: AU-1(b),AU-4,AU-11,IR-5 pcidss: Req-10.7 ocil_clause: 'the system has not been properly configured to rotate audit logs' ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to rotate logs when they reach their maximum size: $ sudo grep max_log_file_action /etc/audit/auditd.conf
max_log_file_action rotate
auditd_data_retention_num_logs.rule000066400000000000000000000023331327242345500406370ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true prodtype: rhel7,fedora title: 'Configure auditd Number of Logs Retained' description: |- Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting NUMLOGS with the correct value of :
num_logs = NUMLOGS
Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation. rationale: |- The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. severity: medium identifiers: cce@rhel7: 27348-2 references: cjis: 5.4.1.1 cui: 3.3.1 nist: AU-1(b),AU-11,IR-5 pcidss: Req-10.7 ocil_clause: 'the system log file retention has not been properly configured' ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine how many logs the system is configured to retain after rotation: $ sudo grep num_logs /etc/audit/auditd.conf
num_logs = 5
auditd_data_retention_space_left.rule000066400000000000000000000022371327242345500411240ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true prodtype: rhel7 title: 'Configure auditd space_left on Low Disk Space' description: |- The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting SIZE_in_MB appropriately:
space_left = SIZE_in_MB
Set this value to the appropriate size in Megabytes cause the system to notify the user of an issue. rationale: |- Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. severity: medium identifiers: cce: 80537-4 references: disa: 1855 nist: AU-1(b),AU-4,AU-5(b),IR-5 pcidss: Req-10.7 srg: SRG-OS-000343-GPOS-00134 stigid: "030330" ocil_clause: 'the system is not configured a specfic size in MB to notify administrators of an issue' ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured correctly:
space_left SIZE_in_MB
auditd_data_retention_space_left_action.rule000066400000000000000000000035561327242345500424660ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true prodtype: rhel7,fedora title: 'Configure auditd space_left Action on Low Disk Space' description: |- The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt. rationale: |- Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. severity: medium identifiers: cce@rhel7: 27375-5 references: cis: 5.2.1.2 cjis: 5.4.1.1 cui: 3.3.1 disa: 1855 hipaa: 164.312(a)(2)(ii) iso27001-2013: A.12.3.1 nist: AU-1(b),AU-4,AU-5(1),AU-5(b),IR-5 pcidss: Req-10.7 srg: SRG-OS-000343-GPOS-00134 ocil_clause: 'the system is not configured to send an email to the system administrator when disk space is starting to run low' ocil: |- Inspect /etc/audit/auditd.conf and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: $ sudo grep space_left_action /etc/audit/auditd.conf
space_left_action
Acceptable values are email, suspend, single, and halt. configure_auditd_data_retention.group000066400000000000000000000041411327242345500411610ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true title: 'Configure auditd Data Retention' description: |- The audit system writes data to /var/log/audit/audit.log. By default, auditd rotates 5 logs by size (6MB), retaining a maximum of 30MB of data in total, and refuses to write entries when the disk is too full. This minimizes the risk of audit data filling its partition and impacting other services. This also minimizes the risk of the audit daemon temporarily disabling the system if it cannot write audit log (which it can be configured to do). For a busy system or a system which is thoroughly auditing system activity, the default settings for data retention may be insufficient. The log file size needed will depend heavily on what types of events are being audited. First configure auditing to log all the events of interest. Then monitor the log size manually for awhile to determine what file size will allow you to keep the required data for the correct time period.

Using a dedicated partition for /var/log/audit prevents the auditd logs from disrupting system functionality if they fill, and, more importantly, prevents other activity in /var from filling the partition and stopping the audit trail. (The audit logs are size-limited and therefore unlikely to grow without bound unless configured to do so.) Some machines may have requirements that no actions occur which cannot be audited. If this is the case, then auditd can be configured to halt the machine if it runs out of space. Note: Since older logs are rotated, configuring auditd this way does not prevent older logs from being rotated away before they can be viewed. If your system is configured to halt when logging cannot be performed, make sure this can never happen under normal circumstances! Ensure that /var/log/audit is on its own partition, and that this partition is larger than the maximum amount of data auditd will retain normally. var_audispd_disk_full_action.var000066400000000000000000000005341327242345500401160ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true title: 'Action for audispd to take when disk is full' description: 'The setting for disk_full_action in /etc/audisp/audisp-remote.conf' type: string operator: interactive: false options: default: single email: email exec: exec halt: halt single: single suspend: suspend syslog: syslog var_audispd_network_failure_action.var000066400000000000000000000005431327242345500413420ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retentiondocumentation_complete: true title: 'Action for audispd to take when network fails' description: 'The setting for network_failure_action in /etc/audisp/audisp-remote.conf' type: string operator: interactive: false options: default: single email: email exec: exec halt: halt single: single suspend: suspend syslog: syslog 
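The rules in the configure_auditd_data_retention group above all reduce to reading `keyword = value` lines out of /etc/audit/auditd.conf and comparing them with the values the rule text accepts. The script below is an added example, not scap-security-guide's own OVAL checks or remediation: it re-implements those comparisons in Python, adds the audispd syslog plug-in check from the first rule (`active = yes` in /etc/audisp/plugins.d/syslog.conf), and computes the `max_log_file * num_logs` figure the group description says the /var/log/audit partition must exceed. Accepted values and thresholds come from the rule text and the `default:` entries of the var files; the two sample configurations are constructed for the example (the weak one is only loosely modelled on a stock RHEL 7 file), and treating keywords, not just values, case-insensitively is an assumption.

```python
"""Check auditd data-retention settings against the configure_auditd_data_retention rules.

Added example, not part of scap-security-guide. Accepted values and thresholds
are taken from the rule text; the sample configurations below are constructed.
"""
import re
from typing import Dict, List, Optional

# Values the rules accept, lower-cased: the rule text says the settings are
# matched case-insensitively, so comparison is done on lower-cased values.
ALLOWED = {
    "space_left_action": {"email", "suspend", "single", "halt"},
    "admin_space_left_action": {"single", "suspend", "halt"},
    "max_log_file_action": {"rotate", "keep_logs"},
    "flush": {"data", "sync"},
    "action_mail_acct": {"root", "admin"},   # options of var_auditd_action_mail_acct
}
MIN_MAX_LOG_FILE_MB = 6    # "Set the value to 6 (MB) or higher"
RECOMMENDED_NUM_LOGS = 5   # "Set the value to 5"; values below 2 disable rotation

_KV_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_kv_conf(text: str) -> Dict[str, str]:
    """Parse the 'keyword = value' format shared by auditd.conf and the audispd
    plug-in files. '#' comments and blank lines are skipped. Keys are lower-cased
    (an assumption for convenience); values are kept verbatim and lower-cased
    only where they are compared."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        match = _KV_LINE.match(raw.split("#", 1)[0])
        if match:
            conf[match.group(1).lower()] = match.group(2)
    return conf


def _int_or_none(conf: Dict[str, str], key: str) -> Optional[int]:
    try:
        return int(conf[key])
    except (KeyError, ValueError):
        return None


def retained_mb(conf: Dict[str, str]) -> int:
    """Upper bound on audit data kept on disk: max_log_file * num_logs. The group
    text requires the /var/log/audit partition to be larger than this figure."""
    return (_int_or_none(conf, "max_log_file") or 0) * (_int_or_none(conf, "num_logs") or 0)


def check_auditd_retention(conf: Dict[str, str]) -> List[str]:
    """Return one finding per failing rule; an empty list means every rule passes."""
    findings: List[str] = []
    for key, allowed in ALLOWED.items():
        value = conf.get(key)
        if value is None:
            findings.append(f"{key}: not set")
        elif value.lower() not in allowed:
            findings.append(f"{key}: {value!r} not in {sorted(allowed)}")
    size = _int_or_none(conf, "max_log_file")
    if size is None or size < MIN_MAX_LOG_FILE_MB:
        findings.append(f"max_log_file: {size} below {MIN_MAX_LOG_FILE_MB} MB")
    logs = _int_or_none(conf, "num_logs")
    if logs is None or logs < RECOMMENDED_NUM_LOGS:
        note = " (below 2 no rotation occurs)" if logs is not None and logs < 2 else ""
        findings.append(f"num_logs: {logs} below {RECOMMENDED_NUM_LOGS}{note}")
    space = _int_or_none(conf, "space_left")
    if space is None or space <= 0:
        findings.append("space_left: no positive threshold in MB is set")
    return findings


def audisp_syslog_plugin_active(plugin_conf: str) -> bool:
    """The first rule above: /etc/audisp/plugins.d/syslog.conf must contain 'active = yes'."""
    return parse_kv_conf(plugin_conf).get("active", "").lower() == "yes"


# Constructed sample (not captured from a real host), loosely modelled on a
# stock RHEL 7 auditd.conf: flush and space_left_action fail the rules.
WEAK_CONF = """\
log_file = /var/log/audit/audit.log
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
"""
# The same file with the two failing lines corrected as the rules direct.
HARDENED_CONF = (WEAK_CONF
                 .replace("flush = INCREMENTAL_ASYNC", "flush = DATA")
                 .replace("space_left_action = SYSLOG", "space_left_action = email"))

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_kv_conf(text)
        print(f"{name}: retains up to {retained_mb(conf)} MB of audit data")
        for finding in check_auditd_retention(conf) or ["all retention rules pass"]:
            print("   ", finding)
    print("audisp syslog plug-in active:",
          audisp_syslog_plugin_active("active = yes\ndirection = out\n"))
```

To run the checks against a real host, feed the contents of /etc/audit/auditd.conf and /etc/audisp/plugins.d/syslog.conf to `parse_kv_conf` and `audisp_syslog_plugin_active` in place of the constructed strings; compare `retained_mb` against the size of the /var/log/audit filesystem, since the group text makes that the condition under which a halt-on-full policy is safe.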
# scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/var_audispd_remote_server.var
documentation_complete: true

title: 'Remote server for audispd to send audit records'

description: 'The setting for remote_server in /etc/audisp/audisp-remote.conf'

type: string

operator:

interactive: false

options:
    default: myhost.mydomain.com

# scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/var_auditd_action_mail_acct.var
documentation_complete: true

title: 'Account for auditd to send email when actions occurs'

description: 'The setting for action_mail_acct in /etc/audit/auditd.conf'

type: string

operator:

interactive: false

options:
    admin: admin
    default: root
    root: root

# scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/var_auditd_admin_space_left_action.var
documentation_complete: true

title: 'Action for auditd to take when disk space just starts to run low'

description: 'The setting for admin_space_left_action in /etc/audit/auditd.conf'

type: string

operator:

interactive: false

options:
    default: single
    email: email
    exec: exec
    halt: halt
    single: single
    suspend: suspend
    syslog: syslog
    rotate: rotate

# scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/var_auditd_flush.var
documentation_complete: true

title: 'Auditd priority for flushing data to disk'

description: 'The setting for flush in /etc/audit/auditd.conf'

type: string

operator:

interactive: false

options:
    data: data
    default: data
    incremental: incremental
    none: none
    sync: sync

# scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/var_auditd_max_log_file.var
documentation_complete: true

title: 'Maximum audit log file size for auditd'

description: 'The setting for max_log_file in /etc/audit/auditd.conf'

type: number

operator:

interactive: false

options:
    1: 1
    10: 10
    20: 20
    5: 5
    6: 6
    default: 6

# scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/var_auditd_max_log_file_action.var
documentation_complete: true

title: 'Action for auditd to take when log files reach their maximum size'

description: 'The setting for max_log_file_action in /etc/audit/auditd.conf'

type: string

operator:

interactive: false

options:
    default: rotate
    keep_logs: keep_logs
    rotate: rotate
    suspend: suspend
    syslog: syslog

# scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/var_auditd_num_logs.var
documentation_complete: true

title: 'Number of log files for auditd to retain'

description: 'The setting for num_logs in /etc/audit/auditd.conf'

type: number

operator:

interactive: false

options:
    "0": "0"
    1: 1
    2: 2
    3: 3
    4: 4
    5: 5
    default: 5

# scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left.var
documentation_complete: true

title: 'Size remaining in disk space before prompting space_left_action'

description: 'The setting for space_left (MB) in /etc/audit/auditd.conf'

type: number

operator:

interactive: false

options:
    1000MB: 1000
    100MB: 100
    250MB: 250
    500MB: 500
    750MB: 750
    default: 100

# scap-security-guide-0.1.39/shared/guide/system/auditing/configure_auditd_data_retention/var_auditd_space_left_action.var
documentation_complete: true

title: 'Action for auditd to take when disk space just starts to run low'

description: 'The setting for space_left_action in /etc/audit/auditd.conf'

type: string

operator:

interactive: false

options:
    default: email
    email: email
    exec: exec
    halt: halt
    single: single
    suspend: suspend
    syslog: syslog
    rotate: rotate

# scap-security-guide-0.1.39/shared/guide/system/auditing/service_auditd_enabled.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Enable auditd Service'

description: |-
    The auditd service is an essential userspace component of the Linux Auditing
    System, as it is responsible for writing audit records to disk.

rationale: |-
    Without establishing what type of events occurred, it would be difficult to
    establish, correlate, and investigate the events leading up to an outage or
    attack. Ensuring the auditd service is active ensures audit records generated
    by the kernel are appropriately recorded.

    Additionally, a properly configured audit subsystem ensures that actions of
    individual system users can be uniquely traced to those users so they can be
    held accountable for their actions.

severity: high

identifiers:
    cce@rhel7: 27407-6

references:
    cis: 4.1.2
    cjis: 5.4.1.1
    cui: 3.3.1,3.3.2,3.3.6
    disa: 126,131
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(C),164.310(a)(2)(iv),164.310(d)(2)(iii),164.312(b)
    nist: AU-3,AC-17(1),AU-1(b),AU-10,AU-12(a),AU-12(c),AU-14(1),IR-5
    pcidss: Req-10
    srg: SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000042-GPOS-00021,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096
    stigid@rhel7: "030000"

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/logging/configure_logwatch_on_logserver/configure_logwatch_on_logserver.group
documentation_complete: true

title: 'Configure Logwatch on the Central Log Server'

description: 'Is this system the central log server? If so, edit the file /etc/logwatch/conf/logwatch.conf as shown below.'

# scap-security-guide-0.1.39/shared/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_hostlimit.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Configure Logwatch HostLimit Line'

description: |-
    On a central logserver, you want Logwatch to summarize all syslog entries,
    including those which did not originate on the logserver itself. The
    HostLimit setting tells Logwatch to report on all hosts, not just the one on
    which it is running.
    HostLimit = no

rationale: ""

severity: unknown

identifiers:
    cce@rhel7: 80196-9

# scap-security-guide-0.1.39/shared/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_splithosts.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Configure Logwatch SplitHosts Line'

description: |-
    If SplitHosts is set, Logwatch will separate entries by hostname. This makes
    the report longer but significantly more usable. If it is not set, then
    Logwatch will not report which host generated a given log entry, and that
    information is almost always necessary.
    SplitHosts = yes

rationale: ""

severity: unknown

identifiers:
    cce@rhel7: 80197-7

# scap-security-guide-0.1.39/shared/guide/system/logging/disable_logwatch_for_logserver.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable Logwatch on Clients if a Logserver Exists'

description: |-
    Does your site have a central logserver which has been configured to report
    on logs received from all systems? If so:
    $ sudo rm /etc/cron.daily/0logwatch
    If no logserver exists, it will be necessary for each system to run Logwatch
    individually. Using a central logserver provides the security and reliability
    benefits discussed earlier, and also makes monitoring logs easier and less
    time-intensive for administrators.

rationale: ""

severity: unknown

identifiers:
    cce@rhel7: 80198-5

# scap-security-guide-0.1.39/shared/guide/system/logging/ensure_rsyslog_log_file_configuration/ensure_rsyslog_log_file_configuration.group
documentation_complete: true

title: 'Ensure Proper Configuration of Log Files'

description: |-
    The file /etc/rsyslog.conf controls where log messages are written. These are
    controlled by lines called rules, which consist of a selector and an action.
    These rules are often customized depending on the role of the system, the
    requirements of the environment, and whatever may enable the administrator to
    most effectively make use of log data. The default rules in Red Hat
    Enterprise Linux 7 are:
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    authpriv.*                                              /var/log/secure
    mail.*                                                  -/var/log/maillog
    cron.*                                                  /var/log/cron
    *.emerg                                                 *
    uucp,news.crit                                          /var/log/spooler
    local7.*                                                /var/log/boot.log
    See the man page rsyslog.conf(5) for more information. Note that the rsyslog
    daemon can be configured to use a timestamp format that some log processing
    programs may not understand. If this occurs, edit the file /etc/rsyslog.conf
    and add or edit the following line:
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# scap-security-guide-0.1.39/shared/guide/system/logging/ensure_rsyslog_log_file_configuration/file_groupowner_logfiles_value.var
documentation_complete: true

title: 'group who owns log files'

description: |-
    Specify group owner of all logfiles specified in /etc/rsyslog.conf.

type: string

operator: equals

interactive: false

options:
    root: root

# scap-security-guide-0.1.39/shared/guide/system/logging/ensure_rsyslog_log_file_configuration/file_owner_logfiles_value.var
documentation_complete: true

title: 'User who owns log files'

description: |-
    Specify user owner of all logfiles specified in /etc/rsyslog.conf.

type: string

operator: equals

interactive: false

options:
    root: root

# scap-security-guide-0.1.39/shared/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure cron Is Logging To Rsyslog'

description: |-
    Cron logging must be implemented to spot intrusions or trace cron job status.
    If cron is not logging to rsyslog, it can be implemented by adding the
    following to the RULES section of /etc/rsyslog.conf:
    cron.*                                                  /var/log/cron

rationale: |-
    Cron logging can be used to trace the successful or unsuccessful execution of
    cron jobs. It can also be used to spot intrusions into the use of the cron
    facility by unauthorized and malicious users.

severity: medium

identifiers:
    cce@rhel7: 80380-9

references:
    disa: 366
    nist: AU-2(d)
    ospp@rhel7: FAU_GEN.1.1.c
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "021100"

ocil_clause: 'cron is not logging to rsyslog'

ocil: |-
    To verify that cron is logging to rsyslog, run the following command:
    grep -rni "cron\.\*" /etc/rsyslog.*
    The output should return something similar to:
    cron.*                                                  /var/log/cron

# scap-security-guide-0.1.39/shared/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure Log Files Are Owned By Appropriate Group'

description: |-
    The group-owner of all log files written by rsyslog should be root. These log
    files are determined by the second part of each Rule line in
    /etc/rsyslog.conf and typically all appear in /var/log. For each log file
    LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect
    the file's group owner:
    $ ls -l LOGFILE
    If the group-owner is not root, run the following command to correct this:
    $ sudo chgrp root LOGFILE

rationale: |-
    The log files generated by rsyslog contain valuable information regarding
    system configuration, user authentication, and other such information. Log
    files should be protected from unauthorized access.

severity: medium

identifiers:
    cce@rhel7: 80190-2

references:
    disa: 1314
    nist: AC-6,SI-11
    pcidss: Req-10.5.1,Req-10.5.2

ocil_clause: 'the group-owner is not root'

ocil: |-
    The group-owner of all log files written by rsyslog should be root. These log
    files are determined by the second part of each Rule line in
    /etc/rsyslog.conf and typically all appear in /var/log. To see the
    group-owner of a given log file, run the following command:
    $ ls -l LOGFILE

# scap-security-guide-0.1.39/shared/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure Log Files Are Owned By Appropriate User'

description: |-
    The owner of all log files written by rsyslog should be root. These log files
    are determined by the second part of each Rule line in /etc/rsyslog.conf and
    typically all appear in /var/log. For each log file LOGFILE referenced in
    /etc/rsyslog.conf, run the following command to inspect the file's owner:
    $ ls -l LOGFILE
    If the owner is not root, run the following command to correct this:
    $ sudo chown root LOGFILE

rationale: |-
    The log files generated by rsyslog contain valuable information regarding
    system configuration, user authentication, and other such information. Log
    files should be protected from unauthorized access.

severity: medium

identifiers:
    cce@rhel7: 80189-4

references:
    disa: 1314
    nist: AC-6,SI-11
    pcidss: Req-10.5.1,Req-10.5.2

ocil_clause: 'the owner is not root'

ocil: |-
    The owner of all log files written by rsyslog should be root. These log files
    are determined by the second part of each Rule line in /etc/rsyslog.conf and
    typically all appear in /var/log. To see the owner of a given log file, run
    the following command:
    $ ls -l LOGFILE

# scap-security-guide-0.1.39/shared/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure System Log Files Have Correct Permissions'

description: |-
    The file permissions for all log files written by rsyslog should be set to
    600, or more restrictive. These log files are determined by the second part
    of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log.
    For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following
    command to inspect the file's permissions:
    $ ls -l LOGFILE
    If the permissions are not 600 or more restrictive, run the following command
    to correct this:
    $ sudo chmod 0600 LOGFILE

rationale: |-
    Log files can contain valuable information regarding system configuration. If
    the system log files are not protected unauthorized users could change the
    logged data, eliminating their forensic value.

severity: medium

identifiers:
    cce@rhel7: 80191-0

references:
    cis: 4.2.1.3
    disa: 1314
    nist: SI-11
    pcidss: Req-10.5.1,Req-10.5.2

ocil_clause: 'the permissions are not correct'

ocil: |-
    The file permissions for all log files written by rsyslog should be set to
    600, or more restrictive. These log files are determined by the second part
    of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log.
    To see the permissions of a given log file, run the following command:
    $ ls -l LOGFILE
    The permissions should be 600, or more restrictive.

# scap-security-guide-0.1.39/shared/guide/system/logging/log_rotation/ensure_logrotate_activated.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure Logrotate Runs Periodically'

description: |-
    The logrotate utility allows for the automatic rotation of log files. The
    frequency of rotation is specified in /etc/logrotate.conf, which triggers a
    cron task. To configure logrotate to run daily, add or correct the following
    line in /etc/logrotate.conf:
    # rotate log files frequency
    daily

rationale: |-
    Log files that are not properly rotated run the risk of growing so large that
    they fill up the /var/log partition. Valuable logging information could be
    lost if the /var/log partition becomes full.

severity: unknown

identifiers:
    cce@rhel7: 80195-1

references:
    disa: 366
    nist: AU-9
    pcidss: Req-10.7

ocil_clause: 'logrotate is not configured to run daily'

ocil: |-
    To determine the status and frequency of logrotate, run the following command:
    $ sudo grep logrotate /var/log/cron*
    If logrotate is configured properly, output should include references to
    /etc/cron.daily.

# scap-security-guide-0.1.39/shared/guide/system/logging/log_rotation/log_rotation.group
documentation_complete: true

title: 'Ensure All Logs are Rotated by logrotate'

description: |-
    Edit the file /etc/logrotate.d/syslog. Find the first line, which should look
    like this (wrapped for clarity):
    /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
          /var/log/boot.log /var/log/cron {
    Edit this line so that it contains a one-space-separated listing of each log
    file referenced in /etc/rsyslog.conf.

    All logs in use on a system must be rotated regularly, or the log files will
    consume disk space over time, eventually interfering with system operation.
    The file /etc/logrotate.d/syslog is the configuration file used by the
    logrotate program to maintain all log files written by syslog. By default, it
    rotates logs weekly and stores four archival copies of each log. These
    settings can be modified by editing /etc/logrotate.conf, but the defaults are
    sufficient for purposes of this guide.

    Note that logrotate is run nightly by the cron job /etc/cron.daily/logrotate.
    If particularly active logs need to be rotated more often than once a day,
    some other mechanism must be used.

# scap-security-guide-0.1.39/shared/guide/system/logging/logging.group
documentation_complete: true

title: 'Configure Syslog'

description: |-
    The syslog service has been the default Unix logging mechanism for many
    years. It has a number of downsides, including inconsistent log format, lack
    of authentication for received messages, and lack of authentication,
    encryption, or reliable transport for messages sent over a network. However,
    due to its long history, syslog is a de facto standard which is supported by
    almost all Unix applications.

    In Red Hat Enterprise Linux 7, rsyslog has replaced sysklogd as the syslog
    daemon of choice, and it includes some additional security features such as
    reliable, connection-oriented (i.e. TCP) transmission of logs, the option to
    log to database formats, and the encryption of log data en route to a central
    logging server. This section discusses how to configure rsyslog for best
    effect, and how to use tools provided with the system to maintain and monitor
    logs.

# scap-security-guide-0.1.39/shared/guide/system/logging/package_rsyslog_installed.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure rsyslog is Installed'

description: |-
    Rsyslog is installed by default.

rationale: |-
    The rsyslog package provides the rsyslog daemon, which provides system
    logging services.

severity: medium

identifiers:
    cce@rhel7: 80187-8

references:
    anssi: NT28(R5),NT28(R46)
    cis: 4.2.3
    disa: 1311,1312
    hipaa: 164.312(a)(2)(ii)
    iso27001-2013: A.12.3.1
    nist: AU-9(2)

ocil_clause: 'the package is not installed'

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_tcp.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Enable rsyslog to Accept Messages via TCP, if Acting As Log Server'

description: |-
    The rsyslog daemon should not accept remote messages unless the system acts
    as a log server. If the system needs to act as a central log server, add the
    following lines to /etc/rsyslog.conf to enable reception of messages over
    TCP:
    $ModLoad imtcp
    $InputTCPServerRun 514
rationale: |-
    If the system needs to act as a log server, this ensures that it can receive messages over a reliable TCP connection.
severity: unknown
identifiers:
    cce@rhel7: 80193-6
references:
    cis: 4.2.1.5
    nist: AU-9

scap-security-guide-0.1.39/shared/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accept_remote_messages_udp.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Enable rsyslog to Accept Messages via UDP, if Acting As Log Server'
description: |-
    The rsyslog daemon should not accept remote messages unless the system acts as a log server. If the system needs to act as a central log server, add the following lines to /etc/rsyslog.conf to enable reception of messages over UDP:
    $ModLoad imudp
    $UDPServerRun 514
rationale: |-
    Many devices, such as switches, routers, and other Unix-like systems, may only support the traditional syslog transmission over UDP. If the system must act as a log server, this enables it to receive their messages as well.
severity: unknown
identifiers:
    cce@rhel7: 80194-4
references:
    cis: 4.2.1.5
    nist: AU-9

scap-security-guide-0.1.39/shared/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_accepting_remote_messages.group
documentation_complete: true
title: 'Configure rsyslogd to Accept Remote Messages If Acting as a Log Server'
description: |-
    By default, rsyslog does not listen over the network for log messages. If needed, modules can be enabled to allow the rsyslog daemon to receive messages from other systems and for the system thus to act as a log server. If the system is not a log server, then lines concerning these modules should remain commented out.

scap-security-guide-0.1.39/shared/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server'
description: |-
    The rsyslog daemon should not accept remote messages unless the system acts as a log server. To ensure that it is not listening on the network, ensure the following lines are not found in /etc/rsyslog.conf:
    $ModLoad imtcp
    $InputTCPServerRun port
    $ModLoad imudp
    $UDPServerRun port
    $ModLoad imrelp
    $InputRELPServerRun port
rationale: |-
    Any process which receives messages from the network incurs some risk of receiving malicious messages. This risk can be eliminated for rsyslog by configuring it not to listen on the network.
severity: unknown
identifiers:
    cce@rhel7: 80192-8
references:
    disa: 318,368,1812,1813,1814
    nist: AU-9(2),AC-4,CM-6(c)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "031010"

scap-security-guide-0.1.39/shared/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Ensure Logs Sent To Remote Host'
description: |-
    To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting loghost.example.com appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
    To use UDP for log message delivery:
    *.* @loghost.example.com

    To use TCP for log message delivery:
    *.* @@loghost.example.com

    To use RELP for log message delivery:
    *.* :omrelp:loghost.example.com

    There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
rationale: |-
    A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise.
severity: unknown
identifiers:
    cce@rhel7: 27343-3
references:
    cis: 4.2.1.4
    disa: 366,1348,136,1851
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(B),164.308(a)(5)(ii)(C),164.308(a)(6)(ii),164.308(a)(8),164.310(d)(2)(iii),164.312(b),164.314(a)(2)(i)(C),164.314(a)(2)(iii)
    iso27001-2013: A.12.3.1
    nist: AU-3(2),AU-4(1),AU-9
    ospp@rhel7: FAU_GEN.1.1.c
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "031000"
ocil_clause: 'none of these are present'
ocil: |-
    To ensure logs are sent to a remote host, examine the file /etc/rsyslog.conf. If using UDP, a line similar to the following should be present:
    *.* @loghost.example.com
    If using TCP, a line similar to the following should be present:
    *.* @@loghost.example.com
    If using RELP, a line similar to the following should be present:
    *.* :omrelp:loghost.example.com
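The three rsyslog checks above (log file permissions of 600 or stricter, no network listeners unless the host is a log server, and a forwarding line to a remote loghost) as one offline audit script. This is an added example, not code from the SCAP Security Guide: it reads a constructed rsyslog.conf and constructed log files in a temporary directory rather than the live /etc/rsyslog.conf, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide. Audits an rsyslog
# configuration for the three rules above, using constructed sample files
# so that it runs offline. Requires GNU stat (-c '%a').

rsyslog_log_files() {
    # $1 = rsyslog.conf. Prints the file target of each rule line, i.e. the
    # second field, ignoring comments, $directives and non-file actions.
    # A leading '-' (asynchronous write flag) is stripped from the target.
    sed -e 's/#.*//' "$1" | awk '
        $1 ~ /^\$/ || NF < 2 { next }
        { act = $2; sub(/^-/, "", act); if (act ~ /^\//) print act }'
}

check_log_file_perms() {
    # $1 = rsyslog.conf, $2 = directory prefix to look the files up under
    # (empty for the real root). Fails if any existing log file grants
    # group or other permissions, i.e. its mode is wider than 600.
    rc=0
    for f in $(rsyslog_log_files "$1"); do
        path="${2:-}$f"
        [ -e "$path" ] || continue      # not created by rsyslog yet
        mode=$(stat -c '%a' "$path")
        case $mode in
            *00) ;;                     # group and other digits are both 0
            *)  echo "FAIL $f mode is $mode, want 600 or stricter"; rc=1 ;;
        esac
    done
    return $rc
}

rsyslog_listeners() {
    # Prints each active network listener directive in $1; these should
    # only be present on a log server. Exits 0 even when none are found.
    sed -e 's/#.*//' "$1" | grep -E -i \
        '^[[:space:]]*\$(ModLoad[[:space:]]+(imtcp|imudp|imrelp)|InputTCPServerRun|UDPServerRun|InputRELPServerRun)' \
        || true
}

rsyslog_remote_targets() {
    # Prints "protocol host" for each forwarding action in $1:
    # @host is UDP, @@host is TCP, :omrelp:host is RELP.
    sed -e 's/#.*//' "$1" | awk '
        $1 ~ /^\$/ || NF < 2 { next }
        $2 ~ /^@@/       { sub(/^@@/, "", $2);       print "tcp " $2;  next }
        $2 ~ /^@/        { sub(/^@/, "", $2);        print "udp " $2;  next }
        $2 ~ /^:omrelp:/ { sub(/^:omrelp:/, "", $2); print "relp " $2 }'
}

# --- Constructed sample configuration (not taken from any real host) ----
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/var/log"
cat > "$demo_dir/rsyslog.conf" <<'EOF'
#### MODULES ####
$ModLoad imuxsock
# The next two lines are listeners, acceptable only on a log server
$ModLoad imtcp
$InputTCPServerRun 514
# Commented out, so it must not count as a listener
#$ModLoad imudp

#### RULES ####
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
*.* @@loghost.example.com
EOF
for f in messages secure maillog; do : > "$demo_dir/var/log/$f"; done
chmod 600 "$demo_dir/var/log/messages" "$demo_dir/var/log/secure"
chmod 644 "$demo_dir/var/log/maillog"     # deliberately too permissive

echo "log files:";       rsyslog_log_files "$demo_dir/rsyslog.conf"
echo "listeners:";       rsyslog_listeners "$demo_dir/rsyslog.conf"
echo "remote targets:";  rsyslog_remote_targets "$demo_dir/rsyslog.conf"
check_log_file_perms "$demo_dir/rsyslog.conf" "$demo_dir" || echo "permission check failed"
```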
scap-security-guide-0.1.39/shared/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost_address.var
documentation_complete: true
title: 'Remote Log Server'
description: 'Specify a URI or IP address of a remote host where the log messages will be sent and stored.'
type: string
operator: equals
interactive: true
options:
    default: logcollector

scap-security-guide-0.1.39/shared/guide/system/logging/rsyslog_sending_messages/rsyslog_sending_messages.group
documentation_complete: true
title: 'Rsyslog Logs Sent To Remote Host'
description: |-
    If system logs are to be useful in detecting malicious activities, it is necessary to send logs to a remote server. An intruder who has compromised the root account on a system may delete the log entries which indicate that the system was attacked before they are seen by an administrator.

    However, it is recommended that logs be stored on the local host in addition to being sent to the loghost, especially if rsyslog has been configured to use the UDP protocol to send messages over a network. UDP does not guarantee reliable delivery, and moderately busy sites will lose log messages occasionally, especially in periods of high traffic which may be the result of an attack. In addition, remote rsyslog messages are not authenticated in any way by default, so it is easy for an attacker to introduce spurious messages to the central log server. Also, some problems cause loss of network connectivity, which will prevent the sending of messages to the central server. For all of these reasons, it is better to store log messages both centrally and on each host, so that they can be correlated if necessary.

scap-security-guide-0.1.39/shared/guide/system/logging/service_rsyslog_enabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Enable rsyslog Service'
description: |-
    The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 7.
rationale: |-
    The rsyslog service must be running in order to provide logging services, which are essential to system administration.
severity: medium
identifiers:
    cce@rhel7: 80188-6
references:
    anssi: NT28(R5),NT28(R46)
    cis: 4.2.1.1
    disa: 1311,1312,1557,1851
    hipaa: 164.312(a)(2)(ii)
    iso27001-2013: A.12.3.1
    nist: AU-4(1),AU-12
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/network/network-firewalld/firewalld_activation/firewalld_activation.group
documentation_complete: true
title: 'Inspect and Activate Default firewalld Rules'
description: |-
    Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface's assigned zone can be changed by NetworkManager or via the firewall-config tool.
    The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. These are the zones provided by firewalld sorted according to the default trust level of the zones from untrusted to trusted:
      • drop

        Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.

      • block

        Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.

      • public

        For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

      • external

        For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

      • dmz

        For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.

      • work

        For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

      • home

        For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

      • internal

        For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

      • trusted

        All network connections are accepted.

    It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.
    To find out all the settings of a zone, for example the public zone, enter the following command as root:
    # firewall-cmd --zone=public --list-all
    Example output of this command might look like the following:
        # firewall-cmd --zone=public --list-all
        public
          interfaces:
          services: mdns dhcpv6-client ssh
          ports:
          forward-ports:
          icmp-blocks: source-quench
    To view the network zones currently active, enter the following command as root:
    # firewall-cmd --get-services
    The following listing displays the result of this command on a common Red Hat Enterprise Linux 7 Server system:
        # firewall-cmd --get-services
        amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp
        high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd
        ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn
        pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind
        samba samba-client smtp ssh telnet tftp tftp-client transmission-client
        vnc-server wbem-https
    Finally, to view the network zones that will be active after the next firewalld service reload, enter the following command as root:
    # firewall-cmd --get-services --permanent
scap-security-guide-0.1.39/shared/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed.rule
documentation_complete: true
prodtype: rhel7
title: 'Install firewalld'
description: |-
    Install the firewalld package with the command:
    $ sudo yum install firewalld
rationale: 'The firewalld package should be installed to provide access control methods.'
severity: medium
ocil_clause: 'the package is not installed'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify firewalld Enabled'
description: ''
rationale: |-
    Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.
severity: medium
identifiers:
    cce@rhel7: 27361-5
references:
    cis: 4.7
    cui: 3.1.3,3.4.7
    disa: 366
    nist: CM-6(b)
    ospp@rhel7: FMT_MOF_EXT.1
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040520"
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/network/network-firewalld/network-firewalld.group
documentation_complete: true
title: firewalld
description: |-
    The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly.
    A graphical configuration tool, firewall-config, is used to configure firewalld, which in turn uses the iptables tool to communicate with Netfilter in the kernel, which implements packet filtering.
    The firewall service provided by firewalld is dynamic rather than static because changes to the configuration can be made at any time and are immediately implemented. There is no need to save or apply the changes. No unintended disruption of existing network connections occurs as no part of the firewall has to be reloaded.

scap-security-guide-0.1.39/shared/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports.rule
documentation_complete: true
prodtype: rhel7
title: 'Configure the Firewalld Ports'
description: |-
    Configure the firewalld ports to allow approved services to have access to the system. To configure firewalld to open ports, run the following command:
    $ sudo firewall-cmd --permanent --add-port=port_number/tcp
    or
    $ sudo firewall-cmd --permanent --add-service=service_name
    Run the command listed above for each of the ports listed below:
rationale: |-
    In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

    Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.

    To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
severity: medium
identifiers:
    cce@rhel7: 80447-6
references:
    disa: 382,2314
    nist: CM-7,CM-7.1(iii),CM-7(b),AC-17(1)
    srg: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115
    stigid@rhel7: "040100"
ocil_clause: 'the default rules are not configured'
ocil: |-
    Inspect the list of enabled firewall ports and verify they are configured correctly by running the following command:
    $ sudo firewall-cmd --list-all
scap-security-guide-0.1.39/shared/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting.rule
documentation_complete: true
prodtype: rhel7
title: 'Configure firewalld To Rate Limit Connections'
description: |-
    Create a direct firewall rule to protect against DoS attacks with the following command:
    $ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
rationale: |-
    DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.

    This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
severity: medium
identifiers:
    cce: 80542-4
references:
    disa: 2385
    nist: ""
    srg: SRG-OS-000420-GPOS-00186
    stigid: "040510"
ocil_clause: 'firewalld is not rate limiting connections'
ocil: |-
    To verify the operating system protects against or limits the effects of DoS attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces, run the following command:
    $ sudo firewall-cmd --permanent --direct --get-rules ipv4 filter INPUT_direct
    The output should return:
    0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
scap-security-guide-0.1.39/shared/guide/system/network/network-firewalld/ruleset_modifications/ruleset_modifications.group
documentation_complete: true
title: 'Strengthen the Default Ruleset'
description: |-
    The default rules can be strengthened. The system scripts that activate the firewall rules expect them to be defined in configuration files under the /etc/firewalld/services and /etc/firewalld/zones directories.

    The following recommendations describe how to strengthen the default ruleset configuration file. An alternative to editing this configuration file is to create a shell script that makes calls to the firewall-cmd program to load in rules under the /etc/firewalld/services and /etc/firewalld/zones directories.

    Instructions apply to both unless otherwise noted. Language and address conventions for regular firewalld rules are used throughout this section.

scap-security-guide-0.1.39/shared/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Set Default firewalld Zone for Incoming Packets'
description: |-
    To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in /etc/firewalld/firewalld.conf to be:
    DefaultZone=drop
rationale: |-
    In firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
severity: medium
identifiers:
    cce@rhel7: 27349-0
references:
    cjis: 5.10.1
    cui: 3.1.3,3.4.7,3.13.6
    disa: 366
    nist: CM-6(b),CM-7
    ospp@rhel7: FMT_MOF_EXT.1
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040810"
ocil_clause: 'the default zone is not set to DROP'
ocil: |-
    Inspect the file /etc/firewalld/firewalld.conf to determine the default zone for the firewalld. It should be set to DefaultZone=drop:
    $ sudo grep DefaultZone /etc/firewalld/firewalld.conf
scap-security-guide-0.1.39/shared/guide/system/network/network-ipsec/libreswan_approved_tunnels.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify Any Configured IPSec Tunnel Connections'
description: |-
    Libreswan provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that any IPsec connection (conn) configured in /etc/ipsec.conf or /etc/ipsec.d is an approved organizational connection.
rationale: 'IP tunneling mechanisms can be used to bypass network filtering.'
severity: medium
identifiers:
    cce@rhel7: 80171-2
references:
    disa: 336
    hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
    nist: AC-4
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040820"
ocil_clause: 'the IPSec tunnels are not approved'
ocil: |-
    To check for configured IPsec connections (conn), perform the following:
    grep -rni conn /etc/ipsec.conf /etc/ipsec.d/
    Verify any returned results for organizational approval.

scap-security-guide-0.1.39/shared/guide/system/network/network-ipsec/network-ipsec.group
documentation_complete: true
title: 'IPSec Support'
description: |-
    Support for Internet Protocol Security (IPsec) is provided in Red Hat Enterprise Linux 7 with Libreswan.

scap-security-guide-0.1.39/shared/guide/system/network/network-ipsec/package_libreswan_installed.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Install libreswan Package'
description: |-
    The Libreswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks.
rationale: |-
    Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.
severity: medium
identifiers:
    cce@rhel7: 80170-4
references:
    disa: 1130,1131
    nist: 'AC-17, MA-4, SC-9'
    pcidss: Req-4.1
ocil_clause: 'the package is not installed'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/configuring_ipv6.group
documentation_complete: true
title: 'Configure IPv6 Settings if Necessary'
description: |-
    A major feature of IPv6 is the extent to which systems implementing it can automatically configure their networking devices using information from the network. From a security perspective, manually configuring important configuration information is preferable to accepting it from the network in an unauthenticated fashion.

scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/disabling_ipv6_autoconfig.group
documentation_complete: true
title: 'Disable Automatic Configuration'
description: |-
    Disable the system's acceptance of router advertisements and redirects by adding or correcting the following line in /etc/sysconfig/network (note that this does not disable sending router solicitations):
    IPV6_AUTOCONF=no
sysconfig_network_IPV6_AUTOCONF_value.var000066400000000000000000000004131327242345500455340ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfigdocumentation_complete: true title: IPV6_AUTOCONF description: |- Toggle global IPv6 auto-configuration (only, if global forwarding is disabled) type: string operator: equals interactive: false options: default: no disabled: no enabled: yes sysctl_net_ipv6_conf_all_accept_ra.rule000066400000000000000000000007401327242345500456340ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfigdocumentation_complete: true prodtype: rhel7 title: 'Configure Accepting IPv6 Router Advertisements' description: '' rationale: 'An illicit router advertisement message could result in a man-in-the-middle attack.' severity: unknown identifiers: cce@rhel7: 80180-3 references: cis: 3.3.1 cui: 3.1.20 nist: CM-7 ocil: '' sysctl_net_ipv6_conf_all_accept_ra_value.var000066400000000000000000000003431327242345500466500ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfigdocumentation_complete: true title: net.ipv6.conf.all.accept_ra description: 'Accept all router advertisements?' type: number operator: equals interactive: false options: default: "0" disabled: "0" enabled: 1 sysctl_net_ipv6_conf_all_accept_redirects.rule000066400000000000000000000007641327242345500472240ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfigdocumentation_complete: true prodtype: rhel7 title: 'Configure Accepting IPv6 Redirects By Default' description: '' rationale: 'An illicit ICMP redirect message could result in a man-in-the-middle attack.' 
severity: medium identifiers: cce@rhel7: 80182-9 references: cis: 3.3.2 cui: 3.1.20 disa: 1551 nist: CM-7 ocil: '' sysctl_net_ipv6_conf_all_accept_redirects_value.var000066400000000000000000000003501327242345500502300ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfigdocumentation_complete: true title: net.ipv6.conf.all.accept_redirects description: 'Toggle ICMP Redirect Acceptance' type: number operator: equals interactive: false options: default: "0" disabled: "0" enabled: 1 sysctl_net_ipv6_conf_all_accept_source_route.rule000066400000000000000000000020301327242345500477420ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfigdocumentation_complete: true prodtype: rhel7 title: 'Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces' description: '' rationale: |- Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. severity: medium identifiers: cce@rhel7: 80179-5 references: cui: 3.1.20 disa: 366 nist: AC-4 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "040830" ocil: '' sysctl_net_ipv6_conf_all_accept_source_route_value.var000066400000000000000000000005601327242345500507650ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfigdocumentation_complete: true title: net.ipv6.conf.all.accept_source_route description: |- Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected. type: number operator: equals interactive: false options: default: "0" disabled: "0" enabled: 1 sysctl_net_ipv6_conf_all_forwarding.rule000066400000000000000000000012271327242345500460560ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfigdocumentation_complete: true prodtype: rhel7 title: 'Disable Kernel Parameter for IPv6 Forwarding' description: '' rationale: |- IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. severity: medium identifiers: cce@rhel7: 80356-9 references: disa: 366 nist: CM-7,SC-5 ocil: |- The ability to forward packets is only appropriate for routers. 
# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_all_forwarding_value.var
documentation_complete: true
title: net.ipv6.conf.all.forwarding
description: 'Toggle IPv6 Forwarding'
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_ra.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Accepting IPv6 Router Advertisements'
description: ''
rationale: |-
    An illicit router advertisement message can install a rogue default route or address prefix on the host and could result in a man-in-the-middle attack.
severity: unknown
identifiers:
    cce@rhel7: 80181-1
references:
    cis: 3.3.1
    cui: 3.1.20
    nist: CM-7
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_ra_value.var
documentation_complete: true
title: net.ipv6.conf.default.accept_ra
description: 'Accept IPv6 router advertisements on interfaces by default?'
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_redirects.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Accepting IPv6 Redirects By Default'
description: ''
rationale: 'An illicit ICMP redirect message could result in a man-in-the-middle attack.'
severity: medium
identifiers:
    cce@rhel7: 80183-7
references:
    cis: 3.3.2
    cui: 3.1.20
    disa: 1551
    nist: CM-7
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_redirects_value.var
documentation_complete: true
title: net.ipv6.conf.default.accept_redirects
description: 'Toggle ICMP Redirect Acceptance By Default'
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_source_route.rule
documentation_complete: true
prodtype: rhel7
title: 'Configure Kernel Parameter for Accepting Source-Routed Packets for Interfaces By Default'
description: ''
rationale: |-
    Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

    Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
severity: medium
identifiers:
    cce@rhel7: 80335-1
references:
    cui: 3.1.20
    disa: 366
    nist: AC-4
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/disabling_ipv6_autoconfig/sysctl_net_ipv6_conf_default_accept_source_route_value.var
documentation_complete: true
title: net.ipv6.conf.default.accept_source_route
description: |-
    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_default_gateway.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Manually Assign IPv6 Router Address'
description: |-
    Edit the file /etc/sysconfig/network-scripts/ifcfg-interface, and add or correct the following line (substituting your gateway IP as appropriate):
        IPV6_DEFAULTGW=2001:0DB8::0001
    Router addresses should be manually set and not accepted via any auto-configuration or router advertisement.
rationale: ""
severity: unknown
identifiers:
    cce@rhel7: 80186-0
references:
    disa: 366

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_limit_requests/network_ipv6_limit_requests.group
documentation_complete: true
title: 'Limit Network-Transmitted Configuration if Using Static IPv6 Addresses'
description: |-
    To limit the configuration information requested from other systems and accepted from the network on a system that uses statically-configured IPv6 addresses, add the following lines to /etc/sysctl.conf:
        net.ipv6.conf.default.router_solicitations = 0
        net.ipv6.conf.default.accept_ra_rtr_pref = 0
        net.ipv6.conf.default.accept_ra_pinfo = 0
        net.ipv6.conf.default.accept_ra_defrtr = 0
        net.ipv6.conf.default.autoconf = 0
        net.ipv6.conf.default.dad_transmits = 0
        net.ipv6.conf.default.max_addresses = 1
    The router_solicitations setting determines how many router solicitations are sent when bringing up the interface. If addresses are statically assigned, there is no need to send any solicitations.

    The accept_ra_rtr_pref setting controls whether the router preference values carried in router advertisements are honored.

    The accept_ra_pinfo setting controls whether the system will accept prefix info from the router.

    The accept_ra_defrtr setting controls whether the system will learn its default router from a router advertisement. Setting it to 0 prevents a router advertisement from installing or changing the default IPv6 route.

    The autoconf setting controls whether router advertisements can cause the system to assign a global unicast address to an interface.

    The dad_transmits setting determines how many neighbor solicitations to send out per address (global and link-local) when bringing up an interface to ensure the desired address is unique on the network.

    The max_addresses setting determines how many global unicast IPv6 addresses can be assigned to each interface. The default is 16, but it should be set to exactly the number of statically configured global addresses required.

    Note that the net.ipv6.conf.default.* keys apply to interfaces created after they are set; an interface that already exists keeps its current values until the corresponding net.ipv6.conf.&lt;interface&gt;.* keys are set as well.

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Use Privacy Extensions for Address'
description: |-
    To introduce randomness into the automatic generation of IPv6 addresses, add or correct the following line in /etc/sysconfig/network-scripts/ifcfg-interface:
        IPV6_PRIVACY=rfc3041
    Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. Ethernet) address, and so it becomes possible to track a piece of hardware over its lifetime using its traffic. If it is important for a system's IP address to not trivially reveal its hardware address, this setting should be applied.
rationale: ""
severity: unknown
identifiers:
    cce@rhel7: 80185-2
references:
    cui: 3.1.20
    disa: 366

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_static_address.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Manually Assign Global IPv6 Address'
description: |-
    To manually assign an IP address for an interface, edit the file /etc/sysconfig/network-scripts/ifcfg-interface. Add or correct the following line (substituting the correct IPv6 address):
        IPV6ADDR=2001:0DB8::ABCD/64
    Manually assigning an IP address is preferable to accepting one from routers or from the network otherwise. The example address here is an IPv6 address reserved for documentation purposes, as defined by RFC3849.
rationale: ""
severity: unknown
identifiers:
    cce@rhel7: 80184-5
references:
    disa: 366

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/disabling_ipv6/disabling_ipv6.group
documentation_complete: true
title: 'Disable Support for IPv6 Unless Needed'
description: |-
    Despite configuration that suggests support for IPv6 has been disabled, link-local IPv6 address auto-configuration occurs even when only an IPv4 address is assigned. The only way to effectively prevent execution of the IPv6 networking stack is to instruct the system not to activate the IPv6 kernel module.

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_interfaces.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Interface Usage of IPv6'
description: |-
    To disable interface usage of IPv6, add or correct the following lines in /etc/sysconfig/network:
        NETWORKING_IPV6=no
        IPV6INIT=no
rationale: ""
severity: unknown
identifiers:
    cce@rhel7: 80176-1

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Support for RPC IPv6'
description: |-
    RPC services for NFSv4 try to load transport modules for udp6 and tcp6 by default, even if IPv6 has been disabled in /etc/modprobe.d. To prevent RPC services such as rpc.mountd from attempting to start IPv6 network listeners, remove or comment out the following two lines in /etc/netconfig:
        udp6       tpi_clts      v     inet6    udp     -       -
        tcp6       tpi_cots_ord  v     inet6    tcp     -       -
rationale: ""
severity: unknown
identifiers:
    cce@rhel7: 80177-9
references:
    cui: 3.1.20
    nist: CM-7

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/disabling_ipv6/sysctl_net_ipv6_conf_all_disable_ipv6.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable IPv6 Networking Support Automatic Loading'
description: |-
    To disable IPv6 support on all network interfaces, add the following line to /etc/sysctl.d/ipv6.conf (or another file in /etc/sysctl.d):
        net.ipv6.conf.all.disable_ipv6 = 1
    This disables IPv6 on all network interfaces rather than preventing the IPv6 kernel module from loading, because other services and system functionality require the IPv6 stack to be present in order to work.
rationale: |-
    Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.
severity: medium
identifiers:
    cce@rhel7: 80175-3
references:
    cis: 3.3.3
    cui: 3.1.20
    disa: 1551
    nist: CM-7
ocil_clause: 'IPv6 support is not disabled on network interfaces'
ocil: |-
    If the system uses IPv6, this is not applicable.

    If the system is configured to prevent the usage of IPv6 on network interfaces, it will contain a line of the form:
        net.ipv6.conf.all.disable_ipv6 = 1
    Such lines may be inside any file in the /etc/sysctl.d directory. This permits insertion of the IPv6 kernel module (which other parts of the system expect to be present), but otherwise keeps all network interfaces from using IPv6. Run the following command to search for such lines in all files in /etc/sysctl.d:
        $ grep -r ipv6 /etc/sysctl.d

# scap-security-guide-0.1.39/shared/guide/system/network/network-ipv6/network-ipv6.group
documentation_complete: true
title: IPv6
description: |-
    The system includes support for Internet Protocol version 6. A major and often-mentioned improvement over IPv4 is its enormous increase in the number of available addresses. Another important feature is its support for automatic configuration of many network settings.

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network-kernel.group
documentation_complete: true
title: 'Kernel Parameters Which Affect Networking'
description: |-
    The sysctl utility is used to set parameters which affect the operation of the Linux kernel. Kernel parameters which affect networking and have security implications are described here.

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/network_host_and_router_parameters.group
documentation_complete: true
title: 'Network Related Kernel Runtime Parameters for Hosts and Routers'
description: |-
    Certain kernel parameters should be set for systems which are acting as either hosts or routers to improve the system's ability to defend against certain types of IPv4 protocol attacks.
# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter for Accepting ICMP Redirects for All Interfaces'
description: ''
rationale: |-
    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

    This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
severity: medium
identifiers:
    cce@rhel7: 80158-9
references:
    cis: 3.2.2
    cjis: 5.10.1.1
    cui: 3.1.20
    disa: 366,1503,1551
    nist: CM-6(d),CM-7,SC-5
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040641"
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects_value.var
documentation_complete: true
title: net.ipv4.conf.all.accept_redirects
description: 'Disable ICMP Redirect Acceptance'
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces'
description: ''
rationale: |-
    Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

    Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
severity: medium
identifiers:
    cce@rhel7: 27434-0
references:
    cis: 3.2.1
    cui: 3.1.20
    disa: 366
    nist: AC-4,CM-7,SC-5
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040610"
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route_value.var
documentation_complete: true
title: net.ipv4.conf.all.accept_source_route
description: |-
    Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter to Log Martian Packets'
description: ''
rationale: |-
    The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
severity: unknown
identifiers:
    cce@rhel7: 80160-5
references:
    cis: 3.2.4
    cui: 3.1.20
    disa: 126
    nist: AC-17(7),CM-7,SC-5(3)
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_log_martians_value.var
documentation_complete: true
title: net.ipv4.conf.all.log_martians
description: |-
    Enable to log spoofed packets, source-routed packets, and redirect packets; disable to suppress this logging.
type: number
operator: equals
interactive: false
options:
    default: 1
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter to Use Reverse Path Filtering for All Interfaces'
description: ''
rationale: |-
    Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
severity: medium
identifiers:
    cce@rhel7: 80167-0
references:
    cis: 3.2.7
    cui: 3.1.20
    disa: 1551
    nist: AC-4,SC-5,SC-7
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter_value.var
documentation_complete: true
title: net.ipv4.conf.all.rp_filter
description: |-
    Enable to enforce sanity checking, also called ingress filtering or egress filtering.
    The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense when considered in light of the physical interface on which it arrived.
type: number
operator: equals
interactive: false
options:
    default: 1
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter for Accepting Secure Redirects for All Interfaces'
description: ''
rationale: |-
    Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
severity: medium
identifiers:
    cce@rhel7: 80159-7
references:
    cis: 3.2.3
    cui: 3.1.20
    disa: 1503,1551
    nist: AC-4,CM-7,SC-5
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_secure_redirects_value.var
documentation_complete: true
title: net.ipv4.conf.all.secure_redirects
description: |-
    Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces.
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter for Accepting ICMP Redirects By Default'
description: ''
rationale: |-
    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

    This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
severity: medium
identifiers:
    cce@rhel7: 80163-9
references:
    cis: 3.2.2
    cjis: 5.10.1.1
    cui: 3.1.20
    disa: 1551
    nist: AC-4,CM-7,SC-5,SC-7
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040640"
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects_value.var
documentation_complete: true
title: net.ipv4.conf.default.accept_redirects
description: 'Disable ICMP Redirect Acceptance?'
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter for Accepting Source-Routed Packets By Default'
description: ''
rationale: |-
    Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.

    Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
severity: medium
identifiers:
    cce@rhel7: 80162-1
references:
    cis: 3.2.1
    cjis: 5.10.1.1
    cui: 3.1.20
    disa: 366,1551
    nist: AC-4,CM-7,SC-5,SC-7
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040620"
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route_value.var
documentation_complete: true
title: net.ipv4.conf.default.accept_source_route
description: 'Disable IP source routing?'
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter to Log Martian Packets By Default'
description: ''
rationale: |-
    The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
severity: unknown
identifiers:
    cce@rhel7: 80161-3
references:
    cis: 3.2.4
    cui: 3.1.20
    disa: 126
    nist: AC-17(7),CM-7,SC-5(3)
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_log_martians_value.var
documentation_complete: true
title: net.ipv4.conf.default.log_martians
description: |-
    Enable to log spoofed packets, source-routed packets, and redirect packets; disable to suppress this logging.
type: number
operator: equals
interactive: false
options:
    default: 1
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter to Use Reverse Path Filtering by Default'
description: ''
rationale: |-
    Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
severity: medium
identifiers:
    cce@rhel7: 80168-8
references:
    cis: 3.2.7
    cui: 3.1.20
    nist: AC-4,SC-5,SC-7
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_rp_filter_value.var
documentation_complete: true
title: net.ipv4.conf.default.rp_filter
description: 'Enables source route verification'
type: number
operator: equals
interactive: false
options:
    default: 1
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter for Accepting Secure Redirects By Default'
description: ''
rationale: |-
    Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
severity: medium
identifiers:
    cce@rhel7: 80164-7
references:
    cis: 3.2.3
    cui: 3.1.20
    disa: 1551
    nist: AC-4,CM-7,SC-5,SC-7
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_secure_redirects_value.var
documentation_complete: true
title: net.ipv4.conf.default.secure_redirects
description: |-
    Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. Disable to refuse acceptance of secure ICMP redirected packets by default.
type: number
operator: equals
interactive: false
options:
    default: "0"
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter to Ignore ICMP Broadcast Echo Requests'
description: ''
rationale: |-
    Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
    Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
severity: medium
identifiers:
    cce@rhel7: 80165-4
references:
    cis: 3.2.5
    cjis: 5.10.1.1
    cui: 3.1.20
    disa: 366
    nist: AC-4,CM-7,SC-5
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "040630"
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value.var
documentation_complete: true
title: net.ipv4.icmp_echo_ignore_broadcasts
description: |-
    Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
type: number
operator: equals
interactive: false
options:
    default: 1
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter to Ignore Bogus ICMP Error Responses'
description: ''
rationale: |-
    Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
severity: unknown
identifiers:
    cce@rhel7: 80166-2
references:
    cis: 3.2.6
    cui: 3.1.20
    nist: CM-7,SC-5
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value.var
documentation_complete: true
title: net.ipv4.icmp_ignore_bogus_error_responses
description: 'Enable to prevent unnecessary logging'
type: number
operator: equals
interactive: false
options:
    default: 1
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Configure Kernel Parameter to Use TCP Syncookies'
description: ''
rationale: |-
    A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
severity: medium
identifiers:
    cce@rhel7: 27495-1
references:
    cis: 3.2.8
    cjis: 5.10.1.1
    cui: 3.1.20
    disa: 366
    nist: AC-4,SC-5(1)(2),SC-5(2),SC-5(3)
    srg: SRG-OS-000480-GPOS-00227
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies_value.var
documentation_complete: true
title: net.ipv4.tcp_syncookies
description: |-
    Enable to turn on TCP SYN Cookie Protection
type: number
operator: equals
interactive: false
options:
    default: 1
    disabled: "0"
    enabled: 1

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_parameters/network_host_parameters.group
documentation_complete: true
title: 'Network Parameters for Hosts Only'
description: |-
    If the system is not going to be used as a router, then setting certain kernel parameters ensures that the host will not perform routing of network traffic.

# scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces'
description: ''
rationale: |-
    ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. severity: medium identifiers: cce@rhel7: 80156-3 references: cis: 3.1.2 cjis: 5.10.1.1 cui: 3.1.20 disa: 366 nist: AC-4,CM-7,SC-5(1) srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "040660" ocil: '' sysctl_net_ipv4_conf_default_send_redirects.rule000066400000000000000000000016021327242345500445310ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_parametersdocumentation_complete: true prodtype: rhel7,fedora title: 'Disable Kernel Parameter for Sending ICMP Redirects by Default' description: '' rationale: |- ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. severity: medium identifiers: cce@rhel7: 80156-3 references: cis: 3.1.2 cjis: 5.10.1.1 cui: 3.1.20 disa: 366 nist: AC-4,CM-7,SC-5,SC-7 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "040650" ocil: '' sysctl_net_ipv4_ip_forward.rule000066400000000000000000000014401327242345500411570ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-kernel/network_host_parametersdocumentation_complete: true prodtype: rhel7,fedora title: 'Disable Kernel Parameter for IP Forwarding' description: '' rationale: |- Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. severity: medium identifiers: cce@rhel7: 80157-1 references: cis: 3.1.1 cui: 3.1.20 disa: 366 nist: CM-7,SC-5,SC-32 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "040740" ocil: |- The ability to forward packets is only appropriate for routers. scap-security-guide-0.1.39/shared/guide/system/network/network-uncommon/000077500000000000000000000000001327242345500264035ustar00rootroot00000000000000kernel_module_dccp_disabled.rule000066400000000000000000000011741327242345500346650ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-uncommondocumentation_complete: true prodtype: rhel7,fedora title: 'Disable DCCP Support' description: |- The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. rationale: |- Disabling DCCP protects the system against exploitation of any flaws in its implementation. 
severity: medium identifiers: cce@rhel7: 26828-4 references: cis: 3.5.1 cjis: 5.10.1 cui: 3.4.6 disa: 1958 nist: CM-7 stigid: "020101" ocil: '' kernel_module_sctp_disabled.rule000066400000000000000000000012301327242345500347160ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-uncommondocumentation_complete: true prodtype: rhel7 title: 'Disable SCTP Support' description: |- The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. rationale: |- Disabling SCTP protects the system against exploitation of any flaws in its implementation. severity: medium identifiers: cce@rhel7: 27106-4 references: cis: 3.5.2 cjis: 5.10.1 cui: 3.4.6 disa: "" nist: CM-7 ocil: '' scap-security-guide-0.1.39/shared/guide/system/network/network-uncommon/network-uncommon.group000066400000000000000000000006651327242345500330120ustar00rootroot00000000000000documentation_complete: true title: 'Uncommon Network Protocols' description: "The system includes support for several network\nprotocols which are not commonly used. Although security vulnerabilities \nin kernel networking code are not frequently\ndiscovered, the consequences can be dramatic. Ensuring uncommon\nnetwork protocols are disabled reduces the system's risk to attacks\ntargeted at its implementation of those protocols." scap-security-guide-0.1.39/shared/guide/system/network/network-wireless/000077500000000000000000000000001327242345500264055ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-wireless/network-wireless.group000066400000000000000000000015021327242345500330050ustar00rootroot00000000000000documentation_complete: true title: 'Wireless Networking' description: "Wireless networking, such as 802.11\n(WiFi) and Bluetooth, can present a security risk to sensitive or\nclassified systems and networks. 
Wireless networking hardware is\nmuch more likely to be included in laptop or portable systems than\nin desktops or servers. \n

\nRemoval of hardware provides the greatest assurance that the wireless\ncapability remains disabled. Acquisition policies often include provisions to\nprevent the purchase of equipment that will be used in sensitive spaces and\nincludes wireless capabilities. If it is impractical to remove the wireless\nhardware, and policy permits the device to enter sensitive spaces as long\nas wireless is disabled, efforts should instead focus on disabling wireless capability\nvia software." scap-security-guide-0.1.39/shared/guide/system/network/network-wireless/wireless_software/000077500000000000000000000000001327242345500321545ustar00rootroot00000000000000kernel_module_bluetooth_disabled.rule000066400000000000000000000014531327242345500415320ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-wireless/wireless_softwaredocumentation_complete: true prodtype: rhel7,fedora title: 'Disable Bluetooth Kernel Modules' description: |- The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:
install bluetooth /bin/true
rationale: |- If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. severity: medium identifiers: cce@rhel7: 27327-6 references: cjis: 5.13.1.3 cui: 3.1.16 disa: 85,1551 nist: AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7 ocil: '' service_bluetooth_disabled.rule000066400000000000000000000013471327242345500403470ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-wireless/wireless_softwaredocumentation_complete: true prodtype: rhel7,fedora title: 'Disable Bluetooth Service' description: |-
$ sudo service bluetooth stop
rationale: |- Disabling the bluetooth service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range. severity: medium identifiers: cce@rhel7: 27328-4 references: cui: 3.1.16 disa: 85,1551 nist: AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7 ocil: '' wireless_disable_in_bios.rule000066400000000000000000000012121327242345500400040ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-wireless/wireless_softwaredocumentation_complete: true prodtype: rhel7,fedora title: 'Disable WiFi or Bluetooth in BIOS' description: |- Some machines that include built-in wireless support offer the ability to disable the device through the BIOS. This is hardware-specific; consult your hardware manual or explore the BIOS setup during boot. rationale: |- Disabling wireless support in the BIOS prevents easy activation of the wireless interface, generally requiring administrators to reboot the system first. severity: unknown identifiers: cce@rhel7: 27397-9 references: disa: 85 nist: AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7 wireless_disable_interfaces.rule000066400000000000000000000026041327242345500405130ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-wireless/wireless_softwaredocumentation_complete: true prodtype: rhel7,fedora title: 'Deactivate Wireless Network Interfaces' description: |- Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable all wireless network interfaces with the following command:
$ sudo nmcli radio wifi off
rationale: |- The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. severity: unknown identifiers: cce@rhel7: 27358-1 references: cis: 4.3.1 cui: 3.1.16 disa: 85,2418 nist: AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7 srg: SRG-OS-000424-GPOS-00188 stigid: "041010" ocil_clause: 'it is not' ocil: |- Verify that there are no wireless interfaces configured on the system with the following command:
$ sudo nmcli device
The output should contain the following:
wifi disconnected
wireless_software.group000066400000000000000000000007011327242345500367200ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network-wireless/wireless_softwaredocumentation_complete: true title: 'Disable Wireless Through Software Configuration' description: |- If it is impossible to remove the wireless hardware from the device in question, disable as much of it as possible through software. The following methods can disable software support for wireless networking, but note that these methods do not prevent malicious software or careless users from re-activating the devices. scap-security-guide-0.1.39/shared/guide/system/network/network.group000066400000000000000000000015141327242345500256310ustar00rootroot00000000000000documentation_complete: true title: 'Network Configuration and Firewalls' description: |- Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking which must be made when configuring a system.

This section also discusses firewalls, network access controls, and other network security frameworks, which allow system-level rules to be written that can limit an attackers' ability to connect to your system. These rules can specify that network traffic should be allowed or denied from certain IP addresses, hosts, and networks. The rules can also specify which of the system's network services are available to particular hosts or networks. scap-security-guide-0.1.39/shared/guide/system/network/network_configure_name_resolution.rule000066400000000000000000000027401327242345500327720ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Configure Multiple DNS Servers in /etc/resolv.conf' description: |- Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain as least 2 DNS servers, add a corresponding nameserver ip_address entry in /etc/resolv.conf for each DNS server where ip_address is the IP address of a valid DNS server. For example:
search example.com
    nameserver 192.168.0.1
    nameserver 192.168.0.2
rationale: |- To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. severity: unknown identifiers: cce@rhel7: 80438-5 references: disa: 366 nist: SC-22 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "040600" ocil_clause: 'it does not exist or is not properly configured or less than 2 ''nameserver'' entries exist' ocil: |- To verify that DNS servers have been configured properly, perform the following:
$ sudo grep nameserver /etc/resolv.conf
The output should return more than one
nameserver
entry. scap-security-guide-0.1.39/shared/guide/system/network/network_disable_ddns_interfaces.rule000066400000000000000000000025061327242345500323440ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable Client Dynamic DNS Updates' description: |- Dynamic DNS allows clients to dynamically update their own DNS records. The updates are transmitted by unencrypted means which can reveal information to a potential malicious user. If the system does not require Dynamic DNS, remove all DHCP_HOSTNAME references from the /etc/sysconfig/network-scripts/ifcfg-interface scripts. If dhclient is used, remove all send host-name hostname references from the /etc/dhclient.conf configuration file and/or any reference from the /etc/dhcp directory. rationale: |- Dynamic DNS updates transmit unencrypted information about a system including its name and address and should not be used unless needed. severity: medium identifiers: cce@rhel7: 80357-7 references: disa: 366 nist: CM-6(b) srg: SRG-OS-000480-GPOS-00227 ocil_clause: 'client Dynamic DNS updates are not disabled' ocil: |- To verify that clients cannot automatically update DNS records, perform the following:
$ grep -i dhcp_hostname /etc/sysconfig/network-scripts/ifcfg-*
$ grep -rni "send host-name" /etc/dhclient.conf /etc/dhcp
The output should return no results. scap-security-guide-0.1.39/shared/guide/system/network/network_disable_unused_interfaces/000077500000000000000000000000001327242345500320235ustar00rootroot00000000000000network_disable_unused_interfaces.group000066400000000000000000000013731327242345500417700ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network_disable_unused_interfacesdocumentation_complete: true title: 'Disable Unused Interfaces' description: "Network interfaces expand the attack surface of the \nsystem. Unused interfaces are not monitored or controlled, and \nshould be disabled.\n

\nIf the system does not require network communications but still\nneeds to use the loopback interface, remove all files of the form\nifcfg-interface except for ifcfg-lo from\n/etc/sysconfig/network-scripts:\n
$ sudo rm /etc/sysconfig/network-scripts/ifcfg-interface
\nIf the system is a standalone machine with no need for network access or even\ncommunication over the loopback device, then disable this service.\n" scap-security-guide-0.1.39/shared/guide/system/network/network_disable_zeroconf.rule000066400000000000000000000016521327242345500310370ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,fedora title: 'Disable Zeroconf Networking' description: |- Zeroconf networking allows the system to assign itself an IP address and engage in IP communication without a statically-assigned address or even a DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended. To disable Zeroconf automatic route assignment in the 169.254.0.0 subnet, add or correct the following line in /etc/sysconfig/network:
NOZEROCONF=yes
rationale: |- Zeroconf addresses are in the network 169.254.0.0. The networking scripts add entries to the system's routing table for these addresses. Zeroconf address assignment commonly occurs when the system is configured to use DHCP but fails to receive an address assignment from the DHCP server. severity: unknown identifiers: cce@rhel7: 80173-8 references: nist: CM-7 scap-security-guide-0.1.39/shared/guide/system/network/network_sniffer_disabled.rule000066400000000000000000000024621327242345500310120ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,fedora title: 'Ensure System is Not Acting as a Network Sniffer' description: |- The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
rationale: |- Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel. severity: medium identifiers: cce@rhel7: 80174-6 references: disa: 366 nist: CM-7,CM-7(2).1(i),,MA-3 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "040670" ocil_clause: 'any network device is in promiscuous mode' ocil: |- Promiscuous mode of an interface can be disabled with the following command:
$ sudo ip link set dev device_name promisc off
scap-security-guide-0.1.39/shared/guide/system/network/network_ssl/000077500000000000000000000000001327242345500254335ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/network/network_ssl/network_ssl.group000066400000000000000000000021251327242345500310630ustar00rootroot00000000000000documentation_complete: true title: 'Transport Layer Security Support' description: |- Support for Transport Layer Security (TLS), and its predecessor, the Secure Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the OpenSSL software (RPM package openssl). TLS provides encrypted and authenticated network communications, and many network services include support for it. TLS or SSL can be leveraged to avoid any plaintext transmission of sensitive data.
For information on how to use OpenSSL, see . Information on FIPS validation of OpenSSL is available at and . For information on how to use and implement OpenSSL on Red Hat Enterprise Linux, see scap-security-guide-0.1.39/shared/guide/system/permissions/000077500000000000000000000000001327242345500237435ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/permissions/files/000077500000000000000000000000001327242345500250455ustar00rootroot00000000000000dir_perms_world_writable_sticky_bits.rule000066400000000000000000000033521327242345500353550ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/permissions/filesdocumentation_complete: true prodtype: rhel7,fedora,ol7 title: 'Verify that All World-Writable Directories Have Sticky Bits Set' description: |- When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
rationale: "Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.\n

\nThe only authorized public directories are those temporary directories supplied with the system, \nor those designed to be temporary file repositories. The setting is normally reserved for directories \nused by the system, by users for temporary file storage (such as /tmp), and for directories \nrequiring global read/write access." severity: unknown identifiers: cce@rhel7: 80130-8 references: cis: 1.1.21 nist: AC-6 ocil_clause: 'any world-writable directories are missing the sticky bit' ocil: |- To find world-writable directories that lack the sticky bit, run the following command:
$ sudo find / -xdev -type d -perm 002 ! -perm 1000
dir_perms_world_writable_system_owned.rule000066400000000000000000000023161327242345500355450ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/permissions/filesdocumentation_complete: true prodtype: rhel7,fedora title: 'Ensure All World-Writable Directories Are Owned by a System Account' description: |- All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. rationale: |- Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. severity: unknown identifiers: cce@rhel7: 80136-5 references: disa: 366 nist: AC-6 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "021030" ocil_clause: 'there is output' ocil: |- The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition PART:
$ sudo find PART -xdev -type d -perm -0002 -uid +499 -print
file_permissions_unauthorized_sgid.rule000066400000000000000000000017651327242345500350510ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/permissions/filesdocumentation_complete: true prodtype: rhel7,fedora,ol7 title: 'Ensure All SGID Executables Are Authorized' description: |- The SGID (set group id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SGID files. rationale: |- Executable files with the SGID permission run with the privileges of the owner of the file. SGID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system. severity: unknown identifiers: cce@rhel7: 80132-4 references: cis: 6.1.14 nist: AC-6(1) ocil_clause: 'there is output' ocil: |- To find world-writable files, run the following command:
$ sudo find / -xdev -type f -perm -002
file_permissions_unauthorized_suid.rule000066400000000000000000000017241327242345500350620ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/permissions/filesdocumentation_complete: true prodtype: rhel7,fedora,ol7 title: 'Ensure All SUID Executables Are Authorized' description: |- The SUID (set user id) bit should be set only on files that were installed via authorized means. A straightforward means of identifying unauthorized SGID files is determine if any were not installed as part of an RPM package, which is cryptographically verified. Investigate the origin of any unpackaged SUID files. rationale: |- Executable files with the SUID permission run with the privileges of the owner of the file. SUID files of uncertain provenance could allow for unprivileged users to elevate privileges. The presence of these files should be strictly controlled on the system. severity: unknown identifiers: cce@rhel7: 80133-2 references: cis: 6.1.13 nist: AC-6(1) ocil: |- To find world-writable files, run the following command:
$ sudo find / -xdev -type f -perm -002
file_permissions_unauthorized_world_writable.rule000066400000000000000000000022161327242345500371330ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/permissions/filesdocumentation_complete: true prodtype: rhel7,opensuse,fedora,ol7 title: 'Ensure No World-Writable Files Exist' description: |- It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as sysfs or procfs. rationale: |- Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files. severity: medium identifiers: cce@rhel7: 80131-6 references: cis: 6.1.10 nist: AC-6 ocil_clause: 'there is output' ocil: |- To find world-writable files, run the following command:
$ sudo find / -xdev -type f -perm -002
scap-security-guide-0.1.39/shared/guide/system/permissions/files/file_permissions_ungroupowned.rule000066400000000000000000000026101327242345500341230ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,fedora title: 'Ensure All Files Are Owned by a Group' description: |- If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. rationale: |- Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. severity: medium identifiers: cce@rhel7: 80135-7 references: cis: 6.1.12 disa: "02165" nist: AC-3(4),AC-6,IA-2 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "020330" ocil_clause: 'there is output' ocil: |- The following command will discover and print any files on local partitions which do not belong to a valid group.
$ sudo find / -xdev -fstype local -nogroup

Either remove all files and directories from the system that do not have a valid group, or assign a valid group with the chgrp command:
$ sudo chgrp group file
scap-security-guide-0.1.39/shared/guide/system/permissions/files/files.group000066400000000000000000000006131327242345500272250ustar00rootroot00000000000000documentation_complete: true title: |- Verify Permissions on Important Files and Directories description: |- Permissions for many files on a system must be set restrictively to ensure sensitive information is properly protected. This section discusses important permission restrictions which can be verified to ensure that no harmful discrepancies have arisen. scap-security-guide-0.1.39/shared/guide/system/permissions/files/no_files_unowned_by_user.rule000066400000000000000000000027471327242345500330350ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,fedora title: 'Ensure All Files Are Owned by a User' description: |- If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. rationale: |- Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. severity: medium identifiers: cce@rhel7: 80134-0 references: cis: 6.1.11 disa: "002165" nist: AC-3(4),AC-6,CM-6(b) srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "020320" ocil_clause: 'files exist that are not owned by a valid user' ocil: |- The following command will discover and print any files on local partitions which do not belong to a valid user.
$ sudo find / -xdev -fstype local -nouser


Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the chown command:
$ sudo chown user file
# Directory: scap-security-guide-0.1.39/shared/guide/system/permissions/files/permissions_important_account_files/
# File: file_groupowner_etc_group.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify Group Who Owns group File'
description: ''
rationale: |-
    The /etc/group file contains information regarding groups that are
    configured on the system. Protection of this file is important for
    system security.
severity: medium
identifiers:
    cce@rhel7: 27037-1
references:
    cis: 6.1.4
    cjis: 5.5.2.2
    disa: ""
    nist: AC-6
    pcidss: Req-8.7.c
ocil: ''

# File: file_groupowner_etc_gshadow.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify Group Who Owns gshadow File'
description: ''
rationale: |-
    The /etc/gshadow file contains group password hashes. Protection of this
    file is critical for system security.
severity: medium
identifiers:
    cce@rhel7: 26840-9
references:
    cis: 6.1.5
    disa: ""
    nist: AC-6
ocil: ''

# File: file_groupowner_etc_passwd.rule
documentation_complete: true
prodtype: rhel7,opensuse,sle11,sle12,fedora
title: 'Verify Group Who Owns passwd File'
description: ''
rationale: |-
    The /etc/passwd file contains information about the users that are
    configured on the system. Protection of this file is critical for
    system security.
severity: medium
identifiers:
    cce@rhel7: 26639-5
references:
    cis: 6.1.2
    cjis: 5.5.2.2
    disa: ""
    nist: AC-6
    pcidss: Req-8.7.c
ocil: ''

# File: file_owner_etc_group.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify User Who Owns group File'
description: ''
rationale: |-
    The /etc/group file contains information regarding groups that are
    configured on the system. Protection of this file is important for
    system security.
severity: medium
identifiers:
    cce@rhel7: 26933-2
references:
    cis: 6.1.4
    cjis: 5.5.2.2
    nist: AC-6
    pcidss: Req-8.7.c
ocil: ''

# File: file_owner_etc_gshadow.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify User Who Owns gshadow File'
description: ''
rationale: |-
    The /etc/gshadow file contains group password hashes. Protection of this
    file is critical for system security.
severity: medium
identifiers:
    cce@rhel7: 27161-9
references:
    cis: 6.1.5
    disa: ""
    nist: AC-6
ocil: ''

# File: file_owner_etc_passwd.rule
documentation_complete: true
prodtype: rhel7,opensuse,sle11,sle12,fedora
title: 'Verify User Who Owns passwd File'
description: ''
rationale: |-
    The /etc/passwd file contains information about the users that are
    configured on the system. Protection of this file is critical for
    system security.
severity: medium
identifiers:
    cce@rhel7: 27138-7
references:
    cis: 6.1.2
    cjis: 5.5.2.2
    disa: ""
    nist: AC-6
    pcidss: Req-8.7.c
ocil: ''

# File: file_permissions_etc_group.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify Permissions on group File'
description: ''
rationale: |-
    The /etc/group file contains information regarding groups that are
    configured on the system. Protection of this file is important for
    system security.
severity: medium
identifiers:
    cce@rhel7: 26949-8
references:
    cis: 6.1.4
    cjis: 5.5.2.2
    disa: ""
    nist: AC-6
    pcidss: Req-8.7.c
ocil: ''

# File: file_permissions_etc_gshadow.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify Permissions on gshadow File'
description: ''
rationale: |-
    The /etc/gshadow file contains group password hashes. Protection of this
    file is critical for system security.
severity: medium
identifiers:
    cce@rhel7: 27162-7
references:
    cis: 6.1.5
    disa: ""
    nist: AC-6
ocil: ''

# File: file_permissions_etc_passwd.rule
documentation_complete: true
prodtype: rhel7,opensuse,sle11,sle12,fedora
title: 'Verify Permissions on passwd File'
description: ''
rationale: |-
    If the /etc/passwd file is writable by a group-owner or the world, the
    risk of its compromise is increased. The file contains the list of
    accounts on the system and associated information, and protection of
    this file is critical for system security.
severity: medium
identifiers:
    cce@rhel7: 26887-0
references:
    cis: 6.1.2
    cjis: 5.5.2.2
    disa: ""
    nist: AC-6
    pcidss: Req-8.7.c
ocil: ''

# File: file_permissions_etc_shadow.rule
documentation_complete: true
prodtype: rhel7,fedora,ol7
title: 'Verify Permissions on shadow File'
description: ''
rationale: |-
    The /etc/shadow file contains the list of local system accounts and
    stores password hashes. Protection of this file is critical for system
    security. Failure to give ownership of this file to root provides the
    designated owner with access to sensitive information which could weaken
    the system security posture.
severity: medium
identifiers:
    cce@rhel7: 27100-7
references:
    cis: 6.1.3
    cjis: 5.5.2.2
    disa: ""
    nist: AC-6
    pcidss: Req-8.7.c
ocil: ''

# File: groupowner_shadow_file.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify Group Who Owns shadow File'
description: ''
rationale: |-
    The /etc/shadow file stores password hashes. Protection of this file is
    critical for system security.
severity: medium
identifiers:
    cce@rhel7: 27125-4
references:
    cis: 6.1.3
    cjis: 5.5.2.2
    disa: ""
    nist: AC-6
    pcidss: Req-8.7.c
ocil: ''

# File: permissions_important_account_files.group
documentation_complete: true
title: 'Verify Permissions on Files with Local Account Information and Credentials'
description: |-
    The default restrictive permissions for files which act as important
    security databases such as passwd, shadow, group, and gshadow files must
    be maintained. Many utilities need read access to the passwd file in
    order to function properly, but read access to the shadow file allows
    malicious attacks against system passwords, and should never be enabled.

# File: userowner_shadow_file.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify User Who Owns shadow File'
description: ''
rationale: |-
    The /etc/shadow file contains the list of local system accounts and
    stores password hashes. Protection of this file is critical for system
    security. Failure to give ownership of this file to root provides the
    designated owner with access to sensitive information which could weaken
    the system security posture.
severity: medium
identifiers:
    cce@rhel7: 26795-5
references:
    cis: 6.1.3
    cjis: 5.5.2.2
    disa: ""
    nist: AC-6
    pcidss: Req-8.7.c
ocil: ''

# Directory: scap-security-guide-0.1.39/shared/guide/system/permissions/files/permissions_within_important_dirs/
# File: file_ownership_binary_dirs.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify that System Executables Have Root Ownership'
description: |-
    System executables are stored in the following directories by default:
    /bin
    /sbin
    /usr/bin
    /usr/libexec
    /usr/local/bin
    /usr/local/sbin
    /usr/sbin
    All files in these directories should be owned by the root user. If any
    file FILE in these directories is found to be owned by a user other than
    root, correct its ownership with the following command:
    $ sudo chown root FILE
rationale: |-
    System binaries are executed by privileged users as well as system
    services, and restrictive permissions are necessary to ensure that their
    execution of these programs cannot be co-opted.
severity: medium
identifiers:
    cce@rhel7: 27119-7
references:
    disa: ""
    nist: AC-6
ocil_clause: 'any system executables are found to not be owned by root'
ocil: |-
    System executables are stored in the following directories by default:
    /bin
    /sbin
    /usr/bin
    /usr/libexec
    /usr/local/bin
    /usr/local/sbin
    /usr/sbin
    To find system executables that are not owned by root, run the following
    command for each directory DIR which contains system executables:
    $ sudo find DIR/ \! -user root
# File: file_ownership_library_dirs.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify that Shared Library Files Have Root Ownership'
description: |-
    System-wide shared library files, which are linked to executables during
    process load time or run time, are stored in the following directories
    by default:
    /lib
    /lib64
    /usr/lib
    /usr/lib64
    Kernel modules, which can be added to the kernel during runtime, are also
    stored in /lib/modules. All files in these directories should be owned by
    the root user. If the directory, or any file in these directories, is
    found to be owned by a user other than root, correct its ownership with
    the following command:
    $ sudo chown root FILE
rationale: |-
    Files from shared library directories are loaded into the address space
    of processes (including privileged ones) or of the kernel itself at
    runtime. Proper ownership is necessary to protect the integrity of the
    system.
severity: medium
identifiers:
    cce@rhel7: 26648-6
references:
    disa: ""
    nist: AC-6
ocil_clause: 'any of these files are not owned by root'
ocil: |-
    Shared libraries are stored in the following directories:
    /lib
    /lib64
    /usr/lib
    /usr/lib64

    For each of these directories, run the following command to find files
    not owned by root:
    $ sudo find -L $DIR \! -user root -exec chown root {} \;
# File: file_permissions_binary_dirs.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify that System Executables Have Restrictive Permissions'
description: |-
    System executables are stored in the following directories by default:
    /bin
    /sbin
    /usr/bin
    /usr/libexec
    /usr/local/bin
    /usr/local/sbin
    /usr/sbin
    All files in these directories should not be group-writable or
    world-writable. If any file FILE in these directories is found to be
    group-writable or world-writable, correct its permission with the
    following command:
    $ sudo chmod go-w FILE
rationale: |-
    System binaries are executed by privileged users, as well as system
    services, and restrictive permissions are necessary to ensure execution
    of these programs cannot be co-opted.
severity: medium
identifiers:
    cce@rhel7: 27075-1
references:
    disa: ""
    nist: AC-6
ocil_clause: 'any system executables are found to be group or world writable'
ocil: |-
    System executables are stored in the following directories by default:
    /bin
    /sbin
    /usr/bin
    /usr/libexec
    /usr/local/bin
    /usr/local/sbin
    /usr/sbin
    To find system executables that are group-writable or world-writable,
    run the following command for each directory DIR which contains system
    executables:
    $ sudo find -L DIR -perm /022 -type f
# File: file_permissions_library_dirs.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Verify that Shared Library Files Have Restrictive Permissions'
description: |-
    System-wide shared library files, which are linked to executables during
    process load time or run time, are stored in the following directories
    by default:
    /lib
    /lib64
    /usr/lib
    /usr/lib64
    Kernel modules, which can be added to the kernel during runtime, are
    stored in /lib/modules. All files in these directories should not be
    group-writable or world-writable. If any file in these directories is
    found to be group-writable or world-writable, correct its permission with
    the following command:
    $ sudo chmod go-w FILE
rationale: |-
    Files from shared library directories are loaded into the address space
    of processes (including privileged ones) or of the kernel itself at
    runtime. Restrictive permissions are necessary to protect the integrity
    of the system.
severity: medium
identifiers:
    cce@rhel7: 26966-2
references:
    disa: ""
    nist: AC-6
ocil_clause: 'any of these files are group-writable or world-writable'
ocil: |-
    Shared libraries are stored in the following directories:
    /lib
    /lib64
    /usr/lib
    /usr/lib64

    To find shared libraries that are group-writable or world-writable, run
    the following command for each directory DIR which contains shared
    libraries:
    $ sudo find -L DIR -perm /022 -type f
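The account-file rules (owner, group and mode of passwd, group, shadow and gshadow) and the important-directory rules (files under the executable and library directories that are not owned by root, or that are group- or world-writable) all reduce to the same two checks. The script below is an added example, not part of the SCAP Security Guide sources, that implements both as shell functions and exercises them on a constructed temporary tree rather than on the live /etc or /usr, so it runs as an unprivileged user. It assumes GNU stat and find. The forbidden-bit masks are the example's own reading of the group description: 022 for passwd and group (no group or world write) and 077 for shadow and gshadow (no group or world access at all); the guide's rules themselves only state the prose requirement.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide sources. Audits the
# account files and the "important directories" the way the rules above
# describe, against a constructed tree instead of the real system.
# Assumes GNU stat (-c) and GNU find (-perm /MASK, -uid).

# audit_account_file FILE OWNER GROUP MASK
# Prints one finding per line and returns 1 when FILE is not owned by
# OWNER:GROUP or when its mode has any bit of the octal MASK set.
# Example masks (assumption drawn from the group description): 022 for
# /etc/passwd and /etc/group, 077 for /etc/shadow and /etc/gshadow.
audit_account_file() {
    file=$1 want_owner=$2 want_group=$3 mask=$4 status=0
    [ -e "$file" ] || { echo "$file: missing"; return 1; }
    set -- $(stat -c '%a %U %G' "$file")   # octal mode, owner, group
    mode=$1 owner=$2 group=$3
    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owner is $owner, expected $want_owner"; status=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$file: group is $group, expected $want_group"; status=1
    fi
    # A leading 0 makes the shell read both values as octal constants.
    if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
        echo "$file: mode $mode sets forbidden bits (mask $mask)"; status=1
    fi
    return $status
}

# count_not_owned_by_uid DIR UID
# Number of regular files below DIR (symlinks followed, like 'find -L')
# not owned by UID: the '$ sudo find DIR/ \! -user root' check, with a
# numeric uid so it can be exercised on a tree owned by an ordinary user.
count_not_owned_by_uid() {
    find -L "$1" -type f ! -uid "$2" | awk 'END { print NR }'
}

# count_group_world_writable DIR
# Number of regular files below DIR with any group or world write bit:
# exactly the '$ sudo find -L DIR -perm /022 -type f' check.
count_group_world_writable() {
    find -L "$1" -perm /022 -type f | awk 'END { print NR }'
}

# make_demo_tree
# Constructed stand-in for /etc and /usr/local/bin; prints its path.
# passwd is fine, shadow is deliberately group-readable (trips the 077
# mask), and one script is deliberately group- and world-writable.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/local/bin"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/etc/passwd"
    printf 'root:*:18000:0:99999:7:::\n' > "$root/etc/shadow"
    printf '#!/bin/sh\necho ok\n' > "$root/usr/local/bin/good"
    printf '#!/bin/sh\necho oops\n' > "$root/usr/local/bin/bad"
    chmod 644 "$root/etc/passwd"
    chmod 640 "$root/etc/shadow"
    chmod 755 "$root/usr/local/bin/good"
    chmod 777 "$root/usr/local/bin/bad"
    echo "$root"
}

# Stand-alone demonstration, auditing the constructed tree as the current
# user (on a real system the expected owner and group are both root).
run_demo() {
    t=$(make_demo_tree)
    me=$(id -un) mygroup=$(id -gn)
    audit_account_file "$t/etc/passwd" "$me" "$mygroup" 022 && echo "$t/etc/passwd: ok"
    audit_account_file "$t/etc/shadow" "$me" "$mygroup" 077 && echo "$t/etc/shadow: ok"
    echo "files not owned by uid $(id -u): $(count_not_owned_by_uid "$t" "$(id -u)")"
    echo "group/world-writable under usr/local/bin: $(count_group_world_writable "$t/usr/local/bin")"
    rm -rf "$t"
}
run_demo
```

On a real host the same functions would be pointed at /etc/passwd, /etc/shadow and each of the directories the rules list, with root as the expected owner and group; the counts then map directly onto the `ocil` checks above, and a non-zero count or a non-zero exit from `audit_account_file` is the condition the remediation commands (`chown root FILE`, `chmod go-w FILE`) address.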
# File: permissions_within_important_dirs.group
documentation_complete: true
title: 'Verify File Permissions Within Some Important Directories'
description: |-
    Some directories contain files whose confidentiality or integrity is
    notably important and may also be susceptible to misconfiguration over
    time, particularly if unpackaged software is installed. As such, an
    argument exists to verify that files' permissions within these
    directories remain configured correctly and restrictively.

# Directory: scap-security-guide-0.1.39/shared/guide/system/permissions/mounting/
# File: bios_assign_password.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Assign Password to Prevent Changes to Boot Firmware Configuration'
description: |-
    Assign a password to the system boot firmware (historically called BIOS
    on PC systems) to require a password for any configuration changes.
rationale: |-
    Assigning a password to the system boot firmware prevents anyone with
    physical access from configuring the system to boot from local media and
    circumvent the operating system's access controls. For systems in
    physically secure locations, such as a data center or Sensitive
    Compartmented Information Facility (SCIF), this risk must be weighed
    against the risk of administrative personnel being unable to conduct
    recovery operations in a timely fashion.
severity: unknown
identifiers:
    cce@rhel7: 27194-0

# File: bios_disable_usb_boot.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Booting from USB Devices in Boot Firmware'
description: |-
    Configure the system boot firmware (historically called BIOS on PC
    systems) to disallow booting from USB drives.
rationale: |-
    Booting a system from a USB device would allow an attacker to circumvent
    any security measures provided by the operating system. Attackers could
    mount partitions and modify the configuration of the OS.
severity: unknown
identifiers:
    cce@rhel7: 26960-5
references:
    disa: 1250
    nist: AC-19(a),AC-19(d),AC-19(e)

# File: bootloader_nousb_argument.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Kernel Support for USB via Bootloader Configuration'
description: |-
    All USB support can be disabled by adding the nousb argument to the
    kernel's boot loader configuration. To do so, append "nousb" to the
    kernel line in /etc/default/grub as shown:
    kernel /vmlinuz-VERSION ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb
    WARNING: Disabling all kernel support for USB will cause problems for
    systems with USB-based keyboards, mice, or printers. This configuration
    is infeasible for systems which require USB devices, which is common.
rationale: |-
    Disabling the USB subsystem within the Linux kernel at system boot will
    protect against potentially malicious USB devices, although it is only
    practical in specialized systems.
severity: unknown
identifiers:
    cce@rhel7: 26548-8
references:
    disa: 1250
    hipaa: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.310(d)(1),164.310(d)(2),164.312(a)(1),164.312(a)(2)(iv),164.312(b)
    nist: AC-19(a),AC-19(d),AC-19(e)

# File: kernel_module_cramfs_disabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Mounting of cramfs'
description: |-
    This effectively prevents usage of this uncommon filesystem.
rationale: |-
    Linux kernel modules which implement filesystems that are not needed by
    the local system should be disabled.
severity: low
identifiers:
    cce@rhel7: 80137-3
references:
    cis: 1.1.1.1
    cui: 3.4.6
    nist: CM-7

# File: kernel_module_freevxfs_disabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Mounting of freevxfs'
description: |-
    This effectively prevents usage of this uncommon filesystem.
rationale: |-
    Linux kernel modules which implement filesystems that are not needed by
    the local system should be disabled.
severity: low
identifiers:
    cce@rhel7: 80138-1
references:
    cis: 1.1.1.2
    cui: 3.4.6
    nist: CM-7

# File: kernel_module_hfs_disabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Mounting of hfs'
description: |-
    This effectively prevents usage of this uncommon filesystem.
rationale: |-
    Linux kernel modules which implement filesystems that are not needed by
    the local system should be disabled.
severity: low
identifiers:
    cce@rhel7: 80140-7
references:
    cis: 1.1.1.4
    cui: 3.4.6
    nist: CM-7

# File: kernel_module_hfsplus_disabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Mounting of hfsplus'
description: |-
    This effectively prevents usage of this uncommon filesystem.
rationale: |-
    Linux kernel modules which implement filesystems that are not needed by
    the local system should be disabled.
severity: low
identifiers:
    cce@rhel7: 80141-5
references:
    cis: 1.1.1.5
    cui: 3.4.6
    nist: CM-7

# File: kernel_module_jffs2_disabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Mounting of jffs2'
description: |-
    This effectively prevents usage of this uncommon filesystem.
rationale: |-
    Linux kernel modules which implement filesystems that are not needed by
    the local system should be disabled.
severity: low
identifiers:
    cce@rhel7: 80139-9
references:
    cis: 1.1.1.3
    cui: 3.4.6
    nist: CM-7

# File: kernel_module_squashfs_disabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Mounting of squashfs'
description: |-
    This effectively prevents usage of this uncommon filesystem.
rationale: |-
    Linux kernel modules which implement filesystems that are not needed by
    the local system should be disabled.
severity: low
identifiers:
    cce@rhel7: 80142-3
references:
    cis: 1.1.1.6
    cui: 3.4.6
    nist: CM-7

# File: kernel_module_udf_disabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Mounting of udf'
description: |-
    This effectively prevents usage of this uncommon filesystem.
rationale: |-
    Linux kernel modules which implement filesystems that are not needed by
    the local system should be disabled.
severity: low
identifiers:
    cce@rhel7: 80143-1
references:
    cis: 1.1.1.7
    cui: 3.4.6
    nist: CM-7

# File: kernel_module_usb-storage_disabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Modprobe Loading of USB Storage Driver'
description: |-
    To prevent USB storage devices from being used, configure the kernel
    module loading system to prevent automatic loading of the USB storage
    driver. This will prevent the modprobe program from loading the
    usb-storage module, but will not prevent an administrator (or another
    program) from using the insmod program to load the module manually.
rationale: |-
    USB storage devices such as thumb drives can be used to introduce
    malicious software.
severity: medium
identifiers:
    cce@rhel7: 27277-3
references:
    cui: 3.1.21
    disa: 366,778,1958
    hipaa: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.310(d)(1),164.310(d)(2),164.312(a)(1),164.312(a)(2)(iv),164.312(b)
    nist: AC-19(a),AC-19(d),AC-19(e),IA-3
    srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-0016,SRG-OS-000480-GPOS-00227
    stigid@rhel7: "020100"
ocil: ''

# File: mounting.group
documentation_complete: true
title: |-
    Restrict Dynamic Mounting and Unmounting of Filesystems
description: |-
    Linux includes a number of facilities for the automated addition and
    removal of filesystems on a running system. These facilities may be
    necessary in many environments, but this capability also carries some
    risk -- whether direct risk from allowing users to introduce arbitrary
    filesystems, or risk that software flaws in the automated mount facility
    itself could allow an attacker to compromise the system.

    This command can be used to list the types of filesystems that are
    available to the currently executing kernel:
    $ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'
    If these filesystems are not required then they can be explicitly
    disabled in a configuration file in /etc/modprobe.d.

# File: service_autofs_disabled.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable the Automounter'
description: |-
    The autofs daemon mounts and unmounts filesystems, such as user home
    directories shared via NFS, on demand. In addition, autofs can be used to
    handle removable media, and the default configuration provides the cdrom
    device as /misc/cd. However, this method of providing access to
    removable media is not common, so autofs can almost always be disabled
    if NFS is not in use. Even if NFS is required, it may be possible to
    configure filesystem mounts statically by editing /etc/fstab rather than
    relying on the automounter.
rationale: |-
    Disabling the automounter permits the administrator to statically
    control filesystem mounting through /etc/fstab.

    Additionally, automatically mounting filesystems permits easy
    introduction of unknown devices, thereby facilitating malicious
    activity.
severity: medium
identifiers:
    cce@rhel7: 27498-5
references:
    cis: 1.1.22
    cui: 3.4.6
    disa: 366,778,1958
    hipaa: 164.308(a)(3)(i),164.308(a)(3)(ii)(A),164.310(d)(1),164.310(d)(2),164.312(a)(1),164.312(a)(2)(iv),164.312(b)
    nist: AC-19(a),AC-19(d),AC-19(e),IA-3
    srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
    stigid@rhel7: "020110"
ocil: ''

# Directory: scap-security-guide-0.1.39/shared/guide/system/permissions/partitions/
# File: mount_option_dev_shm_nodev.rule
documentation_complete: true
prodtype: rhel7,fedora,ol7
title: 'Add nodev Option to /dev/shm'
description: |-
    The nodev mount option can be used to prevent creation of device files
    in /dev/shm. Legitimate character and block devices should not exist
    within temporary directories like /dev/shm.
rationale: |-
    The only legitimate location for device files is the /dev directory
    located on the root partition. The only exception to this is chroot
    jails.
severity: unknown
identifiers:
    cce@rhel7: 80152-2
references:
    cis: 1.1.15
    nist: CM-7,MP-2

# File: mount_option_dev_shm_noexec.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Add noexec Option to /dev/shm'
description: |-
    The noexec mount option can be used to prevent binaries from being
    executed out of /dev/shm. It can be dangerous to allow the execution of
    binaries from world-writable temporary storage directories such as
    /dev/shm.
rationale: |- Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise. severity: unknown identifiers: cce@rhel7: 80153-0 references: cis: 1.1.17 nist: CM-7,MP-2 mount_option_dev_shm_nosuid.rule000066400000000000000000000012421327242345500345700ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/permissions/partitionsdocumentation_complete: true prodtype: rhel7,fedora,ol7 title: 'Add nosuid Option to /dev/shm' description: |- The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. rationale: |- The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. severity: unknown identifiers: cce@rhel7: 80154-8 references: cis: 1.1.16 nist: CM-7,MP-2 scap-security-guide-0.1.39/shared/guide/system/permissions/partitions/mount_option_home_nodev.rule000066400000000000000000000012661327242345500337720ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Add nodev Option to /home' description: |- The nodev mount option can be used to prevent device files from being created in /home. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. rationale: |- The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. 
severity: unknown identifiers: cce@rhel7: TBD references: cis: 1.1.14 scap-security-guide-0.1.39/shared/guide/system/permissions/partitions/mount_option_home_nosuid.rule000066400000000000000000000012441327242345500341540ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Add nosuid Option to /home' description: |- The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. rationale: |- The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. severity: unknown identifiers: cce@rhel7: 81153-9 references: cis: 1.1.3 nist: CM-7,MP-2 stigid@rhel7: "021000" mount_option_nodev_nonroot_local_partitions.rule000066400000000000000000000016411327242345500401040ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/permissions/partitionsdocumentation_complete: true prodtype: rhel7,fedora title: 'Add nodev Option to Non-Root Local Partitions' description: "The nodev mount option prevents files from being\ninterpreted as character or block devices. \nLegitimate character and block devices should exist only in\nthe /dev directory on the root partition or within chroot\njails built for system services.\n" rationale: |- The nodev mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems. 
severity: unknown identifiers: cce@rhel7: 80145-6 references: cis: 1.1.11 nist: CM-7 mount_option_nodev_removable_partitions.rule000066400000000000000000000015731327242345500372140ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/permissions/partitionsdocumentation_complete: true prodtype: rhel7,fedora title: 'Add nodev Option to Removable Media Partitions' description: |- The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. rationale: |- The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems. severity: unknown identifiers: cce@rhel7: 80146-4 references: cis: 1.1.18 nist: AC-19(a),AC-19(d),AC-19(e),CM-7,MP-2 mount_option_noexec_removable_partitions.rule000066400000000000000000000021671327242345500373620ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/permissions/partitionsdocumentation_complete: true prodtype: rhel7,fedora title: 'Add noexec Option to Removable Media Partitions' description: "The noexec mount option prevents the direct\nexecution of binaries on the mounted filesystem. \nPreventing the direct execution of binaries from removable media (such as a USB\nkey) provides a defense against malicious software that may be present on such\nuntrusted media.\n" rationale: |- Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. 
severity: unknown identifiers: cce@rhel7: 80147-2 references: cis: 1.1.20 disa: 87 nist: AC-19(a),AC-19(d),AC-19(e),CM-7,MP-2 ocil_clause: 'removable media partitions are present' ocil: |- To verify that binaries cannot be directly executed from removable media, run the following command:
$ grep -v noexec /etc/fstab
The resulting output will show partitions which do not have the noexec flag. Verify all partitions in the output are not removable media. mount_option_nosuid_removable_partitions.rule000066400000000000000000000020741327242345500373770ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/permissions/partitionsdocumentation_complete: true prodtype: rhel7,fedora title: 'Add nosuid Option to Removable Media Partitions' description: |- The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. rationale: |- The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. severity: unknown identifiers: cce@rhel7: 80148-0 references: cis: 1.1.19 disa: 366 nist: AC-6,AC-19(a),AC-19(d),AC-19(e),CM-7,MP-2 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "021010" scap-security-guide-0.1.39/shared/guide/system/permissions/partitions/mount_option_tmp_nodev.rule000066400000000000000000000012121327242345500336310ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,fedora title: 'Add nodev Option to /tmp' description: "The nodev mount option can be used to prevent device files from\nbeing created in /tmp.\nLegitimate character and block devices should not exist\nwithin temporary directories like /tmp. \n" rationale: |- The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. 
severity: unknown
identifiers:
    cce@rhel7: 80149-8
references:
    cis: 1.1.3
    nist: CM-7,MP-2

scap-security-guide-0.1.39/shared/guide/system/permissions/partitions/mount_option_tmp_noexec.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Add noexec Option to /tmp'
description: |-
    The noexec mount option can be used to prevent binaries from being executed out of /tmp.
rationale: |-
    Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise.
severity: unknown
identifiers:
    cce@rhel7: 80150-6
references:
    cis: 1.1.5
    nist: CM-7,MP-2

scap-security-guide-0.1.39/shared/guide/system/permissions/partitions/mount_option_tmp_nosuid.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Add nosuid Option to /tmp'
description: |-
    The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories.
rationale: |-
    The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
severity: unknown
identifiers:
    cce@rhel7: 80151-4
references:
    cis: 1.1.4
    nist: CM-7,MP-2

scap-security-guide-0.1.39/shared/guide/system/permissions/partitions/mount_option_var_tmp_bind.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Bind Mount /var/tmp To /tmp'
description: "The /var/tmp directory is a world-writable directory. \nBind-mount it to /tmp in order to consolidate temporary storage into\none location protected by the same techniques as /tmp. To do so, edit\n/etc/fstab and add the following line:\n
    /tmp     /var/tmp     none     rw,nodev,noexec,nosuid,bind     0 0
    \nSee the mount(8) man page for further explanation of bind mounting."
rationale: |-
    Having multiple locations for temporary storage is not required. Unless absolutely necessary to meet requirements, the storage location /var/tmp should be bind mounted to /tmp and thus share the same protections.
severity: unknown
identifiers:
    cce@rhel7: 80155-5
references:
    cis: 1.1.6
    nist: CM-7

scap-security-guide-0.1.39/shared/guide/system/permissions/partitions/mount_option_var_tmp_nodev.rule
documentation_complete: true
prodtype: rhel7
title: 'Add nodev Option to /var/tmp'
description: "The nodev mount option can be used to prevent device files from\nbeing created in /var/tmp.\nLegitimate character and block devices should not exist\nwithin temporary directories like /var/tmp. \n"
rationale: |-
    The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
severity: unknown
identifiers:
    cce@rhel7: TBD
references:
    cis: 1.1.8

scap-security-guide-0.1.39/shared/guide/system/permissions/partitions/mount_option_var_tmp_noexec.rule
documentation_complete: true
prodtype: rhel7
title: 'Add noexec Option to /var/tmp'
description: |-
    The noexec mount option can be used to prevent binaries from being executed out of /var/tmp.
rationale: |-
    Allowing users to execute binaries from world-writable directories such as /var/tmp should never be necessary in normal operation and can expose the system to potential compromise.
severity: unknown
identifiers:
    cce@rhel7: TBD
references:
    cis: 1.1.10

scap-security-guide-0.1.39/shared/guide/system/permissions/partitions/mount_option_var_tmp_nosuid.rule
documentation_complete: true
prodtype: rhel7
title: 'Add nosuid Option to /var/tmp'
description: |-
    The nosuid mount option can be used to prevent execution of setuid programs in /var/tmp. The SUID and SGID permissions should not be required in these world-writable directories.
rationale: |-
    The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
severity: unknown
identifiers:
    cce@rhel7: TBD
references:
    cis: 1.1.9

scap-security-guide-0.1.39/shared/guide/system/permissions/partitions/partitions.group
documentation_complete: true
title: 'Restrict Partition Mount Options'
description: |-
    System partitions can be mounted with certain options that limit what files on those partitions can do. These options are set in the /etc/fstab configuration file, and can be used to make certain types of malicious behavior more difficult.

scap-security-guide-0.1.39/shared/guide/system/permissions/partitions/var_removable_partition.var
documentation_complete: true
title: 'Removable Partition'
description: |-
    This value is used by the checks mount_option_nodev_removable_partitions, mount_option_noexec_removable_partitions, and mount_option_nosuid_removable_partitions to ensure that the correct mount options are set on partitions mounted from removable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable partitions that are required on the local system.
type: string
operator: equals
interactive: false
options:
    dev_cdrom: /dev/cdrom

scap-security-guide-0.1.39/shared/guide/system/permissions/permissions.group
documentation_complete: true
title: 'File Permissions and Masks'
description: "Traditional Unix security relies heavily on file and\ndirectory permissions to prevent unauthorized users from reading or\nmodifying files to which they should not have access. \n
    \nSeveral of the commands in this section search filesystems\nfor files or directories with certain characteristics, and are\nintended to be run on every local partition on a given system.\nWhen the variable PART appears in one of the commands below,\nit means that the command is intended to be run repeatedly, with the\nname of each local partition substituted for PART in turn.\n
    \nThe following command prints a list of all xfs partitions on the local\nsystem, which is the default filesystem for Red Hat Enterprise Linux\n7 installations:\n
    $ mount -t xfs | awk '{print $3}'
    \nFor any systems that use a different\nlocal filesystem type, modify this command as appropriate."

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/coredumps/coredumps.group
documentation_complete: true
title: 'Disable Core Dumps'
description: |-
    A core dump file is the memory image of an executable program when it was terminated by the operating system due to errant behavior. In most cases, only software developers legitimately need to access these files. The core dump files may also contain sensitive information, or unnecessarily occupy large amounts of disk space.

    Once a hard limit is set in /etc/security/limits.conf, a user cannot increase that limit within his or her own session. If access to core dumps is required, consider restricting them to only certain users or groups. See the limits.conf man page for more information.

    The core dumps of setuid programs are further protected. The sysctl variable fs.suid_dumpable controls whether the kernel allows core dumps from these programs at all. The default value of 0 is recommended.

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/coredumps/disable_users_coredumps.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Core Dumps for All Users'
description: |-
    To disable core dumps for all users, add the following line to /etc/security/limits.conf:
    *     hard   core    0
rationale: |-
    A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
severity: unknown
identifiers:
    cce@rhel7: 80169-6
references:
    cis: 1.5.1
    nist: SC-5
ocil_clause: 'it is not'
ocil: |-
    To verify that core dumps are disabled for all users, run the following command:
    $ grep core /etc/security/limits.conf
    The output should be:
    *     hard   core    0

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/coredumps/sysctl_fs_suid_dumpable.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Disable Core Dumps for SUID programs'
description: ''
rationale: |-
    The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.
severity: unknown
identifiers:
    cce@rhel7: 26900-1
references:
    cis: 1.5.1
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    nist: SI-11
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/daemon_umask/daemon_umask.group
documentation_complete: true
title: 'Daemon Umask'
description: |-
    The umask is a per-process setting which limits the default permissions for creation of new files and directories. The system includes initialization scripts which set the default umask for system daemons.

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Set Daemon Umask'
description: |-
    The file /etc/init.d/functions includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files.
    To set the default umask for daemons, edit the following line, inserting 022 or 027 for UMASK appropriately:
    umask 
    Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.
rationale: |-
    The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.
severity: unknown
identifiers:
    cce@rhel7: 27068-6
references:
    nist: AC-6
ocil_clause: 'it does not'
ocil: |-
    To check the value of the umask, run the following command:
    $ grep umask /etc/init.d/functions
    The output should show either 022 or 027.

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/daemon_umask/var_umask_for_daemons.var
documentation_complete: true
title: 'daemon umask'
description: 'Enter umask for daemons'
type: string
operator: equals
interactive: false
options:
    "022": "022"
    "027": "027"
    default: "022"

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/enable_execshield_settings/enable_execshield_settings.group
documentation_complete: true
title: 'Enable ExecShield'
description: "ExecShield describes kernel features that provide\nprotection against exploitation of memory corruption errors such as buffer\noverflows. These features include random placement of the stack and other\nmemory regions, prevention of execution in memory that should only hold data,\nand special handling of text buffers. These protections are enabled by default\non 32-bit systems and controlled through sysctl variables \nkernel.exec-shield and kernel.randomize_va_space. On the latest\n64-bit systems, kernel.exec-shield cannot be enabled or disabled with \nsysctl."

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Enable ExecShield'
description: "By default on Red Hat Enterprise Linux 7 64-bit systems, ExecShield\nis enabled and can only be disabled if the hardware does not support ExecShield\nor is disabled in /etc/default/grub.
    For Red Hat Enterprise Linux 7 \n32-bit systems, sysctl can be used to enable ExecShield."
rationale: "ExecShield uses the segmentation feature on all x86 systems\nto prevent execution in memory higher than a certain address. It\nwrites an address as a limit in the code segment descriptor, to\ncontrol where code can be executed, on a per-process basis. When\nthe kernel places a process's memory regions such as the stack and\nheap higher than this address, the hardware prevents execution in that\naddress range. This is enabled by default on the latest Red Hat and Fedora \nsystems if supported by the hardware."
severity: medium
identifiers:
    cce@rhel7: 27211-2
references:
    cis: 1.5.2
    cui: 3.1.7
    disa: 2530
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    nist: SC-39
ocil_clause: 'ExecShield is not supported by the hardware, is not enabled, or has been disabled by the kernel configuration.'
ocil: |-
    To verify ExecShield is enabled on 64-bit Red Hat Enterprise Linux 7 systems, run the following command:
    $ dmesg | grep '[NX|DX]*protection'
    The output should not contain 'disabled by kernel command line option'. To verify that ExecShield has not been disabled in the kernel configuration, run the following command:
    $ sudo grep noexec /boot/grub2/grub.cfg
    The output should not return noexec=off. For 32-bit Red Hat Enterprise Linux 7 systems, run the following command:
    $ sysctl kernel.exec-shield
    The output should be:

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Enable Randomized Layout of Virtual Address Space'
description: ''
rationale: "Address space layout randomization (ASLR) makes it more difficult\nfor an attacker to predict the location of attack code they have introduced\ninto a process's address space during an attempt at exploitation. Additionally, ASLR \nmakes it more difficult for an attacker to know the location of existing code\nin order to re-purpose it using return oriented programming (ROP) techniques."
severity: medium
identifiers:
    cce@rhel7: 27127-0
references:
    cis: 1.5.1
    cui: 3.1.7
    disa: 366
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    nist: SC-30(2)
    srg: SRG-OS-000480-GPOS-00227
    stigid: "040201"
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/enable_nx/bios_enable_execution_restrictions.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Enable NX or XD Support in the BIOS'
description: |-
    Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems.
rationale: |-
    Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will.
severity: unknown
identifiers:
    cce@rhel7: 27099-1
references:
    cui: 3.1.7
    nist: CM-6(b)

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/enable_nx/enable_nx.group
documentation_complete: true
title: |-
    Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems
description: "Recent processors in the x86 family support the\nability to prevent code execution on a per memory page basis.\nGenerically and on AMD processors, this ability is called No\nExecute (NX), while on Intel processors it is called Execute\nDisable (XD). This ability can help prevent exploitation of buffer\noverflow vulnerabilities and should be activated whenever possible.\nExtra steps must be taken to ensure that this protection is\nenabled, particularly on 32-bit x86 systems. Other processors, such\nas Itanium and POWER, have included such support since inception\nand the standard kernel for those platforms supports the\nfeature. This is enabled by default on the latest Red Hat and \nFedora systems if supported by the hardware."

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Install PAE Kernel on Supported 32-bit x86 Systems'
description: |-
    Systems that are using the 64-bit x86 kernel package do not need to install the kernel-PAE package because the 64-bit x86 kernel already includes this support. However, if the system is 32-bit and also supports the PAE and NX features as determined in the previous section, the kernel-PAE package should be installed to enable XD or NX support:
    $ sudo yum install kernel-PAE
    The installation process should also have configured the bootloader to load the new kernel at boot. Verify this at reboot and modify /etc/default/grub if necessary.
rationale: |-
    On 32-bit systems that support the XD or NX bit, the vendor-supplied PAE kernel is required to enable either Execute Disable (XD) or No Execute (NX) support.
severity: unknown
identifiers:
    cce@rhel7: 27116-3
references:
    cui: 3.1.7
    nist: CM-6(b)

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/restrictions.group
documentation_complete: true
title: 'Restrict Programs from Dangerous Execution Patterns'
description: |-
    The recommendations in this section are designed to ensure that the system's features to protect against potentially dangerous program execution are activated. These protections are applied at the system initialization or kernel level, and defend against certain types of badly-configured or compromised programs.

scap-security-guide-0.1.39/shared/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Restrict Access to Kernel Message Buffer'
description: ''
rationale: "Unprivileged access to the kernel syslog can expose sensitive kernel \naddress information."
severity: unknown
identifiers:
    cce@rhel7: 27050-4
references:
    cui: 3.1.5
    disa: 1314
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    nist: SI-11
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/docker_selinux_enabled.rule
documentation_complete: true
prodtype: rhel7
title: 'Ensure SELinux support is enabled in Docker'
description: |-
    To enable SELinux for the Docker service, the Docker service must be configured to run the Docker daemon with the --selinux-enabled option. In the /etc/sysconfig/docker configuration file, add or correct the following line to enable SELinux support in the Docker daemon:
    OPTIONS='--selinux-enabled'
rationale: |-
    If SELinux is not explicitly enabled in the Docker daemon configuration, Docker does not use SELinux, which means Docker runs unconfined and SELinux will not provide security separation for Docker container processes. Enabling SELinux for the Docker service prevents an attacker or rogue container from attacking other container processes and content, and from taking over the host operating system.
severity: high
identifiers:
    cce@rhel7: 80442-7

scap-security-guide-0.1.39/shared/guide/system/selinux/enable_selinux_bootloader.rule
documentation_complete: true
prodtype: rhel7,fedora
title: 'Ensure SELinux Not Disabled in /etc/default/grub'
description: |-
    SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.
rationale: |-
    Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
severity: medium
identifiers:
    cce@rhel7: 26961-3
references:
    cis: 1.6.1.1
    cui: 3.1.2,3.7.2
    disa: 22,32
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    nist: AC-3,AC-3(3),AC-3(4),AC-4,AC-6,AU-9,SI-6(a)
ocil_clause: 'SELinux is disabled at boot time'
ocil: |-
    Inspect /etc/default/grub for any instances of selinux=0 in the kernel boot arguments. Presence of selinux=0 indicates that SELinux is disabled at boot time.
scap-security-guide-0.1.39/shared/guide/system/selinux/package_mcstrans_removed.rule000066400000000000000000000013711327242345500310000ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,fedora title: 'Uninstall mcstrans Package' description: |- The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf. rationale: |- Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system. NOTE: This rule was added in support of the CIS RHEL6 v1.2.0 benchmark. Please note that Red Hat does not feel this rule is security relevant. severity: unknown identifiers: cce@rhel7: 80445-0 references: cis@rhel7: 1.6.1.5 scap-security-guide-0.1.39/shared/guide/system/selinux/package_setroubleshoot_removed.rule000066400000000000000000000010561327242345500322270ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,fedora title: 'Uninstall setroubleshoot Package' description: |- The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. rationale: |- The SETroubleshoot service is an unnecessary daemon to have running on a server severity: unknown identifiers: cce@rhel7: 80444-3 references: cis: 1.6.1.4 scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/000077500000000000000000000000001327242345500263465ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_abrt_anon_write.rule000066400000000000000000000011141327242345500337540ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the abrt_anon_write SELinux Boolean' description: |- By default, the SELinux boolean abrt_anon_write is disabled. 
If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: 80419-5 references: cui: 3.7.2 disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'abrt_anon_write is not disabled' ocil: '' sebool_abrt_handle_event.rule000066400000000000000000000011261327242345500341670ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the abrt_handle_event SELinux Boolean' description: |- By default, the SELinux boolean abrt_handle_event is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: 80420-3 references: cui: 3.7.2 disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'abrt_handle_event is not disabled' ocil: '' sebool_abrt_upload_watch_anon_write.rule000066400000000000000000000013561327242345500364370ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the abrt_upload_watch_anon_write SELinux Boolean' description: |- By default, the SELinux boolean abrt_upload_watch_anon_write is enabled. This setting should be disabled as it allows the Automatic Bug Report Tool (ABRT) to modify public files used for public file transfer services. rationale: "" severity: medium identifiers: cce@rhel7: 80421-1 references: cui: 3.7.2 disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'abrt_upload_watch_anon_write is not disabled' ocil: '' sebool_antivirus_can_scan_system.rule000066400000000000000000000012621327242345500360010ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Enable the antivirus_can_scan_system SELinux Boolean' description: |- By default, the SELinux boolean antivirus_can_scan_system is disabled. 
This setting should be enabled as it allows antivirus programs to read non-security files on a system. rationale: "" severity: medium identifiers: cce@rhel7: 80422-9 references: cui: 3.7.2 disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'antivirus_can_scan_system is not enabled' ocil: '' sebool_antivirus_use_jit.rule000066400000000000000000000011261327242345500342710ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the antivirus_use_jit SELinux Boolean' description: |- By default, the SELinux boolean antivirus_use_jit is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: 80423-7 references: cui: 3.7.2 disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'antivirus_use_jit is not disabled' ocil: '' sebool_auditadm_exec_content.rule000066400000000000000000000011471327242345500350540ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Enable the auditadm_exec_content SELinux Boolean' description: |- By default, the SELinux boolean auditadm_exec_content is enabled. If this setting is disabled, it should be enabled. rationale: "" severity: medium identifiers: cce@rhel7: 80424-5 references: cui: 80424-5 disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'auditadm_exec_content is not enabled' ocil: '' sebool_authlogin_nsswitch_use_ldap.rule000066400000000000000000000012101327242345500363050ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the authlogin_nsswitch_use_ldap SELinux Boolean' description: |- By default, the SELinux boolean authlogin_nsswitch_use_ldap is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: 80425-2 references: cui: 3.7.2 disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'authlogin_nsswitch_use_ldap is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_authlogin_radius.rule000066400000000000000000000011211327242345500341360ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the authlogin_radius SELinux Boolean' description: |- By default, the SELinux boolean authlogin_radius is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: 80426-0 references: cui: 3.7.2 disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'authlogin_radius is not disabled' ocil: '' sebool_authlogin_yubikey.rule000066400000000000000000000011261327242345500342560ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the authlogin_yubikey SELinux Boolean' description: |- By default, the SELinux boolean authlogin_yubikey is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: 80427-8 references: cui: 3.7.2 disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'authlogin_yubikey is not disabled' ocil: '' sebool_awstats_purge_apache_log_files.rule000066400000000000000000000012271327242345500367410ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the awstats_purge_apache_log_files SELinux Boolean' description: |- By default, the SELinux boolean awstats_purge_apache_log_files is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: 80428-6 references: cui: 3.7.2 disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'awstats_purge_apache_log_files is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_boinc_execmem.rule000066400000000000000000000010571327242345500334020ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the boinc_execmem SELinux Boolean' description: |- By default, the SELinux boolean boinc_execmem is enabled. This setting should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: 80429-4 references: cui: 3.7.2 disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'boinc_execmem is not disabled' ocil: '' sebool_cdrecord_read_content.rule000066400000000000000000000011411327242345500350320ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the cdrecord_read_content SELinux Boolean' description: |- By default, the SELinux boolean cdrecord_read_content is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'cdrecord_read_content is not disabled' ocil: '' sebool_cluster_can_network_connect.rule000066400000000000000000000011771327242345500363150ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the cluster_can_network_connect SELinux Boolean' description: |- By default, the SELinux boolean cluster_can_network_connect is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'cluster_can_network_connect is not disabled' ocil: '' sebool_cluster_manage_all_files.rule000066400000000000000000000011601327242345500355240ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the cluster_manage_all_files SELinux Boolean' description: |- By default, the SELinux boolean cluster_manage_all_files is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'cluster_manage_all_files is not disabled' ocil: '' sebool_cluster_use_execmem.rule000066400000000000000000000011271327242345500345640ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the cluster_use_execmem SELinux Boolean' description: |- By default, the SELinux boolean cluster_use_execmem is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'cluster_use_execmem is not disabled' ocil: '' sebool_cobbler_anon_write.rule000066400000000000000000000011221327242345500343540ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the cobbler_anon_write SELinux Boolean' description: |- By default, the SELinux boolean cobbler_anon_write is disabled. If this setting is enabled, it should be disabled. 
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'cobbler_anon_write is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_cobbler_can_network_connect.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the cobbler_can_network_connect SELinux Boolean'
description: |-
    By default, the SELinux boolean cobbler_can_network_connect is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'cobbler_can_network_connect is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_cobbler_use_cifs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the cobbler_use_cifs SELinux Boolean'
description: |-
    By default, the SELinux boolean cobbler_use_cifs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'cobbler_use_cifs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_cobbler_use_nfs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the cobbler_use_nfs SELinux Boolean'
description: |-
    By default, the SELinux boolean cobbler_use_nfs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'cobbler_use_nfs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_collectd_tcp_network_connect.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the collectd_tcp_network_connect SELinux Boolean'
description: |-
    By default, the SELinux boolean collectd_tcp_network_connect is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'collectd_tcp_network_connect is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_condor_tcp_network_connect.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the condor_tcp_network_connect SELinux Boolean'
description: |-
    By default, the SELinux boolean condor_tcp_network_connect is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'condor_tcp_network_connect is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_conman_can_network.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the conman_can_network SELinux Boolean'
description: |-
    By default, the SELinux boolean conman_can_network is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'conman_can_network is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_cron_can_relabel.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the cron_can_relabel SELinux Boolean'
description: |-
    By default, the SELinux boolean cron_can_relabel is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'cron_can_relabel is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_cron_system_cronjob_use_shares.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the cron_system_cronjob_use_shares SELinux Boolean'
description: |-
    By default, the SELinux boolean cron_system_cronjob_use_shares is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'cron_system_cronjob_use_shares is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_cron_userdomain_transition.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the cron_userdomain_transition SELinux Boolean'
description: |-
    By default, the SELinux boolean cron_userdomain_transition is enabled.
    This setting should be enabled so that end user cron jobs run in their
    default associated user domain(s) instead of the general cronjob domain.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'cron_userdomain_transition is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_cups_execmem.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the cups_execmem SELinux Boolean'
description: |-
    By default, the SELinux boolean cups_execmem is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'cups_execmem is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_cvs_read_shadow.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the cvs_read_shadow SELinux Boolean'
description: |-
    By default, the SELinux boolean cvs_read_shadow is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'cvs_read_shadow is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_daemons_dump_core.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the daemons_dump_core SELinux Boolean'
description: |-
    By default, the SELinux boolean daemons_dump_core is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'daemons_dump_core is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_daemons_enable_cluster_mode.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the daemons_enable_cluster_mode SELinux Boolean'
description: |-
    By default, the SELinux boolean daemons_enable_cluster_mode is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'daemons_enable_cluster_mode is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_daemons_use_tcp_wrapper.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the daemons_use_tcp_wrapper SELinux Boolean'
description: |-
    By default, the SELinux boolean daemons_use_tcp_wrapper is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'daemons_use_tcp_wrapper is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_daemons_use_tty.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the daemons_use_tty SELinux Boolean'
description: |-
    By default, the SELinux boolean daemons_use_tty is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'daemons_use_tty is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_dbadm_exec_content.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the dbadm_exec_content SELinux Boolean'
description: |-
    By default, the SELinux boolean dbadm_exec_content is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'dbadm_exec_content is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_dbadm_manage_user_files.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the dbadm_manage_user_files SELinux Boolean'
description: |-
    By default, the SELinux boolean dbadm_manage_user_files is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'dbadm_manage_user_files is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_dbadm_read_user_files.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the dbadm_read_user_files SELinux Boolean'
description: |-
    By default, the SELinux boolean dbadm_read_user_files is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'dbadm_read_user_files is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_deny_execmem.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the deny_execmem SELinux Boolean'
description: |-
    By default, the SELinux boolean deny_execmem is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'deny_execmem is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_deny_ptrace.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the deny_ptrace SELinux Boolean'
description: |-
    By default, the SELinux boolean deny_ptrace is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'deny_ptrace is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_dhcpc_exec_iptables.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the dhcpc_exec_iptables SELinux Boolean'
description: |-
    By default, the SELinux boolean dhcpc_exec_iptables is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'dhcpc_exec_iptables is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_dhcpd_use_ldap.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the dhcpd_use_ldap SELinux Boolean'
description: |-
    By default, the SELinux boolean dhcpd_use_ldap is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'dhcpd_use_ldap is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_docker_connect_any.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the docker_connect_any SELinux Boolean'
description: |-
    By default, the SELinux boolean docker_connect_any is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'docker_connect_any is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_docker_transition_unconfined.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the docker_transition_unconfined SELinux Boolean'
description: |-
    By default, the SELinux boolean docker_transition_unconfined is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'docker_transition_unconfined is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_domain_fd_use.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the domain_fd_use SELinux Boolean'
description: |-
    By default, the SELinux boolean domain_fd_use is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'domain_fd_use is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_domain_kernel_load_modules.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the domain_kernel_load_modules SELinux Boolean'
description: |-
    By default, the SELinux boolean domain_kernel_load_modules is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'domain_kernel_load_modules is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_entropyd_use_audio.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the entropyd_use_audio SELinux Boolean'
description: |-
    By default, the SELinux boolean entropyd_use_audio is enabled.
    This setting should be disabled, as it lets the entropy daemon use
    audio input to generate entropy.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'entropyd_use_audio is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_exim_can_connect_db.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the exim_can_connect_db SELinux Boolean'
description: |-
    By default, the SELinux boolean exim_can_connect_db is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'exim_can_connect_db is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_exim_manage_user_files.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the exim_manage_user_files SELinux Boolean'
description: |-
    By default, the SELinux boolean exim_manage_user_files is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'exim_manage_user_files is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_exim_read_user_files.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the exim_read_user_files SELinux Boolean'
description: |-
    By default, the SELinux boolean exim_read_user_files is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'exim_read_user_files is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_fcron_crond.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the fcron_crond SELinux Boolean'
description: |-
    By default, the SELinux boolean fcron_crond is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'fcron_crond is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_fenced_can_network_connect.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the fenced_can_network_connect SELinux Boolean'
description: |-
    By default, the SELinux boolean fenced_can_network_connect is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'fenced_can_network_connect is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_fenced_can_ssh.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the fenced_can_ssh SELinux Boolean'
description: |-
    By default, the SELinux boolean fenced_can_ssh is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'fenced_can_ssh is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_fips_mode.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the fips_mode SELinux Boolean'
description: |-
    By default, the SELinux boolean fips_mode is enabled.
    This allows all SELinux domains to execute in fips_mode.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: 80418-7
references:
    cui: 3.13.11
    disa: TBD
    nist: SC-13
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'fips_mode is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ftp_home_dir.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the ftp_home_dir SELinux Boolean'
description: |-
    By default, the SELinux boolean ftp_home_dir is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'ftp_home_dir is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ftpd_anon_write.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the ftpd_anon_write SELinux Boolean'
description: |-
    By default, the SELinux boolean ftpd_anon_write is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'ftpd_anon_write is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ftpd_connect_all_unreserved.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the ftpd_connect_all_unreserved SELinux Boolean'
description: |-
    By default, the SELinux boolean ftpd_connect_all_unreserved is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'ftpd_connect_all_unreserved is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ftpd_connect_db.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the ftpd_connect_db SELinux Boolean'
description: |-
    By default, the SELinux boolean ftpd_connect_db is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'ftpd_connect_db is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ftpd_full_access.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the ftpd_full_access SELinux Boolean'
description: |-
    By default, the SELinux boolean ftpd_full_access is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'ftpd_full_access is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ftpd_use_cifs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the ftpd_use_cifs SELinux Boolean'
description: |-
    By default, the SELinux boolean ftpd_use_cifs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'ftpd_use_cifs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ftpd_use_fusefs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the ftpd_use_fusefs SELinux Boolean'
description: |-
    By default, the SELinux boolean ftpd_use_fusefs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'ftpd_use_fusefs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ftpd_use_nfs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the ftpd_use_nfs SELinux Boolean'
description: |-
    By default, the SELinux boolean ftpd_use_nfs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'ftpd_use_nfs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ftpd_use_passive_mode.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the ftpd_use_passive_mode SELinux Boolean'
description: |-
    By default, the SELinux boolean ftpd_use_passive_mode is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'ftpd_use_passive_mode is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_git_cgi_enable_homedirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the git_cgi_enable_homedirs SELinux Boolean'
description: |-
    By default, the SELinux boolean git_cgi_enable_homedirs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'git_cgi_enable_homedirs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_git_cgi_use_cifs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the git_cgi_use_cifs SELinux Boolean'
description: |-
    By default, the SELinux boolean git_cgi_use_cifs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'git_cgi_use_cifs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_git_cgi_use_nfs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the git_cgi_use_nfs SELinux Boolean'
description: |-
    By default, the SELinux boolean git_cgi_use_nfs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'git_cgi_use_nfs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_git_session_bind_all_unreserved_ports.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the git_session_bind_all_unreserved_ports SELinux Boolean'
description: |-
    By default, the SELinux boolean git_session_bind_all_unreserved_ports is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'git_session_bind_all_unreserved_ports is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_git_session_users.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the git_session_users SELinux Boolean'
description: |-
    By default, the SELinux boolean git_session_users is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'git_session_users is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_git_system_enable_homedirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the git_system_enable_homedirs SELinux Boolean'
description: |-
    By default, the SELinux boolean git_system_enable_homedirs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'git_system_enable_homedirs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_git_system_use_cifs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the git_system_use_cifs SELinux Boolean'
description: |-
    By default, the SELinux boolean git_system_use_cifs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'git_system_use_cifs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_git_system_use_nfs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the git_system_use_nfs SELinux Boolean'
description: |-
    By default, the SELinux boolean git_system_use_nfs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'git_system_use_nfs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_gitosis_can_sendmail.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the gitosis_can_sendmail SELinux Boolean'
description: |-
    By default, the SELinux boolean gitosis_can_sendmail is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'gitosis_can_sendmail is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_glance_api_can_network.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the glance_api_can_network SELinux Boolean'
description: |-
    By default, the SELinux boolean glance_api_can_network is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'glance_api_can_network is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_glance_use_execmem.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the glance_use_execmem SELinux Boolean'
description: |-
    By default, the SELinux boolean glance_use_execmem is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'glance_use_execmem is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_glance_use_fusefs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the glance_use_fusefs SELinux Boolean'
description: |-
    By default, the SELinux boolean glance_use_fusefs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'glance_use_fusefs is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_global_ssp.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the global_ssp SELinux Boolean'
description: |-
    By default, the SELinux boolean global_ssp is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'global_ssp is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_gluster_anon_write.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the gluster_anon_write SELinux Boolean'
description: |-
    By default, the SELinux boolean gluster_anon_write is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'gluster_anon_write is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_gluster_export_all_ro.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the gluster_export_all_ro SELinux Boolean'
description: |-
    By default, the SELinux boolean gluster_export_all_ro is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'gluster_export_all_ro is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_gluster_export_all_rw.rule
documentation_complete: true
prodtype: rhel7
title: 'Configure the gluster_export_all_rw SELinux Boolean'
description: |-
    By default, the SELinux boolean gluster_export_all_rw is enabled.
    If GlusterFS is in use, this setting should be enabled. Otherwise, disable it.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'gluster is in use or gluster_export_all_rw is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_gpg_web_anon_write.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the gpg_web_anon_write SELinux Boolean'
description: |-
    By default, the SELinux boolean gpg_web_anon_write is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'gpg_web_anon_write is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_gssd_read_tmp.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the gssd_read_tmp SELinux Boolean'
description: |-
    By default, the SELinux boolean gssd_read_tmp is enabled.
    This setting allows gssd processes to access Kerberos to read TGTs in the temp directory.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'gssd_read_tmp is not enabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_guest_exec_content.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the guest_exec_content SELinux Boolean'
description: |-
    By default, the SELinux boolean guest_exec_content is enabled.
    This setting should be disabled as no guest accounts should be used.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'guest_exec_content is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_haproxy_connect_any.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the haproxy_connect_any SELinux Boolean'
description: |-
    By default, the SELinux boolean haproxy_connect_any is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'haproxy_connect_any is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_anon_write.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_anon_write SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_anon_write is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_anon_write is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_builtin_scripting.rule
documentation_complete: true
prodtype: rhel7
title: 'Configure the httpd_builtin_scripting SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_builtin_scripting is enabled.
    This setting should be disabled if httpd is not running php or some similar scripting language.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_builtin_scripting is not enabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_can_check_spam.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_can_check_spam SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_can_check_spam is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_can_check_spam is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_can_connect_ftp.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_can_connect_ftp SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_can_connect_ftp is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_can_connect_ftp is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_can_connect_ldap.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_can_connect_ldap SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_can_connect_ldap is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_can_connect_ldap is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_can_connect_mythtv.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_can_connect_mythtv SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_can_connect_mythtv is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_can_connect_mythtv is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_can_connect_zabbix.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_can_connect_zabbix SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_can_connect_zabbix is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_can_connect_zabbix is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_can_network_connect.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_can_network_connect SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_can_network_connect is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_can_network_connect is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_can_network_connect_cobbler.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_can_network_connect_cobbler SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_can_network_connect_cobbler is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_can_network_connect_cobbler is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_can_network_connect_db.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_can_network_connect_db SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_can_network_connect_db is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_can_network_connect_db is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_can_network_memcache.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_can_network_memcache SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_can_network_memcache is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_can_network_memcache is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_can_network_relay.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_can_network_relay SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_can_network_relay is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_can_network_relay is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_can_sendmail.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_can_sendmail SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_can_sendmail is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_can_sendmail is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_dbus_avahi.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_dbus_avahi SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_dbus_avahi is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_dbus_avahi is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_dbus_sssd.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_dbus_sssd SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_dbus_sssd is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_dbus_sssd is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_dontaudit_search_dirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_dontaudit_search_dirs SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_dontaudit_search_dirs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_dontaudit_search_dirs is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_enable_cgi.rule
documentation_complete: true
prodtype: rhel7
title: 'Configure the httpd_enable_cgi SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_enable_cgi is enabled.
    This setting should be disabled unless httpd is used with CGI scripting.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'CGI is used with HTTPD or httpd_enable_cgi is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_enable_ftp_server.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_enable_ftp_server SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_enable_ftp_server is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_enable_ftp_server is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_enable_homedirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_enable_homedirs SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_enable_homedirs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_enable_homedirs is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_execmem.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_execmem SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_execmem is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_execmem is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_graceful_shutdown.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the httpd_graceful_shutdown SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_graceful_shutdown is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_graceful_shutdown is not enabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_manage_ipa.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_manage_ipa SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_manage_ipa is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_manage_ipa is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_mod_auth_ntlm_winbind.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_mod_auth_ntlm_winbind is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_mod_auth_ntlm_winbind is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_mod_auth_pam.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_mod_auth_pam SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_mod_auth_pam is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_mod_auth_pam is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_read_user_content.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_read_user_content SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_read_user_content is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_read_user_content is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_run_ipa.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_run_ipa SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_run_ipa is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_run_ipa is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_run_preupgrade.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_run_preupgrade SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_run_preupgrade is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_run_preupgrade is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_run_stickshift.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_run_stickshift SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_run_stickshift is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_run_stickshift is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_serve_cobbler_files.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_serve_cobbler_files SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_serve_cobbler_files is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_serve_cobbler_files is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_setrlimit.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_setrlimit SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_setrlimit is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_setrlimit is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_ssi_exec.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_ssi_exec SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_ssi_exec is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_ssi_exec is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_sys_script_anon_write.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_sys_script_anon_write SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_sys_script_anon_write is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_sys_script_anon_write is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_tmp_exec.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_tmp_exec SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_tmp_exec is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_tmp_exec is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_tty_comm.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_tty_comm SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_tty_comm is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_tty_comm is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_unified.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_unified SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_unified is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_unified is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_use_cifs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_use_cifs SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_use_cifs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_use_cifs is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_use_fusefs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_use_fusefs SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_use_fusefs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_use_fusefs is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_use_gpg.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_use_gpg SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_use_gpg is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_use_gpg is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_use_nfs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_use_nfs SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_use_nfs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_use_nfs is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_use_openstack.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_use_openstack SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_use_openstack is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_use_openstack is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_use_sasl.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_use_sasl SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_use_sasl is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_use_sasl is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_httpd_verify_dns.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the httpd_verify_dns SELinux Boolean'
description: |-
    By default, the SELinux boolean httpd_verify_dns is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'httpd_verify_dns is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_icecast_use_any_tcp_ports.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the icecast_use_any_tcp_ports SELinux Boolean'
description: |-
    By default, the SELinux boolean icecast_use_any_tcp_ports is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'icecast_use_any_tcp_ports is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_irc_use_any_tcp_ports.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the irc_use_any_tcp_ports SELinux Boolean'
description: |-
    By default, the SELinux boolean irc_use_any_tcp_ports is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'irc_use_any_tcp_ports is not disabled'
ocil: ''

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_irssi_use_full_network.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the irssi_use_full_network SELinux Boolean'
description: |-
    By default, the SELinux boolean irssi_use_full_network is disabled.
    If this setting is enabled, it should be disabled.
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'irssi_use_full_network is not disabled' ocil: '' sebool_kdumpgui_run_bootloader.rule000066400000000000000000000011531327242345500354460ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the kdumpgui_run_bootloader SELinux Boolean' description: |- By default, the SELinux boolean kdumpgui_run_bootloader is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'kdumpgui_run_bootloader is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_kerberos_enabled.rule000066400000000000000000000011731327242345500340720ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Enable the kerberos_enabled SELinux Boolean' description: |- By default, the SELinux boolean kerberos_enabled is enabled. If this setting is disabled, it should be enabled to allow confined applications to run with Kerberos. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'kerberos_enabled is not enabled' ocil: '' sebool_ksmtuned_use_cifs.rule000066400000000000000000000011151327242345500342330ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the ksmtuned_use_cifs SELinux Boolean' description: |- By default, the SELinux boolean ksmtuned_use_cifs is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'ksmtuned_use_cifs is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ksmtuned_use_nfs.rule000066400000000000000000000011101327242345500341470ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the ksmtuned_use_nfs SELinux Boolean' description: |- By default, the SELinux boolean ksmtuned_use_nfs is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'ksmtuned_use_nfs is not disabled' ocil: '' sebool_logadm_exec_content.rule000066400000000000000000000011221327242345500345200ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Enable the logadm_exec_content SELinux Boolean' description: |- By default, the SELinux boolean logadm_exec_content is enabled. If this setting is disabled, it should be enabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'logadm_exec_content is not enabled' ocil: '' sebool_logging_syslogd_can_sendmail.rule000066400000000000000000000012041327242345500364070ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the logging_syslogd_can_sendmail SELinux Boolean' description: |- By default, the SELinux boolean logging_syslogd_can_sendmail is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'logging_syslogd_can_sendmail is not disabled' ocil: '' sebool_logging_syslogd_run_nagios_plugins.rule000066400000000000000000000012421327242345500377010ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the logging_syslogd_run_nagios_plugins SELinux Boolean' description: |- By default, the SELinux boolean logging_syslogd_run_nagios_plugins is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'logging_syslogd_run_nagios_plugins is not disabled' ocil: '' sebool_logging_syslogd_use_tty.rule000066400000000000000000000012551327242345500354740ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Enable the logging_syslogd_use_tty SELinux Boolean' description: |- By default, the SELinux boolean logging_syslogd_use_tty is enabled. If this setting is disabled, it should be enabled as it allows syslog the ability to read/write to terminal. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'logging_syslogd_use_tty is not enabled' ocil: '' sebool_login_console_enabled.rule000066400000000000000000000012431327242345500350270ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Enable the login_console_enabled SELinux Boolean' description: |- By default, the SELinux boolean login_console_enabled is enabled. 
If this setting is disabled, it should be enabled as it allows login from /dev/console to a console session. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'login_console_enabled is not enabled' ocil: '' sebool_logrotate_use_nfs.rule000066400000000000000000000011151327242345500342430ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the logrotate_use_nfs SELinux Boolean' description: |- By default, the SELinux boolean logrotate_use_nfs is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'logrotate_use_nfs is not disabled' ocil: '' sebool_logwatch_can_network_connect_mail.rule000066400000000000000000000012351327242345500374410ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the logwatch_can_network_connect_mail SELinux Boolean' description: |- By default, the SELinux boolean logwatch_can_network_connect_mail is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'logwatch_can_network_connect_mail is not disabled' ocil: '' sebool_lsmd_plugin_connect_any.rule000066400000000000000000000011531327242345500354200ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the lsmd_plugin_connect_any SELinux Boolean' description: |- By default, the SELinux boolean lsmd_plugin_connect_any is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'lsmd_plugin_connect_any is not disabled' ocil: '' sebool_mailman_use_fusefs.rule000066400000000000000000000011221327242345500343640ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the mailman_use_fusefs SELinux Boolean' description: |- By default, the SELinux boolean mailman_use_fusefs is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mailman_use_fusefs is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_mcelog_client.rule000066400000000000000000000010711327242345500334050ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the mcelog_client SELinux Boolean' description: |- By default, the SELinux boolean mcelog_client is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mcelog_client is not disabled' ocil: '' sebool_mcelog_exec_scripts.rule000066400000000000000000000011221327242345500345400ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Enable the mcelog_exec_scripts SELinux Boolean' description: |- By default, the SELinux boolean mcelog_exec_scripts is enabled. If this setting is disabled, it should be enabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mcelog_exec_scripts is not enabled' ocil: '' sebool_mcelog_foreground.rule000066400000000000000000000011151327242345500342210ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the mcelog_foreground SELinux Boolean' description: |- By default, the SELinux boolean mcelog_foreground is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mcelog_foreground is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_mcelog_server.rule000066400000000000000000000010711327242345500334350ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the mcelog_server SELinux Boolean' description: |- By default, the SELinux boolean mcelog_server is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mcelog_server is not disabled' ocil: '' sebool_minidlna_read_generic_user_content.rule000066400000000000000000000012421327242345500375740ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the minidlna_read_generic_user_content SELinux Boolean' description: |- By default, the SELinux boolean minidlna_read_generic_user_content is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'minidlna_read_generic_user_content is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_mmap_low_allowed.rule000066400000000000000000000011101327242345500341150ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the mmap_low_allowed SELinux Boolean' description: |- By default, the SELinux boolean mmap_low_allowed is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mmap_low_allowed is not disabled' ocil: '' sebool_mock_enable_homedirs.rule000066400000000000000000000011341327242345500346530ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the mock_enable_homedirs SELinux Boolean' description: |- By default, the SELinux boolean mock_enable_homedirs is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mock_enable_homedirs is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_mount_anyfile.rule000066400000000000000000000011451327242345500334540ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Enable the mount_anyfile SELinux Boolean' description: |- By default, the SELinux boolean mount_anyfile is enabled. If this setting is disabled, it should be enabled to allow any file or directory to be mounted. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mount_anyfile is not enabled' ocil: '' sebool_mozilla_plugin_bind_unreserved_ports.rule000066400000000000000000000012541327242345500402370ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean' description: |- By default, the SELinux boolean mozilla_plugin_bind_unreserved_ports is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mozilla_plugin_bind_unreserved_ports is not disabled' ocil: '' sebool_mozilla_plugin_can_network_connect.rule000066400000000000000000000012421327242345500376520ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the mozilla_plugin_can_network_connect SELinux Boolean' description: |- By default, the SELinux boolean mozilla_plugin_can_network_connect is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mozilla_plugin_can_network_connect is not disabled' ocil: '' sebool_mozilla_plugin_use_bluejeans.rule000066400000000000000000000012041327242345500364510ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the mozilla_plugin_use_bluejeans SELinux Boolean' description: |- By default, the SELinux boolean mozilla_plugin_use_bluejeans is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mozilla_plugin_use_bluejeans is not disabled' ocil: '' sebool_mozilla_plugin_use_gps.rule000066400000000000000000000011461327242345500352770ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the mozilla_plugin_use_gps SELinux Boolean' description: |- By default, the SELinux boolean mozilla_plugin_use_gps is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mozilla_plugin_use_gps is not disabled' ocil: '' sebool_mozilla_plugin_use_spice.rule000066400000000000000000000011601327242345500356050ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the mozilla_plugin_use_spice SELinux Boolean' description: |- By default, the SELinux boolean mozilla_plugin_use_spice is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mozilla_plugin_use_spice is not disabled' ocil: '' sebool_mozilla_read_content.rule000066400000000000000000000011341327242345500347160ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the mozilla_read_content SELinux Boolean' description: |- By default, the SELinux boolean mozilla_read_content is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mozilla_read_content is not disabled' ocil: '' sebool_mpd_enable_homedirs.rule000066400000000000000000000011271327242345500345040ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the mpd_enable_homedirs SELinux Boolean' description: |- By default, the SELinux boolean mpd_enable_homedirs is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mpd_enable_homedirs is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_mpd_use_cifs.rule000066400000000000000000000010641327242345500332430ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the mpd_use_cifs SELinux Boolean' description: |- By default, the SELinux boolean mpd_use_cifs is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mpd_use_cifs is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_mpd_use_nfs.rule000066400000000000000000000010571327242345500331070ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the mpd_use_nfs SELinux Boolean' description: |- By default, the SELinux boolean mpd_use_nfs is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mpd_use_nfs is not disabled' ocil: '' sebool_mplayer_execstack.rule000066400000000000000000000011151327242345500342240ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the mplayer_execstack SELinux Boolean' description: |- By default, the SELinux boolean mplayer_execstack is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mplayer_execstack is not disabled' ocil: '' sebool_mysql_connect_any.rule000066400000000000000000000011151327242345500342460ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the mysql_connect_any SELinux Boolean' description: |- By default, the SELinux boolean mysql_connect_any is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'mysql_connect_any is not disabled' ocil: '' sebool_nagios_run_pnp4nagios.rule000066400000000000000000000011411327242345500350260ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the nagios_run_pnp4nagios SELinux Boolean' description: |- By default, the SELinux boolean nagios_run_pnp4nagios is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'nagios_run_pnp4nagios is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_nagios_run_sudo.rule000066400000000000000000000011031327242345500337730ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the nagios_run_sudo SELinux Boolean' description: |- By default, the SELinux boolean nagios_run_sudo is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'nagios_run_sudo is not disabled' ocil: '' sebool_named_tcp_bind_http_port.rule000066400000000000000000000011601327242345500355520ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the named_tcp_bind_http_port SELinux Boolean' description: |- By default, the SELinux boolean named_tcp_bind_http_port is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'named_tcp_bind_http_port is not disabled' ocil: '' sebool_named_write_master_zones.rule000066400000000000000000000011601327242345500356100ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the named_write_master_zones SELinux Boolean' description: |- By default, the SELinux boolean named_write_master_zones is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'named_write_master_zones is not disabled' ocil: '' sebool_neutron_can_network.rule000066400000000000000000000011271327242345500346100ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the neutron_can_network SELinux Boolean' description: |- By default, the SELinux boolean neutron_can_network is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'neutron_can_network is not disabled' ocil: '' sebool_nfs_export_all_ro.rule000066400000000000000000000011701327242345500342410ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Enable the nfs_export_all_ro SELinux Boolean' description: |- By default, the SELinux boolean nfs_export_all_ro is enabled. If this setting is disabled, it should be enabled as it allows NFS to export read-only mounts. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'nfs_export_all_ro is not enabled' ocil: '' sebool_nfs_export_all_rw.rule000066400000000000000000000011711327242345500342520ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Enable the nfs_export_all_rw SELinux Boolean' description: |- By default, the SELinux boolean nfs_export_all_rw is enabled. If this setting is disabled, it should be enabled as it allows NFS to export read/write mounts. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'nfs_export_all_rw is not enabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_nfsd_anon_write.rule000066400000000000000000000011031327242345500337540ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the nfsd_anon_write SELinux Boolean' description: |- By default, the SELinux boolean nfsd_anon_write is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'nfsd_anon_write is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_nis_enabled.rule000066400000000000000000000010571327242345500330500ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the nis_enabled SELinux Boolean' description: |- By default, the SELinux boolean nis_enabled is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'nis_enabled is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_nscd_use_shm.rule000066400000000000000000000011371327242345500332560ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Enable the nscd_use_shm SELinux Boolean' description: |- By default, the SELinux boolean nscd_use_shm is enabled. If this setting is disabled, it should be enabled to allow nscd to use shared memory. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'nscd_use_shm is not enabled' ocil: '' sebool_openshift_use_nfs.rule000066400000000000000000000011151327242345500342420ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the openshift_use_nfs SELinux Boolean' description: |- By default, the SELinux boolean openshift_use_nfs is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'openshift_use_nfs is not disabled' ocil: '' sebool_openvpn_can_network_connect.rule000066400000000000000000000011541327242345500363140ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the openvpn_can_network_connect SELinux Boolean' description: |- By default, the SELinux boolean openvpn_can_network_connect is enabled. This setting should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'openvpn_can_network_connect is not disabled' ocil: '' sebool_openvpn_enable_homedirs.rule000066400000000000000000000011301327242345500354030ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the openvpn_enable_homedirs SELinux Boolean' description: |- By default, the SELinux boolean openvpn_enable_homedirs is enabled. This setting should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'openvpn_enable_homedirs is not disabled' ocil: '' sebool_openvpn_run_unconfined.rule000066400000000000000000000011461327242345500353060ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the openvpn_run_unconfined SELinux Boolean' description: |- By default, the SELinux boolean openvpn_run_unconfined is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'openvpn_run_unconfined is not disabled' ocil: '' sebool_pcp_bind_all_unreserved_ports.rule000066400000000000000000000012111327242345500366150ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the pcp_bind_all_unreserved_ports SELinux Boolean' description: |- By default, the SELinux boolean pcp_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'pcp_bind_all_unreserved_ports is not disabled' ocil: '' sebool_pcp_read_generic_logs.rule000066400000000000000000000011411327242345500350150ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the pcp_read_generic_logs SELinux Boolean' description: |- By default, the SELinux boolean pcp_read_generic_logs is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'pcp_read_generic_logs is not disabled' ocil: '' sebool_piranha_lvs_can_network_connect.rule000066400000000000000000000012231327242345500371320ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the piranha_lvs_can_network_connect SELinux Boolean' description: |- By default, the SELinux boolean piranha_lvs_can_network_connect is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'piranha_lvs_can_network_connect is not disabled' ocil: '' sebool_polipo_connect_all_unreserved.rule000066400000000000000000000012111327242345500366230ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the polipo_connect_all_unreserved SELinux Boolean' description: |- By default, the SELinux boolean polipo_connect_all_unreserved is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'polipo_connect_all_unreserved is not disabled' ocil: '' sebool_polipo_session_bind_all_unreserved_ports.rule000066400000000000000000000013001327242345500410770ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the polipo_session_bind_all_unreserved_ports SELinux Boolean' description: |- By default, the SELinux boolean polipo_session_bind_all_unreserved_ports is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'polipo_session_bind_all_unreserved_ports is not disabled' ocil: '' sebool_polipo_session_users.rule000066400000000000000000000011341327242345500350100ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the polipo_session_users SELinux Boolean' description: |- By default, the SELinux boolean polipo_session_users is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'polipo_session_users is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_polipo_use_cifs.rule000066400000000000000000000011031327242345500337570ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the polipo_use_cifs SELinux Boolean' description: |- By default, the SELinux boolean polipo_use_cifs is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'polipo_use_cifs is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_polipo_use_nfs.rule000066400000000000000000000010761327242345500336320ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the polipo_use_nfs SELinux Boolean' description: |- By default, the SELinux boolean polipo_use_nfs is disabled. If this setting is enabled, it should be disabled. 
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'polipo_use_nfs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_polyinstantiation_enabled.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the polyinstantiation_enabled SELinux Boolean'
description: |-
    By default, the SELinux boolean polyinstantiation_enabled is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'polyinstantiation_enabled is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_postfix_local_write_mail_spool.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the postfix_local_write_mail_spool SELinux Boolean'
description: |-
    By default, the SELinux boolean postfix_local_write_mail_spool is enabled.
    If this setting is disabled, it should be enabled as it allows Postfix
    to write to the mail spool directories.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'postfix_local_write_mail_spool is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_postgresql_can_rsync.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the postgresql_can_rsync SELinux Boolean'
description: |-
    By default, the SELinux boolean postgresql_can_rsync is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'postgresql_can_rsync is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_postgresql_selinux_transmit_client_label.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the postgresql_selinux_transmit_client_label SELinux Boolean'
description: |-
    By default, the SELinux boolean postgresql_selinux_transmit_client_label is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'postgresql_selinux_transmit_client_label is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_postgresql_selinux_unconfined_dbadm.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the postgresql_selinux_unconfined_dbadm SELinux Boolean'
description: |-
    By default, the SELinux boolean postgresql_selinux_unconfined_dbadm is enabled.
    If this setting is disabled, it should be enabled as it allows Database
    Administrators to execute Data Manipulation Language (DML) statements.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'postgresql_selinux_unconfined_dbadm is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_postgresql_selinux_users_ddl.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the postgresql_selinux_users_ddl SELinux Boolean'
description: |-
    By default, the SELinux boolean postgresql_selinux_users_ddl is enabled.
    If this setting is disabled, it should be enabled as it allows Database
    Administrators to execute Data Definition Language (DDL) statements.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'postgresql_selinux_users_ddl is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_pppd_can_insmod.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the pppd_can_insmod SELinux Boolean'
description: |-
    By default, the SELinux boolean pppd_can_insmod is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'pppd_can_insmod is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_pppd_for_user.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the pppd_for_user SELinux Boolean'
description: |-
    By default, the SELinux boolean pppd_for_user is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'pppd_for_user is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_privoxy_connect_any.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the privoxy_connect_any SELinux Boolean'
description: |-
    By default, the SELinux boolean privoxy_connect_any is enabled.
    This setting should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'privoxy_connect_any is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_prosody_bind_http_port.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the prosody_bind_http_port SELinux Boolean'
description: |-
    By default, the SELinux boolean prosody_bind_http_port is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'prosody_bind_http_port is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_puppetagent_manage_all_files.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the puppetagent_manage_all_files SELinux Boolean'
description: |-
    By default, the SELinux boolean puppetagent_manage_all_files is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'puppetagent_manage_all_files is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_puppetmaster_use_db.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the puppetmaster_use_db SELinux Boolean'
description: |-
    By default, the SELinux boolean puppetmaster_use_db is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'puppetmaster_use_db is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_racoon_read_shadow.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the racoon_read_shadow SELinux Boolean'
description: |-
    By default, the SELinux boolean racoon_read_shadow is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'racoon_read_shadow is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_rsync_anon_write.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the rsync_anon_write SELinux Boolean'
description: |-
    By default, the SELinux boolean rsync_anon_write is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'rsync_anon_write is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_rsync_client.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the rsync_client SELinux Boolean'
description: |-
    By default, the SELinux boolean rsync_client is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'rsync_client is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_rsync_export_all_ro.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the rsync_export_all_ro SELinux Boolean'
description: |-
    By default, the SELinux boolean rsync_export_all_ro is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'rsync_export_all_ro is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_rsync_full_access.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the rsync_full_access SELinux Boolean'
description: |-
    By default, the SELinux boolean rsync_full_access is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'rsync_full_access is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_samba_create_home_dirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the samba_create_home_dirs SELinux Boolean'
description: |-
    By default, the SELinux boolean samba_create_home_dirs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'samba_create_home_dirs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_samba_domain_controller.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the samba_domain_controller SELinux Boolean'
description: |-
    By default, the SELinux boolean samba_domain_controller is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'samba_domain_controller is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_samba_enable_home_dirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the samba_enable_home_dirs SELinux Boolean'
description: |-
    By default, the SELinux boolean samba_enable_home_dirs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'samba_enable_home_dirs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_samba_export_all_ro.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the samba_export_all_ro SELinux Boolean'
description: |-
    By default, the SELinux boolean samba_export_all_ro is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'samba_export_all_ro is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_samba_export_all_rw.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the samba_export_all_rw SELinux Boolean'
description: |-
    By default, the SELinux boolean samba_export_all_rw is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'samba_export_all_rw is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_samba_load_libgfapi.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the samba_load_libgfapi SELinux Boolean'
description: |-
    By default, the SELinux boolean samba_load_libgfapi is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'samba_load_libgfapi is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_samba_portmapper.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the samba_portmapper SELinux Boolean'
description: |-
    By default, the SELinux boolean samba_portmapper is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'samba_portmapper is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_samba_run_unconfined.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the samba_run_unconfined SELinux Boolean'
description: |-
    By default, the SELinux boolean samba_run_unconfined is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'samba_run_unconfined is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_samba_share_fusefs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the samba_share_fusefs SELinux Boolean'
description: |-
    By default, the SELinux boolean samba_share_fusefs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'samba_share_fusefs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_samba_share_nfs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the samba_share_nfs SELinux Boolean'
description: |-
    By default, the SELinux boolean samba_share_nfs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'samba_share_nfs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_sanlock_use_fusefs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the sanlock_use_fusefs SELinux Boolean'
description: |-
    By default, the SELinux boolean sanlock_use_fusefs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'sanlock_use_fusefs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_sanlock_use_nfs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the sanlock_use_nfs SELinux Boolean'
description: |-
    By default, the SELinux boolean sanlock_use_nfs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'sanlock_use_nfs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_sanlock_use_samba.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the sanlock_use_samba SELinux Boolean'
description: |-
    By default, the SELinux boolean sanlock_use_samba is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'sanlock_use_samba is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_saslauthd_read_shadow.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the saslauthd_read_shadow SELinux Boolean'
description: |-
    By default, the SELinux boolean saslauthd_read_shadow is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'saslauthd_read_shadow is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_secadm_exec_content.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the secadm_exec_content SELinux Boolean'
description: |-
    By default, the SELinux boolean secadm_exec_content is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'secadm_exec_content is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_secure_mode.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the secure_mode SELinux Boolean'
description: |-
    By default, the SELinux boolean secure_mode is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'secure_mode is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_secure_mode_insmod.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the secure_mode_insmod SELinux Boolean'
description: |-
    By default, the SELinux boolean secure_mode_insmod is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'secure_mode_insmod is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_secure_mode_policyload.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the secure_mode_policyload SELinux Boolean'
description: |-
    By default, the SELinux boolean secure_mode_policyload is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'secure_mode_policyload is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_selinuxuser_direct_dri_enabled.rule
documentation_complete: true
prodtype: rhel7
title: 'Configure the selinuxuser_direct_dri_enabled SELinux Boolean'
description: |-
    By default, the SELinux boolean selinuxuser_direct_dri_enabled is enabled.
    If XWindows is not installed or used on the system, this setting should be
    disabled. Otherwise, enable it.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'XWindows is in use or selinuxuser_direct_dri_enabled is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the selinuxuser_execheap SELinux Boolean'
description: |-
    By default, the SELinux boolean selinuxuser_execheap is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    stigid@rhel7: TBD
ocil_clause: 'selinuxuser_execheap is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execmod.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the selinuxuser_execmod SELinux Boolean'
description: |-
    By default, the SELinux boolean selinuxuser_execmod is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    stigid@rhel7: TBD
ocil_clause: 'selinuxuser_execmod is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the selinuxuser_execstack SELinux Boolean'
description: |-
    By default, the SELinux boolean selinuxuser_execstack is enabled.
    This setting should be disabled as unconfined executables should not
    be able to make their stack executable.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    stigid@rhel7: TBD
ocil_clause: 'selinuxuser_execstack is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_selinuxuser_mysql_connect_enabled.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the selinuxuser_mysql_connect_enabled SELinux Boolean'
description: |-
    By default, the SELinux boolean selinuxuser_mysql_connect_enabled is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'selinuxuser_mysql_connect_enabled is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_selinuxuser_ping.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the selinuxuser_ping SELinux Boolean'
description: |-
    By default, the SELinux boolean selinuxuser_ping is enabled.
    If this setting is disabled, it should be enabled as it allows confined
    users to use ping and traceroute which is helpful for network troubleshooting.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'selinuxuser_ping is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_selinuxuser_postgresql_connect_enabled.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the selinuxuser_postgresql_connect_enabled SELinux Boolean'
description: |-
    By default, the SELinux boolean selinuxuser_postgresql_connect_enabled is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'selinuxuser_postgresql_connect_enabled is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_selinuxuser_rw_noexattrfile.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the selinuxuser_rw_noexattrfile SELinux Boolean'
description: |-
    By default, the SELinux boolean selinuxuser_rw_noexattrfile is enabled.
    This setting should be disabled as users should not be able to read/write
    files on filesystems that do not have extended attributes e.g. FAT, CDROM, FLOPPY, etc.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'selinuxuser_rw_noexattrfile is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_selinuxuser_share_music.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the selinuxuser_share_music SELinux Boolean'
description: |-
    By default, the SELinux boolean selinuxuser_share_music is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'selinuxuser_share_music is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_selinuxuser_tcp_server.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the selinuxuser_tcp_server SELinux Boolean'
description: |-
    By default, the SELinux boolean selinuxuser_tcp_server is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'selinuxuser_tcp_server is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_selinuxuser_udp_server.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the selinuxuser_udp_server SELinux Boolean'
description: |-
    By default, the SELinux boolean selinuxuser_udp_server is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'selinuxuser_udp_server is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_selinuxuser_use_ssh_chroot.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the selinuxuser_use_ssh_chroot SELinux Boolean'
description: |-
    By default, the SELinux boolean selinuxuser_use_ssh_chroot is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'selinuxuser_use_ssh_chroot is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_sftpd_anon_write.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the sftpd_anon_write SELinux Boolean'
description: |-
    By default, the SELinux boolean sftpd_anon_write is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'sftpd_anon_write is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_sftpd_enable_homedirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the sftpd_enable_homedirs SELinux Boolean'
description: |-
    By default, the SELinux boolean sftpd_enable_homedirs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'sftpd_enable_homedirs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_sftpd_full_access.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the sftpd_full_access SELinux Boolean'
description: |-
    By default, the SELinux boolean sftpd_full_access is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'sftpd_full_access is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_sftpd_write_ssh_home.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the sftpd_write_ssh_home SELinux Boolean'
description: |-
    By default, the SELinux boolean sftpd_write_ssh_home is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'sftpd_write_ssh_home is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_sge_domain_can_network_connect.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the sge_domain_can_network_connect SELinux Boolean'
description: |-
    By default, the SELinux boolean sge_domain_can_network_connect is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'sge_domain_can_network_connect is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_sge_use_nfs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the sge_use_nfs SELinux Boolean'
description: |-
    By default, the SELinux boolean sge_use_nfs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'sge_use_nfs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_smartmon_3ware.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the smartmon_3ware SELinux Boolean'
description: |-
    By default, the SELinux boolean smartmon_3ware is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'smartmon_3ware is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_smbd_anon_write.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the smbd_anon_write SELinux Boolean'
description: |-
    By default, the SELinux boolean smbd_anon_write is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'smbd_anon_write is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_spamassassin_can_network.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the spamassassin_can_network SELinux Boolean'
description: |-
    By default, the SELinux boolean spamassassin_can_network is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'spamassassin_can_network is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_spamd_enable_home_dirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the spamd_enable_home_dirs SELinux Boolean'
description: |-
    By default, the SELinux boolean spamd_enable_home_dirs is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'spamd_enable_home_dirs is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_squid_connect_any.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the squid_connect_any SELinux Boolean'
description: |-
    By default, the SELinux boolean squid_connect_any is enabled.
    This setting should be disabled as squid should only connect on specified ports.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'squid_connect_any is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_squid_use_tproxy.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the squid_use_tproxy SELinux Boolean'
description: |-
    By default, the SELinux boolean squid_use_tproxy is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'squid_use_tproxy is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ssh_chroot_rw_homedirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the ssh_chroot_rw_homedirs SELinux Boolean'
description: |-
    By default, the SELinux boolean ssh_chroot_rw_homedirs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'ssh_chroot_rw_homedirs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ssh_keysign.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the ssh_keysign SELinux Boolean'
description: |-
    By default, the SELinux boolean ssh_keysign is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'ssh_keysign is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_ssh_sysadm_login.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the ssh_sysadm_login SELinux Boolean'
description: |-
    By default, the SELinux boolean ssh_sysadm_login is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'ssh_sysadm_login is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_staff_exec_content.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the staff_exec_content SELinux Boolean'
description: |-
    By default, the SELinux boolean staff_exec_content is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'staff_exec_content is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_staff_use_svirt.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the staff_use_svirt SELinux Boolean'
description: |-
    By default, the SELinux boolean staff_use_svirt is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'staff_use_svirt is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_swift_can_network.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the swift_can_network SELinux Boolean'
description: |-
    By default, the SELinux boolean swift_can_network is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'swift_can_network is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_sysadm_exec_content.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the sysadm_exec_content SELinux Boolean'
description: |-
    By default, the SELinux boolean sysadm_exec_content is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'sysadm_exec_content is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_telepathy_connect_all_ports.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the telepathy_connect_all_ports SELinux Boolean'
description: |-
    By default, the SELinux boolean telepathy_connect_all_ports is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'telepathy_connect_all_ports is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_telepathy_tcp_connect_generic_network_ports.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the telepathy_tcp_connect_generic_network_ports SELinux Boolean'
description: |-
    By default, the SELinux boolean telepathy_tcp_connect_generic_network_ports is enabled.
    This setting should be disabled as telepathy should not connect to any generic network ports.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'telepathy_tcp_connect_generic_network_ports is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_tftp_anon_write.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the tftp_anon_write SELinux Boolean'
description: |-
    By default, the SELinux boolean tftp_anon_write is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'tftp_anon_write is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_tftp_home_dir.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the tftp_home_dir SELinux Boolean'
description: |-
    By default, the SELinux boolean tftp_home_dir is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'tftp_home_dir is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_tmpreaper_use_nfs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the tmpreaper_use_nfs SELinux Boolean'
description: |-
    By default, the SELinux boolean tmpreaper_use_nfs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'tmpreaper_use_nfs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_tmpreaper_use_samba.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the tmpreaper_use_samba SELinux Boolean'
description: |-
    By default, the SELinux boolean tmpreaper_use_samba is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'tmpreaper_use_samba is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_tor_bind_all_unreserved_ports.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the tor_bind_all_unreserved_ports SELinux Boolean'
description: |-
    By default, the SELinux boolean tor_bind_all_unreserved_ports is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'tor_bind_all_unreserved_ports is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_tor_can_network_relay.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the tor_can_network_relay SELinux Boolean'
description: |-
    By default, the SELinux boolean tor_can_network_relay is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'tor_can_network_relay is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_unconfined_chrome_sandbox_transition.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the unconfined_chrome_sandbox_transition SELinux Boolean'
description: |-
    By default, the SELinux boolean unconfined_chrome_sandbox_transition is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'unconfined_chrome_sandbox_transition is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_unconfined_login.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the unconfined_login SELinux Boolean'
description: |-
    By default, the SELinux boolean unconfined_login is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'unconfined_login is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_unconfined_mozilla_plugin_transition.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the unconfined_mozilla_plugin_transition SELinux Boolean'
description: |-
    By default, the SELinux boolean unconfined_mozilla_plugin_transition is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'unconfined_mozilla_plugin_transition is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_unprivuser_use_svirt.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the unprivuser_use_svirt SELinux Boolean'
description: |-
    By default, the SELinux boolean unprivuser_use_svirt is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'unprivuser_use_svirt is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_use_ecryptfs_home_dirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the use_ecryptfs_home_dirs SELinux Boolean'
description: |-
    By default, the SELinux boolean use_ecryptfs_home_dirs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'use_ecryptfs_home_dirs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_use_fusefs_home_dirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the use_fusefs_home_dirs SELinux Boolean'
description: |-
    By default, the SELinux boolean use_fusefs_home_dirs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'use_fusefs_home_dirs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_use_lpd_server.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the use_lpd_server SELinux Boolean'
description: |-
    By default, the SELinux boolean use_lpd_server is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'use_lpd_server is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_use_nfs_home_dirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the use_nfs_home_dirs SELinux Boolean'
description: |-
    By default, the SELinux boolean use_nfs_home_dirs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'use_nfs_home_dirs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_use_samba_home_dirs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the use_samba_home_dirs SELinux Boolean'
description: |-
    By default, the SELinux boolean use_samba_home_dirs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'use_samba_home_dirs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_user_exec_content.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the user_exec_content SELinux Boolean'
description: |-
    By default, the SELinux boolean user_exec_content is enabled.
    If this setting is disabled, it should be enabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'user_exec_content is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_varnishd_connect_any.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the varnishd_connect_any SELinux Boolean'
description: |-
    By default, the SELinux boolean varnishd_connect_any is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'varnishd_connect_any is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_read_qemu_ga_data.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_read_qemu_ga_data SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_read_qemu_ga_data is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_read_qemu_ga_data is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_rw_qemu_ga_data.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_rw_qemu_ga_data SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_rw_qemu_ga_data is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_rw_qemu_ga_data is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_all_caps.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_sandbox_use_all_caps SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_sandbox_use_all_caps is enabled.
    This setting is disabled as containers should not run with privileges.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_sandbox_use_all_caps is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_audit.rule
documentation_complete: true
prodtype: rhel7
title: 'Enable the virt_sandbox_use_audit SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_sandbox_use_audit is enabled.
    If this setting is disabled, it should be enabled to allow sandboxed containers to send audit messages.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_sandbox_use_audit is not enabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_mknod.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_sandbox_use_mknod SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_sandbox_use_mknod is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_sandbox_use_mknod is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_netlink.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_sandbox_use_netlink SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_sandbox_use_netlink is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_sandbox_use_netlink is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_nfs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_sandbox_use_nfs SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_sandbox_use_nfs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_sandbox_use_nfs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_samba.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_sandbox_use_samba SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_sandbox_use_samba is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_sandbox_use_samba is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_sandbox_use_sys_admin.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_sandbox_use_sys_admin SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_sandbox_use_sys_admin is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_sandbox_use_sys_admin is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_transition_userdomain.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_transition_userdomain SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_transition_userdomain is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_transition_userdomain is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_use_comm.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_use_comm SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_use_comm is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_use_comm is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_use_execmem.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_use_execmem SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_use_execmem is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_use_execmem is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_use_fusefs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_use_fusefs SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_use_fusefs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_use_fusefs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_use_nfs.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_use_nfs SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_use_nfs is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_use_nfs is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_use_rawip.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_use_rawip SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_use_rawip is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_use_rawip is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_use_samba.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_use_samba SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_use_samba is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_use_samba is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_use_sanlock.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_use_sanlock SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_use_sanlock is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_use_sanlock is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_use_usb.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_use_usb SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_use_usb is enabled.
    This setting should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_use_usb is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_virt_use_xserver.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the virt_use_xserver SELinux Boolean'
description: |-
    By default, the SELinux boolean virt_use_xserver is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'virt_use_xserver is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_webadm_manage_user_files.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the webadm_manage_user_files SELinux Boolean'
description: |-
    By default, the SELinux boolean webadm_manage_user_files is disabled.
    If this setting is enabled, it should be disabled.
rationale: ""
severity: medium
identifiers:
    cce@rhel7: RHEL7-CCE-TBD
references:
    disa: TBD
    nist: TBD
    srg: TBD
    stigid@rhel7: TBD
ocil_clause: 'webadm_manage_user_files is not disabled'
ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_webadm_read_user_files.rule
documentation_complete: true
prodtype: rhel7
title: 'Disable the webadm_read_user_files SELinux Boolean'
description: |-
    By default, the SELinux boolean webadm_read_user_files is disabled.
    If this setting is enabled, it should be disabled.
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'webadm_read_user_files is not disabled' ocil: '' sebool_wine_mmap_zero_ignore.rule000066400000000000000000000011411327242345500350760ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the wine_mmap_zero_ignore SELinux Boolean' description: |- By default, the SELinux boolean wine_mmap_zero_ignore is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'wine_mmap_zero_ignore is not disabled' ocil: '' sebool_xdm_bind_vnc_tcp_port.rule000066400000000000000000000011411327242345500350640ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the xdm_bind_vnc_tcp_port SELinux Boolean' description: |- By default, the SELinux boolean xdm_bind_vnc_tcp_port is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xdm_bind_vnc_tcp_port is not disabled' ocil: '' sebool_xdm_exec_bootloader.rule000066400000000000000000000011271327242345500345320ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the xdm_exec_bootloader SELinux Boolean' description: |- By default, the SELinux boolean xdm_exec_bootloader is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xdm_exec_bootloader is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_xdm_sysadm_login.rule000066400000000000000000000011101327242345500341330ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the xdm_sysadm_login SELinux Boolean' description: |- By default, the SELinux boolean xdm_sysadm_login is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xdm_sysadm_login is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_xdm_write_home.rule000066400000000000000000000010761327242345500336200ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the xdm_write_home SELinux Boolean' description: |- By default, the SELinux boolean xdm_write_home is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xdm_write_home is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_xen_use_nfs.rule000066400000000000000000000010571327242345500331210ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the xen_use_nfs SELinux Boolean' description: |- By default, the SELinux boolean xen_use_nfs is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xen_use_nfs is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_xend_run_blktap.rule000066400000000000000000000010761327242345500337650ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Enable the xend_run_blktap SELinux Boolean' description: |- By default, the SELinux boolean xend_run_blktap is enabled. If this setting is disabled, it should be enabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xend_run_blktap is not enabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_xend_run_qemu.rule000066400000000000000000000010641327242345500334540ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Enable the xend_run_qemu SELinux Boolean' description: |- By default, the SELinux boolean xend_run_qemu is enabled. If this setting is disabled, it should be enabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xend_run_qemu is not enabled' ocil: '' sebool_xguest_connect_network.rule000066400000000000000000000012361327242345500353260ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the xguest_connect_network SELinux Boolean' description: |- By default, the SELinux boolean xguest_connect_network is enabled. This setting should be disabled as guest users should not be able to configure NetworkManager. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xguest_connect_network is not disabled' ocil: '' sebool_xguest_exec_content.rule000066400000000000000000000011751327242345500346040ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the xguest_exec_content SELinux Boolean' description: |- By default, the SELinux boolean xguest_exec_content is enabled. This setting should be disabled as guest users should not be able to run executables. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xguest_exec_content is not disabled' ocil: '' sebool_xguest_mount_media.rule000066400000000000000000000011701327242345500344220ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the xguest_mount_media SELinux Boolean' description: |- By default, the SELinux boolean xguest_mount_media is enabled. This setting should be disabled as guest users should not be able to mount any media. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xguest_mount_media is not disabled' ocil: '' sebool_xguest_use_bluetooth.rule000066400000000000000000000012121327242345500347770ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the xguest_use_bluetooth SELinux Boolean' description: |- By default, the SELinux boolean xguest_use_bluetooth is enabled. This setting should be disabled as guests users should not be able to access or use bluetooth. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xguest_use_bluetooth is not enabled' ocil: '' sebool_xserver_clients_write_xshm.rule000066400000000000000000000011721327242345500362140ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the xserver_clients_write_xshm SELinux Boolean' description: |- By default, the SELinux boolean xserver_clients_write_xshm is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xserver_clients_write_xshm is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_xserver_execmem.rule000066400000000000000000000011031327242345500337760ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the xserver_execmem SELinux Boolean' description: |- By default, the SELinux boolean xserver_execmem is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xserver_execmem is not disabled' ocil: '' sebool_xserver_object_manager.rule000066400000000000000000000011461327242345500352430ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the xserver_object_manager SELinux Boolean' description: |- By default, the SELinux boolean xserver_object_manager is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'xserver_object_manager is not disabled' ocil: '' sebool_zabbix_can_network.rule000066400000000000000000000011221327242345500343700ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the zabbix_can_network SELinux Boolean' description: |- By default, the SELinux boolean zabbix_can_network is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'zabbix_can_network is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/sebool_zarafa_setrlimit.rule000066400000000000000000000011101327242345500341330ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7 title: 'Disable the zarafa_setrlimit SELinux Boolean' description: |- By default, the SELinux boolean zarafa_setrlimit is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'zarafa_setrlimit is not disabled' ocil: '' sebool_zebra_write_config.rule000066400000000000000000000011221327242345500343610ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the zebra_write_config SELinux Boolean' description: |- By default, the SELinux boolean zebra_write_config is disabled. If this setting is enabled, it should be disabled. 
rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'zebra_write_config is not disabled' ocil: '' sebool_zoneminder_anon_write.rule000066400000000000000000000011411327242345500351170ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the zoneminder_anon_write SELinux Boolean' description: |- By default, the SELinux boolean zoneminder_anon_write is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'zoneminder_anon_write is not disabled' ocil: '' sebool_zoneminder_run_sudo.rule000066400000000000000000000011271327242345500346140ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true prodtype: rhel7 title: 'Disable the zoneminder_run_sudo SELinux Boolean' description: |- By default, the SELinux boolean zoneminder_run_sudo is disabled. If this setting is enabled, it should be disabled. rationale: "" severity: medium identifiers: cce@rhel7: RHEL7-CCE-TBD references: disa: TBD nist: TBD srg: TBD stigid@rhel7: TBD ocil_clause: 'zoneminder_run_sudo is not disabled' ocil: '' scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/selinux-booleans.group000066400000000000000000000003201327242345500327060ustar00rootroot00000000000000documentation_complete: true title: 'SELinux - Booleans' description: |- Enable or Disable runtime customization of SELinux system policies without having to reload or recompile the SELinux policy. 
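The check the sebool_* rules above describe, written out as an added example that is not part of the scap-security-guide sources: a POSIX shell audit that compares a `getsebool -a` listing with the on/off state each rule on this page calls for and reports every boolean that deviates or is absent. The listing it runs against is constructed inline; the function names are assumptions of this example, not anything the project defines.

```shell
#!/bin/sh
# Added example, not part of the scap-security-guide sources. It audits
# the SELinux booleans covered by the sebool_* rules above against the
# state those rules call for, reading the "name --> on|off" lines that
# `getsebool -a` prints. Nothing here changes a boolean; it only reports.

# Expected state per boolean as "name=state", taken from the rule
# descriptions on this page ("Disable ..." -> off, "Enable ..." -> on).
EXPECTED_STATES="virt_use_samba=off virt_use_sanlock=off virt_use_usb=off \
virt_use_xserver=off webadm_manage_user_files=off webadm_read_user_files=off \
wine_mmap_zero_ignore=off xdm_bind_vnc_tcp_port=off xdm_exec_bootloader=off \
xdm_sysadm_login=off xdm_write_home=off xen_use_nfs=off \
xend_run_blktap=on xend_run_qemu=on \
xguest_connect_network=off xguest_exec_content=off xguest_mount_media=off \
xguest_use_bluetooth=off xserver_clients_write_xshm=off xserver_execmem=off \
xserver_object_manager=off zabbix_can_network=off zarafa_setrlimit=off \
zebra_write_config=off zoneminder_anon_write=off zoneminder_run_sudo=off"

# Print what a fully compliant `getsebool -a` listing of these booleans
# looks like; used to build the constructed sample below.
expected_as_getsebool() {
    for _entry in $EXPECTED_STATES; do
        printf '%s --> %s\n' "${_entry%=*}" "${_entry#*=}"
    done
}

# Constructed sample listing: take the compliant listing, flip three
# booleans away from their expected state and drop one line entirely,
# so the audit has both "wrong state" and "missing" cases to report.
sample_getsebool_output() {
    expected_as_getsebool \
      | sed -e 's/^virt_use_usb --> off$/virt_use_usb --> on/' \
            -e 's/^xend_run_qemu --> on$/xend_run_qemu --> off/' \
            -e 's/^xguest_connect_network --> off$/xguest_connect_network --> on/' \
            -e '/^zebra_write_config /d'
}

# audit_booleans GETSEBOOL_OUTPUT
# Prints one "name expected=<state> actual=<state|missing>" line per
# boolean that deviates from its expected state. Booleans present in the
# listing but not in EXPECTED_STATES are ignored, so the full output of
# `getsebool -a` can be passed in unchanged. Returns 0 when everything
# is compliant and 1 when at least one deviation was found.
audit_booleans() {
    _listing="$1"
    _rc=0
    for _entry in $EXPECTED_STATES; do
        _name="${_entry%=*}"
        _want="${_entry#*=}"
        _have=$(printf '%s\n' "$_listing" \
                | awk -v n="$_name" '$1 == n && $2 == "-->" { print $3; exit }')
        if [ -z "$_have" ]; then
            printf '%s expected=%s actual=missing\n' "$_name" "$_want"
            _rc=1
        elif [ "$_have" != "$_want" ]; then
            printf '%s expected=%s actual=%s\n' "$_name" "$_want" "$_have"
            _rc=1
        fi
    done
    return $_rc
}

# Stand-alone run against the constructed sample. On a real host use:
#   audit_booleans "$(getsebool -a)"
if audit_booleans "$(sample_getsebool_output)"; then
    echo "all audited SELinux booleans are in their expected state"
else
    echo "deviations found; correct each with: setsebool -P <name> <state>"
fi
```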
# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_abrt_anon_write.var
documentation_complete: true
title: 'abrt_anon_write SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_abrt_handle_event.var
documentation_complete: true
title: 'abrt_handle_event SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_abrt_upload_watch_anon_write.var
documentation_complete: true
title: 'abrt_upload_watch_anon_write SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_antivirus_can_scan_system.var
documentation_complete: true
title: 'antivirus_can_scan_system SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_antivirus_use_jit.var
documentation_complete: true
title: 'antivirus_use_jit SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_auditadm_exec_content.var
documentation_complete: true
title: 'auditadm_exec_content SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_authlogin_nsswitch_use_ldap.var
documentation_complete: true
title: 'authlogin_nsswitch_use_ldap SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_authlogin_radius.var
documentation_complete: true
title: 'authlogin_radius SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_authlogin_yubikey.var
documentation_complete: true
title: 'authlogin_yubikey SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_awstats_purge_apache_log_files.var
documentation_complete: true
title: 'awstats_purge_apache_log_files SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_boinc_execmem.var
documentation_complete: true
title: 'boinc_execmem SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cdrecord_read_content.var
documentation_complete: true
title: 'cdrecord_read_content SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cluster_can_network_connect.var
documentation_complete: true
title: 'cluster_can_network_connect SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cluster_manage_all_files.var
documentation_complete: true
title: 'cluster_manage_all_files SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cluster_use_execmem.var
documentation_complete: true
title: 'cluster_use_execmem SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cobbler_anon_write.var
documentation_complete: true
title: 'cobbler_anon_write SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cobbler_can_network_connect.var
documentation_complete: true
title: 'cobbler_can_network_connect SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cobbler_use_cifs.var
documentation_complete: true
title: 'cobbler_use_cifs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cobbler_use_nfs.var
documentation_complete: true
title: 'cobbler_use_nfs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_collectd_tcp_network_connect.var
documentation_complete: true
title: 'collectd_tcp_network_connect SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_condor_tcp_network_connect.var
documentation_complete: true
title: 'condor_tcp_network_connect SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_conman_can_network.var
documentation_complete: true
title: 'conman_can_network SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cron_can_relabel.var
documentation_complete: true
title: 'cron_can_relabel SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cron_system_cronjob_use_shares.var
documentation_complete: true
title: 'cron_system_cronjob_use_shares SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cron_userdomain_transition.var
documentation_complete: true
title: 'cron_userdomain_transition SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cups_execmem.var
documentation_complete: true
title: 'cups_execmem SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_cvs_read_shadow.var
documentation_complete: true
title: 'cvs_read_shadow SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_daemons_dump_core.var
documentation_complete: true
title: 'daemons_dump_core SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_daemons_enable_cluster_mode.var
documentation_complete: true
title: 'daemons_enable_cluster_mode SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_daemons_use_tcp_wrapper.var
documentation_complete: true
title: 'daemons_use_tcp_wrapper SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_daemons_use_tty.var
documentation_complete: true
title: 'daemons_use_tty SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_dbadm_exec_content.var
documentation_complete: true
title: 'dbadm_exec_content SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_dbadm_manage_user_files.var
documentation_complete: true
title: 'dbadm_manage_user_files SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_dbadm_read_user_files.var
documentation_complete: true
title: 'dbadm_read_user_files SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_deny_execmem.var
documentation_complete: true
title: 'deny_execmem SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_deny_ptrace.var
documentation_complete: true
title: 'deny_ptrace SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_dhcpc_exec_iptables.var
documentation_complete: true
title: 'dhcpc_exec_iptables SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_dhcpd_use_ldap.var
documentation_complete: true
title: 'dhcpd_use_ldap SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_docker_connect_any.var
documentation_complete: true
title: 'docker_connect_any SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_docker_transition_unconfined.var
documentation_complete: true
title: 'docker_transition_unconfined SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_domain_fd_use.var
documentation_complete: true
title: 'domain_fd_use SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_domain_kernel_load_modules.var
documentation_complete: true
title: 'domain_kernel_load_modules SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_entropyd_use_audio.var
documentation_complete: true
title: 'entropyd_use_audio SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_exim_can_connect_db.var
documentation_complete: true
title: 'exim_can_connect_db SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_exim_manage_user_files.var
documentation_complete: true
title: 'exim_manage_user_files SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# File: scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_exim_read_user_files.var
documentation_complete: true
title: 'exim_read_user_files SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_fcron_crond.var000066400000000000000000000005111327242345500322210ustar00rootroot00000000000000documentation_complete: true title: 'fcron_crond SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_fenced_can_network_connect.var000066400000000000000000000005301327242345500351760ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'fenced_can_network_connect SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_fenced_can_ssh.var000066400000000000000000000005141327242345500326520ustar00rootroot00000000000000documentation_complete: true title: 'fenced_can_ssh SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_fips_mode.var000066400000000000000000000005061327242345500316760ustar00rootroot00000000000000documentation_complete: true title: 'fips_mode SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_ftp_home_dir.var000066400000000000000000000005121327242345500323650ustar00rootroot00000000000000documentation_complete: true title: 'ftp_home_dir SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_ftpd_anon_write.var000066400000000000000000000005151327242345500331130ustar00rootroot00000000000000documentation_complete: true title: 'ftpd_anon_write SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_ftpd_connect_all_unreserved.var000066400000000000000000000005311327242345500354100ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'ftpd_connect_all_unreserved SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_ftpd_connect_db.var000066400000000000000000000005151327242345500330440ustar00rootroot00000000000000documentation_complete: true title: 'ftpd_connect_db SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_ftpd_full_access.var000066400000000000000000000005161327242345500332320ustar00rootroot00000000000000documentation_complete: true title: 'ftpd_full_access SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_ftpd_use_cifs.var000066400000000000000000000005131327242345500325440ustar00rootroot00000000000000documentation_complete: true title: 'ftpd_use_cifs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_ftpd_use_fusefs.var000066400000000000000000000005151327242345500331150ustar00rootroot00000000000000documentation_complete: true title: 'ftpd_use_fusefs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_ftpd_use_nfs.var000066400000000000000000000005121327242345500324050ustar00rootroot00000000000000documentation_complete: true title: 'ftpd_use_nfs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_ftpd_use_passive_mode.var000066400000000000000000000005231327242345500342200ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'ftpd_use_passive_mode SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_git_cgi_enable_homedirs.var000066400000000000000000000005251327242345500344600ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'git_cgi_enable_homedirs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_git_cgi_use_cifs.var000066400000000000000000000005161327242345500332170ustar00rootroot00000000000000documentation_complete: true title: 'git_cgi_use_cifs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_git_cgi_use_nfs.var000066400000000000000000000005151327242345500330600ustar00rootroot00000000000000documentation_complete: true title: 'git_cgi_use_nfs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_git_session_bind_all_unreserved_ports.var000066400000000000000000000005431327242345500375160ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'git_session_bind_all_unreserved_ports SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_git_session_users.var000066400000000000000000000005171327242345500335020ustar00rootroot00000000000000documentation_complete: true title: 'git_session_users SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_git_system_enable_homedirs.var000066400000000000000000000005301327242345500352360ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'git_system_enable_homedirs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_git_system_use_cifs.var000066400000000000000000000005211327242345500337750ustar00rootroot00000000000000documentation_complete: true title: 'git_system_use_cifs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_git_system_use_nfs.var000066400000000000000000000005201327242345500336360ustar00rootroot00000000000000documentation_complete: true title: 'git_system_use_nfs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_gitosis_can_sendmail.var000066400000000000000000000005221327242345500341050ustar00rootroot00000000000000documentation_complete: true title: 'gitosis_can_sendmail SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_glance_api_can_network.var000066400000000000000000000005241327242345500343260ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'glance_api_can_network SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_glance_use_execmem.var000066400000000000000000000005201327242345500335350ustar00rootroot00000000000000documentation_complete: true title: 'glance_use_execmem SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_glance_use_fusefs.var000066400000000000000000000005171327242345500334130ustar00rootroot00000000000000documentation_complete: true title: 'glance_use_fusefs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_global_ssp.var000066400000000000000000000005101327242345500320510ustar00rootroot00000000000000documentation_complete: true title: 'global_ssp SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_gluster_anon_write.var000066400000000000000000000005201327242345500336370ustar00rootroot00000000000000documentation_complete: true title: 'gluster_anon_write SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_gluster_export_all_ro.var000066400000000000000000000005231327242345500342670ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'gluster_export_all_ro SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_gluster_export_all_rw.var000066400000000000000000000005221327242345500342760ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'gluster_export_all_rw SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_gpg_web_anon_write.var000066400000000000000000000005201327242345500335640ustar00rootroot00000000000000documentation_complete: true title: 'gpg_web_anon_write SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_gssd_read_tmp.var000066400000000000000000000005121327242345500325410ustar00rootroot00000000000000documentation_complete: true title: 'gssd_read_tmp SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_guest_exec_content.var000066400000000000000000000005171327242345500336200ustar00rootroot00000000000000documentation_complete: true title: 'guest_exec_content SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_haproxy_connect_any.var000066400000000000000000000005211327242345500340000ustar00rootroot00000000000000documentation_complete: true title: 'haproxy_connect_any SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_anon_write.var000066400000000000000000000005161327242345500333020ustar00rootroot00000000000000documentation_complete: true title: 'httpd_anon_write SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_builtin_scripting.var000066400000000000000000000005241327242345500346050ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_builtin_scripting SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_can_check_spam.var000066400000000000000000000005221327242345500340500ustar00rootroot00000000000000documentation_complete: true title: 'httpd_can_check_spam SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_can_connect_ftp.var000066400000000000000000000005231327242345500341770ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_can_connect_ftp SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_can_connect_ldap.var000066400000000000000000000005241327242345500343270ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_can_connect_ldap SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_can_connect_mythtv.var000066400000000000000000000005261327242345500347440ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_can_connect_mythtv SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_can_connect_zabbix.var000066400000000000000000000005261327242345500346700ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_can_connect_zabbix SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_can_network_connect.var000066400000000000000000000005271327242345500351030ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_can_network_connect SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_can_network_connect_cobbler.var000066400000000000000000000005371327242345500365740ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_can_network_connect_cobbler SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_can_network_connect_db.var000066400000000000000000000005321327242345500355440ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_can_network_connect_db SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_can_network_memcache.var000066400000000000000000000005301327242345500352060ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_can_network_memcache SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_can_network_relay.var000066400000000000000000000005251327242345500345640ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_can_network_relay SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_can_sendmail.var000066400000000000000000000005201327242345500335450ustar00rootroot00000000000000documentation_complete: true title: 'httpd_can_sendmail SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_dbus_avahi.var000066400000000000000000000005161327242345500332420ustar00rootroot00000000000000documentation_complete: true title: 'httpd_dbus_avahi SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_dbus_sssd.var000066400000000000000000000005151327242345500331250ustar00rootroot00000000000000documentation_complete: true title: 'httpd_dbus_sssd SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_dontaudit_search_dirs.var000066400000000000000000000005311327242345500354140ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_dontaudit_search_dirs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_enable_cgi.var000066400000000000000000000005151327242345500332040ustar00rootroot00000000000000documentation_complete: true title: 'httpd_enable_cgi SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true var_httpd_enable_ftp_server.var000066400000000000000000000005251327242345500345430ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_enable_ftp_server SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_enable_homedirs.var000066400000000000000000000005231327242345500341740ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_enable_homedirs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_execmem.var000066400000000000000000000005131327242345500325550ustar00rootroot00000000000000documentation_complete: true title: 'httpd_execmem SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_graceful_shutdown.var000066400000000000000000000005241327242345500346000ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_graceful_shutdown SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_manage_ipa.var000066400000000000000000000005161327242345500332160ustar00rootroot00000000000000documentation_complete: true title: 'httpd_manage_ipa SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_mod_auth_ntlm_winbind.var000066400000000000000000000005311327242345500354170ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_mod_auth_ntlm_winbind SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_mod_auth_pam.var000066400000000000000000000005201327242345500335650ustar00rootroot00000000000000documentation_complete: true title: 'httpd_mod_auth_pam SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_httpd_read_user_content.var000066400000000000000000000005251327242345500345610ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'httpd_read_user_content SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
# (end of the preceding .var file; its name is not in this excerpt)
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_run_ipa.var
documentation_complete: true
title: 'httpd_run_ipa SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_run_preupgrade.var
documentation_complete: true
title: 'httpd_run_preupgrade SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_run_stickshift.var
documentation_complete: true
title: 'httpd_run_stickshift SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_serve_cobbler_files.var
documentation_complete: true
title: 'httpd_serve_cobbler_files SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_setrlimit.var
documentation_complete: true
title: 'httpd_setrlimit SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_ssi_exec.var
documentation_complete: true
title: 'httpd_ssi_exec SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_sys_script_anon_write.var
documentation_complete: true
title: 'httpd_sys_script_anon_write SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_tmp_exec.var
documentation_complete: true
title: 'httpd_tmp_exec SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_tty_comm.var
documentation_complete: true
title: 'httpd_tty_comm SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_unified.var
documentation_complete: true
title: 'httpd_unified SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_use_cifs.var
documentation_complete: true
title: 'httpd_use_cifs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_use_fusefs.var
documentation_complete: true
title: 'httpd_use_fusefs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_use_gpg.var
documentation_complete: true
title: 'httpd_use_gpg SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_use_nfs.var
documentation_complete: true
title: 'httpd_use_nfs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_use_openstack.var
documentation_complete: true
title: 'httpd_use_openstack SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_use_sasl.var
documentation_complete: true
title: 'httpd_use_sasl SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_httpd_verify_dns.var
documentation_complete: true
title: 'httpd_verify_dns SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_icecast_use_any_tcp_ports.var
documentation_complete: true
title: 'icecast_use_any_tcp_ports SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_irc_use_any_tcp_ports.var
documentation_complete: true
title: 'irc_use_any_tcp_ports SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_irssi_use_full_network.var
documentation_complete: true
title: 'irssi_use_full_network SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_kdumpgui_run_bootloader.var
documentation_complete: true
title: 'kdumpgui_run_bootloader SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_kerberos_enabled.var
documentation_complete: true
title: 'kerberos_enabled SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_ksmtuned_use_cifs.var
documentation_complete: true
title: 'ksmtuned_use_cifs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_ksmtuned_use_nfs.var
documentation_complete: true
title: 'ksmtuned_use_nfs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_logadm_exec_content.var
documentation_complete: true
title: 'logadm_exec_content SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_logging_syslogd_can_sendmail.var
documentation_complete: true
title: 'logging_syslogd_can_sendmail SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_logging_syslogd_run_nagios_plugins.var
documentation_complete: true
title: 'logging_syslogd_run_nagios_plugins SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_logging_syslogd_use_tty.var
documentation_complete: true
title: 'logging_syslogd_use_tty SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_login_console_enabled.var
documentation_complete: true
title: 'login_console_enabled SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_logrotate_use_nfs.var
documentation_complete: true
title: 'logrotate_use_nfs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_logwatch_can_network_connect_mail.var
documentation_complete: true
title: 'logwatch_can_network_connect_mail SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_lsmd_plugin_connect_any.var
documentation_complete: true
title: 'lsmd_plugin_connect_any SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mailman_use_fusefs.var
documentation_complete: true
title: 'mailman_use_fusefs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mcelog_client.var
documentation_complete: true
title: 'mcelog_client SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mcelog_exec_scripts.var
documentation_complete: true
title: 'mcelog_exec_scripts SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mcelog_foreground.var
documentation_complete: true
title: 'mcelog_foreground SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mcelog_server.var
documentation_complete: true
title: 'mcelog_server SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_minidlna_read_generic_user_content.var
documentation_complete: true
title: 'minidlna_read_generic_user_content SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mmap_low_allowed.var
documentation_complete: true
title: 'mmap_low_allowed SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mock_enable_homedirs.var
documentation_complete: true
title: 'mock_enable_homedirs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mount_anyfile.var
documentation_complete: true
title: 'mount_anyfile SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mozilla_plugin_bind_unreserved_ports.var
documentation_complete: true
title: 'mozilla_plugin_bind_unreserved_ports SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mozilla_plugin_can_network_connect.var
documentation_complete: true
title: 'mozilla_plugin_can_network_connect SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mozilla_plugin_use_bluejeans.var
documentation_complete: true
title: 'mozilla_plugin_use_bluejeans SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mozilla_plugin_use_gps.var
documentation_complete: true
title: 'mozilla_plugin_use_gps SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mozilla_plugin_use_spice.var
documentation_complete: true
title: 'mozilla_plugin_use_spice SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mozilla_read_content.var
documentation_complete: true
title: 'mozilla_read_content SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mpd_enable_homedirs.var
documentation_complete: true
title: 'mpd_enable_homedirs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mpd_use_cifs.var
documentation_complete: true
title: 'mpd_use_cifs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mpd_use_nfs.var
documentation_complete: true
title: 'mpd_use_nfs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mplayer_execstack.var
documentation_complete: true
title: 'mplayer_execstack SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_mysql_connect_any.var
documentation_complete: true
title: 'mysql_connect_any SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_nagios_run_pnp4nagios.var
documentation_complete: true
title: 'nagios_run_pnp4nagios SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_nagios_run_sudo.var
documentation_complete: true
title: 'nagios_run_sudo SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_named_tcp_bind_http_port.var
documentation_complete: true
title: 'named_tcp_bind_http_port SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_named_write_master_zones.var
documentation_complete: true
title: 'named_write_master_zones SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_neutron_can_network.var
documentation_complete: true
title: 'neutron_can_network SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_nfs_export_all_ro.var
documentation_complete: true
title: 'nfs_export_all_ro SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_nfs_export_all_rw.var
documentation_complete: true
title: 'nfs_export_all_rw SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_nfsd_anon_write.var
documentation_complete: true
title: 'nfsd_anon_write SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_nis_enabled.var
documentation_complete: true
title: 'nis_enabled SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_nscd_use_shm.var
documentation_complete: true
title: 'nscd_use_shm SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_openshift_use_nfs.var
documentation_complete: true
title: 'openshift_use_nfs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_openvpn_can_network_connect.var
documentation_complete: true
title: 'openvpn_can_network_connect SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_openvpn_enable_homedirs.var
documentation_complete: true
title: 'openvpn_enable_homedirs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_openvpn_run_unconfined.var
documentation_complete: true
title: 'openvpn_run_unconfined SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_pcp_bind_all_unreserved_ports.var
documentation_complete: true
title: 'pcp_bind_all_unreserved_ports SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_pcp_read_generic_logs.var
documentation_complete: true
title: 'pcp_read_generic_logs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_piranha_lvs_can_network_connect.var
documentation_complete: true
title: 'piranha_lvs_can_network_connect SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_polipo_connect_all_unreserved.var
documentation_complete: true
title: 'polipo_connect_all_unreserved SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_polipo_session_bind_all_unreserved_ports.var
documentation_complete: true
title: 'polipo_session_bind_all_unreserved_ports SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_polipo_session_users.var
documentation_complete: true
title: 'polipo_session_users SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_polipo_use_cifs.var
documentation_complete: true
title: 'polipo_use_cifs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_polipo_use_nfs.var
documentation_complete: true
title: 'polipo_use_nfs SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_polyinstantiation_enabled.var
documentation_complete: true
title: 'polyinstantiation_enabled SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_postfix_local_write_mail_spool.var
documentation_complete: true
title: 'postfix_local_write_mail_spool SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: true
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_postgresql_can_rsync.var
documentation_complete: true
title: 'postgresql_can_rsync SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.
type: boolean
operator: equals
interactive: false
options:
    default: false
    off: false
    on: true

# scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_postgresql_selinux_transmit_client_label.var
documentation_complete: true
title: 'postgresql_selinux_transmit_client_label SELinux Boolean'
description: |-
    default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_postgresql_selinux_unconfined_dbadm.var000066400000000000000000000005401327242345500371610ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'postgresql_selinux_unconfined_dbadm SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true var_postgresql_selinux_users_ddl.var000066400000000000000000000005311327242345500356660ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'postgresql_selinux_users_ddl SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_pppd_can_insmod.var000066400000000000000000000005151327242345500330660ustar00rootroot00000000000000documentation_complete: true title: 'pppd_can_insmod SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_pppd_for_user.var000066400000000000000000000005131327242345500325760ustar00rootroot00000000000000documentation_complete: true title: 'pppd_for_user SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_privoxy_connect_any.var000066400000000000000000000005201327242345500340250ustar00rootroot00000000000000documentation_complete: true title: 'privoxy_connect_any SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true var_prosody_bind_http_port.var000066400000000000000000000005241327242345500344500ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'prosody_bind_http_port SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_puppetagent_manage_all_files.var000066400000000000000000000005321327242345500355270ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'puppetagent_manage_all_files SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_puppetmaster_use_db.var000066400000000000000000000005211327242345500340000ustar00rootroot00000000000000documentation_complete: true title: 'puppetmaster_use_db SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_racoon_read_shadow.var000066400000000000000000000005201327242345500335460ustar00rootroot00000000000000documentation_complete: true title: 'racoon_read_shadow SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_rsync_anon_write.var000066400000000000000000000005161327242345500333150ustar00rootroot00000000000000documentation_complete: true title: 'rsync_anon_write SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_rsync_client.var000066400000000000000000000005121327242345500324220ustar00rootroot00000000000000documentation_complete: true title: 'rsync_client SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_rsync_export_all_ro.var000066400000000000000000000005211327242345500340150ustar00rootroot00000000000000documentation_complete: true title: 'rsync_export_all_ro SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_rsync_full_access.var000066400000000000000000000005171327242345500334340ustar00rootroot00000000000000documentation_complete: true title: 'rsync_full_access SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_samba_create_home_dirs.var000066400000000000000000000005241327242345500343110ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'samba_create_home_dirs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_samba_domain_controller.var000066400000000000000000000005251327242345500345300ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'samba_domain_controller SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_samba_enable_home_dirs.var000066400000000000000000000005241327242345500342740ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'samba_enable_home_dirs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_samba_export_all_ro.var000066400000000000000000000005211327242345500337420ustar00rootroot00000000000000documentation_complete: true title: 'samba_export_all_ro SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_samba_export_all_rw.var000066400000000000000000000005211327242345500337520ustar00rootroot00000000000000documentation_complete: true title: 'samba_export_all_rw SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_samba_load_libgfapi.var000066400000000000000000000005211327242345500336450ustar00rootroot00000000000000documentation_complete: true title: 'samba_load_libgfapi SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_samba_portmapper.var000066400000000000000000000005161327242345500332660ustar00rootroot00000000000000documentation_complete: true title: 'samba_portmapper SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_samba_run_unconfined.var000066400000000000000000000005221327242345500341060ustar00rootroot00000000000000documentation_complete: true title: 'samba_run_unconfined SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_samba_share_fusefs.var000066400000000000000000000005201327242345500335450ustar00rootroot00000000000000documentation_complete: true title: 'samba_share_fusefs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_samba_share_nfs.var000066400000000000000000000005151327242345500330440ustar00rootroot00000000000000documentation_complete: true title: 'samba_share_nfs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_sanlock_use_fusefs.var000066400000000000000000000005201327242345500336060ustar00rootroot00000000000000documentation_complete: true title: 'sanlock_use_fusefs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_sanlock_use_nfs.var000066400000000000000000000005151327242345500331050ustar00rootroot00000000000000documentation_complete: true title: 'sanlock_use_nfs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_sanlock_use_samba.var000066400000000000000000000005171327242345500334040ustar00rootroot00000000000000documentation_complete: true title: 'sanlock_use_samba SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_saslauthd_read_shadow.var000066400000000000000000000005231327242345500342010ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'saslauthd_read_shadow SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_secadm_exec_content.var000066400000000000000000000005201327242345500337170ustar00rootroot00000000000000documentation_complete: true title: 'secadm_exec_content SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_secure_mode.var000066400000000000000000000005111327242345500322170ustar00rootroot00000000000000documentation_complete: true title: 'secure_mode SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_secure_mode_insmod.var000066400000000000000000000005201327242345500335700ustar00rootroot00000000000000documentation_complete: true title: 'secure_mode_insmod SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_secure_mode_policyload.var000066400000000000000000000005241327242345500343630ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'secure_mode_policyload SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_selinuxuser_direct_dri_enabled.var000066400000000000000000000005331327242345500361020ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'selinuxuser_direct_dri_enabled SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_selinuxuser_execheap.var000066400000000000000000000005221327242345500341570ustar00rootroot00000000000000documentation_complete: true title: 'selinuxuser_execheap SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_selinuxuser_execmod.var000066400000000000000000000005201327242345500340170ustar00rootroot00000000000000documentation_complete: true title: 'selinuxuser_execmod SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true var_selinuxuser_execstack.var000066400000000000000000000005221327242345500342700ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'selinuxuser_execstack SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true var_selinuxuser_mysql_connect_enabled.var000066400000000000000000000005371327242345500366540ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'selinuxuser_mysql_connect_enabled SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_selinuxuser_ping.var000066400000000000000000000005151327242345500333340ustar00rootroot00000000000000documentation_complete: true title: 'selinuxuser_ping SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true var_selinuxuser_postgresql_connect_enabled.var000066400000000000000000000005441327242345500377100ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'selinuxuser_postgresql_connect_enabled SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_selinuxuser_rw_noexattrfile.var000066400000000000000000000005301327242345500355310ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'selinuxuser_rw_noexattrfile SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true var_selinuxuser_share_music.var000066400000000000000000000005251327242345500346230ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'selinuxuser_share_music SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_selinuxuser_tcp_server.var000066400000000000000000000005241327242345500344740ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'selinuxuser_tcp_server SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_selinuxuser_udp_server.var000066400000000000000000000005241327242345500344760ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'selinuxuser_udp_server SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_selinuxuser_use_ssh_chroot.var000066400000000000000000000005301327242345500353440ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'selinuxuser_use_ssh_chroot SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_sftpd_anon_write.var000066400000000000000000000005161327242345500332770ustar00rootroot00000000000000documentation_complete: true title: 'sftpd_anon_write SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_sftpd_enable_homedirs.var000066400000000000000000000005231327242345500341710ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'sftpd_enable_homedirs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_sftpd_full_access.var000066400000000000000000000005171327242345500334160ustar00rootroot00000000000000documentation_complete: true title: 'sftpd_full_access SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_sftpd_write_ssh_home.var000066400000000000000000000005221327242345500341460ustar00rootroot00000000000000documentation_complete: true title: 'sftpd_write_ssh_home SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_sge_domain_can_network_connect.var000066400000000000000000000005341327242345500360630ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'sge_domain_can_network_connect SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_sge_use_nfs.var000066400000000000000000000005111327242345500322250ustar00rootroot00000000000000documentation_complete: true title: 'sge_use_nfs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_smartmon_3ware.var000066400000000000000000000005141327242345500326710ustar00rootroot00000000000000documentation_complete: true title: 'smartmon_3ware SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_smbd_anon_write.var000066400000000000000000000005151327242345500331030ustar00rootroot00000000000000documentation_complete: true title: 'smbd_anon_write SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_spamassassin_can_network.var000066400000000000000000000005261327242345500347530ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'spamassassin_can_network SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_spamd_enable_home_dirs.var000066400000000000000000000005231327242345500343140ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'spamd_enable_home_dirs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_squid_connect_any.var000066400000000000000000000005161327242345500334370ustar00rootroot00000000000000documentation_complete: true title: 'squid_connect_any SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: true off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_squid_use_tproxy.var000066400000000000000000000005161327242345500333600ustar00rootroot00000000000000documentation_complete: true title: 'squid_use_tproxy SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true var_ssh_chroot_rw_homedirs.var000066400000000000000000000005241327242345500344270ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleansdocumentation_complete: true title: 'ssh_chroot_rw_homedirs SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_ssh_keysign.var000066400000000000000000000005111327242345500322530ustar00rootroot00000000000000documentation_complete: true title: 'ssh_keysign SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
off - SELinux boolean is disabled. type: boolean operator: equals interactive: false options: default: false off: false on: true scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/var_ssh_sysadm_login.var000066400000000000000000000005161327242345500332770ustar00rootroot00000000000000documentation_complete: true title: 'ssh_sysadm_login SELinux Boolean' description: |- default - Default SELinux boolean setting.
on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.

type: boolean

operator: equals

interactive: false

options:
    default: false
    off: false
    on: true

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux-booleans/ (64 further .var files)

Every file listed below has the same body; the files differ only in the boolean named in the title (the file name without the var_ prefix and .var suffix) and in the value of options.default:

documentation_complete: true

title: '<boolean> SELinux Boolean'

description: |-
    default - Default SELinux boolean setting.
    on - SELinux boolean is enabled.
    off - SELinux boolean is disabled.

type: boolean

operator: equals

interactive: false

options:
    default: <true or false, as listed below>
    off: false
    on: true

File                                                   options.default
var_staff_exec_content.var                             true
var_staff_use_svirt.var                                false
var_swift_can_network.var                              false
var_sysadm_exec_content.var                            true
var_telepathy_connect_all_ports.var                    false
var_telepathy_tcp_connect_generic_network_ports.var    true
var_tftp_anon_write.var                                false
var_tftp_home_dir.var                                  false
var_tmpreaper_use_nfs.var                              false
var_tmpreaper_use_samba.var                            false
var_tor_bind_all_unreserved_ports.var                  false
var_tor_can_network_relay.var                          false
var_unconfined_chrome_sandbox_transition.var           true
var_unconfined_login.var                               true
var_unconfined_mozilla_plugin_transition.var           true
var_unprivuser_use_svirt.var                           false
var_use_ecryptfs_home_dirs.var                         false
var_use_fusefs_home_dirs.var                           false
var_use_lpd_server.var                                 false
var_use_nfs_home_dirs.var                              false
var_use_samba_home_dirs.var                            false
var_user_exec_content.var                              true
var_varnishd_connect_any.var                           false
var_virt_read_qemu_ga_data.var                         false
var_virt_rw_qemu_ga_data.var                           false
var_virt_sandbox_use_all_caps.var                      true
var_virt_sandbox_use_audit.var                         true
var_virt_sandbox_use_mknod.var                         false
var_virt_sandbox_use_netlink.var                       false
var_virt_sandbox_use_nfs.var                           false
var_virt_sandbox_use_samba.var                         false
var_virt_sandbox_use_sys_admin.var                     false
var_virt_transition_userdomain.var                     false
var_virt_use_comm.var                                  false
var_virt_use_execmem.var                               false
var_virt_use_fusefs.var                                false
var_virt_use_nfs.var                                   false
var_virt_use_rawip.var                                 false
var_virt_use_samba.var                                 false
var_virt_use_sanlock.var                               false
var_virt_use_usb.var                                   true
var_virt_use_xserver.var                               false
var_webadm_manage_user_files.var                       false
var_webadm_read_user_files.var                         false
var_wine_mmap_zero_ignore.var                          false
var_xdm_bind_vnc_tcp_port.var                          false
var_xdm_exec_bootloader.var                            false
var_xdm_sysadm_login.var                               false
var_xdm_write_home.var                                 false
var_xen_use_nfs.var                                    false
var_xend_run_blktap.var                                true
var_xend_run_qemu.var                                  true
var_xguest_connect_network.var                         true
var_xguest_exec_content.var                            true
var_xguest_mount_media.var                             true
var_xguest_use_bluetooth.var                           true
var_xserver_clients_write_xshm.var                     false
var_xserver_execmem.var                                false
var_xserver_object_manager.var                         false
var_zabbix_can_network.var                             false
var_zarafa_setrlimit.var                               false
var_zebra_write_config.var                             false
var_zoneminder_anon_write.var                          false
var_zoneminder_run_sudo.var                            false

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux.group

documentation_complete: true

title: SELinux

description: |-
    SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take.

    The default SELinux policy, as configured on Red Hat Enterprise Linux 7, has been sufficiently developed and debugged that it should be usable on almost any Red Hat system with minimal configuration and a small amount of system administrator training. This policy prevents system services - including most of the common network-visible services such as mail servers, FTP servers, and DNS servers - from accessing files which those services have no valid reason to access. This action alone prevents a huge amount of possible damage from network attacks against services, from trojaned software, and so forth.

    This guide recommends that SELinux be enabled using the default (targeted) policy on every Red Hat system, unless that system has unusual requirements which make a stronger policy appropriate.

    For more information on SELinux, see

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux_all_devicefiles_labeled.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure No Device Files are Unlabeled by SELinux'

description: |-
    Device files, which are used for communication with important
    system resources, should be labeled with proper SELinux types. If any device
    files do not carry the SELinux type device_t, report the bug so
    that policy can be corrected. Supply information about what the device is
    and what programs use it.

    To check for unlabeled device files, run the following command:
    $ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
    It should produce no output in a well-configured system.

rationale: |-
    If a device file carries the SELinux type device_t, then SELinux cannot properly restrict access to the device file.

severity: medium

identifiers:
    cce@rhel7: 27326-8

references:
    cui: '3.1.2, 3.1.5,3.7.2'
    disa: 22,32,368,318,1812,1813,1814
    nist: AC-6,AU-9,CM-3(f),CM-7
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "020900"

ocil_clause: 'there is output'

ocil: |-
    To check for unlabeled device files, run the following command:
    $ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
    It should produce no output in a well-configured system.

scap-security-guide-0.1.39/shared/guide/system/selinux/selinux_confinement_of_daemons.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure No Daemons are Unconfined by SELinux'

description: |-
    Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the initrc_t context.

    To check for unconfined daemons, run the following command:
    $ sudo ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
    It should produce no output in a well-configured system.

rationale: |-
    Daemons which run with the initrc_t context may cause AVC denials, or allow privileges that the daemon does not require.

severity: medium

identifiers:
    cce@rhel7: 27288-0

references:
    cis: 1.6.1.6
    cui: 3.1.2,3.1.5,3.7.2
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    nist: AC-6,AU-9,CM-7
It should produce no output in a well-configured system. rationale: |- Daemons which run with the initrc_t context may cause AVC denials, or allow privileges that the daemon does not require. severity: medium identifiers: cce@rhel7: 27288-0 references: cis: 1.6.1.6 cui: 3.1.2,3.1.5,3.7.2 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e) nist: AC-6,AU-9,CM-7 scap-security-guide-0.1.39/shared/guide/system/selinux/selinux_policytype.rule000066400000000000000000000033001327242345500277140ustar00rootroot00000000000000documentation_complete: true prodtype: rhel7,fedora title: 'Configure SELinux Policy' description: |- The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
    SELINUXTYPE=
    Other policies, such as mls, provide additional security labeling and
    greater confinement but are not compatible with many general-purpose use
    cases.

rationale: |-
    Setting the SELinux policy to targeted or a more specialized policy ensures
    the system will confine processes that are likely to be targeted for
    exploitation, such as network or system services.

    Note: During the development or debugging of SELinux modules, it is common
    to temporarily place non-production systems in permissive mode. In such
    temporary cases, SELinux policies should be developed, and once work is
    completed, the system should be reconfigured to .

severity: high

identifiers:
    cce@rhel7: 27279-9

references:
    cis: 1.6.1.3
    cui: 3.1.2,3.7.2
    disa: 2696
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    nist: AC-3,AC-3(3),AC-3(4),AC-4,AC-6,AU-9,SI-6(a)
    srg: SRG-OS-000445-GPOS-00199
    stigid@rhel7: "020220"

ocil_clause: 'it does not'

ocil: |-
    Check the file /etc/selinux/config and ensure the following line appears:
    SELINUXTYPE=
scap-security-guide-0.1.39/shared/guide/system/selinux/selinux_state.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure SELinux State is Enforcing'

description: |-
    The SELinux state should be set to at system boot time. In the file
    /etc/selinux/config, add or correct the following line to configure the
    system to boot into enforcing mode:
    SELINUX=

rationale: |-
    Setting the SELinux state to enforcing ensures SELinux is able to confine
    potentially compromised processes to the security policy, which is designed
    to prevent them from causing damage to the system or further elevating their
    privileges.

severity: high

identifiers:
    cce@rhel7: 27334-2

references:
    cis: 1.6.1.2
    cui: 3.1.2,3.7.2
    disa: 2165,2696
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    nist: AC-3,AC-3(3),AC-3(4),AC-4,AC-6,AU-9,SI-6(a)
    srg: SRG-OS-000445-GPOS-00199
    stigid@rhel7: "020210"

ocil_clause: 'SELINUX is not set to enforcing'

ocil: |-
    Check the file /etc/selinux/config and ensure the following line appears:
    SELINUX=
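The two rules above (selinux_policytype and selinux_state) both come down to one KEY=value line in /etc/selinux/config, and a grep for the line is not enough because a later assignment in the same file overrides an earlier one. As an added example, not code from the scap-security-guide project, the POSIX shell functions below read such a file and report the effective values. The file path, the expected state and policy type, and the sample configuration files written by the demo function are assumptions of the example, not real system files.

```shell
#!/bin/sh
# Added example (not part of the scap-security-guide content): read the
# effective SELINUX and SELINUXTYPE settings from an /etc/selinux/config-style
# file and judge them against expected values. Assumption: as with libselinux,
# the last uncommented KEY=value assignment in the file wins.

# selinux_cfg_get FILE KEY
# Prints the effective value of KEY (empty when the key is not set).
selinux_cfg_get() {
    # drop comments and all whitespace, then keep the last KEY=value match
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v key="$2" '$1 == key { val = $2 } END { print val }'
}

# selinux_cfg_check FILE [STATE] [TYPE]
# Prints one FAIL line per mismatch; returns 0 only when both settings match.
# STATE defaults to enforcing and TYPE to targeted, the values the rules expect.
selinux_cfg_check() {
    cfg=$1
    want_state=${2:-enforcing}
    want_type=${3:-targeted}
    rc=0
    state=$(selinux_cfg_get "$cfg" SELINUX)
    ptype=$(selinux_cfg_get "$cfg" SELINUXTYPE)
    if [ "$state" != "$want_state" ]; then
        echo "FAIL: SELINUX=${state:-<unset>} (expected $want_state)"
        rc=1
    fi
    if [ "$ptype" != "$want_type" ]; then
        echo "FAIL: SELINUXTYPE=${ptype:-<unset>} (expected $want_type)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: SELINUX=$state SELINUXTYPE=$ptype"
    return "$rc"
}

# Stand-alone demo on two constructed config files (not real system files):
# one compliant, one where a later line silently overrides SELINUX.
selinux_cfg_demo() {
    dir=$(mktemp -d)
    printf '# This file controls the state of SELinux on the system.\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$dir/good.conf"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\nSELINUX=permissive   # added for debugging\n' > "$dir/bad.conf"
    for f in good.conf bad.conf; do
        echo "== $f"
        selinux_cfg_check "$dir/$f" || true
    done
    rm -rf "$dir"
}

selinux_cfg_demo
```

Run against the live file with `selinux_cfg_check /etc/selinux/config`; pass `enforcing mls` as the second and third arguments on a system that uses the mls policy. Note that the file only controls the state at boot; `getenforce` reports the running state.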
scap-security-guide-0.1.39/shared/guide/system/selinux/selinux_user_login_roles.rule

documentation_complete: true

prodtype: rhel7

title: 'Map System Users To The Appropriate SELinux Role'

description: |-
    Configure the operating system to prevent non-privileged users from
    executing privileged functions to include disabling, circumventing, or
    altering implemented security safeguards/countermeasures. All administrators
    must be mapped to the sysadm_u or staff_u users with the appropriate domains
    (sysadm_t and staff_t).
    $ sudo semanage login -m -s sysadm_u USER
    or
    $ sudo semanage login -m -s staff_u USER

    All authorized non-administrative users must be mapped to the user_u role
    or the appropriate domain (user_t).
    $ sudo semanage login -m -s user_u USER

rationale: |-
    Preventing non-privileged users from executing privileged functions
    mitigates the risk that unauthorized individuals or processes may gain
    unnecessary access to information or privileges.

    Privileged functions include, for example, establishing accounts, performing
    system integrity checks, or administering cryptographic key management
    activities. Non-privileged users are individuals who do not possess
    appropriate authorizations. Circumventing intrusion detection and prevention
    mechanisms or malicious code protection mechanisms are examples of
    privileged functions that require protection from non-privileged users.

severity: medium

identifiers:
    cce: 80543-2

references:
    disa: 2235
    nist: ""
    srg: SRG-OS-000324-GPOS-00125
    stigid: "020020"

ocil_clause: 'non-admin users are not confined correctly'

ocil: |-
    To verify the operating system prevents non-privileged users from executing
    privileged functions to include disabling, circumventing, or altering
    implemented security safeguards/countermeasures, run the following command:
    $ sudo semanage login -l
    All administrators must be mapped to the sysadm_u or staff_u users with the
    appropriate domains (sysadm_t and staff_t).

    All authorized non-administrative users must be mapped to the user_u role
    or the appropriate domain (user_t).

scap-security-guide-0.1.39/shared/guide/system/selinux/var_selinux_policy_name.var

documentation_complete: true

title: 'SELinux policy'

description: |-
    Type of policy in use. Possible values are:
    targeted - Only targeted network daemons are protected.
    strict - Full SELinux protection.
    mls - Multiple levels of security

type: string

operator: equals

interactive: false

options:
    default: targeted
    mls: mls
    targeted: targeted

scap-security-guide-0.1.39/shared/guide/system/selinux/var_selinux_state.var

documentation_complete: true

title: 'SELinux state'

description: |-
    enforcing - SELinux security policy is enforced.
    permissive - SELinux prints warnings instead of enforcing.
    disabled - SELinux is fully disabled.

type: string

operator: equals

interactive: false

options:
    default: enforcing
    disabled: disabled
    enforcing: enforcing
    permissive: permissive

scap-security-guide-0.1.39/shared/guide/system/software/disk_partitioning/disk_partitioning.group

documentation_complete: true

title: 'Disk Partitioning'

description: |-
    To ensure separation and protection of data, there are top-level system
    directories which should be placed on their own physical partition or
    logical volume. The installer's default partitioning scheme creates separate
    logical volumes for /, /boot, and swap.
    • If starting with any of the default layouts, check the box to "Review and
      modify partitioning." This allows for the easy creation of additional
      logical volumes inside the volume group already created, though it may
      require making /'s logical volume smaller to create space. In general,
      using logical volumes is preferable to using partitions because they can
      be more easily adjusted later.
    • If creating a custom layout, create the partitions mentioned in the
      previous paragraph (which the installer will require anyway), as well as
      separate ones described in the following sections.

    If a system has already been installed, and the default partitioning scheme
    was used, it is possible but nontrivial to modify it to create separate
    logical volumes for the directories listed above. The Logical Volume Manager
    (LVM) makes this possible. See the LVM HOWTO at
    for more detailed information on LVM.

scap-security-guide-0.1.39/shared/guide/system/software/disk_partitioning/encrypt_partitions.rule

documentation_complete: true

prodtype: rhel7

title: 'Encrypt Partitions'

description: |-
    Red Hat Enterprise Linux 7 natively supports partition encryption through
    the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest
    way to encrypt a partition is during installation time.

    For manual installations, select the Encrypt checkbox during partition
    creation to encrypt the partition. When this option is selected the system
    will prompt for a passphrase to use in decrypting the partition. The
    passphrase will subsequently need to be entered manually every time the
    system boots.

    For automated/unattended installations, it is possible to use Kickstart by
    adding the --encrypted and --passphrase= options to the definition of each
    partition to be encrypted. For example, the following line would encrypt
    the root partition:
    part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
    Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart
    must then be protected accordingly. Omitting the --passphrase= option from
    the partition definition will cause the installer to pause and
    interactively ask for the passphrase during installation.

    By default, the Anaconda installer uses aes-xts-plain64 cipher with a
    minimum 512 bit key size which should be compatible with FIPS enabled.

    Detailed information on encrypting partitions using LUKS or LUKS ciphers
    can be found on the Red Hat Documentation web site:

rationale: |-
    The risk of a system's physical compromise, particularly mobile systems such
    as laptops, places its data at risk of compromise. Encrypting this data
    mitigates the risk of its loss if the system is lost.

severity: high

identifiers:
    cce@rhel7: 27128-8

references:
    cui: 3.13.16
    disa: 1199,2476
    hipaa: 164.308(a)(1)(ii)(D),164.308(b)(1),164.310(d),164.312(a)(1),164.312(a)(2)(iii),164.312(a)(2)(iv),164.312(b),164.312(c),164.314(b)(2)(i),164.312(d)
    iso27001-2013: A.8.2.3
    nist: SC-13,SC-28(1)
    srg: SRG-OS-000405-GPOS-00184,SRG-OS-000185-GPOS-00079

ocil_clause: 'partitions do not have a type of crypto_LUKS'

ocil: |-
    Check the system partitions to determine if they are encrypted with the
    following command:
    blkid

    Output will be similar to:
    /dev/sda1: UUID="ab12c3de-4f56-789a-8f33-3850cc8ce3a2" TYPE="crypto_LUKS"
    /dev/sda2: UUID="bc98d7ef-6g54-321h-1d24-9870de2ge1a2" TYPE="crypto_LUKS"

    Pseudo-file systems, such as /proc, /sys, and tmpfs, are not required to
    use disk encryption and are not a finding.

scap-security-guide-0.1.39/shared/guide/system/software/disk_partitioning/partition_for_home.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure /home Located On Separate Partition'

description: |-
    If user home directories will be stored locally, create a separate partition
    for /home at installation time (or migrate it later using LVM). If /home
    will be mounted from another system such as an NFS server, then creating a
    separate partition is not necessary at installation time, and the mountpoint
    can instead be configured later.

rationale: |-
    Ensuring that /home is mounted on its own partition enables the setting of
    more restrictive mount options, and also helps ensure that users cannot
    trivially fill partitions used for log or audit data storage.

severity: low

identifiers:
    cce@rhel7: 80144-9

references:
    cis: 1.1.13
    disa: 366,1208
    nist: SC-32(1)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "021310"

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/software/disk_partitioning/partition_for_tmp.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure /tmp Located On Separate Partition'

description: |-
    The /tmp directory is a world-writable directory used for temporary file
    storage. Ensure it has its own partition or logical volume at installation
    time, or migrate it using LVM.

rationale: |-
    The /tmp partition is used as temporary storage by many programs. Placing
    /tmp in its own partition enables the setting of more restrictive mount
    options, which can help protect programs which use it.

severity: low

identifiers:
    cce@rhel7: 27173-4

references:
    cis: 1.1.2
    disa: 366
    nist: SC-32(1)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "021340"

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/software/disk_partitioning/partition_for_var.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure /var Located On Separate Partition'

description: |-
    The /var directory is used by daemons and other system services to store
    frequently-changing data. Ensure that /var has its own partition or logical
    volume at installation time, or migrate it using LVM.

rationale: |-
    Ensuring that /var is mounted on its own partition enables the setting of
    more restrictive mount options. This helps protect system services such as
    daemons or other programs which use it. It is not uncommon for the /var
    directory to contain world-writable directories installed by other software
    packages.

severity: low

identifiers:
    cce@rhel7: 26404-4

references:
    cis: 1.1.6
    disa: 366
    nist: SC-32(1)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "021320"

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/software/disk_partitioning/partition_for_var_log.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure /var/log Located On Separate Partition'

description: |-
    System logs are stored in the /var/log directory. Ensure that it has its
    own partition or logical volume at installation time, or migrate it using
    LVM.

rationale: |-
    Placing /var/log in its own partition enables better separation between log
    files and other files in /var/.

severity: unknown

identifiers:
    cce@rhel7: 26967-0

references:
    cis: 1.1.11
    disa: ""
    nist: AU-9,SC-32

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/software/disk_partitioning/partition_for_var_log_audit.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure /var/log/audit Located On Separate Partition'

description: |-
    Audit logs are stored in the /var/log/audit directory. Ensure that it has
    its own partition or logical volume at installation time, or migrate it
    later using LVM. Make absolutely certain that it is large enough to store
    all audit logs that will be created by the auditing daemon.

rationale: |-
    Placing /var/log/audit in its own partition enables better separation
    between audit files and other files, and helps ensure that auditing cannot
    be halted due to the partition running out of space.

severity: low

identifiers:
    cce@rhel7: 26971-2

references:
    cis: 1.1.12
    disa: 366
    hipaa: 164.312(a)(2)(ii)
    iso27001-2013: A.12.3.1
    nist: AU-4,AU-9,SC-32(1)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "021330"

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/software/disk_partitioning/partition_for_var_tmp.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure /var/tmp Located On Separate Partition'

description: |-
    The /var/tmp directory is a world-writable directory used for temporary
    file storage. Ensure it has its own partition or logical volume at
    installation time, or migrate it using LVM.

rationale: |-
    The /var/tmp partition is used as temporary storage by many programs.
    Placing /var/tmp in its own partition enables the setting of more
    restrictive mount options, which can help protect programs which use it.

severity: low

identifiers:
    cce@rhel7: TBD

references:
    cis: 1.1.7

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/software/gnome/enable_dconf_user_profile.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Configure GNOME3 DConf User Profile'

description: |-
    By default, DConf provides a standard user profile. This profile contains a
    list of DConf configuration databases. The user profile and database always
    take the highest priority. As such the DConf User profile should always
    exist and be configured correctly.

    To make sure that the user profile is configured correctly, the
    /etc/dconf/profile/user should be set as follows:
    user-db:user
    system-db:local
    system-db:site
    system-db:distro

rationale: |-
    Failure to have a functional DConf profile prevents GNOME3 configuration
    settings from being enforced for all users and allows various security
    risks.

severity: high

identifiers:
    cce@rhel7: 27446-4

ocil_clause: 'DConf User profile does not exist or is not configured correctly'

ocil: |-
    To verify that the DConf User profile is configured correctly, run the
    following command:
    $ cat /etc/dconf/profile/user
    The output should show the following:
    user-db:user
    system-db:local
    system-db:site
    system-db:distro
scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome.group

documentation_complete: true

title: 'GNOME Desktop Environment'

description: |-
    GNOME is a graphical desktop environment bundled with many Linux
    distributions that allow users to easily interact with the operating system
    graphically rather than textually. The GNOME Graphical Display Manager (GDM)
    provides login, logout, and user switching contexts as well as display
    server management.

    GNOME is developed by the GNOME Project and is considered the default Red
    Hat Graphical environment.

    For more information on GNOME and the GNOME Project, see

scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable the GNOME3 Login Restart and Shutdown Buttons'

description: |-
    In the default graphical environment, users logging directly into the
    system are greeted with a login screen that allows any user, known or
    unknown, the ability to shutdown or restart the system. This functionality
    should be disabled by setting disable-restart-buttons to true.

    To disable, add or edit disable-restart-buttons to
    /etc/dconf/db/gdm.d/00-security-settings. For example:
    [org/gnome/login-screen]
    disable-restart-buttons=true
    Once the setting has been added, add a lock to
    /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user
    modification. For example:
    /org/gnome/login-screen/disable-restart-buttons
    After the settings have been set, run dconf update.

rationale: |-
    A user who is at the console can reboot the system at the login screen. If
    restart or shutdown buttons are pressed at the login screen, this can create
    the risk of short-term loss of availability of systems due to reboot.

severity: high

identifiers:
    cce@rhel7: 80107-6

references:
    cui: 3.1.2
    disa: 366
    nist: AC-6
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: TBD

ocil_clause: 'disable-restart-buttons has not been configured or is not disabled'

ocil: |-
    To ensure shutdown and restart on the login screen are disabled, run the
    following command:
    $ grep disable-restart-buttons /etc/dconf/db/gdm.d/*
    The output should be true. To ensure that users cannot enable shutdown and
    restart on the login screen, run the following:
    $ grep disable-restart-buttons /etc/dconf/db/gdm.d/locks/*
    If properly configured, the output should be
    /org/gnome/login-screen/disable-restart-buttons

scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable the GNOME3 Login User List'

description: |-
    In the default graphical environment, users logging directly into the
    system are greeted with a login screen that displays all known users. This
    functionality should be disabled by setting disable-user-list to true.

    To disable, add or edit disable-user-list to
    /etc/dconf/db/gdm.d/00-security-settings. For example:
    [org/gnome/login-screen]
    disable-user-list=true
    Once the setting has been added, add a lock to
    /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user
    modification. For example:
    /org/gnome/login-screen/disable-user-list
    After the settings have been set, run dconf update.

rationale: |-
    Leaving the user list enabled is a security risk since it allows anyone
    with physical access to the system to quickly enumerate known user accounts
    without logging in.

severity: medium

identifiers:
    cce@rhel7: 80106-8

references:
    nist: AC-23

ocil_clause: 'disable-user-list has not been configured or is not disabled'

ocil: |-
    To ensure the user list is disabled, run the following command:
    $ grep disable-user-list /etc/dconf/db/gdm.d/*
    The output should be true. To ensure that users cannot enable displaying
    the user list, run the following:
    $ grep disable-user-list /etc/dconf/db/gdm.d/locks/*
    If properly configured, the output should be
    /org/gnome/login-screen/disable-user-list

scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Enable the GNOME3 Login Smartcard Authentication'

description: |-
    In the default graphical environment, smart card authentication can be
    enabled on the login screen by setting enable-smartcard-authentication to
    true.

    To enable, add or edit enable-smartcard-authentication to
    /etc/dconf/db/gdm.d/00-security-settings. For example:
    [org/gnome/login-screen]
    enable-smartcard-authentication=true
    Once the setting has been added, add a lock to
    /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user
    modification. For example:
    /org/gnome/login-screen/enable-smartcard-authentication
    After the settings have been set, run dconf update.

rationale: |-
    Smart card login provides two-factor authentication stronger than that
    provided by a username and password combination. Smart cards leverage PKI
    (public key infrastructure) in order to provide and verify credentials.

severity: medium

identifiers:
    cce@rhel7: 80108-4

references:
    disa: 765,766,767,768,771,772,884,1954
    pcidss: Req-8.3
    srg: SRG-OS-000375-GPOS-00160
    stigid: "010061"

ocil_clause: 'enable-smartcard-authentication has not been configured or is disabled'

ocil: |-
    To ensure smart card authentication on the login screen is enabled, run the
    following command:
    $ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/*
    The output should be true. To ensure that users cannot disable smart card
    authentication on the login screen, run the following:
    $ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/*
    If properly configured, the output should be
    /org/gnome/login-screen/enable-smartcard-authentication

scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Set the GNOME3 Login Number of Failures'

description: |-
    In the default graphical environment, the GNOME3 login screen can be
    configured to restart the authentication process after a configured number
    of attempts. This can be configured by setting allowed-failures to 3 or
    less.

    To enable, add or edit allowed-failures to
    /etc/dconf/db/gdm.d/00-security-settings. For example:
    [org/gnome/login-screen]
    allowed-failures=3
    Once the setting has been added, add a lock to
    /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user
    modification. For example:
    /org/gnome/login-screen/allowed-failures
    After the settings have been set, run dconf update.

rationale: |-
    Setting the password retry prompts that are permitted on a per-session
    basis to a low value requires some software, such as SSH, to re-connect.
    This can slow down and draw additional attention to some types of
    password-guessing attacks.

severity: medium

identifiers:
    cce@rhel7: 80109-2

references:
    cui: 3.1.8
    ospp@rhel7: FMT_MOF_EXT.1

ocil_clause: 'allowed-failures is not equal to or less than the expected value'

ocil: |-
    To ensure the login screen resets after a specified number of failures,
    run the following command:
    $ grep allowed-failures /etc/dconf/db/gdm.d/*
    The output should be 3 or less. To ensure that users cannot change the
    number of failures after which the login screen resets, run the following:
    $ grep allowed-failures /etc/dconf/db/gdm.d/locks/*
    If properly configured, the output should be
    /org/gnome/login-screen/allowed-failures

scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable GDM Automatic Login'

description: |-
    The GNOME Display Manager (GDM) can allow users to automatically login
    without user interaction or credentials. Users should always be required to
    authenticate themselves to the system that they are authorized to use. To
    disable the ability of users to automatically login to the system, set
    AutomaticLoginEnable to false in the [daemon] section in
    /etc/gdm/custom.conf. For example:
    [daemon]
    AutomaticLoginEnable=false

rationale: |-
    Failure to restrict system access to authenticated users negatively impacts
    operating system security.

severity: high

identifiers:
    cce@rhel7: 80104-3

references:
    cui: 3.1.1
    disa: 366
    nist: CM-6(b)
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000480-GPOS-00229
    stigid@rhel7: "010440"

ocil_clause: 'GDM allows users to automatically login'

ocil: |-
    To verify that automatic logins are disabled, run the following command:
    $ grep -Pzoi "^\[daemon]\\nautomaticlogin.*" /etc/gdm/custom.conf
    The output should show the following:
    [daemon]
    AutomaticLoginEnable=false
scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable GDM Guest Login'

description: |-
    The GNOME Display Manager (GDM) can allow users to login without
    credentials which can be useful for public kiosk scenarios. Allowing users
    to login without credentials or "guest" account access has inherent
    security risks and should be disabled. To disable timed logins or guest
    account access, set TimedLoginEnable to false in the [daemon] section in
    /etc/gdm/custom.conf. For example:
    [daemon]
    TimedLoginEnable=false

rationale: |-
    Failure to restrict system access to authenticated users negatively impacts
    operating system security.

severity: high

identifiers:
    cce@rhel7: 80105-0

references:
    cui: 3.1.1
    disa: 366
    nist: CM-6(b)
    ospp@rhel7: FIA_AFL.1
    srg: SRG-OS-000480-GPOS-00229
    stigid@rhel7: "010450"

ocil_clause: 'GDM allows a guest to login without credentials'

ocil: |-
    To verify that timed logins are disabled, run the following command:
    $ grep -Pzoi "^\[daemon]\\ntimedlogin.*" /etc/gdm/custom.conf
    The output should show the following:
    [daemon]
    TimedLoginEnable=false
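The six login-screen rules above share one verification pattern: a key must carry the required value in a keyfile, and for the dconf keys the same path must also be listed in the lock file, otherwise a user can override the setting. As an added example that is not part of the scap-security-guide rules, the POSIX shell script below checks all of them in one pass: the four dconf keys under [org/gnome/login-screen] (disable-restart-buttons, disable-user-list, enable-smartcard-authentication, allowed-failures) with their locks in /etc/dconf/db/gdm.d, and AutomaticLoginEnable and TimedLoginEnable in the [daemon] section of /etc/gdm/custom.conf. The function names, the parameterised file paths and the constructed sample files written by the demo function are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the scap-security-guide content): verify the GDM
# login-screen hardening from the three files the rules configure. All paths
# are parameters so the check can also run on a staged copy:
#   KEYFILE  -> /etc/dconf/db/gdm.d/00-security-settings
#   LOCKFILE -> /etc/dconf/db/gdm.d/locks/00-security-settings-lock
#   GDMCONF  -> /etc/gdm/custom.conf
# Assumption: both file types use the INI/keyfile layout shown in the rules
# (values themselves contain no '=').

# ini_get FILE SECTION KEY
# Prints the value of KEY inside [SECTION]; the last assignment wins, comment
# lines (# or ;) are skipped, nothing is printed when the key is absent.
ini_get() {
    awk -F= -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }                      # comment line
        /^[[:space:]]*\[/   { sub(/^[[:space:]]+/, "")    # section header
                              sub(/[[:space:]]+$/, "")
                              insec = ($0 == sec); next }
        insec && NF >= 2    { k = $1; v = $2              # KEY=value in section
                              gsub(/[[:space:]]/, "", k)
                              sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                              if (k == key) val = v }
        END { print val }' "$1"
}

# lock_present LOCKFILE KEYPATH -> 0 when KEYPATH appears as a whole line
lock_present() {
    grep -qxF -- "$2" "$1"
}

# gdm_login_check KEYFILE LOCKFILE GDMCONF
# Prints one FAIL line per deviation from the rules; returns 0 when clean.
gdm_login_check() {
    keyfile=$1 lockfile=$2 gdmconf=$3
    sec=org/gnome/login-screen
    rc=0
    # dconf keys that must be true and locked against user modification
    for pair in disable-restart-buttons=true disable-user-list=true \
                enable-smartcard-authentication=true; do
        key=${pair%%=*} want=${pair#*=}
        got=$(ini_get "$keyfile" "$sec" "$key")
        [ "$got" = "$want" ] || { echo "FAIL: $key=${got:-<unset>} (want $want)"; rc=1; }
        lock_present "$lockfile" "/$sec/$key" || { echo "FAIL: /$sec/$key not locked"; rc=1; }
    done
    # allowed-failures must be a number no greater than 3, and locked
    af=$(ini_get "$keyfile" "$sec" allowed-failures)
    case $af in
        ''|*[!0-9]*) echo "FAIL: allowed-failures=${af:-<unset>} (want 3 or less)"; rc=1 ;;
        *) [ "$af" -le 3 ] || { echo "FAIL: allowed-failures=$af (want 3 or less)"; rc=1; } ;;
    esac
    lock_present "$lockfile" "/$sec/allowed-failures" || { echo "FAIL: /$sec/allowed-failures not locked"; rc=1; }
    # GDM [daemon] settings that must be false
    for pair in AutomaticLoginEnable=false TimedLoginEnable=false; do
        key=${pair%%=*} want=${pair#*=}
        got=$(ini_get "$gdmconf" daemon "$key")
        [ "$got" = "$want" ] || { echo "FAIL: [daemon] $key=${got:-<unset>} (want $want)"; rc=1; }
    done
    return "$rc"
}

# Stand-alone demo on constructed files (not real system files): a compliant
# staging tree, then the same tree with the lock file emptied.
gdm_login_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/gdm.d/locks" "$d/gdm"
    printf '[org/gnome/login-screen]\ndisable-restart-buttons=true\ndisable-user-list=true\nenable-smartcard-authentication=true\nallowed-failures=3\n' > "$d/gdm.d/00-security-settings"
    printf '/org/gnome/login-screen/%s\n' disable-restart-buttons disable-user-list \
        enable-smartcard-authentication allowed-failures > "$d/gdm.d/locks/00-security-settings-lock"
    printf '[daemon]\nAutomaticLoginEnable=false\nTimedLoginEnable=false\n' > "$d/gdm/custom.conf"
    echo "== staged tree"
    gdm_login_check "$d/gdm.d/00-security-settings" "$d/gdm.d/locks/00-security-settings-lock" "$d/gdm/custom.conf" && echo PASS
    echo "== same tree, lock file emptied"
    : > "$d/gdm.d/locks/00-security-settings-lock"
    gdm_login_check "$d/gdm.d/00-security-settings" "$d/gdm.d/locks/00-security-settings-lock" "$d/gdm/custom.conf" || true
    rm -rf "$d"
}

gdm_login_demo
```

On a live system run `gdm_login_check /etc/dconf/db/gdm.d/00-security-settings /etc/dconf/db/gdm.d/locks/00-security-settings-lock /etc/gdm/custom.conf`. The check reads the keyfiles, not the compiled database, so it still reports PASS on a host where `dconf update` was never run after editing; pair it with the `gsettings`/`grep` checks from the rules when auditing a running desktop.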
scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_login_screen/gnome_login_screen.group

documentation_complete: true

title: 'Configure GNOME Login Screen'

description: |-
    In the default GNOME3 desktop, the login screen is displayed after system
    boot and can display user accounts, allow users to reboot the system, and
    allow users to login automatically and/or with a guest account. The login
    screen should be configured to prevent such behavior.

    For more information about enforcing preferences in the GNOME3 environment
    using the DConf configuration system, see
    and the man page dconf(1).

scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable GNOME3 Automounting'

description: |-
    The system's default desktop environment, GNOME3, will mount devices and
    removable media (such as DVDs, CDs and USB flash drives) whenever they are
    inserted into the system. To disable automount and autorun within GNOME3,
    add or set automount to false, automount-open to false, and autorun-never
    to true in /etc/dconf/db/local.d/00-security-settings. For example:
    [org/gnome/desktop/media-handling]
    automount=false
    automount-open=false
    autorun-never=true
    Once the settings have been added, add a lock to
    /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user
    modification. For example:
    /org/gnome/desktop/media-handling/automount
    /org/gnome/desktop/media-handling/automount-open
    /org/gnome/desktop/media-handling/autorun-never
    After the settings have been set, run dconf update.

rationale: |-
    Disabling automatic mounting in GNOME3 can prevent the introduction of
    malware via removable media. It will, however, also prevent desktop users
    from legitimate use of removable media.

severity: unknown

identifiers:
    cce@rhel7: 80122-5

references:
    cui: 3.1.7
    nist: AC-19(a),AC-19(d),AC-19(e)

ocil_clause: 'GNOME automounting is not disabled'

ocil: |-
    These settings can be verified by running the following:
    $ gsettings get org.gnome.desktop.media-handling automount
    $ gsettings get org.gnome.desktop.media-handling automount-open
    $ gsettings get org.gnome.desktop.media-handling autorun-never
    If properly configured, the output for automount should be false.
    If properly configured, the output for automount-open should be false.
    If properly configured, the output for autorun-never should be true.
    To ensure that users cannot enable automount and autorun in GNOME3, run the
    following:
    $ grep 'automount\|autorun' /etc/dconf/db/local.d/locks/*
    If properly configured, the output for automount should be
    /org/gnome/desktop/media-handling/automount
    If properly configured, the output for automount-open should be
    /org/gnome/desktop/media-handling/automount-open
    If properly configured, the output for autorun-never should be
    /org/gnome/desktop/media-handling/autorun-never

scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable All GNOME3 Thumbnailers'

description: |-
    The system's default desktop environment, GNOME3, uses a number of
    different thumbnailer programs to generate thumbnails for any new or
    modified content in an opened folder. To disable the execution of these
    thumbnail applications, add or set disable-all to true in
    /etc/dconf/db/local.d/00-security-settings. For example:
    [org/gnome/desktop/thumbnailers]
    disable-all=true
    Once the settings have been added, add a lock to
    /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user
    modification. For example:
    /org/gnome/desktop/thumbnailers/disable-all
    After the settings have been set, run dconf update. This effectively
    prevents an attacker from gaining access to a system through a flaw in
    GNOME3's Nautilus thumbnail creators.

rationale: |-
    An attacker with knowledge of a flaw in a GNOME3 thumbnailer application
    could craft a malicious file to exploit this flaw. Assuming the attacker
    could place the malicious file on the local filesystem (via a web upload
    for example) and assuming a user browses the same location using Nautilus,
    the malicious file would exploit the thumbnailer with the potential for
    malicious code execution. It is best to disable these thumbnailer
    applications unless they are explicitly required.

severity: unknown

identifiers:
    cce@rhel7: 80123-3

references:
    nist: CM-7

ocil_clause: 'GNOME thumbnailers are not disabled'

ocil: |-
    These settings can be verified by running the following:
    $ gsettings get org.gnome.desktop.thumbnailers disable-all
    If properly configured, the output should be true. To ensure that users
    cannot change this setting, run the following:
    $ grep disable-all /etc/dconf/db/local.d/locks/*
    If properly configured, the output should be
    /org/gnome/desktop/thumbnailers/disable-all

scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_media_settings/gnome_media_settings.group

documentation_complete: true

title: 'GNOME Media Settings'

description: 'GNOME media settings that apply to the graphical interface.'

scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable WIFI Network Connection Creation in GNOME3'

description: |-
    GNOME allows users to create ad-hoc wireless connections through the
    NetworkManager applet. Wireless connections should be disabled by adding or
    setting disable-wifi-create to true in
    /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/nm-applet]
    disable-wifi-create=true
    
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/nm-applet/disable-wifi-create
After the settings have been set, run dconf update. rationale: |- Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. severity: medium identifiers: cce@rhel7: 80118-3 references: cui: 3.1.16 ocil_clause: 'WIFI connections can be created through GNOME' ocil: |- To ensure that WIFI connections caanot be created, run the following command:
$ gsettings get org.gnome.nm-applet disable-wifi-create
If properly configured, the output should be true. To ensure that users cannot enable WIFI connection creation, run the following:
$ grep wifi-create /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/nm-applet/disable-wifi-create dconf_gnome_disable_wifi_notification.rule000066400000000000000000000035011327242345500414630ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_network_settingsdocumentation_complete: true prodtype: rhel7,fedora title: 'Disable WIFI Network Notification in GNOME3' description: |- By default, GNOME disables WIFI notification. This should be permanently set so that users do not connect to a wireless network when the system finds one. While useful for mobile devices, this setting should be disabled for all other systems. To configure the system to disable the WIFI notication, add or set suppress-wireless-networks-available to true in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/nm-applet]
    suppress-wireless-networks-available=true
    
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/nm-applet/suppress-wireless-networks-available
After the settings have been set, run dconf update. rationale: |- Wireless network connections should not be allowed to be configured by general users on a given system as it could open the system to backdoor attacks. severity: medium identifiers: cce@rhel7: 80119-1 references: cui: 3.1.16 ocil_clause: 'wireless network notification is enabled and not disabled' ocil: |- To ensure that wireless network notification is disabled, run the following command:
$ gsettings get org.gnome.nm-applet suppress-wireless-networks-available
If properly configured, the output should be true. To ensure that users cannot enable wireless notification, run the following:
$ grep wireless-networks-available /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/nm-applet/suppress-wireless-networks-available gnome_network_settings.group000066400000000000000000000002141327242345500367170ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_network_settingsdocumentation_complete: true title: 'GNOME Network Settings' description: 'GNOME network settings that apply to the graphical interface.' scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_remote_access_settings/000077500000000000000000000000001327242345500322505ustar00rootroot00000000000000dconf_gnome_remote_access_credential_prompt.rule000066400000000000000000000032551327242345500440340ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_remote_access_settingsdocumentation_complete: true prodtype: rhel7,fedora title: 'Require Credential Prompting for Remote Access in GNOME3' description: |- By default, GNOME does not require credentials when using Vino for remote access. To configure the system to require remote credentials, add or set authentication-methods to ['vnc'] in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
    authentication-methods=['vnc']
    
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/Vino/authentication-methods
After the settings have been set, run dconf update. rationale: |- Username and password prompting is required for remote access. Otherwise, non-authorized and nefarious users can access the system freely. severity: medium identifiers: cce@rhel7: 80120-9 references: cui: 3.1.12 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) ocil_clause: 'wireless network notification is enabled and not disabled' ocil: |- To ensure that remote access requires credentials, run the following command:
$ gsettings get org.gnome.Vino authentication-methods
If properly configured, the output should be false. To ensure that users cannot disable credentials for remote access, run the following:
$ grep authentication-methods /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/Vino/authentication-methods dconf_gnome_remote_access_encryption.rule000066400000000000000000000032351327242345500425110ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_remote_access_settingsdocumentation_complete: true prodtype: rhel7,fedora title: 'Require Encryption for Remote Access in GNOME3' description: |- By default, GNOME requires encryption when using Vino for remote access. To prevent remote access encryption from being disabled, add or set require-encryption to true in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/Vino]
    require-encryption=true
    
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/Vino/require-encryption
After the settings have been set, run dconf update. rationale: |- Open X displays allow an attacker to capture keystrokes and to execute commands remotely. severity: medium identifiers: cce@rhel7: 80121-7 references: cui: 3.1.13 disa: 366 hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) nist: CM-2(1)(b) srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: TBD ocil_clause: 'remote access connections are not encrypted' ocil: |- To ensure that remote access connections are encrypted, run the following command:
$ gsettings get org.gnome.Vino require-encrpytion
If properly configured, the output should be true. To ensure that users cannot disable encrypted remote connections, run the following:
$ grep require-encryption /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/Vino/require-encryption gnome_remote_access_settings.group000066400000000000000000000002301327242345500411630ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_remote_access_settingsdocumentation_complete: true title: 'GNOME Remote Access Settings' description: 'GNOME remote access settings that apply to the graphical interface.' scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_locking/000077500000000000000000000000001327242345500305015ustar00rootroot00000000000000dconf_gnome_screensaver_idle_activation_enabled.rule000066400000000000000000000045311327242345500430640ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true prodtype: rhel7,fedora title: 'Enable GNOME3 Screensaver Idle Activation' description: "To activate the screensaver in the GNOME3 desktop after a period of inactivity,\nadd or set idle-activation-enabled to true in \n/etc/dconf/db/local.d/00-security-settings. For example:\n
[org/gnome/desktop/screensaver]\nidle_activation_enabled=true
\nOnce the setting has been added, add a lock to\n/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.\nFor example:\n
/org/gnome/desktop/screensaver/idle-activation-enabled
\nAfter the settings have been set, run dconf update." rationale: |- A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock.

Enabling idle activation of the screensaver ensures the screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (such as network management products) require the login session does not have administrator rights and the display station is located in a controlled-access area. severity: medium identifiers: cce@rhel7: 80111-8 references: cjis: 5.5.5 cui: 3.1.10 disa: 57 nist: AC-11(a) ospp@rhel7: FMT_MOF_EXT.1 pcidss: Req-8.1.8 srg: SRG-OS-000029-GPOS-00010 stigid@rhel7: "010100" ocil_clause: 'idle_activation_enabled is not enabled or configured' ocil: |- To check the screensaver mandatory use status, run the following command:
$ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
If properly configured, the output should be true. To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled dconf_gnome_screensaver_idle_activation_locked.rule000066400000000000000000000025331327242345500427330ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true prodtype: rhel7,fedora title: 'Ensure Users Cannot Change GNOME3 Screensaver Idle Activation' description: |- If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding
/org/gnome/desktop/screensaver/idle-activation-enabled
to /etc/dconf/db/local.d/00-security-settings. For example:
/org/gnome/desktop/screensaver/idle-activation-enabled
After the settings have been set, run dconf update. rationale: |- A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. severity: medium identifiers: cce@rhel7: 80564-8 references: cjis: 5.5.5 cui: 3.1.10 disa: 57 nist: AC-11(a) ospp@rhel7: FMT_MOF_EXT.1 pcidss: Req-8.1.8 srg: SRG-OS-000029-GPOS-00010 stigid@rhel7: "010101" ocil_clause: 'idle_activation_enabled is not locked' ocil: |- To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled dconf_gnome_screensaver_idle_delay.rule000066400000000000000000000043421327242345500403470ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true prodtype: rhel7,fedora title: 'Set GNOME3 Screensaver Inactivity Timeout' description: |- The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.

For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
    idle-delay='uint32 900'
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update. rationale: |- A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. severity: medium identifiers: cce@rhel7: 80110-0 references: cjis: 5.5.5 cui: 3.1.10 disa: 57 nist: AC-11(a) ospp@rhel7: FMT_MOF_EXT.1 pcidss: Req-8.1.8 srg: SRG-OS-000029-GPOS-00010 stigid@rhel7: "010070" ocil_clause: 'idle-delay is not equal to or less than the expected value' ocil: |- To check the current idle time-out value, run the following command:
$ gsettings get org.gnome.desktop.session idle-delay
If properly configured, the output should be 'uint32 '. To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
$ grep idle-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/session/idle-delay dconf_gnome_screensaver_lock_delay.rule000066400000000000000000000036171327242345500403660ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true prodtype: rhel7 title: 'Set GNOME3 Screensaver Lock Delay After Activation Period' description: "To activate the locking delay of the screensaver in the GNOME3 desktop when \nthe screensaver is activated, add or set lock-delay to uint32 in\n/etc/dconf/db/local.d/00-security-settings. For example:\n
[org/gnome/desktop/screensaver]\nlock-delay=uint32 \n
\nOnce the setting has been added, add a lock to\n/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.\nFor example:\n
/org/gnome/desktop/screensaver/lock-delay
\nAfter the settings have been set, run dconf update." rationale: |- A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. severity: medium identifiers: cce@rhel7: 80370-0 references: cui: 3.1.10 disa: 56 nist: AC-11(a) ospp@rhel7: FMT_MOF_EXT.1 pcidss: Req-8.1.8 srg: OS-SRG-000029-GPOS-00010 stigid@rhel7: "010110" ocil_clause: 'the screensaver lock delay is missing, or is set to a value greater than 5' ocil: |- To check that the screen locks immediately when activated, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-delay
If properly configured, the output should be 'uint32 '.

To ensure that users cannot change how long until the the screensaver locks, run the following:
$ grep lock-delay /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-delay should be /org/gnome/desktop/screensaver/lock-delay dconf_gnome_screensaver_lock_enabled.rule000066400000000000000000000034701327242345500406570ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true prodtype: rhel7,fedora title: 'Enable GNOME3 Screensaver Lock After Idle Period' description: |- To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
    lock-enabled=true
    
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update. rationale: |- A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. severity: medium identifiers: cce@rhel7: 80112-6 references: cjis: 5.5.5 cui: 3.1.10 disa: 56 nist: AC-11(b) ospp@rhel7: FMT_MOF_EXT.1 pcidss: Req-8.1.8 srg: SRG-OS-000028-GPOS-00009,OS-SRG-000030-GPOS-00011 stigid@rhel7: "010060" ocil_clause: 'screensaver locking is not enabled and/or has not been set or configured correctly' ocil: |- To check the status of the idle screen lock activation, run the following command:
$ gsettings get org.gnome.desktop.screensaver lock-enabled
If properly configured, the output should be true. To ensure that users cannot change how long until the the screensaver locks, run the following:
$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled dconf_gnome_screensaver_lock_locked.rule000066400000000000000000000025141327242345500405240ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true prodtype: rhel7,fedora title: 'Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period' description: |- If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding
/org/gnome/desktop/screensaver/lock-enabled
to /etc/dconf/db/local.d/00-security-settings. For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update. rationale: |- A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. severity: medium identifiers: cce@rhel7: 80563-0 references: cjis: 5.5.5 cui: 3.1.10 disa: 56 nist: AC-11(b) ospp@rhel7: FMT_MOF_EXT.1 pcidss: Req-8.1.8 srg: SRG-OS-000029-GPOS-00010 stigid@rhel7: "010062" ocil_clause: 'screensaver locking is not locked' ocil: |- To ensure that users cannot change how long until the the screensaver locks, run the following:
$ grep lock-enabled /etc/dconf/db/local.d/locks/*
If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled dconf_gnome_screensaver_mode_blank.rule000066400000000000000000000027531327242345500403530ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true prodtype: rhel7,fedora title: 'Implement Blank Screensaver' description: |- To set the screensaver mode in the GNOME3 desktop to a blank screen, add or set picture-uri to string '' in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
    picture-uri=string ''
    
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/picture-uri
After the settings have been set, run dconf update. rationale: |- Setting the screensaver mode to blank-only conceals the contents of the display from passersby. severity: unknown identifiers: cce@rhel7: 80113-4 references: cjis: 5.5.5 cui: 3.1.10 disa: 60 nist: AC-11(b) ospp@rhel7: FMT_MOF_EXT.1 pcidss: Req-8.1.8 ocil_clause: 'it is not set or configured properly' ocil: |- To ensure the screensaver is configured to be blank, run the following command:
$ gsettings get org.gnome.desktop.screensaver picture-uri
If properly configured, the output should be ''. To ensure that users cannot set the screensaver background, run the following:
$ grep picture-uri /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri dconf_gnome_screensaver_user_info.rule000066400000000000000000000032601327242345500402430ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true prodtype: rhel7,fedora title: 'Disable Full User Name on Splash Shield' description: |- By default when the screen is locked, the splash shield will show the user's full name. This should be disabled to prevent casual observers from seeing who has access to the system. This can be disabled by adding or setting show-full-name-in-top-bar to false in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
    show-full-name-in-top-bar=false
    
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/show-full-name-in-top-bar
After the settings have been set, run dconf update. rationale: |- Setting the splash screen to not reveal the logged in user's name conceals who has access to the system from passersby. severity: unknown identifiers: cce@rhel7: 80114-2 references: ospp@rhel7: FMT_MOF_EXT.1 ocil_clause: 'it is not set or configured properly' ocil: |- To ensure the splash screen is configured not to show user name, run the following command:
$ gsettings get org.gnome.desktop.screensaver show-full-name-in-top-bar
If properly configured, the output should be false. To ensure that users cannot enable user name on the lock screen, run the following:
$ grep show-full-name-in-top-bar /etc/dconf/db/local.d/locks/*
If properly configured, the output should be /org/gnome/desktop/screensaver/show-full-name-in-top-bar dconf_gnome_screensaver_user_locks.rule000066400000000000000000000031511327242345500404220ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true prodtype: rhel7 title: 'Ensure Users Cannot Change GNOME3 Screensaver Settings' description: |- If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update. rationale: |- A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. severity: medium identifiers: cce@rhel7: 80371-8 references: cui: 3.1.10 disa: 57 nist: AC-11(a) ospp@rhel7: FMT_MOF_EXT.1 srg: SRG-OS-00029-GPOS-0010 stigid@rhel7: "010081" ocil_clause: 'GNOME3 session settings are not locked or configured properly' ocil: |- To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return: /org/gnome/desktop/screensaver/lock-delay dconf_gnome_session_idle_user_locks.rule000066400000000000000000000031321327242345500405610ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true prodtype: rhel7 title: 'Ensure Users Cannot Change GNOME3 Session Idle Settings' description: |- If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update. rationale: |- A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. severity: medium identifiers: cce@rhel7: 80544-0 references: cui: 3.1.10 disa: 57 nist: AC-11(a) ospp@rhel7: FMT_MOF_EXT.1 srg: SRG-OS-00029-GPOS-0010 stigid@rhel7: "010082" ocil_clause: 'GNOME3 session settings are not locked or configured properly' ocil: |- To ensure that users cannot change session idle and lock settings, run the following:
$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
If properly configured, the output should return: /org/gnome/desktop/session/idle-delay gnome_screen_locking.group000066400000000000000000000025241327242345500356550ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true title: 'Configure GNOME Screen Locking' description: |- In the default GNOME3 desktop, the screen can be locked by selecting the user name in the far right corner of the main panel and selecting Lock.

The following sections detail commands to enforce idle activation of the screensaver, screen locking, a blank-screen screensaver, and an idle activation time.

Because users should be trained to lock the screen when they step away from the computer, the automatic locking feature is only meant as a backup.

The root account can be screen-locked; however, the root account should never be used to log into an X Windows environment and should only be used to for direct login via console in emergency circumstances.

For more information about enforcing preferences in the GNOME3 environment using the DConf configuration system, see and the man page dconf(1). For Red Hat specific information on configuring DConf settings, see inactivity_timeout_value.var000066400000000000000000000004711327242345500362630ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true title: 'Screensaver Inactivity timeout' description: 'Choose allowed duration (in seconds) of inactive graphical sessions' type: number operator: equals interactive: false options: 10_minutes: 600 15_minutes: 900 30_minutes: 1800 5_minutes: 300 default: 900 var_screensaver_lock_delay.var000066400000000000000000000005071327242345500365140ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_screen_lockingdocumentation_complete: true title: 'Screensaver Lock Delay' description: 'Choose allowed duration (in seconds) after a screensaver becomes active before displaying an authentication prompt' type: number operator: equals interactive: false options: 10_seconds: 10 5_seconds: 5 default: "0" immediate: "0" scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_system_settings/000077500000000000000000000000001327242345500307605ustar00rootroot00000000000000dconf_gnome_disable_ctrlaltdel_reboot.rule000066400000000000000000000036351327242345500413260ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_system_settingsdocumentation_complete: true prodtype: rhel7,fedora title: 'Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3' description: "By default, GNOME will reboot the system if the Ctrl-Alt-Del\nkey sequence is pressed.\n

\nTo configure the system to ignore the Ctrl-Alt-Del key sequence from the\nGraphical User Interface (GUI) instead of rebooting the system, add or set \nlogout to string '' in\n/etc/dconf/db/local.d/00-security-settings. For example:\n
[org/gnome/settings-daemon/plugins/media-keys]\nlogout=string ''\n
\nOnce the settings have been added, add a lock to\n/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.\nFor example:\n
/org/gnome/settings-daemon/plugins/media-keys/logout
    After the settings have been set, run dconf update."

rationale: |-
    A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the
    system. If accidentally pressed, as could happen in the case of a mixed OS environment,
    this can create the risk of short-term loss of availability of systems due to an
    unintentional reboot.

severity: high

identifiers:
    cce@rhel7: 80124-1

references:
    cui: 3.1.2
    disa: 366
    nist: AC-6
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: TBD

ocil_clause: 'GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed'

ocil: |-
    To ensure the system is configured to ignore the Ctrl-Alt-Del sequence, run the following command:
    $ gsettings get org.gnome.settings-daemon.plugins.media-keys logout
    If properly configured, the output should be ''.
    To ensure that users cannot enable the Ctrl-Alt-Del sequence, run the following:
    $ grep logout /etc/dconf/db/local.d/locks/*
    If properly configured, the output should be /org/gnome/settings-daemon/plugins/media-keys/logout

# scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable Geolocation in GNOME3'

description: |-
    GNOME allows the clock and applications to track and access location information.
    This setting should be disabled as applications should not track system location.
    To configure the system to disable location tracking, add or set enabled to false in
    /etc/dconf/db/local.d/00-security-settings. For example:
    [org/gnome/system/location]
    enabled=false
    To configure the clock to disable location tracking, add or set geolocation to false in
    /etc/dconf/db/local.d/00-security-settings. For example:
    [org/gnome/clocks]
    geolocation=false
    Once the settings have been added, add a lock to
    /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
    For example:
    /org/gnome/system/location/enabled
    /org/gnome/clocks/geolocation
    After the settings have been set, run dconf update.

rationale: |-
    Power settings should not be enabled on systems that are not mobile devices. Enabling
    power settings on non-mobile devices could have unintended processing consequences on
    standard systems.

severity: medium

identifiers:
    cce@rhel7: 80117-5

ocil_clause: 'geolocation is enabled and not disabled'

ocil: |-
    To ensure that system location tracking is not active, run the following command:
    $ gsettings get org.gnome.system.location enabled
    $ gsettings get org.gnome.clocks geolocation
    If properly configured, the output should be false.
    To ensure that users cannot enable system location tracking, run the following:
    $ grep location /etc/dconf/db/local.d/locks/*
    If properly configured, the output should be /org/gnome/system/location/enabled and /org/gnome/clocks/geolocation.

# scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable Power Settings in GNOME3'

description: |-
    By default, GNOME enables a power profile designed for mobile devices with battery usage.
    While useful for mobile devices, this setting should be disabled for all other systems.
    To configure the system to disable the power setting, add or set active to false in
    /etc/dconf/db/local.d/00-security-settings. For example:
    [org/gnome/settings-daemon/plugins/power]
    active=false
    Once the settings have been added, add a lock to
    /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
    For example:
    /org/gnome/settings-daemon/plugins/power
    After the settings have been set, run dconf update.

rationale: |-
    Power settings should not be enabled on systems that are not mobile devices. Enabling
    power settings on non-mobile devices could have unintended processing consequences on
    standard systems.

severity: medium

identifiers:
    cce@rhel7: 80116-7

ocil_clause: 'power settings are enabled and are not disabled'

ocil: |-
    To ensure that the GUI power settings are not active, run the following command:
    $ gsettings get org.gnome.settings-daemon.plugins.power active
    If properly configured, the output should be false.
    To ensure that users cannot enable the power settings, run the following:
    $ grep power /etc/dconf/db/local.d/locks/*
    If properly configured, the output should be /org/gnome/settings-daemon/plugins/power/active

# scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable User Administration in GNOME3'

description: |-
    By default, GNOME will allow all users to have some administration capability. This
    should be disabled so that non-administrative users are not making configuration
    changes. To configure the system to disable user administration capability in the
    Graphical User Interface (GUI), add or set user-administration-disabled to true in
    /etc/dconf/db/local.d/00-security-settings. For example:
    [org/gnome/desktop/lockdown]
    user-administration-disabled=true
    Once the settings have been added, add a lock to
    /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
    For example:
    /org/gnome/desktop/lockdown/user-administration-disabled
    After the settings have been set, run dconf update.

rationale: |-
    Allowing all users to have some administrative capabilities to the system through the
    Graphical User Interface (GUI) when they would not have them otherwise could allow
    unintended configuration changes as well as a nefarious user the capability to make
    system changes such as adding new accounts, etc.

severity: high

identifiers:
    cce@rhel7: 80115-9

references:
    cui: 3.1.5

ocil_clause: 'user administration is not configured or disabled'

ocil: |-
    To ensure the GUI does not allow user administration capabilities to all users, run the following command:
    $ gsettings get org.gnome.desktop.lockdown user-administration-disabled
    If properly configured, the output should be true.
    To ensure that users cannot enable user administration, run the following:
    $ grep user-administration /etc/dconf/db/local.d/locks/*
    If properly configured, the output should be /org/gnome/desktop/lockdown/user-administration-disabled

# scap-security-guide-0.1.39/shared/guide/system/software/gnome/gnome_system_settings/gnome_system_settings.group
documentation_complete: true

title: 'GNOME System Settings'

description: |-
    GNOME provides configuration and functionality to a graphical desktop environment that
    changes graphical configurations or allows a user to perform actions that users normally
    would not be able to do in non-graphical mode, such as remote access configuration,
    power policies, Geo-location, etc. Configuring such settings in GNOME will prevent
    accidental graphical configuration changes by users from taking place.

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/certified-vendor/certified-vendor.group
documentation_complete: true

title: 'Operating System Vendor Support and Certification'

description: |-
    The assurance of a vendor to provide operating system support and maintenance for their
    product is an important criterion to ensure product stability and security over the life
    of the product. A certified product that follows the necessary standards and government
    certification requirements guarantees that known software vulnerabilities will be
    remediated, and proper guidance for protecting and securing the operating system will be
    given.
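The three GNOME rules above share one procedure: set the key in /etc/dconf/db/local.d/00-security-settings, pin it in /etc/dconf/db/local.d/locks/00-security-settings-lock, then run dconf update. The shell script below is an added example, not code from the scap-security-guide project: it applies that procedure to a scratch directory standing in for /etc/dconf/db/local.d and then performs the same two checks the ocil sections describe (key present with the expected value, lock path present). The helper names dconf_set_key, dconf_lock_key and dconf_check_locked are assumed; dconf update is not run because the script never touches the real database.

```shell
#!/bin/sh
# Added example (not part of the SSG project): apply and verify the dconf
# "set key, lock key, dconf update" procedure from the GNOME rules above
# against a constructed db directory that stands in for /etc/dconf/db/local.d.
# Helper names (dconf_set_key, dconf_lock_key, dconf_check_locked) are assumed.

# Set key=value under [section] in a dconf keyfile; idempotent, keeps other keys.
# $1 keyfile, $2 section (e.g. org/gnome/clocks), $3 key, $4 value
dconf_set_key() {
    keyfile=$1; section=$2; key=$3; value=$4
    touch "$keyfile"
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
        /^\[/ {
            if (insec && !done) { print key "=" val; done = 1 }   # section ended without the key
            insec = ($0 == sec)
        }
        insec && index($0, key "=") == 1 {
            if (!done) { print key "=" val; done = 1 }            # replace the existing value
            next
        }
        { print }
        END { if (!done) { if (!insec) print sec; print key "=" val } }
    ' "$keyfile" > "$keyfile.tmp" && mv "$keyfile.tmp" "$keyfile"
}

# Append a lock path to a dconf lock file (once).
# $1 lockfile, $2 key path (e.g. /org/gnome/clocks/geolocation)
dconf_lock_key() {
    lockfile=$1; path=$2
    touch "$lockfile"
    grep -qxF -- "$path" "$lockfile" || printf '%s\n' "$path" >> "$lockfile"
}

# Verify both halves: the keyfile carries key=value under [section] and the
# lock file pins /section/key. Returns 0 when compliant, 1 otherwise.
dconf_check_locked() {
    keyfile=$1; lockfile=$2; section=$3; key=$4; value=$5
    awk -v sec="[$section]" -v want="$key=$value" '
        /^\[/ { insec = ($0 == sec) }
        insec && $0 == want { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$keyfile" 2>/dev/null || return 1
    grep -qxF -- "/$section/$key" "$lockfile" 2>/dev/null
}

# Apply all four settings from the rules above to a scratch db and verify them.
demo_dconf_lockdown() {
    db=$(mktemp -d)                      # stand-in for /etc/dconf/db/local.d
    mkdir -p "$db/locks"
    kf=$db/00-security-settings
    lf=$db/locks/00-security-settings-lock
    dconf_set_key "$kf" org/gnome/system/location enabled false
    dconf_set_key "$kf" org/gnome/clocks geolocation false
    dconf_set_key "$kf" org/gnome/settings-daemon/plugins/power active false
    dconf_set_key "$kf" org/gnome/desktop/lockdown user-administration-disabled true
    for p in /org/gnome/system/location/enabled /org/gnome/clocks/geolocation \
             /org/gnome/settings-daemon/plugins/power/active \
             /org/gnome/desktop/lockdown/user-administration-disabled; do
        dconf_lock_key "$lf" "$p"
    done
    # Re-running must not duplicate keys or lock lines.
    dconf_set_key "$kf" org/gnome/clocks geolocation false
    dconf_lock_key "$lf" /org/gnome/clocks/geolocation
    rc=0
    for spec in "org/gnome/system/location enabled false" \
                "org/gnome/clocks geolocation false" \
                "org/gnome/settings-daemon/plugins/power active false" \
                "org/gnome/desktop/lockdown user-administration-disabled true"; do
        set -- $spec
        dconf_check_locked "$kf" "$lf" "$1" "$2" "$3" || rc=1
    done
    [ "$(grep -c '^geolocation=' "$kf")" -eq 1 ] || rc=1
    [ "$(grep -c '^/' "$lf")" -eq 4 ] || rc=1
    cat "$kf" "$lf"                      # what would land under /etc/dconf/db/local.d
    rm -rf "$db"
    # On a real system the final step is: dconf update
    return $rc
}
```

The check mirrors the ocil grep on the locks directory: a setting without its lock line is reported as non-compliant, because a user could still change it with gsettings. Running the writers twice shows they are idempotent, which matters when the script is applied by a configuration-management run.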
# scap-security-guide-0.1.39/shared/guide/system/software/integrity/certified-vendor/installed_OS_is_certified.rule
documentation_complete: true

prodtype: rhel7

title: 'The Installed Operating System Is Vendor Supported and Certified'

description: |-
    The installed operating system must be maintained and certified by a vendor.
    Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux
    vendor, Red Hat, Inc. is responsible for providing security patches as well as meeting
    and maintaining government certifications and standards.

rationale: |-
    An operating system is considered "supported" if the vendor continues to provide security
    patches for the product as well as maintain government certification requirements. With
    an unsupported release, it will not be possible to resolve security issues discovered in
    the system software as well as meet government certifications.

severity: high

identifiers:
    cce@rhel7: 80349-4

references:
    disa: 366
    nist: SI-2(c)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "020250"

ocil_clause: 'the installed operating system is not supported or certified'

ocil: |-
    To verify that the installed operating system is supported or certified, run the following command:
    $ grep -i "red hat" /etc/redhat-release
    The output should contain something similar to:
    Red Hat Enterprise Linux Server 7.3 (Maipo)
# scap-security-guide-0.1.39/shared/guide/system/software/integrity/disable_prelink.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Disable Prelinking'

description: |-
    The prelinking feature changes binaries in an attempt to decrease their startup time.
    In order to disable it, change or add the following line inside the file
    /etc/sysconfig/prelink:
    PRELINKING=no
    Next, run the following command to return binaries to a normal, non-prelinked state:
    $ sudo /usr/sbin/prelink -ua

rationale: |-
    Because the prelinking feature changes binaries, it can interfere with the operation of
    certain software and/or modes such as AIDE, FIPS, etc.

severity: unknown

identifiers:
    cce@rhel7: 27078-5

references:
    cis: 1.5.4
    cjis: 5.10.1.3
    cui: 3.13.11
    nist: 'CM-6(d),CM-6(3),SC-28, SI-7'
    pcidss: Req-11.5

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/endpoint_security_software/endpoint_security_software.group
documentation_complete: true

title: 'Endpoint Protection Software'

description: |-
    Endpoint protection security software that is not provided or supported by Red Hat can
    be installed to provide complementary or duplicative security capabilities to those
    provided by the base platform. Add-on software may not be appropriate for some
    specialized systems.

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/endpoint_security_software/install_antivirus.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Install Virus Scanning Software'

description: |-
    Install virus scanning software, which uses signatures to search for the presence of
    viruses on the filesystem. Ensure virus definition files are no older than 7 days, or
    their last release. Configure the virus scanning software to perform scans dynamically
    on all accessed files. If this is not possible, configure the system to scan all altered
    files on the system on a daily basis. If the system processes inbound SMTP mail,
    configure the virus scanner to scan all received mail.

rationale: |-
    Virus scanning software can be used to detect if a system has been compromised by
    computer viruses, as well as to limit their spread to other systems.

severity: high

identifiers:
    cce@rhel7: 27140-3

references:
    disa: 1239,1668
    nist: 'SC-28, SI-3'

ocil_clause: 'virus scanning software does not run continuously, or at least daily, or has signatures that are out of date'

ocil: |-
    Inspect the system for a cron job or system service which executes a virus scanning tool regularly.
    To verify the McAfee VSEL system service is operational, run the following command:
    $ sudo /sbin/service nails status
    To check on the age of uvscan virus definition files, run the following command (cd is a
    shell builtin, so it cannot be run through sudo; list the files by full path instead):
    $ sudo ls -la /opt/NAI/LinuxShield/engine/dat/avvscan.dat /opt/NAI/LinuxShield/engine/dat/avvnames.dat /opt/NAI/LinuxShield/engine/dat/avvclean.dat
# scap-security-guide-0.1.39/shared/guide/system/software/integrity/endpoint_security_software/install_hids.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Install Intrusion Detection Software'

description: |-
    The base Red Hat platform already includes a sophisticated auditing system that can
    detect intruder activity, as well as SELinux, which provides host-based intrusion
    prevention capabilities by confining privileged programs and user sessions which may
    become compromised.

rationale: |-
    Host-based intrusion detection tools provide a system-level defense when an intruder
    gains access to a system or network.

severity: high

identifiers:
    cce@rhel7: 26818-5

references:
    disa: 1263
    nist: SC-7
    pcidss: Req-11.4

ocil_clause: 'no host-based intrusion detection tools are installed'

ocil: |-
    Inspect the system to determine if intrusion detection software has been installed.
    Verify this intrusion detection software is active.

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus.rule
documentation_complete: true

prodtype: rhel7

title: 'Install McAfee Virus Scanning Software'

description: |-
    Install McAfee VirusScan Enterprise for Linux antivirus software which is provided for
    DoD systems and uses signatures to search for the presence of viruses on the filesystem.

rationale: |-
    Virus scanning software can be used to detect if a system has been compromised by
    computer viruses, as well as to limit their spread to other systems.

severity: high

identifiers:
    cce@rhel7: 80127-4

references:
    disa: 366,1239,1668
    nist: SC-28,SI-3,SI-3(1)(ii)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "032000"

ocil_clause: 'virus scanning software is not installed or running'

ocil: |-
    To verify that McAfee VirusScan Enterprise for Linux is installed and running, run the following command(s):
    $ sudo systemctl status nails
    $ rpm -q McAfeeVSEForLinux

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_cma_rt.rule
documentation_complete: true

prodtype: rhel7

title: 'Install the McAfee Runtime Libraries and Linux Agent'

description: 'Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma).'

rationale: |-
    The McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) are dependencies for
    VirusScan Enterprise for Linux (VSEL) and Host-based Security System (HBSS) to run.

severity: medium

identifiers:
    cce@rhel7: 80367-6

ocil_clause: 'the HBSS HIPS module is not installed'

ocil: |-
    To verify that McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma) are installed, run the following command(s):
    $ rpm -q MFEcma
    $ rpm -q MFErt

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated.rule
documentation_complete: true

prodtype: rhel7

title: 'Virus Scanning Software Definitions Are Updated'

description: 'Ensure virus definition files are no older than 7 days or their last release.'

rationale: |-
    Virus scanning software can be used to detect if a system has been compromised by
    computer viruses, as well as to limit their spread to other systems.

severity: medium

identifiers:
    cce@rhel7: 80129-0

references:
    disa: 366,1239,1668
    nist: SC-28,SI-3,SI-3(1)(ii)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "032010"

ocil_clause: 'signatures are out of date'

ocil: |-
    To check on the age of McAfee virus definition files, run the following command (cd is a
    shell builtin, so it cannot be run through sudo; list the files by full path instead):
    $ sudo ls -la /opt/NAI/LinuxShield/engine/dat/avvscan.dat /opt/NAI/LinuxShield/engine/dat/avvnames.dat /opt/NAI/LinuxShield/engine/dat/avvclean.dat
# scap-security-guide-0.1.39/shared/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm.rule
documentation_complete: true

prodtype: rhel7

title: 'Install the Asset Configuration Compliance Module (ACCM)'

description: 'Install the Asset Configuration Compliance Module (ACCM).'

rationale: |-
    Without a host-based intrusion detection tool, there is no system-level defense when an
    intruder gains access to a system or network. Additionally, a host-based intrusion
    prevention tool can provide methods to immediately lock out detected intrusion attempts.

severity: medium

identifiers:
    cce@rhel7: 80126-6

references:
    disa: 366,1263
    nist: SC-7,SI-4(1).1
    pcidss: Req-11.4
    srg: SRG-OS-000480-GPOS-00227

ocil_clause: 'the HBSS ACCM module is not installed'

ocil: |-
    To verify that HBSS ACCM is installed, run the following command(s):
    $ sudo ls /opt/McAfee/accm/bin/accm

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_hips.rule
documentation_complete: true

prodtype: rhel7

title: 'Install the Host Intrusion Prevention System (HIPS) Module'

description: |-
    Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely
    necessary. If SELinux is enabled, do not install or enable this module.

rationale: |-
    Without a host-based intrusion detection tool, there is no system-level defense when an
    intruder gains access to a system or network. Additionally, a host-based intrusion
    prevention tool can provide methods to immediately lock out detected intrusion attempts.

severity: medium

identifiers:
    cce@rhel7: 80368-4

references:
    disa: 366,1263
    nist: SC-7,SI-4(1).1
    pcidss: Req-11.4
    srg: SRG-OS-000480-GPOS-00227

ocil_clause: 'the HBSS HIPS module is not installed'

ocil: |-
    To verify that McAfee HIPS is installed, run the following command(s):
    $ rpm -q MFEhiplsm

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa.rule
documentation_complete: true

prodtype: rhel7

title: 'Install the Policy Auditor (PA) Module'

description: 'Install the Policy Auditor (PA) Module.'

rationale: |-
    Without a host-based intrusion detection tool, there is no system-level defense when an
    intruder gains access to a system or network. Additionally, a host-based intrusion
    prevention tool can provide methods to immediately lock out detected intrusion attempts.

severity: medium

identifiers:
    cce@rhel7: 80369-2

references:
    disa: 366,1263
    nist: SC-7,SI-4(1).1
    pcidss: Req-11.4
    srg: SRG-OS-000480-GPOS-00227

ocil_clause: 'the HBSS PA module is not installed'

ocil: |-
    To verify that HBSS PA is installed, run the following command(s):
    $ sudo ls /opt/McAfee/auditengine/bin/auditmanager

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/mcafee_hbss_software.group
documentation_complete: true

title: 'McAfee Host-Based Intrusion Detection Software (HBSS)'

description: |-
    McAfee Host-based Security System (HBSS) is a suite of software applications used to
    monitor, detect, and defend computer networks and systems.

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_security_software.group
documentation_complete: true

title: 'McAfee Endpoint Security Software'

description: |-
    In DoD environments, McAfee Host-based Security System (HBSS) and VirusScan Enterprise
    for Linux (VSEL) are required to be installed on all systems.

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/service_nails_enabled.rule
documentation_complete: true

prodtype: rhel7

title: 'Enable nails Service'

description: |-
    The nails service is used to run McAfee VirusScan Enterprise for Linux and McAfee
    Host-based Security System (HBSS) services.

rationale: |-
    Virus scanning software can be used to detect if a system has been compromised by
    computer viruses, as well as to limit their spread to other systems.
severity: medium

identifiers:
    cce@rhel7: 80128-2

references:
    disa: 366,1239,1668
    nist: SC-28,SI-3,SI-3(1)(ii)
    srg: SRG-OS-000480-GPOS-00227

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/fips/fips.group
documentation_complete: true

title: 'Federal Information Processing Standard (FIPS)'

description: |-
    The Federal Information Processing Standard (FIPS) is a computer security standard which
    is developed by the U.S. Government and industry working groups to validate the quality
    of cryptographic modules. The FIPS standard provides four security levels to ensure
    adequate coverage of different industries, implementation of cryptographic modules, and
    organizational sizes and requirements.

    FIPS 140-2 is the current standard for validating that mechanisms used to access
    cryptographic modules utilize authentication that meets industry and government
    requirements. For government systems, this allows Security Levels 1, 2, 3, or 4 for use
    on Red Hat Enterprise Linux.

    See for more information.

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/fips/grub2_enable_fips_mode.rule
documentation_complete: true

prodtype: rhel7

title: 'Enable FIPS Mode in GRUB2'

description: |-
    To ensure FIPS mode is enabled, rebuild initramfs by running the following command:
    dracut -f
    After the dracut command has been run, add the argument fips=1 to the default GRUB 2
    command line for the Linux operating system in /etc/default/grub, in the manner below:
    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"
    Finally, rebuild the grub.cfg file by using the grub2-mkconfig -o command as follows:
      • On BIOS-based machines, issue the following command as root:
        ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
      • On UEFI-based machines, issue the following command as root:
        ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

rationale: |-
    Use of weak or untested encryption algorithms undermines the purposes of utilizing
    encryption to protect data. The operating system must implement cryptographic modules
    adhering to the higher standards approved by the federal government since this provides
    assurance they have been tested and validated.

severity: high

identifiers:
    cce@rhel7: 80359-3

references:
    cjis: 5.10.1.2
    cui: 3.13.8,3.13.11
    disa: 68,2450
    nist: AC-17(2)
    srg: SRG-OS-000033-GPOS-00014,SRG-OS-000396-GPOS-00176,SRG-OS-000478-GPOS-00223
    stigid@rhel7: "021350"

ocil_clause: 'FIPS is not configured or enabled in grub'

ocil: |-
    To verify that FIPS is enabled properly in grub, run the following command:
    $ grep fips /etc/default/grub
    The output should contain fips=1

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/fips/package_dracut-fips_installed.rule
documentation_complete: true

prodtype: rhel7

title: 'Install the dracut-fips Package'

description: |-
    To enable FIPS, the system requires that the dracut-fips package be installed.

rationale: |-
    Use of weak or untested encryption algorithms undermines the purposes of utilizing
    encryption to protect data. The operating system must implement cryptographic modules
    adhering to the higher standards approved by the federal government since this provides
    assurance they have been tested and validated.

severity: medium

identifiers:
    cce@rhel7: 80358-5

references:
    cjis: 5.10.1.2
    cui: 3.13.11,3.13.8
    disa: 68,2450
    nist: AC-17(2)
    srg: SRG-OS-000033-GPOS-00014,SRG-OS-000396-GPOS-00176,SRG-OS-000478-GPOS-00223

ocil_clause: 'the package is not installed'

ocil: ''

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/integrity.group
documentation_complete: true

title: 'System and Software Integrity'

description: |-
    System and software integrity can be gained by installing antivirus, increasing system
    encryption strength with FIPS, verifying installed software, enabling SELinux, installing
    an Intrusion Prevention System, etc. However, installing or enabling integrity checking
    tools cannot prevent intrusions, but they can detect that an intrusion may have occurred.
    Requirements for integrity checking may be highly dependent on the environment in which
    the system will be used. Snapshot-based approaches such as AIDE may induce considerable
    overhead in the presence of frequent software updates.
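As an added example (not part of the scap-security-guide project), the shell functions below perform the GRUB_CMDLINE_LINUX edit from the FIPS GRUB2 rule above on a constructed copy of /etc/default/grub, and run the same grep fips /etc/default/grub check the rule's ocil uses. The function names are assumed. Only the file edit is shown; dracut -f and grub2-mkconfig -o must still be run on a real system, as the rule says. The last helper reads /proc/sys/crypto/fips_enabled, the kernel's own report of whether FIPS mode is active; that file is a real kernel interface but is not mentioned on this page.

```shell
#!/bin/sh
# Added example (not from the SSG project): check and, if needed, add fips=1 to
# GRUB_CMDLINE_LINUX in a copy of /etc/default/grub, as the FIPS GRUB2 rule above
# describes. Function names are assumed; the grub file is a constructed sample.

# Exit 0 when GRUB_CMDLINE_LINUX already carries fips=1 as a whole word.
grub_has_fips() {
    grep -E '^GRUB_CMDLINE_LINUX=.*[" =]fips=1([" ]|$)' "$1" >/dev/null 2>&1
}

# Print the value of GRUB_CMDLINE_LINUX without its surrounding quotes.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\{0,1\}\([^"]*\)"\{0,1\} *$/\1/p' "$1"
}

# Insert fips=1 into the (quoted or unquoted) GRUB_CMDLINE_LINUX value; idempotent.
# If the variable is absent it is added. GRUB_CMDLINE_LINUX_DEFAULT is left alone.
grub_add_fips() {
    f=$1
    grub_has_fips "$f" && return 0
    awk '
        /^GRUB_CMDLINE_LINUX=/ && !done {
            if ($0 ~ /" *$/) {                     # quoted: insert before the closing quote
                sub(/" *$/, "")
                if ($0 ~ /"$/) $0 = $0 "fips=1\""   # empty value ("")
                else           $0 = $0 " fips=1\""
            } else if ($0 ~ /=$/) {
                $0 = $0 "fips=1"                   # unquoted and empty
            } else {
                $0 = $0 " fips=1"                  # unquoted value
            }
            done = 1
        }
        { print }
        END { if (!done) print "GRUB_CMDLINE_LINUX=\"fips=1\"" }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Live-system check: the kernel exposes /proc/sys/crypto/fips_enabled (1 = FIPS mode).
# Prints "unavailable" where the file does not exist, so it is safe to call anywhere.
fips_runtime_state() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo unavailable
    fi
}

# Edit a constructed /etc/default/grub and verify the result the way the ocil does.
demo_grub_fips() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0"
GRUB_DISABLE_RECOVERY="true"
EOF
    grub_has_fips "$f" && { rm -f "$f"; return 1; }   # must be absent before the edit
    grub_add_fips "$f"
    grub_add_fips "$f"                # second run must not add a second fips=1
    rc=0
    grub_has_fips "$f" || rc=1
    [ "$(grep -c 'fips=1' "$f")" -eq 1 ] || rc=1
    grub_cmdline "$f"                 # the line the rule shows, now with fips=1
    rm -f "$f"
    # On the real file, follow with: dracut -f, then grub2-mkconfig -o <grub.cfg path>
    return $rc
}
```

grub_has_fips deli­berately requires fips=1 as a separate word: a stale rd.fips=1 or a fips=0 left behind from testing does not satisfy it, which is the distinction the plain grep fips in the ocil cannot make. Editing /etc/default/grub alone changes nothing until grub2-mkconfig regenerates grub.cfg and the system reboots, so fips_runtime_state is the check that confirms the end state.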
# scap-security-guide-0.1.39/shared/guide/system/software/integrity/software-integrity/aide/aide.group
documentation_complete: true

title: 'Verify Integrity with AIDE'

description: |-
    AIDE conducts integrity checks by comparing information about files with
    previously-gathered information. Ideally, the AIDE database is created immediately after
    initial system configuration, and then again after any software update. AIDE is highly
    configurable, with further configuration information located in
    /usr/share/doc/aide-VERSION.

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/software-integrity/aide/aide_build_database.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Build and Test AIDE Database'

description: |-
    Run the following command to generate a new database:
    $ sudo /usr/sbin/aide --init
    By default, the database will be written to the file /var/lib/aide/aide.db.new.gz.
    Storing the database, the configuration file /etc/aide.conf, and the binary
    /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only
    media) provides additional assurance about their integrity. The newly-generated database
    can be installed as follows:
    $ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    To initiate a manual check, run the following command:
    $ sudo /usr/sbin/aide --check
    If this check produces any unexpected output, investigate.

rationale: |-
    For AIDE to be effective, an initial database of "known-good" information about files
    must be captured and it should be able to be verified against the installed files.

severity: medium

identifiers:
    cce@rhel7: 27220-3

references:
    cjis: 5.10.1.3
    nist: CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7
    pcidss: Req-11.5

ocil_clause: 'there is no database file'

ocil: |-
    To find the location of the AIDE database file, run the following command:
    $ sudo ls -l DBDIR/database_file_name
# scap-security-guide-0.1.39/shared/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking.rule
documentation_complete: true

prodtype: rhel7,fedora

title: 'Configure Periodic Execution of AIDE'

description: |-
    At a minimum, AIDE should be configured to run a weekly scan. At most, AIDE should be run
    daily. To implement a daily execution of AIDE at 4:05am using cron, add the following
    line to /etc/crontab:
    05 4 * * * root /usr/sbin/aide --check
    To implement a weekly execution of AIDE at 4:05am using cron, add the following line to
    /etc/crontab:
    05 4 * * 0 root /usr/sbin/aide --check
    AIDE can be executed periodically through other means; this is merely one example.
    The usage of cron's special time codes, such as @daily and @weekly, is acceptable.

rationale: |-
    By default, AIDE does not install itself for periodic execution. Periodically running
    AIDE is necessary to reveal unexpected changes in installed files.

    Unauthorized changes to the baseline configuration could make the system vulnerable to
    various attacks or allow unauthorized access to the operating system. Changes to
    operating system configurations can have unintended side effects, some of which may be
    relevant to security.

    Detecting such changes and providing an automated response can help avoid unintended,
    negative consequences that could ultimately affect the security state of the operating
    system. The operating system's Information Management Officer (IMO)/Information System
    Security Officer (ISSO) and System Administrators (SAs) must be notified via email
    and/or monitoring system trap when there is an unauthorized modification of a
    configuration item.

severity: medium

identifiers:
    cce@rhel7: 26952-2

references:
    cis: 1.3.2
    cjis: 5.10.1.3
    disa: 1744
    nist: CM-3(d),CM-3(e),CM-3(5),CM-6(d),CM-6(3),SC-28,SI-7
    pcidss: Req-11.5
    srg: SRG-OS-000363-GPOS-00150
    stigid@rhel7: "020030"

ocil_clause: 'there is no output'

ocil: |-
    To determine that periodic AIDE execution has been scheduled, run the following command:
    $ grep aide /etc/crontab
    The output should return something similar to the following:
    05 4 * * * root /usr/sbin/aide --check
    NOTE: The usage of special cron times, such as @daily or @weekly, is acceptable.

# scap-security-guide-0.1.39/shared/guide/system/software/integrity/software-integrity/aide/aide_scan_notification.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure Notification of Post-AIDE Scan Details'

description: |-
    AIDE should notify appropriate personnel of the details of a scan after the scan has been
    run. If AIDE has already been configured for periodic execution in /etc/crontab, append
    the following line to the existing AIDE line:
     | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
    Otherwise, add the following line to /etc/crontab:
    05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
    AIDE can be executed periodically through other means; this is merely one example.

rationale: |-
    Unauthorized changes to the baseline configuration could make the system vulnerable to
    various attacks or allow unauthorized access to the operating system. Changes to
    operating system configurations can have unintended side effects, some of which may be
    relevant to security.

    Detecting such changes and providing an automated response can help avoid unintended,
    negative consequences that could ultimately affect the security state of the operating
    system. The operating system's Information Management Officer (IMO)/Information System
    Security Officer (ISSO) and System Administrators (SAs) must be notified via email
    and/or monitoring system trap when there is an unauthorized modification of a
    configuration item.

severity: medium

identifiers:
    cce@rhel7: 80374-2

references:
    disa: 1744
    nist: CM-3(5)
    srg: SRG-OS-000363-GPOS-00150
    stigid@rhel7: "020040"

ocil_clause: 'AIDE has not been configured or has not been configured to notify personnel of scan details'

ocil: |-
    To determine that periodic AIDE execution has been scheduled, run the following command:
    $ grep aide /etc/crontab
    The output should return something similar to the following:
    05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
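The periodic-execution and notification rules above both grep /etc/crontab for the AIDE line. The script below is an added example, not the project's own code: it makes that check precise (uncommented line, acceptable schedule, mail pipe present) and, where something is missing, appends exactly the lines those rules prescribe. It works on a constructed crontab file and the function names are assumed. It accepts the @daily and @weekly special time codes that the rule's NOTE allows, and generalises slightly by rejecting @monthly and @yearly, which fall below the weekly minimum the rule states.

```shell
#!/bin/sh
# Added example (not from the SSG project): verify and, where missing, add the
# periodic AIDE check with mail notification that the two rules above describe,
# operating on a constructed crontab instead of /etc/crontab. Function names
# are assumed.

# The notification pipe from the rules above (single-quoted so that $(hostname)
# is expanded by cron's shell at run time, not here).
AIDE_MAIL='| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost'

# Print uncommented crontab lines that run "aide --check".
aide_cron_lines() {
    grep -E '^[[:space:]]*[^#[:space:]].*aide[[:space:]]+--check' "$1" 2>/dev/null
}

# Exit 0 when a check is scheduled at an acceptable cadence: a five-field
# schedule, @daily or @weekly. @monthly and @yearly are less frequent than the
# weekly minimum the rule states, so they do not count.
aide_cron_scheduled() {
    aide_cron_lines "$1" | awk '
        $1 == "@daily" || $1 == "@weekly" { ok = 1 }
        NF >= 7 && ($1 $2 $3 $4 $5) ~ /^[-0-9*\/,]+$/ { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Exit 0 when an AIDE line also pipes its output to mail.
aide_cron_notifies() {
    aide_cron_lines "$1" | grep -E '[|][[:space:]]*([^[:space:]|]*/)?mail[[:space:]]' >/dev/null
}

# Add what is missing: a whole daily line if nothing is scheduled, or only the
# mail pipe appended to an existing schedule that lacks one.
aide_cron_ensure() {
    crontab=$1
    touch "$crontab"
    if ! aide_cron_scheduled "$crontab"; then
        printf '%s\n' "05 4 * * * root /usr/sbin/aide --check $AIDE_MAIL" >> "$crontab"
    elif ! aide_cron_notifies "$crontab"; then
        awk -v mail="$AIDE_MAIL" '
            /^[ \t]*[^# \t].*aide[ \t]+--check/ && $0 !~ /[|]/ { $0 = $0 " " mail }
            { print }' "$crontab" > "$crontab.tmp" && mv "$crontab.tmp" "$crontab"
    fi
}

# Constructed crontab: the AIDE line is commented out, so no check is scheduled.
demo_aide_cron() {
    f=$(mktemp)
    printf '%s\n' 'SHELL=/bin/bash' 'PATH=/sbin:/bin:/usr/sbin:/usr/bin' \
                  '# 05 4 * * * root /usr/sbin/aide --check' > "$f"
    aide_cron_scheduled "$f" && { rm -f "$f"; return 1; }
    aide_cron_ensure "$f"
    rc=0
    aide_cron_scheduled "$f" || rc=1
    aide_cron_notifies "$f" || rc=1
    aide_cron_lines "$f"                 # the line the ocil grep would show
    rm -f "$f"
    return $rc
}
```

The ocil's grep aide /etc/crontab would also match the commented-out line in the constructed file, which is why the check here insists on a non-comment first character. The append path keeps an existing schedule rather than adding a second one, so a weekly job stays weekly and only gains the mail pipe.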
# scap-security-guide-0.1.39/shared/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes.rule
documentation_complete: true

prodtype: rhel7

title: 'Configure AIDE to Use FIPS 140-2 for Validating Hashes'

description: |-
    By default, the sha512 option is added to the NORMAL ruleset in AIDE. If using a custom
    ruleset or the sha512 option is missing, add sha512 to the appropriate ruleset. For
    example, add sha512 to the following line in /etc/aide.conf:
    NORMAL = FIPSR+sha512
    AIDE rules can be configured in multiple ways; this is merely one example that is
    already configured by default.

rationale: |-
    File integrity tools use cryptographic hashes for verifying file contents and
    directories have not been altered. These hashes must be FIPS 140-2 approved
    cryptographic hashes.

severity: medium

identifiers:
    cce@rhel7: 80377-5

references:
    cui: 3.13.11
    disa: 366
    nist: SI-7(1)
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "021620"

ocil_clause: 'the sha512 option is missing or not added to the correct ruleset'

ocil: |-
    To determine that AIDE is configured for FIPS 140-2 file hashing, run the following command:
    $ grep sha512 /etc/aide.conf
    Verify that the sha512 option is added to the correct ruleset.
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. rationale: |- ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. severity: medium identifiers: cce@rhel7: 80375-9 references: disa: 366 nist: SI-7.1 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "021600" ocil_clause: 'the acl option is missing or not added to the correct ruleset' ocil: |- To determine that AIDE is verifying ACLs, run the following command:
$ grep acl /etc/aide.conf
Verify that the acl option is added to the correct ruleset. aide_verify_ext_attributes.rule000066400000000000000000000022721327242345500402410ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/integrity/software-integrity/aidedocumentation_complete: true prodtype: rhel7 title: 'Configure AIDE to Verify Extended Attributes' description: |- By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. rationale: |- Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. severity: medium identifiers: cce@rhel7: 80376-7 references: disa: 366 nist: SI-7.1 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: "021610" ocil_clause: 'the xattrs option is missing or not added to the correct ruleset' ocil: |- To determine that AIDE is verifying extended file attributes, run the following command:
$ grep xattrs /etc/aide.conf
Verify that the xattrs option is added to the correct ruleset. package_aide_installed.rule000066400000000000000000000010571327242345500372410ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/guide/system/software/integrity/software-integrity/aidedocumentation_complete: true prodtype: rhel7,fedora title: 'Install AIDE' description: |- Install the AIDE package with the command:
    $ sudo yum install aide

rationale: 'The AIDE package must be installed if it is to be available for integrity checking.'

severity: medium

identifiers:
    cce@rhel7: 27096-7

references:
    cis: 1.3.1
    cjis: 5.10.1.3
    disa: ""
    nist: CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7
    pcidss: Req-11.5

ocil_clause: 'the package is not installed'

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verification.group

documentation_complete: true

title: 'Verify Integrity with RPM'

description: |-
    The RPM package management system includes the ability to verify the
    integrity of installed packages by comparing the installed files with
    information about the files taken from the package metadata stored in the
    RPM database. Although an attacker could corrupt the RPM database
    (analogous to attacking the AIDE database as described above), this check
    can still reveal modification of important files. To list which files on
    the system differ from what is expected by the RPM database:
    $ rpm -qVa
    See the man page for rpm to see a complete explanation of each column.

scap-security-guide-0.1.39/shared/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes.rule

documentation_complete: true

prodtype: rhel7,fedora,ol7

title: 'Verify File Hashes with RPM'

description: |-
    Without cryptographic integrity protections, system executables and files
    can be altered by unauthorized users without detection. The RPM package
    management system can check the hashes of installed software packages,
    including many that are important to system security. To verify that the
    cryptographic hash of system files and commands match vendor values, run
    the following command to list which files on the system have hashes that
    differ from what is expected by the RPM database:
    $ rpm -Va | grep '^..5'
    A "c" in the second column indicates that a file is a configuration file,
    which may appropriately be expected to change. If the file was not
    expected to change, investigate the cause of the change using audit logs
    or other means. The package can then be reinstalled to restore the file.
    Run the following command to determine which package owns the file:
    $ rpm -qf FILENAME
    The package can be reinstalled from a yum repository using the command:
    $ sudo yum reinstall PACKAGENAME
    Alternatively, the package can be reinstalled from trusted media using the command:
    $ sudo rpm -Uvh PACKAGENAME

rationale: |-
    The hashes of important files like system executables should match the
    information given by the RPM database. Executables with erroneous hashes
    could be a sign of nefarious activity on the system.

severity: high

identifiers:
    cce@rhel7: 27157-7

references:
    cis: 1.2.6
    cjis: 5.10.4.1
    cui: 3.3.8,3.4.1
    disa: 663
    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
    nist: CM-6(d),CM-6(3),SI-7(1)
    pcidss: Req-11.5
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "010020"

ocil_clause: 'there is output'

ocil: |-
    The following command will list which files on the system have file hashes different from what is expected by the RPM database.
    $ rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'
scap-security-guide-0.1.39/shared/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership.rule

documentation_complete: true

prodtype: rhel7

title: 'Verify and Correct Ownership with RPM'

description: |-
    The RPM package management system can check the file ownership of
    installed software packages, including many that are important to system
    security. After locating a file with incorrect ownership, which can be
    found with
    rpm -Va | grep "^.....\(U\|.G\)"
    run the following command to determine which package owns it:
    $ rpm -qf FILENAME
    Next, run the following command to reset its ownership to the correct values:
    $ sudo rpm --setugids PACKAGENAME

rationale: |-
    Ownership of binaries and configuration files that is incorrect could
    allow an unauthorized user to gain privileges that they should not have.
    The ownership set by the vendor should be maintained. Any deviations from
    this baseline should be investigated.

severity: high

identifiers:
    cce@rhel7: 80545-7

references:
    cis: 1.2.6,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9,6.2.3
    cjis: 5.10.4.1
    cui: 3.3.8,3.4.1
    disa: 1494,1496
    nist: AC-6,AU-9(1),AU-9(3),CM-6(d),CM-6(3)
    pcidss: Req-11.5
    srg: SRG-OS-000257-GPOS-00098,SRG-OS-000278-GPOS-00108
    stigid@rhel7: TBD

ocil_clause: 'there is output'

ocil: |-
    The following command will list which files on the system have ownership different from what is expected by the RPM database:
    $ rpm -Va | grep "^.....\(U\|.G\)"
scap-security-guide-0.1.39/shared/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions.rule

documentation_complete: true

prodtype: rhel7,fedora,ol7

title: 'Verify and Correct File Permissions with RPM'

description: |-
    The RPM package management system can check file access permissions of
    installed software packages, including many that are important to system
    security. Verify that the file permissions of system files and commands
    match vendor values. Check the file permissions with the following command:
    $ sudo rpm -Va | grep '^.M'
    Output indicates files that do not match vendor defaults. After locating
    a file with incorrect permissions, run the following command to determine
    which package owns it:
    $ rpm -qf FILENAME
    Next, run the following command to reset its permissions to the correct values:
    $ sudo rpm --setperms PACKAGENAME

rationale: |-
    Permissions on system binaries and configuration files that are too
    generous could allow an unauthorized user to gain privileges that they
    should not have. The permissions set by the vendor should be maintained.
    Any deviations from this baseline should be investigated.

severity: high

identifiers:
    cce@rhel7: 27209-6

references:
    cis: 1.2.6,6.1.3,6.1.4,6.1.5,6.1.6,6.1.7,6.1.8,6.1.9,6.2.3
    cjis: 5.10.4.1
    cui: 3.3.8,3.4.1
    disa: 1494,1496
    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
    nist: AC-6,AU-9(1),AU-9(3),CM-6(d),CM-6(3)
    pcidss: Req-11.5
    srg: SRG-OS-000257-GPOS-00098,SRG-OS-000278-GPOS-00108
    stigid@rhel7: "010010"

ocil_clause: 'there is output'

ocil: |-
    The following command will list which files on the system have permissions different from what is expected by the RPM database:
    $ rpm -Va | grep '^.M'
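Added example (not code from scap-security-guide): a POSIX shell script implementing the checks behind the AIDE ruleset rules (sha512, acl, xattrs) and the three rpm -Va rules above. aide_ruleset_has follows ruleset references, so it reports which ruleset an option is really in rather than just whether the word appears in the file, and rpm_va_classify maps each rpm -Va line to the rule and remediation it belongs to; the aide.conf and rpm -Va samples are constructed.

```shell
#!/bin/sh
# Added example (not part of scap-security-guide): helper checks behind the
# AIDE ruleset rules and the rpm -Va rules above. Both functions read stdin,
# so the constructed samples below let the script run offline; on a real
# host feed them /etc/aide.conf and the output of `rpm -Va` instead.

# aide_ruleset_has RULESET OPTION < aide.conf
# Prints "yes" (exit 0) if OPTION is reachable from RULESET, following
# references to other rulesets: NORMAL = FIPSR+sha512 inherits the acl and
# xattrs options that FIPSR defines. A bare `grep sha512 /etc/aide.conf`
# cannot tell which ruleset the option landed in. Ruleset and option names
# are assumed to be alphanumeric (no regex metacharacters).
aide_ruleset_has() {
    want="$2"; queue="$1"; seen=""
    # keep only "NAME = a+b+c" definitions, with comments stripped
    conf=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' |
           grep -E '^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=' || true)
    while [ -n "$queue" ]; do
        name=${queue%% *}                              # dequeue first name
        queue=${queue#"$name"}; queue=${queue# }
        case " $seen " in *" $name "*) continue ;; esac  # already expanded
        seen="$seen $name"
        rhs=$(printf '%s\n' "$conf" |
              sed -n "s/^$name[[:space:]]*=[[:space:]]*//p" | head -n 1)
        for item in $(printf '%s\n' "$rhs" | tr '+' ' '); do
            if [ "$item" = "$want" ]; then echo yes; return 0; fi
            queue="${queue:+$queue }$item"             # may be a ruleset too
        done
    done
    echo no
    return 1
}

# rpm_va_classify < output-of-rpm-Va
# Maps each verify line onto the rule it violates. The 9-character attribute
# string is S M 5 D L U G T P (size, mode, digest, device, link, user, group,
# mtime, capabilities); a "c" after it marks a config file, whose digest may
# legitimately differ. Paths are assumed to contain no spaces.
rpm_va_classify() {
    awk '
        $1 == "missing" { print "missing " $NF; next }
        length($1) != 9 { next }                         # not a verify line
        {
            path = $NF
            if (substr($1, 2, 1) == "M") print "mode " path         # rpm --setperms
            if (substr($1, 6, 1) == "U" || substr($1, 7, 1) == "G")
                print "owner " path                                   # rpm --setugids
            if (substr($1, 3, 1) == "5") {
                kind = ($2 == "c") ? "config" : "hash"                # hash: reinstall
                print kind " " path
            }
        }'
}

# Constructed sample modelled on the default RHEL 7 /etc/aide.conf.
SAMPLE_AIDE_CONF='@@define DBDIR /var/lib/aide
database=file:@@{DBDIR}/aide.db.gz
# ruleset definitions
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
NORMAL = FIPSR+sha512
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
/boot    NORMAL
/var/log DATAONLY'

# Constructed sample of `rpm -Va` output (column layout as in rpm(8)).
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
..5......    /usr/bin/passwd
.M.......    /usr/bin/sudo
.....UG..    /var/log/audit
missing     /usr/share/doc/sample/README'

main() {
    echo "== AIDE: is the option present in the ruleset? (sample config) =="
    for check in "NORMAL sha512" "NORMAL acl" "FIPSR xattrs" "DATAONLY sha512"; do
        set -- $check
        printf '  %-8s %-7s %s\n' "$1" "$2" \
            "$(printf '%s\n' "$SAMPLE_AIDE_CONF" | aide_ruleset_has "$1" "$2")"
    done
    echo "== rpm -Va: the rule each finding falls under (sample output) =="
    printf '%s\n' "$SAMPLE_RPM_VA" | rpm_va_classify | sed 's/^/  /'
}

main
```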
scap-security-guide-0.1.39/shared/guide/system/software/integrity/software-integrity/software-integrity.group

documentation_complete: true

title: 'Software Integrity Checking'

description: |-
    Both the AIDE (Advanced Intrusion Detection Environment) software and the
    RPM package management system provide mechanisms for verifying the
    integrity of installed software. AIDE uses snapshots of file metadata
    (such as hashes) and compares these to current system files in order to
    detect changes.

    The RPM package management system can conduct integrity checks by
    comparing information in its metadata database with files installed on
    the system.

scap-security-guide-0.1.39/shared/guide/system/software/sap/package_glibc_installed.rule

documentation_complete: true

prodtype: ol7

title: 'Package glibc Installed'

description: |-
    The package glibc is installed on Linux by default, but the glibc version
    might not be sufficient for SAP. Please refer to the SAP note for your
    Linux version for the minimum requirement on glibc.
    Use the following command to install and/or update the package:
    $ sudo yum install glibc

rationale: |-
    The glibc package contains standard C and math libraries used by multiple
    programs on Linux. The glibc shipped with the first release of each major
    Linux version is often not sufficient for SAP. An update is required after
    the first OS installation.

severity: medium

references:

ocil_clause: 'the minimum required glibc version is not installed'

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/software/sap/package_uuidd_installed.rule

documentation_complete: true

prodtype: ol7

title: 'Package uuidd Installed'

description: |-
    The package uuidd is not installed on normal Linux distributions by
    default. Applications require this package to avoid database
    inconsistencies caused by duplicated UUIDs. Especially in banking services
    with SAP, where massive numbers of UUIDs are created in a short time
    period, it is important to install the package uuidd. More information can
    be found in SAP note 1391070.
    Use the following command to install and/or update the package:
    $ sudo yum install uuidd

rationale: |-
    The uuidd package contains a userspace daemon (uuidd) which is used to
    generate unique identifiers even at very high rates on SMP systems.

severity: medium

references:

ocil_clause: 'the package is not installed'

ocil: ''

scap-security-guide-0.1.39/shared/guide/system/software/sap/sap.group

documentation_complete: true

title: 'SAP Specific Requirement'

description: |-
    SAP (Systems, Applications and Products in Data Processing) is enterprise
    software to manage business operations and customer relations. The
    following section contains SAP-specific requirements that are not part of
    standard or common OS settings.

scap-security-guide-0.1.39/shared/guide/system/software/software.group

documentation_complete: true

title: 'Installing and Maintaining Software'

description: |-
    The following sections contain information on security-relevant choices
    during the initial operating system installation process and the setup of
    software updates.

scap-security-guide-0.1.39/shared/guide/system/software/sudo/sudo.group

documentation_complete: true

title: Sudo

description: |-
    Sudo, which stands for "su 'do'", provides the ability to delegate
    authority to certain users, groups of users, or system administrators.
    When configured for system users and/or groups, Sudo can allow a user or
    group to execute privileged commands that normally only root is allowed
    to execute.

    For more information on Sudo and additional Sudo configuration options, see

scap-security-guide-0.1.39/shared/guide/system/software/sudo/sudo_remove_no_authenticate.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate'

description: |-
    The sudo !authenticate option, when specified, allows a user to execute
    commands using sudo without having to authenticate. This should be
    disabled by making sure that the !authenticate option does not exist in
    the /etc/sudoers configuration file or any sudo configuration snippets in
    /etc/sudoers.d/.

rationale: |-
    Without re-authentication, users may access resources or perform tasks
    for which they do not have authorization.

    When operating systems provide the capability to escalate a functional
    capability, it is critical that the user re-authenticate.

severity: medium

identifiers:
    cce@rhel7: 80350-2

references:
    anssi: NT28(R5)
    disa: 2038
    nist: IA-11
    srg: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158
    stigid@rhel7: "010350"

ocil_clause: "!authenticate is enabled in sudo"

ocil: |-
    To determine if !authenticate has not been configured for sudo, run the following command:
    $ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/
    The command should return no output.

scap-security-guide-0.1.39/shared/guide/system/software/sudo/sudo_remove_nopasswd.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD'

description: |-
    The sudo NOPASSWD tag, when specified, allows a user to execute commands
    using sudo without having to authenticate. This should be disabled by
    making sure that the NOPASSWD tag does not exist in the /etc/sudoers
    configuration file or any sudo configuration snippets in /etc/sudoers.d/.

rationale: |-
    Without re-authentication, users may access resources or perform tasks
    for which they do not have authorization.

    When operating systems provide the capability to escalate a functional
    capability, it is critical that the user re-authenticate.

severity: medium

identifiers:
    cce@rhel7: 80351-0

references:
    anssi: NT28(R5)
    disa: 2038
    nist: IA-11
    srg: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158
    stigid@rhel7: "010340"

ocil_clause: 'nopasswd is enabled in sudo'

ocil: |-
    To determine if NOPASSWD has been configured for sudo, run the following command:
    $ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
    The command should return no output.

scap-security-guide-0.1.39/shared/guide/system/software/updating/clean_components_post_updating.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure YUM Removes Previous Package Versions'

description: |-
    Yum should be configured to remove previous software components after
    updated versions have been installed. To configure yum to remove the
    previous software components after updating, set
    clean_requirements_on_remove to 1 in /etc/yum.conf.

rationale: |-
    Previous versions of software components that are not removed from the
    information system after updates have been installed may be exploited by
    some adversaries.

severity: low

identifiers:
    cce@rhel7: CCE-80346-0

references:
    cui: 3.4.8
    disa: 2617
    nist: SI-2(6)
    srg: SRG-OS-000437-GPOS-00194
    stigid@rhel7: "020200"

ocil_clause: 'clean_requirements_on_remove is not enabled or configured correctly'

ocil: |-
    To verify that clean_requirements_on_remove is configured properly, run the following command:
    $ grep clean_requirements_on_remove /etc/yum.conf
    The output should return something similar to:
    clean_requirements_on_remove=1
scap-security-guide-0.1.39/shared/guide/system/software/updating/ensure_gpgcheck_globally_activated.rule

documentation_complete: true

prodtype: rhel7,fedora,ol7

title: 'Ensure gpgcheck Enabled In Main Yum Configuration'

description: |-
    The gpgcheck option controls whether RPM packages' signatures are always
    checked prior to installation. To configure yum to check package
    signatures before installing them, ensure the following line appears in
    /etc/yum.conf in the [main] section:
    gpgcheck=1

rationale: |-
    Changes to any software components can have significant effects on the
    overall security of the operating system. This requirement ensures the
    software has not been tampered with and that it has been provided by a
    trusted vendor.

    Accordingly, patches, service packs, device drivers, or operating system
    components must be signed with a certificate recognized and approved by
    the organization.

    Verifying the authenticity of the software prior to installation
    validates the integrity of the patch or upgrade received from a vendor.
    This ensures the software has not been tampered with and that it has been
    provided by a trusted vendor. Self-signed certificates are disallowed by
    this requirement. Certificates used to verify the software must be from
    an approved Certificate Authority (CA).

severity: high

identifiers:
    cce@rhel7: 26989-4

references:
    cis: 1.2.2
    cjis: 5.10.4.1
    cui: 3.4.8
    disa: 1749
    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
    nist: CM-5(3),SI-7,MA-1(b)
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-6.2
    srg: SRG-OS-000366-GPOS-00153
    stigid@rhel7: "020050"

ocil_clause: 'GPG checking is not enabled'

ocil: |-
    To determine whether yum is configured to use gpgcheck, inspect
    /etc/yum.conf and ensure the following appears in the [main] section:
    gpgcheck=1
    A value of 1 indicates that gpgcheck is enabled. Absence of a gpgcheck
    line or a setting of 0 indicates that it is disabled.

scap-security-guide-0.1.39/shared/guide/system/software/updating/ensure_gpgcheck_local_packages.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure gpgcheck Enabled for Local Packages'

description: |-
    Yum should be configured to verify the signature(s) of local packages
    prior to installation. To configure yum to verify signatures of local
    packages, set localpkg_gpgcheck to 1 in /etc/yum.conf.

rationale: |-
    Changes to any software components can have significant effects on the
    overall security of the operating system. This requirement ensures the
    software has not been tampered with and has been provided by a trusted
    vendor.

    Accordingly, patches, service packs, device drivers, or operating system
    components must be signed with a certificate recognized and approved by
    the organization.

severity: high

identifiers:
    cce@rhel7: CCE-80347-8

references:
    cui: 3.4.8
    disa: 1749
    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
    nist: CM-5(3)
    ospp@rhel7: FAU_GEN.1.1.c
    srg: SRG-OS-000366-GPOS-00153
    stigid@rhel7: "020060"

ocil_clause: 'gpgcheck is not enabled or configured correctly to verify local packages'

ocil: |-
    To verify that localpkg_gpgcheck is configured properly, run the following command:
    $ grep localpkg_gpgcheck /etc/yum.conf
    The output should return something similar to:
    localpkg_gpgcheck=1

scap-security-guide-0.1.39/shared/guide/system/software/updating/ensure_gpgcheck_never_disabled.rule

documentation_complete: true

prodtype: rhel7,fedora

title: 'Ensure gpgcheck Enabled For All Yum Package Repositories'

description: |-
    To ensure signature checking is not disabled for any repos, remove any
    lines from files in /etc/yum.repos.d of the form:
    gpgcheck=0

rationale: |-
    Verifying the authenticity of the software prior to installation
    validates the integrity of the patch or upgrade received from a vendor.
    This ensures the software has not been tampered with and that it has been
    provided by a trusted vendor. Self-signed certificates are disallowed by
    this requirement. Certificates used to verify the software must be from
    an approved Certificate Authority (CA).

severity: high

identifiers:
    cce@rhel7: 26876-3

references:
    cjis: 5.10.4.1
    cui: 3.4.8
    disa: 1749
    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
    nist: CM-5(3),SI-7,MA-1(b)
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-6.2
    srg: 366

ocil_clause: 'GPG checking is disabled'

ocil: |-
    To determine whether yum has been configured to disable gpgcheck for any
    repos, inspect all files in /etc/yum.repos.d and ensure the following
    does not appear in any sections:
    gpgcheck=0
    A value of 0 indicates that gpgcheck has been disabled for that repo.

scap-security-guide-0.1.39/shared/guide/system/software/updating/ensure_gpgcheck_repo_metadata.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure gpgcheck Enabled for Repository Metadata'

description: |-
    Verify the operating system prevents the installation of patches, service
    packs, device drivers, or operating system components of local packages
    without verification of the repository metadata.

    Check that yum verifies the repository metadata prior to install with the
    following command. This should be configured by setting repo_gpgcheck to
    1 in /etc/yum.conf.

rationale: |-
    Changes to any software components can have significant effects on the
    overall security of the operating system. This requirement ensures the
    software has not been tampered with and has been provided by a trusted
    vendor.

    Accordingly, patches, service packs, device drivers, or operating system
    components must be signed with a certificate recognized and approved by
    the organization.

    Verifying the authenticity of the software prior to installation
    validates the integrity of the patch or upgrade received from a vendor.
    This ensures the software has not been tampered with and that it has been
    provided by a trusted vendor. Self-signed certificates are disallowed by
    this requirement. The operating system should not have to verify the
    software again.

    NOTE: For U.S. Military systems, this requirement does not mandate DoD
    certificates for this purpose; however, the certificate used to verify
    the software must be from an approved Certificate Authority.

severity: high

identifiers:
    cce@rhel7: CCE-80348-6

references:
    disa: 1749
    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
    nist: CM-5(3)
    srg: SRG-OS-000366-GPOS-00153
    stigid@rhel7: "020070"

ocil_clause: 'gpgcheck is not enabled or configured correctly to verify repository metadata'

ocil: |-
    To verify that repo_gpgcheck is configured properly, run the following command:
    $ grep repo_gpgcheck /etc/yum.conf
    The output should return something similar to:
    repo_gpgcheck=1
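Added example (not code from scap-security-guide): a POSIX shell audit of the four gpgcheck settings above (gpgcheck, localpkg_gpgcheck and repo_gpgcheck in the [main] section of yum.conf, and no gpgcheck=0 in any repository section), run against a constructed weak configuration and its corrected form; the repository id, URL and key path are made up.

```shell
#!/bin/sh
# Added example (not part of scap-security-guide): audit the yum signature
# settings required by the four gpgcheck rules above. It writes a constructed
# weak configuration and a corrected one to a temporary directory so it runs
# offline; on a real host call gpgcheck_audit /etc/yum.conf /etc/yum.repos.d.

# ini_get FILE SECTION KEY: print KEY's value inside [SECTION], or nothing if
# it is absent. Comment lines and whitespace around "=" are ignored, so
# "gpgcheck = 0" is caught just like "gpgcheck=0".
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == want_key) { print val; exit }
        }' "$1"
}

# gpgcheck_audit YUM_CONF REPO_DIR: one FAIL line per finding, exit 1 if any.
# gpgcheck, localpkg_gpgcheck and repo_gpgcheck must be 1 in [main], and no
# repository section may set gpgcheck=0 (repo ids are assumed space-free).
gpgcheck_audit() {
    yum_conf="$1"; repo_dir="$2"; rc=0
    for key in gpgcheck localpkg_gpgcheck repo_gpgcheck; do
        val=$(ini_get "$yum_conf" main "$key")
        if [ "$val" != "1" ]; then
            echo "FAIL $yum_conf: [main] $key=${val:-<unset>} (expected 1)"; rc=1
        fi
    done
    for f in "$repo_dir"/*.repo; do
        [ -e "$f" ] || continue
        for sec in $(sed -n 's/^[[:space:]]*\[\(.*\)\][[:space:]]*$/\1/p' "$f"); do
            if [ "$(ini_get "$f" "$sec" gpgcheck)" = "0" ]; then
                echo "FAIL $f: [$sec] gpgcheck=0 disables signature checks for this repo"; rc=1
            fi
        done
    done
    return $rc
}

# make_samples DIR: write the constructed configurations to DIR/weak and
# DIR/good (repository id, URL and key path are made up for this example).
make_samples() {
    for v in weak good; do mkdir -p "$1/$v/yum.repos.d"; done
    cat > "$1/weak/yum.conf" <<'EOF'
[main]
cachedir=/var/cache/yum/$basearch/$releasever
gpgcheck=0
# localpkg_gpgcheck and repo_gpgcheck are simply absent
EOF
    cat > "$1/weak/yum.repos.d/vendor.repo" <<'EOF'
[vendor-updates]
name=Vendor updates (constructed)
baseurl=https://mirror.example.invalid/updates/
gpgcheck = 0
EOF
    cat > "$1/good/yum.conf" <<'EOF'
[main]
cachedir=/var/cache/yum/$basearch/$releasever
gpgcheck=1
localpkg_gpgcheck=1
repo_gpgcheck=1
EOF
    cat > "$1/good/yum.repos.d/vendor.repo" <<'EOF'
[vendor-updates]
name=Vendor updates (constructed)
baseurl=https://mirror.example.invalid/updates/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-vendor
EOF
}

main() {
    tmp=$(mktemp -d)
    make_samples "$tmp"
    for v in weak good; do
        echo "== $v configuration =="
        if gpgcheck_audit "$tmp/$v/yum.conf" "$tmp/$v/yum.repos.d"; then
            echo "OK: package, local package and repository metadata signatures are checked"
        fi
    done
    rm -rf "$tmp"
}

main
```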
scap-security-guide-0.1.39/shared/guide/system/software/updating/ensure_oracle_gpgkey_installed.rule

documentation_complete: true

prodtype: ol7

title: 'Ensure Oracle Linux GPG Key Installed'

description: |-
    To ensure the system can cryptographically verify base software packages
    come from Oracle (and to connect to the Unbreakable Linux Network to
    receive them), the Oracle GPG key must properly be installed.
    To install the Oracle GPG key, run:
    $ sudo uln_register
    If the system is not connected to the Internet, then install the Oracle
    GPG key from trusted media such as the Oracle installation CD-ROM or DVD.
    Assuming the disc is mounted in /media/cdrom, use the following command as
    the root user to import it into the keyring:
    $ sudo rpm --import /media/cdrom/RPM-GPG-KEY

rationale: |-
    Changes to software components can have significant effects on the
    overall security of the operating system. This requirement ensures the
    software has not been tampered with and that it has been provided by a
    trusted vendor. The Oracle GPG key is necessary to cryptographically
    verify packages are from Oracle.

severity: high

references:
    cis: 1.2.2
    disa: 1749
    nist: CM-5(3),SI-7,MA-1(b)
    ossrg: 366
    pcidss: Req-6.2

ocil_clause: 'the Oracle GPG Key is not installed'

ocil: |-
    To ensure that the GPG key is installed, run:
    $ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
    The command should return the string below:
    gpg(Oracle OSS group (Open Source Software group) <build@oss.oracle.com>

scap-security-guide-0.1.39/shared/guide/system/software/updating/ensure_redhat_gpgkey_installed.rule

documentation_complete: true

prodtype: rhel7

title: 'Ensure Red Hat GPG Key Installed'

description: |-
    To ensure the system can cryptographically verify base software packages
    come from Red Hat (and to connect to the Red Hat Network to receive
    them), the Red Hat GPG key must properly be installed.
    To install the Red Hat GPG key, run:
    $ sudo subscription-manager register
    If the system is not connected to the Internet or an RHN Satellite, then
    install the Red Hat GPG key from trusted media such as the Red Hat
    installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom,
    use the following command as the root user to import it into the keyring:
    $ sudo rpm --import /media/cdrom/RPM-GPG-KEY

rationale: |-
    Changes to software components can have significant effects on the
    overall security of the operating system. This requirement ensures the
    software has not been tampered with and that it has been provided by a
    trusted vendor. The Red Hat GPG key is necessary to cryptographically
    verify packages are from Red Hat.

severity: high

identifiers:
    cce@rhel7: 26957-1

references:
    cis: 1.2.3
    cjis: 5.10.4.1
    cui: 3.4.8
    disa: 1749
    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
    nist: CM-5(3),SI-7,MA-1(b)
    ospp@rhel7: FAU_GEN.1.1.c
    pcidss: Req-6.2
    srg: 366

ocil_clause: 'the Red Hat GPG Key is not installed'

ocil: |-
    To ensure that the GPG key is installed, run:
    $ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
    The command should return the string below:
    gpg(Red Hat, Inc. (release key 2)  <security@redhat.com>
scap-security-guide-0.1.39/shared/guide/system/software/updating/security_patches_up_to_date.rule000066400000000000000000000072761327242345500335230ustar00rootroot00000000000000documentation_complete: true prodtype: rhel6,rhel7,ubuntu1404,ubuntu1604,ol7 title: 'Ensure Software Patches Installed' description: |- {{% if product in ["rhel6", "rhel7"] %}} If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm. {{% elif product == "ol7" %}} If the system is joined to the ULN or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the ULN and installed using rpm. {{% endif %}}

    NOTE: U.S. Defense systems are required to be patched within 30 days or
    sooner as local policy dictates.

rationale: |-
    Installing software updates is a fundamental mitigation against
    the exploitation of publicly-known vulnerabilities. If the most
    recent security patches and updates are not installed, unauthorized
    users may take advantage of weaknesses in the unpatched software. The
    lack of prompt attention to patching could result in a system compromise.

severity: high

identifiers:
    cce@rhel7: 26895-3

references:
    cis: 1.8
    cjis: 5.10.4.1
    disa: 366
    nist: SI-2,SI-2(c),MA-1(b)
    ospp@rhel7: FMT_MOF_EXT.1
    pcidss: Req-6.2
    srg: SRG-OS-000480-GPOS-00227
    stigid@rhel7: "020260"

{{# Make sure all the external OVAL content links are secured via TLS! #}}
{{% if product == "rhel6" %}}
oval_external_content: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL6.xml.bz2"
{{% elif product == "rhel7" %}}
oval_external_content: "https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2"
{{% elif product == "ubuntu1404" %}}
oval_external_content: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.trusty.cve.oval.xml"
{{% elif product == "ubuntu1604" %}}
oval_external_content: "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml"
{{% elif product == "ol7" %}}
oval_external_content: "https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2"
{{% else %}}
{{# The rule will be "notchecked" #}}
{{% endif %}}

ocil_clause: 'updates are not installed'

{{# TODO: What about non-rpm systems? #}}
ocil: |-
    {{% if product in ["rhel6", "rhel7"] %}}
    If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
    or a yum server which provides updates, invoking the following command will
    indicate if updates are available:
    $ sudo yum check-update
    {{% elif product == "ol7" %}}
    If the system is joined to the ULN or a yum server which provides updates,
    invoking the following command will indicate if updates are available:
    {{% endif %}}
    If the system is not configured to update from one of these sources,
    run the following command to list when each package was last updated:
    $ rpm -qa -last
    {{% if product in ["rhel6", "rhel7"] %}}
    Compare this to Red Hat Security Advisories (RHSA) listed at
    to determine if the system is missing applicable updates.
    {{% elif product == "ol7" %}}
    Compare this to Oracle Linux Security Advisories (ELSA) listed at
    to determine if the system is missing applicable updates.
    {{% endif %}}

scap-security-guide-0.1.39/shared/guide/system/software/updating/updating.group

documentation_complete: true

title: 'Updating Software'

description: |-
    The yum command line tool is used to install and
    update software packages. The system also provides a graphical
    software update tool in the System menu, in the Administration submenu,
    called Software Update.

    Red Hat Enterprise Linux systems contain an installed software catalog called
    the RPM database, which records metadata of installed packages. Consistently
    using yum or the graphical Software Update for all
    software installation allows for insight into the current inventory of installed
    software on the system.

    Oracle Linux systems contain an installed software catalog called
    the RPM database, which records metadata of installed packages. Consistently
    using yum or the graphical Software Update for all
    software installation allows for insight into the current inventory of installed
    software on the system.

scap-security-guide-0.1.39/shared/guide/system/system.group

documentation_complete: true

title: 'System Settings'

description: 'Contains rules that check correct system settings.'

scap-security-guide-0.1.39/shared/images/collapsed.png (binary PNG image)

scap-security-guide-0.1.39/shared/images/expanded.png (binary PNG image)

scap-security-guide-0.1.39/shared/misc/ansible_galaxy_meta_template.yml

galaxy_info:
  author: SCAP Security Guide development team
  description: @DESCRIPTION@
  issue_tracker_url: https://github.com/OpenSCAP/scap-security-guide/issues
  license: BSD-3-Clause
  min_ansible_version: @MIN_ANSIBLE_VERSION@
  platforms:
    - name: GenericBSD
      versions:
        - any
    - name: GenericLinux
      versions:
        - any
    - name: GenericUNIX
      versions:
        - any
  galaxy_tags:
    - hardening
    - openscap
    - ssg
    - scap-security-guide
    - security
    - compliance
dependencies: []

scap-security-guide-0.1.39/shared/misc/ansible_galaxy_readme_template.md

@TITLE@
=========

@DESCRIPTION@

Requirements
------------

- Ansible version @MIN_ANSIBLE_VERSION@ or higher

Role Variables
--------------

To customize the role to your liking, check out the [list of variables](vars/main.yml).

Dependencies
------------

N/A

Example Playbook
----------------

Run `ansible-galaxy install Ansible-Security-Compliance.@ROLE_NAME@` to download and install the role. Then you can use the following playbook snippet.

    - hosts: all
      roles:
         - { role: Ansible-Security-Compliance.@ROLE_NAME@ }

Then first check the playbook using (on the localhost):

    ansible-playbook -i "localhost," -c local --check playbook.yml

To deploy it, use (this may change configuration of your local machine!):

    ansible-playbook -i "localhost," -c local playbook.yml

License
-------

BSD-3-Clause

Author Information
------------------

This Ansible remediation role has been generated from the body of security policies developed by the SCAP Security Guide project. Please see https://github.com/OpenSCAP/scap-security-guide/blob/master/Contributors.md for an updated list of authors and contributors.
scap-security-guide-0.1.39/shared/misc/cce_extract.py

#!/usr/bin/env python2

import sys
import lxml.etree as ET

# This script requires two arguments: a CCE file and the name of a platform.
# It extracts every CCE entry whose platform attribute matches the given
# platform name, drops the rest of the cce and resource lists, and writes the
# resulting CCE document to STDOUT.

cpe_ns = "http://cpe.mitre.org/dictionary/2.0"
cce_ns = 'http://cce.mitre.org'


def parse_xml_file(xmlfile):
    with open(xmlfile, 'r') as xml_file:
        filestring = xml_file.read()
        tree = ET.fromstring(filestring)
        # print filestring
        return tree


def main():
    if len(sys.argv) < 3:
        print ("Provide a CCE file and the name of the platform " +
               "whose CCEs to extract.")
        print "This script extracts those CCEs and writes them to STDOUT."
        sys.exit(1)

    ccefile = sys.argv[1]
    platform = sys.argv[2]

    # parse cce file
    ccetree = parse_xml_file(ccefile)
    # extract cces that match the platform name
    platform_cces = ccetree.findall(".//{%s}cce[@platform='%s']"
                                    % (cce_ns, platform))

    cces = ccetree.find("./{%s}cces" % cce_ns)
    resources = ccetree.find("./{%s}resources" % cce_ns)
    cces.clear()
    resources.clear()
    # could include resources that are referenced, if we wanted to bother
    [cces.append(platform_cce) for platform_cce in platform_cces]

    ET.ElementTree(ccetree).write(sys.stdout)
    sys.exit(0)


if __name__ == "__main__":
    main()

scap-security-guide-0.1.39/shared/misc/compare_remediations.sh

#!/bin/bash

if [ "$#" -lt 2 ]; then
    echo "Usage:"
    echo -e "\t$0 [meld]"
    echo ""
    echo -e "\tBoth repositories have to be already compiled! (make)"
    echo -e "\tCompare elements from original DS with fixes in updated DSs"
    echo -e "\t[meld]\tUse meld tool to show differences"
    exit 1
fi

originalRepo="$1/"
updatedRepo="$2/"
meld="$3"

[ "$meld" == "meld" ] && {
    rpm --quiet -q meld || {
        echo "Please install \"meld\" package" >&2
    }
}

# Get list of remediations in pretty & sorted xml
function extractRemediations() {
    # The two trailing sed calls remove bash comments from the output and
    # then remove empty lines.
    xsltproc $(dirname "$0")/../transforms/xccdf-get-only-remediations-sorted.xslt "$1" | tee /tmp/res.xml | \
        xmllint --c14n11 /dev/stdin | \
        xmllint -format /dev/stdin | \
        sed 's;^\s*#.*$;;g' | \
        sed '/^\s*$/d'
}

function compareFile() {
    local originalFile="$1"
    toCompare=$(sed "s;^$originalRepo;$updatedRepo;" <<< "$originalFile")
    echo "-----------------------------------------------------------------"
    echo "$originalFile <=> $toCompare"
    echo "-----------------------------------------------------------------"
    extractRemediations "$originalFile" > /tmp/original
    extractRemediations "$toCompare" > /tmp/new
    if [ "$meld" == "meld" ]; then
        diff /tmp/original /tmp/new -q || {
            meld /tmp/original /tmp/new
        }
    else
        diff /tmp/original /tmp/new
    fi
}

#compareFile ./original/Fedora/output/ssg-fedora-ds.xml
#exit

find "$originalRepo" -name "*-ds.xml" | grep output | while read originalFile; do
    compareFile "$originalFile"
done

scap-security-guide-0.1.39/shared/misc/count_oval_objects.py

#!/usr/bin/env python2

'''
count_oval_objects.py

Shows OVAL objects used by XCCDF rules.

Author: Jan Cerny
'''

import xml.etree.ElementTree as ET
import sys
import os.path

oval_files = dict()
xccdf_dir = None

help_text = '''Shows OVAL objects used by XCCDF rules.

Usage: ./count_oval_objects.py xccdf_file.xml'''


def get_args():
    ''' Parses program arguments. '''
    if len(sys.argv) == 2:
        if sys.argv[1] == "--help" or sys.argv[1] == "-h":
            print(help_text)
            exit(0)
        else:
            return sys.argv[1]
    else:
        sys.stderr.write("Bad argument. For more information, try --help.\n")
        exit(-1)


def load_xml(file_name):
    ''' Loads XML files to memory and parses it into element tree '''
    try:
        it = ET.iterparse(file_name)
        for _, el in it:
            el.tag = el.tag.split('}', 1)[1]  # strip all namespaces
        root = it.root
        return root
    except:
        sys.stderr.write("Error while loading file " + file_name + ".\n")
        exit(-1)


def find_oval_objects(oval_refs):
    ''' Finds OVAL objects according to definitions ID '''
    tests = []
    object_refs = []
    objects = []

    # find tests in definitions
    for def_id, oval_file in oval_refs:
        if oval_file not in oval_files:
            oval_file_path = os.path.join(xccdf_dir, oval_file)
            oval_files[oval_file] = load_xml(oval_file_path)
        oval_root = oval_files[oval_file]
        definition = None
        for d in oval_root.findall(".//definition"):
            if d.attrib.get('id') == def_id:
                definition = d
                break
        if definition is not None:
            for criterion in definition.findall(".//criterion"):
                test_ref = criterion.attrib["test_ref"]
                tests.append(test_ref)

    # find references to objects in tests
    for test in tests:
        test_element = None
        for t in oval_root.findall("tests/*"):
            if t.attrib.get('id') == test:
                test_element = t
                break
        if test_element is not None:
            for object_element in test_element.findall(".//*"):
                if 'object_ref' in object_element.attrib:
                    object_ref = object_element.attrib['object_ref']
                    object_refs.append(object_ref)

    # find objects
    for r in object_refs:
        for obj in oval_root.findall("objects/*"):
            if obj.attrib.get('id') == r:
                objects.append(obj.tag)
                break

    return set(objects)


def print_stats(stats):
    ''' Print statistic of most used objects in input '''
    print("")
    print("Count of used OVAL objects:")
    print("=" * 50)
    stats = stats.items()
    for key, value in reversed(sorted(stats, key=lambda obj: obj[1])):
        print(key.ljust(40) + str(value).rjust(10))


def main():
    stats = {}
    global xccdf_dir
    xccdf_file_name = get_args()
    xccdf_root = load_xml(xccdf_file_name)
    xccdf_dir = os.path.dirname(xccdf_file_name)
    for rule in xccdf_root.findall(".//Rule"):
        rule_id = rule.attrib['id']
        oval_refs = []
        for ref in rule.findall(".//check-content-ref"):
            # Skip remotely referenced OVAL checks since they won't have the
            # 'name' attribute set (just 'href' would be set in that case)
            try:
                oval_name = ref.attrib['name']
            except KeyError:
                if 'href' in ref.attrib:
                    print("\nInfo: Skipping remotely referenced OVAL:")
                    continue
                else:
                    print("\nError: Invalid OVAL check detected! Exiting..")
                    sys.exit(1)
            oval_file = ref.attrib['href']
            oval_refs.append((oval_name, oval_file))
        if oval_refs:
            objects = find_oval_objects(oval_refs)
            print(rule_id + ": " + ", ".join(objects))
            for o in objects:
                stats[o] = stats.get(o, 0) + 1
        else:
            print(rule_id + ":")
    print_stats(stats)


if __name__ == "__main__":
    main()

scap-security-guide-0.1.39/shared/misc/find_duplicates.py

#!/usr/bin/env python2

"""
This script should find duplicates e.g.
specific template is same as shared one
"""

import sys
import os
import re
import glob


def recursive_globi(mask):
    """
    Simple replacement of glob.globi(mask, recursive=true)
    Reason: Older Python versions support
    """
    parts = mask.split("**/")
    if not len(parts) == 2:
        raise NotImplementedError
    search_root = parts[0]
    # instead of '*' use regex '.*'
    path_mask = parts[1].replace("*", ".*")
    re_path_mask = re.compile(path_mask + "$")
    for root, dirnames, filenames in os.walk(search_root):
        paths = filenames + dirnames
        for path in paths:
            full_path = os.path.join(root, path)
            if re_path_mask.search(full_path):
                yield full_path


class DuplicatesFinder(object):
    def __init__(self, root_dir, specific_dirs_mask, shared_dir,
                 shared_files_mask):
        self._root_dir = root_dir
        self._specific_dirs_mask = os.path.join(root_dir, specific_dirs_mask)
        self._shared_dir = os.path.join(root_dir, shared_dir)
        self._clear_normalized()
        self._shared_files_mask = shared_files_mask

    def _clear_normalized(self):
        self._normalized = {}

    def _get_normalized(self, file_path):
        """
        Return cached normalized content of file
        :param file_path:
        :return:
        """
        if file_path in self._normalized:
            return self._normalized[file_path]
        with open(file_path, 'r') as content_file:
            content = content_file.read()
        normalized = self._normalize_content(content)
        self._normalized[file_path] = normalized
        return normalized

    def _compare_files(self, shared_filename, specific_filename):
        if not os.path.isfile(specific_filename):
            return False
        shared_normalized = self._get_normalized(shared_filename)
        specific_normalized = self._get_normalized(specific_filename)
        return shared_normalized == specific_normalized

    def _print_match(self, first_filename, second_filename):
        print("Duplicate found! {}\t=>\t{}".format(first_filename,
                                                  second_filename))

    def search(self):
        """
        :return: True if any duplicate found
        """
        found = False
        self._clear_normalized()
        specific_dirs = list(self._specific_dirs())
        # Walk all shared files
        shared_files_mask = os.path.join(self._shared_dir,
                                         self._shared_files_mask)
        for shared_filename in glob.glob(shared_files_mask):
            basename = os.path.basename(shared_filename)
            # Walk all specific dirs
            for specific_dir in specific_dirs:
                # Get file to compare
                specific_filename = os.path.join(specific_dir, basename)
                # Compare
                if self._compare_files(shared_filename, specific_filename):
                    found = True
                    self._print_match(shared_filename, specific_filename)
        return found

    def _specific_dirs(self):
        for static_path in recursive_globi(self._specific_dirs_mask):
            if not static_path.startswith(self._shared_dir):
                yield static_path

    def _normalize_content(self, content):
        return content


class BashDuplicatesFinder(DuplicatesFinder):
    def __init__(self, root_dir, specific_dirs_mask, shared_dir,
                 shared_files_mask="*.sh"):
        DuplicatesFinder.__init__(self, root_dir, specific_dirs_mask,
                                  shared_dir, shared_files_mask)

    def _normalize_content(self, content):
        # remove comments
        # naive implementation (todo)
        content = re.sub(r"^\s*#.*", "", content)
        # remove empty lines
        content = "\n".join([s for s in content.split("\n") if s])
        return content


class OvalDuplicatesFinder(DuplicatesFinder):
    def __init__(self, root_dir, specific_dirs_mask, shared_dir,
                 shared_files_mask="*.xml"):
        DuplicatesFinder.__init__(self, root_dir, specific_dirs_mask,
                                  shared_dir, shared_files_mask)

    def _normalize_content(self, content):
        # remove comments
        # naive implementation (todo)
        # bash style comments - due to #platform
        content = re.sub(r"^\s*#.*", "", content)
        # xml comments
        content = re.sub(r"<!--.*?-->", "", content, flags=re.DOTALL)
        # remove empty lines
        content = "\n".join([s for s in content.split("\n") if s])
        return content


def main():
    ''' main function '''
    if len(sys.argv) < 2:
        print("Usage : ./find_duplicates root_ssg_directory")
        sys.exit(1)
    root_dir = sys.argv[1]
    without_duplicates = True

    # Static bash scripts
    print("Static bash files:")
    static_bash_finder = BashDuplicatesFinder(
        root_dir,
        os.path.join("**", "fixes", "bash"),
        os.path.join("shared", "fixes", "bash")
    )
    if static_bash_finder.search():
        without_duplicates = False

    # Templates bash scripts
    print("Bash templates:")
    template_bash_finder = BashDuplicatesFinder(
        root_dir,
        os.path.join("**", "templates"),
        os.path.join("shared", "templates"),
        "template_BASH_*"
    )
    if template_bash_finder.search():
        without_duplicates = False

    # Static oval files
    print("Static oval files:")
    static_oval_finder = OvalDuplicatesFinder(
        root_dir,
        os.path.join("**", "checks", "oval"),
        os.path.join("shared", "checks", "oval")
    )
    if static_oval_finder.search():
        without_duplicates = False

    # Templates oval files
    print("Templates oval files:")
    templates_oval_finder = OvalDuplicatesFinder(
        root_dir,
        os.path.join("**", "templates"),
        os.path.join("shared", "templates"),
        "template_OVAL_*"
    )
    if templates_oval_finder.search():
        without_duplicates = False

    # Scan results
    if without_duplicates:
        print("No duplicates found")
        sys.exit(0)
    else:
        print("Duplicates found!")
        sys.exit(1)


if __name__ == "__main__":
    main()

scap-security-guide-0.1.39/shared/misc/find_orphans.py

#!/usr/bin/env python2

"""
This script lists all oval files made for all platforms (set as
multi_platform_all), and checks for orphan oval files by parsing the XCCDF
content. This allows newly added distributions to support shared oval and
multi-platform oval without having a complete XCCDF checklist written,
avoiding errors in the validate target.

This script is only a helper script, and should be used only while the XCCDF
files are being written, giving some time to the authors. This is not for
indefinite usage.

Author: Jean-Baptiste Donnette
updated by: Philippe Thierry
"""

import sys
import os
from lxml import etree


def find_xccdf_files(folder_name, xccdf_list):
    ''' This function finds every xccdf file that is in the input/xccdf/ tree '''
    for element in os.listdir(folder_name):
        if element.endswith('.xml'):
            find_oval_def(folder_name + '/' + element, xccdf_list)
        else:
            find_xccdf_files(folder_name + '/' + element, xccdf_list)


def find_oval_def(file_xccdf, xccdf_list):
    '''
    This function finds every oval definition contained in file_xccdf
    and adds it into the xccdf_list
    '''
    tree = etree.parse(file_xccdf)
    for element in tree.iter():
        if element.tag == "oval":
            xccdf_list.append(element.get("id"))


def find_build_oval(folder_name, oval_list):
    '''
    This function finds every oval file that is in the build directory
    and adds it into the oval_list
    '''
    for element in os.listdir(folder_name):
        if element.endswith('.xml'):
            file_open = open(folder_name + '/' + element)
            for line in file_open:
                if "multi_platform_all" in line:
                    oval_list.append(element)
            file_open.close()


def main():
    ''' main function '''
    if len(sys.argv) < 2:
        print "Usage : ./find_orphans name_of distribution target"
        sys.exit(1)
    oval_list = []
    xccdf_list = []
    build_dir = "build/" + sys.argv[1] + '_oval/'
    xccdf_directory = "input/xccdf/"
    find_build_oval(build_dir, oval_list)
    find_xccdf_files(xccdf_directory, xccdf_list)
    for element_build in oval_list:
        find = False
        for element_xccdf in xccdf_list:
            if element_build == element_xccdf + ".xml":
                find = True
        if not find:
            print build_dir + element_build


if __name__ == "__main__":
    main()

scap-security-guide-0.1.39/shared/misc/generate-contributors.py

#!/usr/bin/env python2

import subprocess
import re
import os.path
import codecs
import datetime

MANUAL_EDIT_WARNING = \
    """
This file is generated using the %s script. DO NOT MANUALLY EDIT!!!!
Last Modified: %s
""" % (os.path.basename(__file__),
       datetime.datetime.now().strftime("%Y-%m-%d %H:%M"))

email_mappings = {
    # Dave / David Smith
    "dsmith@secure-innovations.net": "dsmith@eclipse.ncsc.mil",
    "dsmith@fornax.eclipse.ncsc.mil": "dsmith@eclipse.ncsc.mil",
    # Firas AlShafei
    "firas.alshafei@gmail.com": "firas.alshafei@us.abb.com",
    # Frank Caviggia
    "fcaviggia@users.noreply.github.com": "fcaviggi@ra.iad.redhat.com",
    # Greg Elin
    "greg@fotonotes.net": "gregelin@gitmachines.com",
    # Jean-Baptiste Donnette
    "donnet_j@epita.fr": "jean-baptiste.donnette@epita.fr",
    # Marek Haicman
    "dahaic@users.noreply.github.com": "mhaicman@redhat.com",
    # Martin Preisler
    "martin@preisler.me": "mpreisle@redhat.com",
    # Nathan Peters
    "nathan@nathanpeters.com": "Nathaniel.Peters@ca.com",
    "petna01@ca.com": "Nathaniel.Peters@ca.com",
    # Philippe Thierry
    "phil@internal.reseau-libre.net": "phil@reseau-libre.net",
    "philippe.thierry@reseau-libre.net": "phil@reseau-libre.net",
    "philippe.thierry@thalesgroup.com": "phil@reseau-libre.net",
    # Robin Price II
    "rprice@users.noreply.github.com": "robin@redhat.com",
    "rprice@redhat.com": "robin@redhat.com",
    # Zbynek Moravec
    "ybznek@users.noreply.github.com": "zmoravec@redhat.com",
    "moraveczbynek@gmail.com": "zmoravec@redhat.com",
    # Jeff Blank
    "jeff@t440.local": "blank@eclipse.ncsc.mil",
    # Shawn Wells
    "shawn@localhost.localdomain": "shawn@redhat.com",
    "shawnw@localhost.localdomain": "shawn@redhat.com",
    # Simon Lukasik
    "isimluk@fedoraproject.org": "slukasik@redhat.com",
    # Andrew Gilmore
    "agilmore@ecahdb2.bor.doi.net": "agilmore2@gmail.com",
    # No idea / ignore
    "lyd@chippy.(none)": "",
    "nick@null.net": "",
    "root@localhost.localdomain": "",
    "root@rhel6.(none)": "",
}

name_mappings = {
    "Gabe": "Gabe Alford",
    "Olivier": "Olivier Bonhomme",
    "OnceUponALoop": "Firas AlShafei",
}


def main():
    emails = {}

    output = subprocess.check_output(["git", "shortlog", "-se"]).decode("utf-8")
    for line in output.split("\n"):
        match = re.match(r"[\s]*([0-9]+)[\s+](.+)[\s]+\<(.+)\>", line)
        if match is None:
            continue
        commits, name, email = match.groups()
        if email in email_mappings:
            email = email_mappings[email]
        if email == "":
            continue  # ignored
        if email not in emails:
            emails[email] = []
        emails[email].append((int(commits), name))

    contributors = {}
    # We will use the most used full name
    for email in emails:
        _, name = sorted(emails[email], reverse=True)[0]
        if name in name_mappings:
            name = name_mappings[name]
        contributors[name] = email

    # The warning is wrapped in an XML/HTML comment so it does not render
    contributors_md = "<!--\n%s\n-->\n\n" % MANUAL_EDIT_WARNING
    contributors_md += \
        "The following people have contributed to the SCAP Security Guide project\n"
    contributors_md += "(listed in alphabetical order):\n\n"

    contributors_xml = "<!--\n%s\n-->\n\n" % MANUAL_EDIT_WARNING
    contributors_xml += "<text>\n"

    for name in sorted(contributors.keys(),
                       key=lambda x: x.split(" ")[-1].upper()):
        email = contributors[name]
        contributors_md += "* %s <%s>\n" % (name, email)
        contributors_xml += "<contributor>%s &lt;%s&gt;</contributor>\n" % (name, email)

    contributors_xml += "</text>\n"

    root_dir = os.path.dirname(os.path.dirname(os.path.dirname(__file__)))

    with codecs.open(os.path.join(root_dir, "Contributors.md"), mode="w",
                     encoding="utf-8") as f:
        f.write(contributors_md)

    with codecs.open(os.path.join(root_dir, "Contributors.xml"), mode="w",
                     encoding="utf-8") as f:
        f.write(contributors_xml)

    print("Don't forget to commit Contributors.md and Contributors.xml!")


if __name__ == "__main__":
    main()

scap-security-guide-0.1.39/shared/misc/upload_ansible_roles_to_galaxy.py

#!/usr/bin/env python2

from __future__ import print_function

from tempfile import mkdtemp
import os
import os.path
import sys
import shutil
import re
import argparse
import getpass
import yaml

try:
    from github import Github, InputGitAuthor
except ImportError:
    sys.stderr.write("Please install PyGithub, on Fedora it's in the "
                     "python-PyGithub package.\n")
    sys.exit(1)

# Put shared python modules in path
sys.path.insert(0, os.path.join(
    os.path.dirname(os.path.dirname(os.path.realpath(__file__))),
    "modules"))
import ssgcommon

ORGANIZATION_NAME = "Ansible-Security-Compliance"
GIT_COMMIT_AUTHOR_NAME = "SCAP Security Guide development team"
GIT_COMMIT_AUTHOR_EMAIL = "scap-security-guide@lists.fedorahosted.org"

META_TEMPLATE_PATH = os.path.join(
    os.path.dirname(os.path.abspath(__file__)),
    "ansible_galaxy_meta_template.yml"
)

README_TEMPLATE_PATH = os.path.join(
    os.path.dirname(os.path.abspath(__file__)),
    "ansible_galaxy_readme_template.md"
)


def create_empty_repositories(github_new_repos, github_org):
    for github_new_repo in github_new_repos:
        print("Creating new Github repository: %s" % github_new_repo)
        github_org.create_repo(
            github_new_repo,
            description="Role generated from SCAP Security Guide",
            homepage="https://www.open-scap.org/",
            private=False,
            has_issues=False,
            has_wiki=False,
            has_downloads=False)


def clone_and_init_repository(parent_dir, repo):
    os.system(
        "git clone git@github.com:%s/%s.git" % (ORGANIZATION_NAME, repo))
    os.system("ansible-galaxy init " + repo + " --force")
    os.chdir(repo)
    try:
        os.system('git add .')
        os.system('git commit -a -m "Initial commit" --author "%s <%s>"'
                  % (GIT_COMMIT_AUTHOR_NAME, GIT_COMMIT_AUTHOR_EMAIL))
        os.system('git push origin master')
    finally:
        os.chdir("..")


def update_repository(repository, local_file_path):
    print("Processing %s..." % repository.name)

    with open(local_file_path, 'r') as f:
        filedata = f.read()

    # safe_load: the generated playbooks contain plain data only, so there is
    # no reason to allow arbitrary Python object construction from YAML tags
    role_data = yaml.safe_load(filedata)

    vars_data = []
    if "vars" in role_data[0]:
        vars_data = role_data[0]["vars"]

    tasks_data = []
    if "tasks" in role_data[0]:
        tasks_data = role_data[0]["tasks"]

    # ansible language doesn't allow pre_tasks for roles, if the only pre task
    # is the ansible version check we can ignore it because the minimal version
    # is in role metadata
    if "pre_tasks" in role_data[0]:
        pre_tasks_data = role_data[0]["pre_tasks"]
        if len(pre_tasks_data) == 1 and \
                pre_tasks_data[0]["name"] == \
                ssgcommon.ansible_version_requirement_pre_task_name:
            pass
        else:
            sys.stderr.write(
                "%s contains pre_tasks other than the version check. pre_tasks "
                "are not supported for ansible roles and will be skipped!\n"
                % repository.name)

    tasks_local_content = yaml.dump(tasks_data, width=120, indent=4,
                                    default_flow_style=False)
    tasks_remote_content = repository.get_file_contents("/tasks/main.yml")

    if tasks_local_content != tasks_remote_content.decoded_content:
        repository.update_file(
            "/tasks/main.yml",
            "Updates tasks/main.yml",
            tasks_local_content,
            tasks_remote_content.sha,
            author=InputGitAuthor(
                GIT_COMMIT_AUTHOR_NAME, GIT_COMMIT_AUTHOR_EMAIL)
        )
        print("Updating tasks/main.yml in %s" % repository.name)

    vars_local_content = yaml.dump(vars_data, width=120, indent=4,
                                   default_flow_style=False)
    vars_remote_content = repository.get_file_contents("/vars/main.yml")

    if vars_local_content != vars_remote_content.decoded_content:
        repository.update_file(
            "/vars/main.yml",
            "Updates vars/main.yml",
            vars_local_content,
            vars_remote_content.sha,
            author=InputGitAuthor(
                GIT_COMMIT_AUTHOR_NAME, GIT_COMMIT_AUTHOR_EMAIL)
        )
        print("Updating vars/main.yml in %s" % repository.name)

    # The profile description sits between the first two "#"*79 separator
    # lines of the generated playbook header
    separator = "#" * 79
    first_separator_pos = filedata.find(separator)
    second_separator_pos = filedata.find(separator,
                                         first_separator_pos + len(separator))
    description = filedata[first_separator_pos + len(separator) + 3:
                           second_separator_pos - 3]
    description = description.replace('# ', '')
    description = description.replace('#', '')
    title = re.search(r'Profile Title:\s+(.+)$', description,
                      re.MULTILINE).group(1)
    description = description.replace('\n', ' \n')

    repository.edit(
        repository.name,
        description="%s - Ansible role generated from the SCAP Security Guide "
        "project" % (title),
        homepage="https://www.open-scap.org/",
    )

    with open(README_TEMPLATE_PATH, 'r') as f:
        readme_template = f.read()

    local_readme_content = readme_template.replace("@DESCRIPTION@", description)
    local_readme_content = local_readme_content.replace("@TITLE@", title)
    local_readme_content = local_readme_content.replace(
        "@MIN_ANSIBLE_VERSION@", ssgcommon.min_ansible_version)
    local_readme_content = local_readme_content.replace("@ROLE_NAME@",
                                                        repository.name)
    remote_readme_file = repository.get_file_contents("/README.md")

    if local_readme_content != remote_readme_file.decoded_content:
        print("Updating README.md in %s" % repository.name)
        repository.update_file(
            "/README.md",
            "Updates README.md",
            local_readme_content,
            remote_readme_file.sha,
            author=InputGitAuthor(
                GIT_COMMIT_AUTHOR_NAME, GIT_COMMIT_AUTHOR_EMAIL)
        )

    with open(META_TEMPLATE_PATH, 'r') as f:
        meta_template = f.read()

    local_meta_content = meta_template.replace("@DESCRIPTION@", title)
    local_meta_content = local_meta_content.replace(
        "@MIN_ANSIBLE_VERSION@", ssgcommon.min_ansible_version)
    remote_meta_file = repository.get_file_contents("/meta/main.yml")

    if local_meta_content != remote_meta_file.decoded_content:
        print("Updating meta/main.yml in %s" % repository.name)
        repository.update_file(
            "/meta/main.yml",
            "Updates meta/main.yml",
            local_meta_content,
            remote_meta_file.sha,
            author=InputGitAuthor(
                GIT_COMMIT_AUTHOR_NAME, GIT_COMMIT_AUTHOR_EMAIL)
        )


def main():
    parser = argparse.ArgumentParser(
        description='Updates SSG Galaxy Ansible Roles')
    parser.add_argument(
        "--build-roles-dir", required=True,
        help="Path to directory containing the ssg generated roles. Most "
        "likely this is going to be scap-security-guide/build/roles",
        dest="build_roles_dir")
    args = parser.parse_args()

    role_whitelist = set([
        "rhel7-role-C2S",
        "rhel7-role-hipaa",
        "rhel7-role-nist-800-171-cui",
        "rhel7-role-ospp",
        "rhel7-role-pci-dss",
        "rhel7-role-rht-ccp",
        "rhel7-role-stig-rhel7-disa"
    ])

    # the first 4 cut chars are for "ssg-"
    # the last 4 cut chars are for ".yml"
    available_roles = set(
        [f[4:-4] for f in os.listdir(args.build_roles_dir)
         if f.endswith(".yml")]
    )
    # print(available_roles)
    roles = available_roles.intersection(role_whitelist)

    print("Input your GitHub credentials:")
    username = raw_input("username or token: ")
    password = getpass.getpass("password (or empty for token): ")

    github = Github(username, password)
    github_org = github.get_organization(ORGANIZATION_NAME)
    github_repositories = [repo.name for repo in github_org.get_repos()]

    # Create empty repositories
    github_new_repos = sorted(list(set(roles) - set(github_repositories)))
    if github_new_repos:
        create_empty_repositories(github_new_repos, github_org)
        github_repositories = [repo.name for repo in github_org.get_repos()]

    # Locally clone and init repositories
    temp_dir = mkdtemp()
    current_dir = os.getcwd()
    os.chdir(temp_dir)
    try:
        for repo in github_new_repos:
            clone_and_init_repository(temp_dir, repo)
    finally:
        os.chdir(current_dir)
        shutil.rmtree(temp_dir)

    # Update repositories
    for repo in sorted(github_org.get_repos(), key=lambda repo: repo.name):
        if repo.name in roles:
            update_repository(
                repo,
                os.path.join(args.build_roles_dir,
                             "ssg-" + repo.name + ".yml")
            )
        else:
            print("Repo %s should be deleted, please verify and do that "
                  "manually!" % repo.name)


if __name__ == "__main__":
    main()

scap-security-guide-0.1.39/shared/modules/__init__.py

scap-security-guide-0.1.39/shared/modules/idtranslate_module.py

try:
    from xml.etree import cElementTree as ElementTree
except ImportError:
    import cElementTree as ElementTree

import ssgcommon

oval_ns = ssgcommon.oval_namespace
ocil_ns = ssgcommon.ocil_namespace

ovaltag_to_abbrev = {
    'definition': 'def',
    'criteria': 'crit',
    'test': 'tst',
    'object': 'obj',
    'state': 'ste',
    'variable': 'var',
}

ociltag_to_abbrev = {
    'questionnaire': 'questionnaire',
    'action': 'testaction',
    'question': 'question',
    'artifact': 'artifact',
    'variable': 'variable',
}

ovalrefattr_to_tag = {
    "definition_ref": "definition",
    "test_ref": "test",
    "object_ref": "object",
    "state_ref": "state",
    "var_ref": "variable",
}

ocilrefattr_to_tag = {
    "question_ref": "question",
}

ocilrefchild_to_tag = {
    "test_action_ref": "action",
}


def split_namespace(tag):
    """returns a tuple of (namespace,name) removing any fragment id from namespace"""
    if tag[0] == "{":
        namespace, name = tag[1:].split("}", 1)
        return namespace.split("#")[0], name
    else:
        return (None, tag)


def namespace_to_prefix(tag):
    namespace, _ = split_namespace(tag)
    if namespace == ocil_ns:
        return "ocil"
    if namespace == oval_ns:
        return "oval"
    raise RuntimeError(
        "Error: unknown checksystem referenced in tag : %s" % tag
    )


def tagname_to_abbrev(tag):
    namespace, tag = split_namespace(tag)
    if tag == "extend_definition":
        return tag
    # grab the last part of the tag name to determine its type
    tag = tag.rsplit("_", 1)[-1]
    if namespace == ocil_ns:
        return ociltag_to_abbrev[tag]
    if namespace == oval_ns:
        return ovaltag_to_abbrev[tag]
    raise RuntimeError(
        "Error: unknown checksystem referenced "
        "in tag : %s" % tag
    )


class IDTranslator(object):
    """This class is designed to handle the mapping of meaningful, human-readable
    names to IDs in the formats required by the SCAP checking systems, such as
    OVAL and OCIL."""

    def __init__(self, content_id):
        self.content_id = content_id

    def generate_id(self, tagname, name):
        return "%s:%s-%s:%s:1" % (
            namespace_to_prefix(tagname),
            self.content_id,
            name,
            tagname_to_abbrev(tagname)
        )

    def translate(self, tree, store_defname=False):
        for element in tree.getiterator():
            idname = element.get("id")
            if idname:
                # store the old name if requested (for OVAL definitions)
                if store_defname and \
                        element.tag == "{%s}definition" % oval_ns:
                    metadata = element.find("{%s}metadata" % oval_ns)
                    if metadata is None:
                        metadata = ElementTree.SubElement(element, "metadata")
                    defnam = ElementTree.Element(
                        "reference", ref_id=idname, source=self.content_id)
                    metadata.append(defnam)
                # set the element to the new identifier
                element.set("id", self.generate_id(element.tag, idname))
                # continue
            if element.tag == "{%s}filter" % oval_ns:
                element.text = self.generate_id("{%s}state" % oval_ns,
                                                element.text)
                continue
            if element.tag == "{%s#independent}var_ref" % oval_ns:
                element.text = self.generate_id("{%s}variable" % oval_ns,
                                                element.text)
                continue
            for attr in element.keys():
                if attr in ovalrefattr_to_tag.keys():
                    element.set(attr, self.generate_id(
                        "{%s}%s" % (oval_ns, ovalrefattr_to_tag[attr]),
                        element.get(attr)))
                if attr in ocilrefattr_to_tag.keys():
                    element.set(attr, self.generate_id(
                        "{%s}%s" % (ocil_ns, ocilrefattr_to_tag[attr]),
                        element.get(attr)))
            if element.tag == "{%s}test_action_ref" % ocil_ns:
                element.text = self.generate_id("{%s}action" % ocil_ns,
                                                element.text)
        return tree

scap-security-guide-0.1.39/shared/modules/map_product_module.py

import re

# SSG Makefile to official product name mapping
CHROMIUM = 'Google Chromium Browser'
FEDORA = 'Fedora'
FIREFOX = 'Mozilla Firefox'
JRE = 'Java Runtime Environment'
RHEL = 'Red Hat Enterprise Linux'
DEBIAN = 'Debian'
UBUNTU = 'Ubuntu'
EAP = 'JBoss Enterprise Application Platform'
FUSE = 'JBoss Fuse'
OPENSUSE = 'openSUSE'
SUSE = 'SUSE Linux Enterprise'
WRLINUX = 'Wind River Linux'
OL = 'Oracle Linux'

multi_product_list = ["rhel", "fedora", "rhel-osp", "debian", "ubuntu",
                      "wrlinux", "opensuse", "sle", "ol"]

PRODUCT_NAME_PARSER = re.compile(r"([a-zA-Z\-]+)([0-9]+)")


def parse_product_name(product):
    product_version = None
    match = PRODUCT_NAME_PARSER.match(product)
    if match is not None:
        if isinstance(match.group(1), str) or \
                isinstance(match.group(1), unicode):
            product = match.group(1)
        if match.group(2).isdigit():
            product_version = match.group(2)
    return product, product_version


def map_product(version):
    """Maps SSG Makefile internal product name to official product name"""
    if version.startswith("multi_platform_"):
        trimmed_version = version[len("multi_platform_"):]
        if trimmed_version not in multi_product_list:
            raise RuntimeError(
                "%s is an invalid product version. If it's multi_platform the "
                "suffix has to be from (%s)."
                % (version, ", ".join(multi_product_list))
            )
        return map_product(trimmed_version)
    if version.startswith("chromium"):
        return CHROMIUM
    if version.startswith("fedora"):
        return FEDORA
    if version.startswith("firefox"):
        return FIREFOX
    if version.startswith("jre"):
        return JRE
    if version.startswith("rhel"):
        return RHEL
    if version.startswith("debian"):
        return DEBIAN
    if version.startswith("ubuntu"):
        return UBUNTU
    if version.startswith("eap"):
        return EAP
    if version.startswith("fuse"):
        return FUSE
    if version.startswith("opensuse"):
        return OPENSUSE
    if version.startswith("sle"):
        return SUSE
    if version.startswith("wrlinux"):
        return WRLINUX
    if version.startswith("ol"):
        return OL

    raise RuntimeError("Can't map version '%s' to any known product!"
                       % (version))

scap-security-guide-0.1.39/shared/modules/parse_oval.py

from __future__ import print_function

import xml.etree.ElementTree as ET

REFERENCE_TO_GROUP = dict(
    var_ref="variables",
    test_ref="tests",
    object_ref="objects",
    state_ref="states",
)

CONTAINER_GROUPS = set((
    "definitions",
    "objects",
    "states",
    "tests",
    "variables",
))


class ElementFinder(object):
    def __init__(self, oval_groups):
        self.oval_groups = oval_groups
        self.target = None
        self.attrib = None
        self.result = set()

    def find_element(self, start_element, target_element_name, sought_attrib):
        self.target = target_element_name
        self.attrib = sought_attrib
        self.result = set()
        self._recurse(start_element)

    def _recurse(self, element):
        if element.tag.endswith(self.target):
            self.result.add(element.attrib[self.attrib])
            return
        self._examine_element(element)
        for child in element:
            self._recurse(child)

    def _examine_element(self, element):
        name = strip_ns_from_tag(element.tag)
        new_root = None
        if name in REFERENCE_TO_GROUP:
            reference_target = REFERENCE_TO_GROUP[name]
            new_root = self.oval_groups[reference_target][element.text]
        else:
            x = search_element_for_reference_attributes(element)
            if x is not None:
                ref_attribute_name, entity_id = x
                reference_target = REFERENCE_TO_GROUP[ref_attribute_name]
                new_root = self.oval_groups[reference_target][entity_id]
        if new_root is not None:
            self._recurse(new_root)


def sort_by_id(elements):
    ret = dict()
    for el in elements:
        ret[el.attrib["id"]] = el
    return ret


def search_dict_for_items_that_end_with(dic, what_to_look_for):
    for it in dic:
        if it.endswith(what_to_look_for):
            return dic[it]
    return None


def search_element_for_reference_attributes(element):
    for ref_attribute_name in REFERENCE_TO_GROUP:
        occurence = search_dict_for_items_that_end_with(element.attrib,
                                                        ref_attribute_name)
        if occurence is not None:
            return ref_attribute_name, occurence
    return None


def resolve_definition(oval_groups, defn):
    finder = 
ElementFinder(oval_groups) finder.find_element(defn, "external_variable", "id") return finder.result def find_extending_defs(oval_groups, defn): finder = ElementFinder(oval_groups) finder.find_element(defn, "extend_definition", "definition_ref") return finder.result def get_container_oval_groups(fname): et = ET.parse(fname) return get_container_oval_groups_from_tree(et) def strip_ns_from_tag(tag_name): return tag_name.split("}", 1)[1] def get_container_oval_groups_from_tree(et): root = et.getroot() oval_groups = {} for child in root: group_name = strip_ns_from_tag(child.tag) if group_name in CONTAINER_GROUPS: oval_groups[group_name] = sort_by_id(child) return oval_groups def get_resolved_definitions(oval_groups): def_id_to_vars_ids = {} for def_id, def_el in oval_groups["definitions"].items(): def_id_to_vars_ids[def_id] = resolve_definition(oval_groups, def_el) return def_id_to_vars_ids def check_sanity(oval_groups, resolved_defns): all_external_variables = set() for var_id, var_el in oval_groups["variables"].items(): if var_el.tag.endswith("external_variable"): all_external_variables.add(var_id) all_caught_variables = set() for var in resolved_defns.values(): all_caught_variables.update(var) skipped_variables = all_external_variables.difference(all_caught_variables) if skipped_variables: print("These variables managed to slip past:", skipped_variables) strange_variables = all_caught_variables.difference(all_external_variables) assert not strange_variables, \ ("There were unexpected caught variables: {}" .format(str(strange_variables))) def check_sanity_on_file(fname): oval_groups = get_container_oval_groups(fname) resolved_defns = get_resolved_definitions(oval_groups) check_sanity(oval_groups, resolved_defns) scap-security-guide-0.1.39/shared/modules/ssgcommon.py000066400000000000000000000213171327242345500230020ustar00rootroot00000000000000import datetime import platform import subprocess import re import yaml import codecs import jinja2 import os.path def 
bool_constructor(self, node): return self.construct_scalar(node) # Don't follow python bool case yaml.SafeLoader.add_constructor(u'tag:yaml.org,2002:bool', bool_constructor) try: from xml.etree import cElementTree as ElementTree except ImportError: import cElementTree as ElementTree xml_version = """""" datastream_namespace = "http://scap.nist.gov/schema/scap/source/1.2" ocil_namespace = "http://scap.nist.gov/schema/ocil/2.0" oval_footer = "" oval_namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5" ocil_cs = "http://scap.nist.gov/schema/ocil/2" xccdf_header = xml_version + "" xccdf_footer = "" bash_system = "urn:xccdf:fix:script:sh" ansible_system = "urn:xccdf:fix:script:ansible" puppet_system = "urn:xccdf:fix:script:puppet" anaconda_system = "urn:redhat:anaconda:pre" cce_system = "https://nvd.nist.gov/cce/index.cfm" cce_uri = "http://cce.mitre.org" stig_ns = "http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx" ssg_version_uri = \ "https://github.com/OpenSCAP/scap-security-guide/releases/latest" OSCAP_VENDOR = "org.ssgproject" OSCAP_DS_STRING = "xccdf_%s.content_benchmark_" % OSCAP_VENDOR OSCAP_GROUP = "xccdf_%s.content_group_" % OSCAP_VENDOR OSCAP_GROUP_PCIDSS = "xccdf_%s.content_group_pcidss-req" % OSCAP_VENDOR OSCAP_GROUP_VAL = "xccdf_%s.content_group_values" % OSCAP_VENDOR OSCAP_GROUP_NON_PCI = "xccdf_%s.content_group_non-pci-dss" % OSCAP_VENDOR XCCDF11_NS = "http://checklists.nist.gov/xccdf/1.1" XCCDF12_NS = "http://checklists.nist.gov/xccdf/1.2" min_ansible_version = "2.3" ansible_version_requirement_pre_task_name = \ "Verify Ansible meets SCAP-Security-Guide version requirements." 
oval_header = ( """ """ .format(oval_namespace)) timestamp = datetime.datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S") class SSGError(RuntimeError): pass def oval_generated_header(product_name, schema_version, ssg_version): return xml_version + oval_header + \ """ %s from SCAP Security Guide ssg: %s, python: %s %s %s """ % (product_name, ssg_version, platform.python_version(), schema_version, timestamp) def subprocess_check_output(*popenargs, **kwargs): # Backport of subprocess.check_output taken from # https://gist.github.com/edufelipe/1027906 # # Originally from Python 2.7 stdlib under PSF, compatible with BSD-3 # Copyright (c) 2003-2005 by Peter Astrand # Changes by Eduardo Felipe process = subprocess.Popen(stdout=subprocess.PIPE, *popenargs, **kwargs) output, unused_err = process.communicate() retcode = process.poll() if retcode: cmd = kwargs.get("args") if cmd is None: cmd = popenargs[0] error = subprocess.CalledProcessError(retcode, cmd) error.output = output raise error return output if hasattr(subprocess, "check_output"): # if available we just use the real function subprocess_check_output = subprocess.check_output def get_check_content_ref_if_exists_and_not_remote(check): """ Given an OVAL check element, examine the ``xccdf_ns:check-content-ref`` If it exists and it isn't remote, pass it as the return value. Otherwise, return None. ..see-also:: check_content_href_is_remote """ checkcontentref = check.find("./{%s}check-content-ref" % XCCDF11_NS) if checkcontentref is None: return None if check_content_href_is_remote(checkcontentref): return None else: return checkcontentref def check_content_href_is_remote(check_content_ref): """ Given an OVAL check-content-ref element, examine the 'href' attribute. If it starts with 'http://' or 'https://', return True, otherwise return False. Raises RuntimeError if the ``href`` element doesn't exist. 
""" hrefattr = check_content_ref.get("href") if hrefattr is None: # @href attribute of is required by XCCDF standard msg = "Invalid OVAL detected - missing the 'href' attribute!" raise RuntimeError(msg) return hrefattr.startswith("http://") or hrefattr.startswith("https://") def parse_xml_file(filename): """ Given a filename, return the corresponding ElementTree """ with open(filename, 'r') as xml_file: filestring = xml_file.read() tree = ElementTree.fromstring(filestring) return tree def cce_is_valid(cceid): """ IF CCE ID IS IN VALID FORM (either 'CCE-XXXX-X' or 'CCE-XXXXX-X' where each X is a digit, and the final X is a check-digit) based on Requirement A17: http://people.redhat.com/swells/nist-scap-validation/scap-val-requirements-1.2.html """ match = re.search(r'CCE-\d{4,5}-\d', cceid) return match is not None def map_elements_to_their_ids(tree, xpath_expr): """ Given an ElementTree and an XPath expression, iterate through matching elements and create 1:1 id->element mapping. Raises AssertionError if a matching element doesn't have the ``id`` attribute. Returns mapping as a dictionary """ aggregated = {} for element in tree.findall(xpath_expr): element_id = element.get("id") assert element_id is not None aggregated[element_id] = element return aggregated class AbsolutePathFileSystemLoader(jinja2.BaseLoader): """Loads templates from the file system. This loader insists on absolute paths and fails if a relative path is provided. >>> loader = AbsolutePathFileSystemLoader() Per default the template encoding is ``'utf-8'`` which can be changed by setting the `encoding` parameter to something else. 
""" def __init__(self, encoding='utf-8'): self.encoding = encoding def get_source(self, environment, template): if not os.path.isabs(template): raise jinja2.TemplateNotFound(template) f = jinja2.utils.open_if_exists(template) if f is None: raise jinja2.TemplateNotFound(template) try: contents = f.read().decode(self.encoding) finally: f.close() mtime = os.path.getmtime(template) def uptodate(): try: return os.path.getmtime(template) == mtime except OSError: return False return contents, template, uptodate def get_jinja_environment(): if get_jinja_environment.env is None: # TODO: Choose better syntax? get_jinja_environment.env = jinja2.Environment( block_start_string="{{%", block_end_string="%}}", variable_start_string="{{{", variable_end_string="}}}", comment_start_string="{{#", comment_end_string="#}}", loader=AbsolutePathFileSystemLoader() ) return get_jinja_environment.env get_jinja_environment.env = None def process_file_with_jinja(filepath, product_yaml): template = get_jinja_environment().get_template(filepath) return template.render(product_yaml) def open_yaml(yaml_file, product_yaml=None): """Open given file and parse it as YAML. if product_yaml is also given this function will process the yaml with jinja2, using product_yaml as input. 
""" yaml_contents = None if product_yaml is None: with codecs.open(yaml_file, "r", "utf8") as stream: yaml_contents = yaml.safe_load(stream) else: yaml_contents = yaml.safe_load( process_file_with_jinja(yaml_file, product_yaml) ) if "documentation_complete" in yaml_contents and \ yaml_contents["documentation_complete"] == "false": return None return yaml_contents def required_yaml_key(yaml_contents, key): if key in yaml_contents: return yaml_contents[key] raise ValueError("%s is required but was not found in:\n%s" % (key, repr(yaml_contents))) scap-security-guide-0.1.39/shared/modules/testoval_module.py000066400000000000000000000165671327242345500242160ustar00rootroot00000000000000import sys import os import re import argparse import tempfile import subprocess import ssgcommon import lxml.etree as ET from ConfigParser import SafeConfigParser import idtranslate_module as idtranslate SHARED_OVAL = re.sub('shared.*', 'shared', __file__) + '/checks/oval/' timestamp = ssgcommon.timestamp footer = ssgcommon.oval_footer ovalns = ssgcommon.oval_namespace try: from openscap import oscap_get_version if oscap_get_version() < 1.2: oval_version = "5.10" else: oval_version = "5.11" except ImportError: oval_version = "5.10" # globals, to make recursion easier in case we encounter extend_definition definitions = ET.Element("definitions") tests = ET.Element("tests") objects = ET.Element("objects") states = ET.Element("states") variables = ET.Element("variables") # append new child ONLY if it's not a duplicate def append(element, newchild): newid = newchild.get("id") existing = element.find(".//*[@id='" + newid + "']") if existing is not None: if not silent_mode: sys.stderr.write("Notification: this ID is used more than once " + "and should represent equivalent elements: " + newid + "\n") else: element.append(newchild) def add_oval_elements(body, header): """Add oval elements to the global Elements defined above""" tree = ET.fromstring(header + body + footer) tree = 
replace_external_vars(tree) # parse new file(string) as an etree, so we can arrange elements # appropriately for childnode in tree.findall("./{%s}def-group/*" % ovalns): # print "childnode.tag is " + childnode.tag if childnode.tag is ET.Comment: continue if childnode.tag == ("{%s}definition" % ovalns): append(definitions, childnode) defname = childnode.get("id") # extend_definition is a special case: must include a whole other # definition for defchild in childnode.findall(".//{%s}extend_definition" % ovalns): defid = defchild.get("definition_ref") extend_ref = find_testfile(defid+".xml") includedbody = read_ovaldefgroup_file(extend_ref) # recursively add the elements in the other file add_oval_elements(includedbody, header) if childnode.tag.endswith("_test"): append(tests, childnode) if childnode.tag.endswith("_object"): append(objects, childnode) if childnode.tag.endswith("_state"): append(states, childnode) if childnode.tag.endswith("_variable"): append(variables, childnode) return defname def replace_external_vars(tree): """Replace external_variables with local_variables, so the definition can be tested independently of an XCCDF file""" # external_variable is a special case: we turn it into a local_variable so # we can test for node in tree.findall(".//{%s}external_variable" % ovalns): print ("External_variable with id : " + node.get("id")) extvar_id = node.get("id") # for envkey, envval in os.environ.iteritems(): # print envkey + " = " + envval # sys.exit() if extvar_id not in os.environ.keys(): print ("External_variable specified, but no value provided via " \ "environment variable") sys.exit(2) # replace tag name: external -> local node.tag = "{%s}local_variable" % ovalns literal = ET.Element("literal_component") literal.text = os.environ[extvar_id] node.append(literal) # TODO: assignment of external_variable via environment vars, for # testing return tree def find_testfile(testfile): """Find OVAL files in CWD or shared/oval""" for path in ['.', 
SHARED_OVAL]: for root, folder, files in os.walk(path): searchfile = root + '/' + testfile if not os.path.isfile(searchfile): searchfile = "" else: testfile = searchfile.strip() # Most likely found file, exit this loop break if not os.path.isfile(testfile): print ("ERROR: %s does not exist! Please specify a valid OVAL file.") % testfile sys.exit(1) return testfile def read_ovaldefgroup_file(testfile): """Read oval files""" with open(testfile, 'r') as test_file: body = test_file.read() return body def parse_options(): usage = "usage: %(prog)s [options] definition_file.xml" parser = argparse.ArgumentParser(usage=usage, version="%(prog)s ") # only some options are on by default parser.add_argument("--oval_version", default=oval_version, dest="oval_version", action="store", help="OVAL version to use. Example: 5.11, 5.10, ... \ [Default: %(default)s]") parser.add_argument("-q", "--quiet", "--silent", default=False, action="store_true", dest="silent_mode", help="Don't show any output when testing OVAL files") parser.add_argument("xmlfile", metavar="XMLFILE", help="OVAL XML file") args = parser.parse_args() return args def main(): global definitions global tests global objects global states global variables global silent_mode args = parse_options() silent_mode = args.silent_mode oval_version = args.oval_version testfile = args.xmlfile header = ssgcommon.oval_generated_header("testoval.py", oval_version, "0.0.1") testfile = find_testfile(testfile) body = read_ovaldefgroup_file(testfile) defname = add_oval_elements(body, header) ovaltree = ET.fromstring(header + footer) # append each major element type, if it has subelements for element in [definitions, tests, objects, states, variables]: if element.getchildren(): ovaltree.append(element) # re-map all the element ids from meaningful names to meaningless # numbers testtranslator = idtranslate.IDTranslator("scap-security-guide.testing") ovaltree = testtranslator.translate(ovaltree) (ovalfile, fname) = 
tempfile.mkstemp(prefix=defname, suffix=".xml") os.write(ovalfile, ET.tostring(ovaltree)) os.close(ovalfile) if not silent_mode: print ("Evaluating with OVAL tempfile: " + fname) print ("OVAL Schema Version: %s" % oval_version) print ("Writing results to: " + fname + "-results") cmd = "oscap oval eval --results " + fname + "-results " + fname oscap_child = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True) cmd_out = oscap_child.communicate()[0] if not silent_mode: print cmd_out if oscap_child.returncode != 0: if not silent_mode: print ("Error launching 'oscap' command: \n\t" + cmd) sys.exit(2) if 'false' in cmd_out: # at least one from the evaluated OVAL definitions evaluated to # 'false' result, exit with '1' to indicate OVAL scan FAIL result sys.exit(1) # perhaps delete tempfile? definitions = ET.Element("definitions") tests = ET.Element("tests") objects = ET.Element("objects") states = ET.Element("states") variables = ET.Element("variables") # 'false' keyword wasn't found in oscap's command output # exit with '0' to indicate OVAL scan TRUE result sys.exit(0) scap-security-guide-0.1.39/shared/modules/verify_cce_module.py000066400000000000000000000034031327242345500244540ustar00rootroot00000000000000#!/usr/bin/env python2 import sys import platform from lxml import etree # This script checks the validity of assigned CCEs, lists granted and remaining # available CCEs, and checks for duplicates. 
release = '%.0f' % float(platform.linux_distribution()[1]) xccdf_ns = "http://checklists.nist.gov/xccdf/1.1" tree = etree.parse('../output/unlinked-rhel' + str(release) + '-xccdf.xml') cces_assigned = tree.findall("//{%s}ident[@system='http://cce.mitre.org']" % xccdf_ns) assigned_ids = [] granted_ids = [] # print the list of assigned CCEs print "Assigned CCEs:" for item in cces_assigned: print item.text assigned_ids.append(item.text) print "-------------" # check for duplicates in the assigned CCE list dup_assigned_ids = [item for item in cces_assigned if cces_assigned.count(item) > 1] for item in dup_assigned_ids: print "Duplicate assignment of CCE: %s" % item # open the available CCE file with open('../references/cce-rhel' + int(release) + '-avail.txt', 'r') as txt_file: for line in txt_file: granted_ids = [line.rstrip('\n') for line in txt_file] # print CCEs that are available (i.e. in granted but not assigned) for item in granted_ids: if item not in assigned_ids: print "Available CCE: %s" % item for rule in tree.findall("//{%s}Rule" % xccdf_ns): # print "rule is " + rule.get("id") items = rule.findall("{%s}ident[@system='http://cce.mitre.org']" % xccdf_ns) if len(items) > 1: print "Rule with multiple CCEs assigned: %s" % rule.get("id") if len(items) == 0: print "Rule without CCE: %s" % rule.get("id") for item in items: if item.text not in granted_ids: print "Invalid CCE: %s in %s" % (item.text, rule.get("id")) sys.exit() scap-security-guide-0.1.39/shared/modules/xccdf2csv_stig_module.py000066400000000000000000000035401327242345500252530ustar00rootroot00000000000000#!/usr/bin/env python2 import sys import csv import lxml.etree as ET # This script creates a CSV file from an XCCDF file formatted in the # structure of a STIG. This should enable its ingestion into VMS, # as well as its comparison with VMS output. 
xccdf_ns = "http://checklists.nist.gov/xccdf/1.1" disa_cciuri = "http://iase.disa.mil/stigs/cci/Pages/index.aspx" disa_srguri = "http://iase.disa.mil/stigs/srgs/Pages/index.aspx" def parse_xml_file(xmlfile): with open(xmlfile, 'r') as xml_file: filestring = xml_file.read() tree = ET.fromstring(filestring) return tree def reflist(refs): refstring = ', '.join(refs) return refstring def node_to_text(node): textslist = node.xpath(".//text()") return ''.join(textslist) def main(): if len(sys.argv) < 2: print "Provide an XCCDF file to convert into a CSV file." sys.exit(1) xccdffile = sys.argv[1] xccdftree = parse_xml_file(xccdffile) rules = xccdftree.findall(".//{%s}Rule" % xccdf_ns) rulewriter = csv.writer(sys.stdout, quoting=csv.QUOTE_ALL) for rule in rules: cci_refs = [ref.text for ref in rule.findall("{%s}ident[@system='%s']" % (xccdf_ns, disa_cciuri))] srg_refs = [ref.text for ref in rule.findall("{%s}ident[@system='%s']" % (xccdf_ns, disa_srguri))] title = rule.find("{%s}title" % xccdf_ns).text description = node_to_text(rule.find("{%s}description" % xccdf_ns)) fixtext = node_to_text(rule.find("{%s}fixtext" % xccdf_ns)) checktext = node_to_text(rule.find(".//{%s}check-content" % xccdf_ns)) row = [reflist(cci_refs), reflist(srg_refs), title, description, fixtext, checktext] rulewriter.writerow(row) sys.exit(0) if __name__ == "__main__": main() scap-security-guide-0.1.39/shared/modules/xccdf_utils.py000066400000000000000000000061021327242345500232770ustar00rootroot00000000000000""" A couple generic XCCDF utilities used by build-all-guides.py and build-all-remediation-roles.py Author: Martin Preisler """ import re import ssgcommon XCCDF11_NS = ssgcommon.XCCDF11_NS XCCDF12_NS = ssgcommon.XCCDF12_NS # if a profile ID ends with a string listed here we skip it PROFILE_ID_BLACKLIST = ["test", "index", "default"] # filler XCCDF 1.2 prefix which we will strip to avoid very long filenames PROFILE_ID_PREFIX = ("^xccdf_org.*content_profile_") def 
get_benchmark_ids_titles_for_input(input_tree): ret = {} def scrape_benchmarks(root_element, namespace, dest): candidates = \ list(root_element.findall(".//{%s}Benchmark" % (namespace))) if root_element.tag == "{%s}Benchmark" % (namespace): candidates.append(root_element) for elem in candidates: id_ = elem.get("id") if id_ is None: continue title = "" for element in elem.findall("{%s}title" % (namespace)): title = element.text break dest[id_] = title input_root = input_tree.getroot() scrape_benchmarks( input_root, XCCDF11_NS, ret ) scrape_benchmarks( input_root, XCCDF12_NS, ret ) return ret def get_profile_choices_for_input(input_tree, benchmark_id, tailoring_tree): """Returns a dictionary that maps profile_ids to their respective titles. """ # Ideally oscap would have a command line to do this, but as of now it # doesn't so we have to implement it ourselves. Importing openscap Python # bindings is nasty and overkill for this. ret = {} def scrape_profiles(root_element, namespace, dest): candidates = \ list(root_element.findall(".//{%s}Benchmark" % (namespace))) if root_element.tag == "{%s}Benchmark" % (namespace): candidates.append(root_element) for benchmark in candidates: if benchmark.get("id") != benchmark_id: continue for elem in benchmark.findall(".//{%s}Profile" % (namespace)): id_ = elem.get("id") if id_ is None: continue title = "" for element in elem.findall("{%s}title" % (namespace)): title = element.text break dest[id_] = title input_root = input_tree.getroot() scrape_profiles( input_root, XCCDF11_NS, ret ) scrape_profiles( input_root, XCCDF12_NS, ret ) if tailoring_tree is not None: tailoring_root = tailoring_tree.getroot() scrape_profiles( tailoring_root, XCCDF11_NS, ret ) scrape_profiles( tailoring_root, XCCDF12_NS, ret ) return ret def get_profile_short_id(long_id): """If given profile ID is the XCCDF 1.2 long ID this function shortens it """ if re.search(PROFILE_ID_PREFIX, long_id): return long_id[re.search(PROFILE_ID_PREFIX, long_id).end():] return 
long_id scap-security-guide-0.1.39/shared/references/000077500000000000000000000000001327242345500210705ustar00rootroot00000000000000scap-security-guide-0.1.39/shared/references/FedRAMP_HHH_Baseline_DraftForPublicRelease_v1-0.xml000066400000000000000000057750571327242345500323050ustar00rootroot00000000000000 Microsoft Office User 2015-11-19T18:37:37Z 15.0 96 17540 28720 80 460 False False ACCESS CONTROL AC-1 ACCESS CONTROL POLICY AND PROCEDURES ü The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. 
References: NIST Special Publications 800-12, 800-100. ü ü AC-1.b.1 [at least every 3 years] AC-1.b.2 [at least annually] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AC-1.b.1 [at least annually] AC-1.b.2 [at least every six months] ACCESS CONTROL AC-2 ACCOUNT MANAGEMENT ü The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment 1: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment 2: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment 3: organization-defined procedures or conditions]; g. Monitors the use of, information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. 
Supplemental Guidance: Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Rela

✓ ✓ AC-2.j [at least annually]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-2 (1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT
The organization employs automated mechanisms to support the management of information system accounts.
Supplemental Guidance: The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-2 (2) ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS
✓ The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
Supplemental Guidance: This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator.
✓ [no more than 30 days for temporary and emergency account types]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 [no more than 15 days for temporary and emergency account types]

ACCESS CONTROL AC-2 (3) ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS
✓ The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
✓ [90 days for user accounts] Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the Authorizing Official.
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 [35 days for user accounts] Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the Authorizing Official. Where user management is a function of the service, reports of activity of consumer users shall be made available.

ACCESS CONTROL AC-2 (4) ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS
✓ The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Related controls: AU-2, AU-12.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 [organization and/or service provider system owner]

ACCESS CONTROL AC-2 (5) ACCOUNT MANAGEMENT | INACTIVITY LOGOUT
✓ The organization requires that users log out when [Assignment: organization-defined time-period of expected inactivity or description of when to log out].
Supplemental Guidance: Related control: SC-23.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 [organization and service provider-defined time-period/description of when to log out]

ACCESS CONTROL AC-2 (7) ACCOUNT MANAGEMENT | ROLE-BASED SCHEMES
✓ The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles; (b) Monitors privileged role assignments; and (c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
Supplemental Guidance: Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration.
✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4 [Disable/remove access within an organization-specified timeframe] c. Disables (or revokes) privileged user account

ACCESS CONTROL AC-2 (9) ACCOUNT MANAGEMENT | RESTRICTIONS ON USE OF SHARED GROUPS / ACCOUNTS
✓ The organization only permits the use of shared/group accounts that meet [Assignment: organization-defined conditions for establishing shared/group accounts].
✓ Required if shared/group accounts are deployed
✓ Included in FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-2 (10) ACCOUNT MANAGEMENT | SHARED / GROUP ACCOUNT CREDENTIAL TERMINATION
The information system terminates shared/group account credentials when members leave the group.
✓ Required if shared/group accounts are deployed
✓ Included in FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-2 (12) ACCOUNT MANAGEMENT | ACCOUNT MONITORING / ATYPICAL USAGE
✓ The organization: (a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and (b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations. Related control: CA-7.
✓ AC-2 (12)(a) and AC-2 (12)(b) Additional FedRAMP Requirements and Guidance: Required for privileged accounts.
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-2 (13) ACCOUNT MANAGEMENT | DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS
✓ The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk.
Supplemental Guidance: Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and human resource managers is essential in order for timely execution of this control enhancement. Related control: PS-4. References: None.
✓ Included in NIST High Baseline, Rev 4 [one hour]

ACCESS CONTROL AC-3 ACCESS ENFORCEMENT
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance: Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-4 INFORMATION FLOW ENFORCEMENT
✓ The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-4 (8) INFORMATION FLOW ENFORCEMENT | SECURITY POLICY FILTERS
✓ The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
Supplemental Guidance: Organization-defined security policy filters can address data structures and content. For example, security policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security policy filters for data content can check for specific words (e.g., dirty/clean word filters), enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data typically refers to digital information without a particular data structure or with a data structure that does not facilitate the development of rule sets to address the particular sensitivity of the information conveyed by the data or the associated flow enforcement decisions. Unstructured data consists of: (i) bitmap objects that are inherently non language-based (i.e., image, video, or audio files); and (ii) textual objects that are based on written or printed languages (e.g., commercial off-the-shelf word processing documents, spreadsheets, or emails). Organizations can implement more than one security policy filter to meet information flow control objectives (e.g., employing clean word lists in conjunction with dirty word lists may help to reduce false positives).
✓ NEED. If there is a significant high-impact risk of inadvertent or intentional data leakage with a system deployed in a shared-service environment, this control is justified to mitigate that risk. Similar justification applies when an organization needs to ensure data isolation between different types of information enclaves within the organization.
ANALYSIS. Although this control is usually employed to control flows between different classified enclaves, it can also apply to non-classified scenarios (e.g., the need to isolate legal, personnel, health-related, financial, or other information or files deemed sensitive).
SAMPLE THREAT VECTORS. Sensitive free-text information passes from the personnel department to the rest of the organization. Law-enforcement sensitive information is inadvertently pulled from the organization's general counsel case management system and passed outside the department to users without authorization to view that information. HIPAA-protected health information flows freely from the HR department to all employees. Privacy-Act information flows from an HR system into a publicly released report.
RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Adaptive, Manageable, Assessed, Auditable, Regulated, Controlled, Monitored, Providing Good Data Stewardship, Assured, Competent, Confidential, Data Controllable, Access-Controlled.
[security policy filters inherent in boundary protection devices such as gateways, routers, guards, encrypted tunnels, firewalls] [information containing PII or organization-sensitive information types]

ACCESS CONTROL AC-4 (21) INFORMATION FLOW ENFORCEMENT | PHYSICAL / LOGICAL SEPARATION OF INFORMATION FLOWS
✓ The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
Supplemental Guidance: Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories.
✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-5 SEPARATION OF DUTIES
✓ The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties.
Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. Control Enhancements: None. References: None.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-6 LEAST PRIVILEGE
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Supplemental Guidance: Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems. Related controls: AC-2, AC-3, AC-5, CM-6, CM-7, PL-2.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-6 (1) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS
✓ The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
Supplemental Guidance: Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Related controls: AC-17, AC-18, AC-19.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 [all functions not publicly accessible and all security-relevant information not publicly available]

ACCESS CONTROL AC-6 (2) LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS
✓ The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.
Supplemental Guidance: This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. Related control: PL-4.
✓ [all security functions] AC-6 (2). Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-6 (3) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS
✓ The organization authorizes network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system.
Supplemental Guidance: Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Related control: AC-17.
✓ Included in NIST High Baseline, Rev 4 [privileged commands used to change/configure network devices] [compelling operational needs as defined by organization policy]

ACCESS CONTROL AC-6 (5) LEAST PRIVILEGE | PRIVILEGED ACCOUNTS
✓ The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. Related control: CM-6.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-6 (9) LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS
The information system audits the execution of privileged functions.
Supplemental Guidance: Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). Related control: AU-2.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-6 (10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS
The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Supplemental Guidance: Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. References: None.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-7 UNSUCCESSFUL LOGON ATTEMPTS
✓ The information system: a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
Supplemental Guidance: This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5.
✓ ✓ AC-7a [not more than three] [fifteen minutes] AC-7b [locks the account/node for thirty minutes]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AC-7a [not more than three] [fifteen minutes] AC-7b [locks the account/node for a minimum of 3 hours or until unlocked by an administrator]

ACCESS CONTROL AC-7 (2) UNSUCCESSFUL LOGON ATTEMPTS | PURGE / WIPE MOBILE DEVICE
✓ The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
Supplemental Guidance: This control enhancement applies only to mobile devices for which a logon occurs (e.g., personal digital assistants, smart phones, tablets). The logon is to the mobile device, not to any one account on the device.
Therefore, successful logons to any accounts on mobile devices reset the unsuccessful logon count to zero. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping which may result in devices becoming unusable. Purging/wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms. Related controls: AC-19, MP-5, MP-6, SC-13.
✓ NEED. If an organization's mobile devices carry information whose loss would have a high impact, this control is warranted in order to mitigate the risk of such loss.
ANALYSIS. The technologies associated with this control are well established COTS hardware and software.
SAMPLE THREAT VECTORS. Mobile device is lost, falls into the hands of people without authorization to view the information contained on the device.
RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Usable, Adaptive, Manageable, Agile, Supported, Assessed, Auditable, Regulated, Controlled, Monitored, Providing Good Data Stewardship, Assured, Confidential, Data Controllable, Access-Controlled, Mission Assured
[mobile devices as defined by organization policy] [Organization-defined purging/wiping requirements/techniques] [three]

ACCESS CONTROL AC-8 SYSTEM USE NOTIFICATION
✓ The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
Supplemental Guidance: System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content. Control Enhancements: None. References: None.
✓ ✓ Parameter: See Additional Requirements and Guidance. Requirement: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the Authorizing Official (AO). Requirement: The service provider shall determine how System Use Notification is going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the AO. Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. Requirement: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results is approved and accepted by the AO.
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-10 CONCURRENT SESSION CONTROL
✓ The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
Supplemental Guidance: Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. Control Enhancements: None. References: None.
✓ [three (3) sessions for privileged access and two (2) sessions for non-privileged access]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-11 SESSION LOCK
✓ The information system: a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
Supplemental Guidance: Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7. ü AC-11a. [fifteen minutes] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 ACCESS CONTROL AC-11 (1) SESSION LOCK | PATTERN-HIDING DISPLAYS The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Supplemental Guidance: Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. References: OMB Memorandum 06-16. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 ACCESS CONTROL AC-12 SESSION TERMINATION ü The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. Supplemental Guidance: This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. 
Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. Related controls: SC-10, SC-23. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 ACCESS CONTROL AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION ü The organization: a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication. Supplemental Guidance: This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. 
Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none. Related controls: CP-2, IA-2.
Control Enhancements: None.
(1) PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | NECESSARY USES [Withdrawn: Incorporated into AC-14].
References: None.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-17 REMOTE ACCESS
The organization:
a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorizes remote access to the information system prior to allowing such connections.
Supplemental Guidance: Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks.
Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
System-to-system remote access via Application Program Interfaces or other protocols or technologies is also included.

ACCESS CONTROL AC-17 (1) REMOTE ACCESS | AUTOMATED MONITORING / CONTROL
The information system monitors and controls remote access methods.
Supplemental Guidance: Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets). Related controls: AU-2, AU-12.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-17 (2) REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Supplemental Guidance: The encryption strength of mechanism is selected based on the security categorization of the information. Related controls: SC-8, SC-12, SC-13.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-17 (3) REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS ✓
The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
Supplemental Guidance: Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-17 (4) REMOTE ACCESS | PRIVILEGED COMMANDS / ACCESS ✓
The organization:
(a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
(b) Documents the rationale for such access in the security plan for the information system.
Supplemental Guidance: Related control: AC-6.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-17 (9) REMOTE ACCESS | DISCONNECT / DISABLE ACCESS ✓
The organization provides the capability to expeditiously disconnect or disable remote access to the information system within [Assignment: organization-defined time period].
Supplemental Guidance: This control enhancement requires organizations to have the capability to rapidly disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of missions/business functions and the need to eliminate immediate or future remote access to organizational information systems.
✓ [no greater than 15 minutes] ✓ Included in FedRAMP Moderate Baseline, Rev 4 [immediately]

ACCESS CONTROL AC-18 WIRELESS ACCESS
The organization:
a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
b. Authorizes wireless access to the information system prior to allowing such connections.
Supplemental Guidance: Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. Related controls: AC-2, AC-3, AC-17, AC-19, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, PL-4, SI-4.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-18 (1) WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION ✓
The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.
Supplemental Guidance: Related controls: SC-8, SC-13.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-18 (4) WIRELESS ACCESS | RESTRICT CONFIGURATIONS BY USERS
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.
Supplemental Guidance: Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational information systems. Related controls: AC-3, SC-15.
✓ Included in NIST High Baseline, Rev 4

ACCESS CONTROL AC-18 (5) WIRELESS ACCESS | ANTENNAS / TRANSMISSION POWER LEVELS
The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.
Supplemental Guidance: Actions that may be taken by organizations to limit unauthorized use of wireless communications outside of organization-controlled boundaries include, for example: (i) reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be used by adversaries outside of the physical perimeters of organizations; (ii) employing measures such as TEMPEST to control wireless emanations; and (iii) using directional/beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational information systems as well as other systems that may be operating in the area. Related control: PE-19.
References: NIST Special Publications 800-48, 800-94, 800-97.
✓ Included in NIST High Baseline, Rev 4

ACCESS CONTROL AC-19 ACCESS CONTROL FOR MOBILE DEVICES
The organization:
a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
b. Authorizes the connection of mobile devices to organizational information systems.
Supplemental Guidance: A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets.
Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled. Related controls: AC-3, AC-7, AC-18, AC-20, CA-9, CM-2, IA-2, IA-3, MP-2, MP-4, MP-5, PL-4, SC-7, SC-43, SI-3, SI-4.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-19 (5) ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE / CONTAINER-BASED ENCRYPTION ✓
The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
Supplemental Guidance: Container-based encryption provides a more fine-grained approach to the encryption of data/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields. Related controls: MP-5, SC-13, SC-28.
References: OMB Memorandum 06-16; NIST Special Publications 800-114, 800-124, 800-164.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from external information systems; and
b. Process, store, or transmit organization-controlled information using external information systems.
Supplemental Guidance: External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness.
External information systems include, for example: (i) personally owned information systems/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. 
Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. Related controls: AC-3, AC-17, AC-19, CA-3, PL-4, SA-9.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-20 (1) USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or
(b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
Supplemental Guidance: This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations. Related control: CA-2.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-20 (2) USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE DEVICES ✓
The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
Supplemental Guidance: Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-21 INFORMATION SHARING ✓
The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
Supplemental Guidance: Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

ACCESS CONTROL AC-22 PUBLICLY ACCESSIBLE CONTENT ✓
The organization:
a. Designates individuals authorized to post information onto a publicly accessible information system;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
d. Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
Supplemental Guidance: In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy. Related controls: AC-3, AC-4, AT-2, AT-3, AU-13.
✓ ✓ AC-22d. [at least quarterly] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

AWARENESS AND TRAINING AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES ✓
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b.
Reviews and updates the current:
1. Security awareness and training policy [Assignment: organization-defined frequency]; and
2. Security awareness and training procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-16, 800-50, 800-100.
✓ ✓ AT-1.b.1 [at least every 3 years] AT-1.b.2 [at least annually] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

AWARENESS AND TRAINING AT-2 SECURITY AWARENESS TRAINING
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
Supplemental Guidance: Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access.
The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events. Related controls: AT-3, AT-4, PL-4.
✓ ✓ AT-2. [Assignment: organization-defined frequency] Parameter: [at least annually] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

AWARENESS AND TRAINING AT-2 (2) SECURITY AWARENESS | INSIDER THREAT
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
Supplemental Guidance: Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Related controls: PL-4, PM-12, PS-3, PS-6.
References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); Executive Order 13587; NIST Special Publication 800-50.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

AWARENESS AND TRAINING AT-3 ROLE-BASED SECURITY TRAINING ✓
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
Supplemental Guidance: Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies. Related controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16.
✓ ✓ AT-3c.
[Assignment: organization-defined frequency] Parameter: [at least annually] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

AWARENESS AND TRAINING AT-3 (3) SECURITY TRAINING | PRACTICAL EXERCISES
The organization includes practical exercises in security training that reinforce training objectives.
Supplemental Guidance: Practical exercises may include, for example, security training for software developers that includes simulated cyber attacks exploiting common software vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted at senior leaders/executives. These types of practical exercises help developers better understand the effects of such vulnerabilities and appreciate the need for security coding standards and processes.
✓ NEED. High-impact systems warrant significantly elevated protection; one of these elevated protections is provided through simulated no-notice attacks that exercise users’ ability to detect and respond correctly to attempts to steal internal information in their possession.
ANALYSIS. These controls are well understood and widely installed; COTS components keep implementation time and cost low.
SAMPLE THREAT VECTORS. Cybersecurity staff do not know how to monitor, respond, and manage complex enforcement systems and subsystems. Cybersecurity staff is not properly trained to understand how the controls are to operate. Staff does not understand the event alarms/logs. Staff is not able to protect from unauthorized disclosure. Staff is careless with handling data, or unwilling to follow the established security protocols, or willing to cut corners to save time.
RELEVANT SECURITY CONTROL ATTRIBUTES.
Integrity-Assured, Assessed, Auditable, Controlled, Monitored, Providing Good Data Stewardship, Assured, Competent, Confidential

AWARENESS AND TRAINING AT-3 (4) SECURITY TRAINING | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR ✓
The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems.
Supplemental Guidance: A well-trained workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code coming in to organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender but who appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to such suspicious email or web communications (e.g., not opening attachments, not clicking on embedded web links, and checking the source of email addresses). For this process to work effectively, all organizational personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in organizational information systems can potentially provide early warning for the presence of malicious code. Recognition of such anomalous behavior by organizational personnel can supplement automated malicious code detection and protection tools and systems employed by organizations.
✓ NEED. High-impact systems warrant significantly elevated protection; one of these elevated protections is provided through simulated no-notice attacks that exercise users’ ability to detect and respond correctly to attempts to steal internal information in their possession.
ANALYSIS.
These controls are well understood and widely installed; COTS components keep implementation time and cost low.
THREAT VECTORS ADDRESSED. Staff does not know how to monitor or manage complex systems in a way that supports effective management decision or control. Malicious actors manipulate the system to appear as if functioning normally when in reality, it is not. People fail to review event logs. People make unauthorized changes to event logger.
RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Assessed, Auditable, Controlled, Monitored, Providing Good Data Stewardship, Assured, Competent, Confidential.
[malicious code indicators as defined by organization incident policy/capability]

AWARENESS AND TRAINING AT-4 SECURITY TRAINING RECORDS ✓
The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].
Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14.
Control Enhancements: None.
References: None.
✓ ✓ AT-4b. [Assignment: organization-defined frequency] Parameter: [At least one year] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

AUDIT AND ACCOUNTABILITY AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES ✓
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current: 1.
Audit and accountability policy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-100. ü ü AU-1.b.1 [at least every 3 years] AU-1.b.2 [at least annually] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AU-1.b.1 [at least annually] AU-1.b.2 [at least annually] AUDIT AND ACCOUNTABILITY AU-2 AUDIT EVENTS ü The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d.
Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event]. Supplemental Guidance: An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. 
Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4. ü ü AU-2a. [Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes] AU-2d. [organization-defined subset of the auditable events defined in AU-2 a. to be audited continually for each identified event]. ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 Coordination between service provider and consumer shall be documented and accepted by the Authorizing Official AUDIT AND ACCOUNTABILITY AU-2 (3) AUDIT EVENTS | REVIEWS AND UPDATES ü The organization reviews and updates the audited events [Assignment: organization-defined frequency]. Supplemental Guidance: Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient. ü AU-2 (3). [Assignment: organization-defined frequency] Parameter: [annually or whenever there is a change in the threat environment] Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the Authorizing Official. 
ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-3 CONTENT OF AUDIT RECORDS The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. Supplemental Guidance: Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11. ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-3 (1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION ü The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information]. Supplemental Guidance: Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. ü AU-3 (1). 
[Assignment: organization-defined additional, more detailed information] Parameter: [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon] AU-3 (1). Requirement: The service provider defines audit record types. The audit record types are approved and accepted by the Authorizing Official. Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry. ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AU-3 (1). [Assignment: organization-defined additional, more detailed information] Parameter: [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands] AUDIT AND ACCOUNTABILITY AU-3 (2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT ü The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]. Supplemental Guidance: This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system. Related controls: AU-6, AU-7. References: None. 
ü Included in NIST High Baseline, Rev 4 [all network, data storage, and computing devices] AUDIT AND ACCOUNTABILITY AU-4 AUDIT STORAGE CAPACITY ü The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements]. Supplemental Guidance: Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability. Related controls: AU-2, AU-5, AU-6, AU-7, AU-11, SI-4. ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-5 RESPONSE TO AUDIT PROCESSING FAILURES ü The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]. Supplemental Guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Related controls: AU-4, SI-12. ü ü AU-5b. 
[Assignment: Organization-defined actions to be taken] Parameter: [low-impact: overwrite oldest audit records; moderate-impact: shut down] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AU-5b. [Assignment: Organization-defined actions to be taken] Parameter: [high impact: shut down] AUDIT AND ACCOUNTABILITY AU-5 (1) RESPONSE TO AUDIT PROCESSING FAILURES | AUDIT STORAGE CAPACITY ü The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity. Supplemental Guidance: Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities. ü Included in NIST High Baseline, Rev 4 [service provider personnel with authority to address audit storage capacity planning] [24 hours] [in accordance with organization auditing policy] AUDIT AND ACCOUNTABILITY AU-5 (2) RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS ü The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts]. Supplemental Guidance: Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). ü Included in NIST High Baseline, Rev 4 [real-time] [service provider personnel with authority to address failed audit events] [audit failure events requiring real-time alerts, as defined by organization audit policy]. 
AUDIT AND ACCOUNTABILITY AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING ü The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Reports findings to [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review/analysis may be carried out by other organizations granted such authority. Related controls: AC-2, AC-3, AC-6, AC-17, AT-3, AU-7, AU-16, CA-7, CM-5, CM-10, CM-11, IA-3, IA-5, IR-5, IR-6, MA-4, MP-4, PE-3, PE-6, PE-14, PE-16, RA-5, SC-7, SC-18, SC-19, SI-3, SI-4, SI-7. ü ü AU-6a. [Assignment: organization-defined frequency] Parameter: [at least weekly] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 Coordination between service provider and consumer shall be documented and accepted by the Authorizing Official. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.
AUDIT AND ACCOUNTABILITY AU-6 (1) AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities. Supplemental Guidance: Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits. Related controls: AU-12, PM-7. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-6 (3) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT REPOSITORIES The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. Supplemental Guidance: Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission/business process, and information system) and supports cross-organization awareness. Related controls: AU-12, IR-4. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-6 (4) AUDIT REVIEW, ANALYSIS, AND REPORTING | CENTRAL REVIEW AND ANALYSIS The information system provides the capability to centrally review and analyze audit records from multiple components within the system. Supplemental Guidance: Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. Related controls: AU-2, AU-12. ü NEED. 
Due to the complexity of independent systems exchanging security-related monitoring data, and high-impact systems implemented in shared-service environments, the responsible organization needs a centralized capability that integrates these various data sources into a unified whole permitting central review and analysis of diverse log data relevant to security audits. ANALYSIS. This control permits analysts and auditors to focus on their primary duty of analyzing log data, and relieves them of the usual burden of discovery, collection, validation, aggregation, and indexing of large log datasets relevant to system security. Since these latter collection tasks have been automated under this control, less time and funding will be required to execute this core audit/analysis activity. SAMPLE THREAT VECTORS. Staff does not know how to monitor or manage complex systems in a way that supports effective management decision or control. Malicious actors manipulate the system to appear as if functioning normally, when it is not. People fail to review event logs. People make unauthorized changes to event logger. RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored. AUDIT AND ACCOUNTABILITY AU-6 (5) AUDIT REVIEW, ANALYSIS, AND REPORTING | INTEGRATION / SCANNING AND MONITORING CAPABILITIES ü The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. Supplemental Guidance: This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information.
Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. Related controls: AU-12, IR-4, RA-5. ü Included in NIST High Baseline, Rev 4 [vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Organization-defined data/information collected from other sources]] AUDIT AND ACCOUNTABILITY AU-6 (6) AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH PHYSICAL MONITORING The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. Supplemental Guidance: The correlation of physical audit information and audit logs from information systems may assist organizations in identifying examples of suspicious behavior or supporting evidence of such behavior.
For example, the correlation of an individual’s identity for logical access to certain information systems with the additional physical security information that the individual was actually present at the facility when the logical access occurred, may prove to be useful in investigations. ü Included in NIST High Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-6 (7) AUDIT REVIEW, ANALYSIS, AND REPORTING | PERMITTED ACTIONS ü The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information. Supplemental Guidance: Organizations specify permitted actions for information system processes, roles, and/or users associated with the review, analysis, and reporting of audit records through account management techniques. Specifying permitted actions on audit information is a way to enforce the principle of least privilege. Permitted actions are enforced by the information system and include, for example, read, write, execute, append, and delete. ü Included in NIST High Baseline, Rev 4 [information system process; role; user] AUDIT AND ACCOUNTABILITY AU-7 AUDIT REDUCTION AND REPORT GENERATION The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and b. Does not alter the original content or time ordering of audit records. Supplemental Guidance: Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities.
Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-7 (1) AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING ü The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]. Supplemental Guidance: Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. Related controls: AU-2, AU-12. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-8 TIME STAMPS ü The information system: a. Uses internal system clocks to generate time stamps for audit records; and b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]. Supplemental Guidance: Time stamps generated by the information system include date and time. 
Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. Related controls: AU-3, AU-12. ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-8 (1) TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE ü The information system: (a) Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and (b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]. Supplemental Guidance: This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. ü AU-8 (1). [http://tf.nist.gov/tf-cgi/servers.cgi] <At least hourly> AU-8 (1). Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server. Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server. 
Guidance: Synchronization of system clocks improves the accuracy of log analysis. ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-9 PROTECTION OF AUDIT INFORMATION The information system protects audit information and audit tools from unauthorized access, modification, and deletion. Supplemental Guidance: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls. Related controls: AC-3, AC-6, MP-2, MP-4, PE-2, PE-3, PE-6. ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-9 (2) PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS ü The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited. Supplemental Guidance: This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. Related controls: AU-4, AU-5, AU-11. ü AU-9 (2). [at least weekly] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-9 (3) PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools. 
Supplemental Guidance: Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Related controls: AU-10, SC-12, SC-13. ü Included in NIST High Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-9 (4) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS ü The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. Supplemental Guidance: Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges. Related control: AC-5. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-10 NON-REPUDIATION ü The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation]. Supplemental Guidance: Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. 
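The signed-hash mechanism described for AU-9(3), which also gives the originator non-repudiation in the sense of AU-10, as an added example that is not part of the control catalog or the scap-security-guide project: each audit record is hashed with SHA-256, the digest is signed with an Ed25519 private key held only by the logging component, and each record carries the previous digest so that deletion or reordering is detectable with nothing but the public key. The record layout, the hash chaining and the sample records are this example's own constructions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuditRecord carries the AU-3 content (what, when, source, outcome, who) and the previous record's digest.
type AuditRecord struct {
	Timestamp string // RFC 3339 in UTC, as AU-8 requires
	EventType string
	Source    string
	Outcome   string
	Subject   string
	PrevHash  string // chain link: deleting or reordering records breaks it
}

// SignedRecord pairs a record with its SHA-256 digest and an Ed25519 signature over that digest.
type SignedRecord struct {
	Record    AuditRecord
	Hash      string
	Signature string
}

var genesisHash = hex.EncodeToString(make([]byte, sha256.Size)) // link carried by the first record

// Signer appends to the trail; only the logging component holds the private key, verifiers need just the public key (AU-9(3)).
type Signer struct {
	priv     ed25519.PrivateKey
	lastHash string
}

func NewSigner(priv ed25519.PrivateKey) *Signer {
	return &Signer{priv: priv, lastHash: genesisHash}
}

// Append serializes deterministically (json.Marshal keeps struct field order), hashes, signs the digest and advances the chain.
func (s *Signer) Append(now time.Time, event, source, outcome, subject string) (SignedRecord, error) {
	rec := AuditRecord{Timestamp: now.UTC().Format(time.RFC3339Nano), EventType: event,
		Source: source, Outcome: outcome, Subject: subject, PrevHash: s.lastHash}
	b, _ := json.Marshal(rec) // cannot fail for a struct made only of strings
	sum := sha256.Sum256(b)
	s.lastHash = hex.EncodeToString(sum[:])
	sig := hex.EncodeToString(ed25519.Sign(s.priv, sum[:]))
	return SignedRecord{Record: rec, Hash: s.lastHash, Signature: sig}, nil
}

// VerifyTrail re-derives each digest, checks its signature and chain link; returns the index of the first bad record or -1.
func VerifyTrail(pub ed25519.PublicKey, trail []SignedRecord) (int, error) {
	prev := genesisHash
	for i, sr := range trail {
		b, _ := json.Marshal(sr.Record)
		sum := sha256.Sum256(b)
		if hex.EncodeToString(sum[:]) != sr.Hash {
			return i, errors.New("digest mismatch: record content was altered")
		}
		sig, err := hex.DecodeString(sr.Signature)
		if err != nil || !ed25519.Verify(pub, sum[:], sig) {
			return i, errors.New("bad signature: record was not produced by the audit signer")
		}
		if sr.Record.PrevHash != prev {
			return i, errors.New("chain break: a record was inserted, removed or reordered")
		}
		prev = sr.Hash
	}
	return -1, nil
}

// SampleTrail appends three constructed records (sample data, not taken from any real system).
func SampleTrail(s *Signer) ([]SignedRecord, error) {
	base := time.Date(2018, 4, 1, 12, 0, 0, 0, time.UTC)
	var trail []SignedRecord
	for i, e := range [][4]string{
		{"logon", "10.0.0.5", "success", "alice"},
		{"privileged_command", "10.0.0.5", "success", "alice"},
		{"logon", "203.0.113.7", "failure", "root"},
	} {
		sr, err := s.Append(base.Add(time.Duration(i)*time.Second), e[0], e[1], e[2], e[3])
		if err != nil {
			return nil, err
		}
		trail = append(trail, sr)
	}
	return trail, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trail, _ := SampleTrail(NewSigner(priv))
	fmt.Println(VerifyTrail(pub, trail)) // -1 <nil>
	trail[2].Record.Outcome = "success"  // a store-level edit that hides the failed root logon
	fmt.Println(VerifyTrail(pub, trail)) // 2 digest mismatch: record content was altered
}
```

An attacker who can rewrite the store but lacks the private key cannot recompute a valid signature, and removing a record leaves the next record pointing at a digest that is no longer there, which is what VerifyTrail reports.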
Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts). Related controls: SC-12, SC-8, SC-13, SC-16, SC-17, SC-23. ü Included in NIST High Baseline, Rev 4 [actions including the addition, modification, deletion, approval, sending, or receiving of data] AUDIT AND ACCOUNTABILITY AU-11 AUDIT RECORD RETENTION ü The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. Supplemental Guidance: Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP-6. ü ü AU-11. [at least ninety days] AU-11. Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records off-line for a period that is in accordance with NARA requirements. ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AU-11. 
[at least 1 year] AUDIT AND ACCOUNTABILITY AU-12 AUDIT GENERATION ü The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3. Supplemental Guidance: Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. ü ü AU-12a. [all information system and network components where audit capability is deployed/available] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 AUDIT AND ACCOUNTABILITY AU-12 (1) AUDIT GENERATION | SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL ü The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]. Supplemental Guidance: Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12.
ü Included in NIST High Baseline, Rev 4 [all network, data storage, and computing devices] [organization -defined level of tolerance for relationship between time stamps of individual records in the audit trail] AUDIT AND ACCOUNTABILITY AU-12 (3) AUDIT GENERATION | CHANGES BY AUTHORIZED INDIVIDUALS ü The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. Supplemental Guidance: This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours. Related control: AU-7. References: None. ü Included in NIST High Baseline, Rev 4 [service provider-defined individuals or roles with audit configuration responsibilities] [all network, data storage, and computing devices] [organization -defined threat situations] [organization -defined time thresholds]. SECURITY ASSESSMENT AND AUTHORIZATION CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICIES AND PROCEDURES ü The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. 
Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-37, 800-53A, 800-100. ü ü CA-1.b.1 [at least every 3 years] CA-1.b.2 [at least annually] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 CA-1.b.1 [at least annually] CA-1.b.2 [at least every six months] SECURITY ASSESSMENT AND AUTHORIZATION CA-2 SECURITY ASSESSMENTS ü The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. 
Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles]. Supplemental Guidance: Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. 
Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Rela ü ü CA-2b. 
[at least annually] CA-2d. [individuals or roles to include FedRAMP PMO] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SECURITY ASSESSMENT AND AUTHORIZATION CA-2 (1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS ü The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments. Supplemental Guidance: Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. 
This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments. ü ü Added to NIST Baseline for "Low" FedRAMP baseline. For JAB Authorization, must be an accredited 3PAO ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SECURITY ASSESSMENT AND AUTHORIZATION CA-2 (2) SECURITY ASSESSMENTS | SPECIALIZED ASSESSMENTS ü The organization includes as part of security control assessments, [Assignment: organization- defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]. 
Supplemental Guidance: Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. ü [at least annually] Requirement: To include 'announced', 'vulnerability scanning' ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SECURITY ASSESSMENT AND AUTHORIZATION CA-2 (3) SECURITY ASSESSMENTS | EXTERNAL ORGANIZATIONS ü The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements]. Supplemental Guidance: Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. 
Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives. ü [Any FedRAMP Accredited 3PAO] [the conditions of a P-ATO in the FedRAMP Repository] ü Included in FedRAMP Moderate Baseline, Rev 4 SECURITY ASSESSMENT AND AUTHORIZATION CA-3 SYSTEM INTERCONNECTIONS ü The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. Supplemental Guidance: This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. 
If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4. ü ü CA-3c. 3 Years / Annually and on input from FedRAMP ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 CA-3c. At least annually and on input from FedRAMP SECURITY ASSESSMENT AND AUTHORIZATION CA-3 (3) SYSTEM INTERCONNECTIONS | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS ü The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment; organization-defined boundary protection device]. Supplemental Guidance: Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). 
ü Boundary Protections which meet the Trusted Internet Connection (TIC) requirements CA-3(3) Guidance: Refer to Appendix H – Cloud Considerations of the TIC 2.0 Reference Architecture document. ü Included in FedRAMP Moderate Baseline, Rev 4 SECURITY ASSESSMENT AND AUTHORIZATION CA-3 (5) SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS ü The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems. Supplemental Guidance: Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable. Related control: CM-7. References: FIPS Publication 199; NIST Special Publication 800-47. ü For JAB Authorization, CSPs shall include details of this control in their Architecture Briefing ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 [deny-all, permit by exception] [any systems] SECURITY ASSESSMENT AND AUTHORIZATION CA-5 PLAN OF ACTION AND MILESTONES ü The organization: a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. 
Supplemental Guidance: Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB. Related controls: CA-2, CA-7, CM-4, PM-4. References: OMB Memorandum 02-01; NIST Special Publication 800-37. ü ü CA-5b. [at least monthly] CA-5 Guidance: Requirement: POA&Ms must be provided at least monthly. ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SECURITY ASSESSMENT AND AUTHORIZATION CA-6 SECURITY AUTHORIZATION ü The organization: a. Assigns a senior-level executive or manager as the authorizing official for the information system; b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c. Updates the security authorization [Assignment: organization-defined frequency]. Supplemental Guidance: Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. 
OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions. Related controls: CA-2, CA-7, PM-9, PM-10. Control Enhancements: None. References: OMB Circular A-130; OMB Memorandum 11-33; NIST Special Publications 800-37, 800-137. ü ü CA-6c. [at least every three years or when a significant change occurs] CA-6c. Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture. The types of changes are approved and accepted by the Authorizing Official. ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SECURITY ASSESSMENT AND AUTHORIZATION CA-7 CONTINUOUS MONITORING ü The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. 
Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e. Correlation and analysis of security-related information generated by assessments and monitoring; f. Response actions to address results of the analysis of security-related information; and g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. Supplemental Guidance: Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. 
Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM- 9, RA-5, SA-11, SA-12, SI-2, SI-4. ü ü CA-7d. [To meet Federal and FedRAMP requirements] Operating System Scans: at least monthly Database and Web Application Scans: at least monthly All scans performed by Independent Assessor: at least annually CA-7 Guidance: CSPs must provide evidence of closure and remediation of high vulnerabilities within the timeframe for standard POA&M updates. ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SECURITY ASSESSMENT AND AUTHORIZATION CA-7 (1) CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT ü The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis. Supplemental Guidance: Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services. 
ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SECURITY ASSESSMENT AND AUTHORIZATION CA-7 (3) CONTINUOUS MONITORING | TREND ANALYSES The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data. Supplemental Guidance: Trend analyses can include, for example, examining recent threat information regarding the types of threat events that have occurred within the organization or across the federal government, success rates of certain types of cyber attacks, emerging vulnerabilities in information technologies, evolving social engineering techniques, results from multiple security control assessments, the effectiveness of configuration settings, and findings from Inspectors General or auditors. ü NEED. Organization requires independent data to validate that current security monitoring continues to target the right data, and that no gaps have opened between what is currently measured and what needs to be measured given the constantly evolving threat environment. In particular, the organization determines that security management will need trend analytics tuned to the current security climate to ensure the organization’s security officials maintain general situational awareness of larger security trends that may pose a threat to the organization’s high-impact systems fielded in shared-service environments. ANALYSIS. Implementation of this control should provide security management with a technical advantage by forcing them to maintain continual current awareness of the larger security threat-scape, rather than become lost in the lower-level details of specific security metrics. 
Though the control is unlikely to have cost impacts, it is likely to involve implementation challenges related to validation of independent trend data sources and reinforcement training of management to use the analyses efficiently.

SAMPLE THREAT VECTORS ADDRESSED. Stakeholders do not have the information they need to make sound decisions due to technology capability. System fails to send alarms, logs, and other pertinent data to the event manager. Control processes involve too many layers of review, concurrence, and revision to support effective and timely conveyance of relevant information to decision-makers. Monitoring not effectively linked to control processes.

RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Controlled

SECURITY ASSESSMENT AND AUTHORIZATION
CA-8 PENETRATION TESTING ✓
The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].
Supplemental Guidance: Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing. Related control: SA-12.
✓ [at least annually] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SECURITY ASSESSMENT AND AUTHORIZATION
CA-8 (1) PENETRATION TESTING | INDEPENDENT PENETRATION AGENT OR TEAM
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
Supplemental Guidance: Independent penetration agents or teams are individuals or groups who conduct impartial penetration testing of organizational information systems. Impartiality implies that penetration agents or teams are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems that are the targets of the penetration testing. Supplemental guidance for CA-2 (1) provides additional information regarding independent assessments that can be applied to penetration testing. Related control: CA-2.
✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

SECURITY ASSESSMENT AND AUTHORIZATION
CA-9 INTERNAL SYSTEM CONNECTIONS ✓
The organization:
a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
Supplemental Guidance: This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES ✓
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
b. Reviews and updates the current:
1. Configuration management policy [Assignment: organization-defined frequency]; and
2. Configuration management procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or, conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-100.
✓ ✓ CM-1.b.1 [at least every 3 years] CM-1.b.2 [at least annually] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
CM-1.b.1 [at least annually] CM-1.b.2 [at least every six months]

CONFIGURATION MANAGEMENT
CM-2 BASELINE CONFIGURATION
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
Supplemental Guidance: This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-2 (1) BASELINE CONFIGURATION | REVIEWS AND UPDATES ✓
The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment: organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades.
Supplemental Guidance: Related control: CM-5.
✓ CM-2 (1) (a). [at least annually] CM-2 (1) (b). [to include when directed by Authorizing Official] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
CM-2 (1) (a). [at least annually or when a significant change occurs] CM-2 (1) (b). [to include when directed by Authorizing Official]

CONFIGURATION MANAGEMENT
CM-2 (2) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-2 (3) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS ✓
The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
Supplemental Guidance: Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-2 (7) BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS ✓
The organization:
(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
Supplemental Guidance: When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family. References: NIST Special Publication 800-128.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-3 CONFIGURATION CHANGE CONTROL ✓
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Supplemental Guidance: Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12.
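CM-2, CM-2 (3) and CM-3 f. above describe a baseline configuration, retained previous baselines for rollback, and auditing of changes, but not what a baseline record looks like or how drift against it is found. The shell script below is an added example, not part of the catalog and not NIST, FedRAMP or SCAP tooling: it records a baseline as a sorted SHA-256 manifest of a configuration tree, keeps superseded baselines under a `baseline.N` name for rollback, and reports files added, removed or modified since the current baseline. The directory layout, file contents and the `baseline.N` naming are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the catalog): a minimal baseline-configuration
# workflow for CM-2, CM-2 (3) and CM-3 f. A baseline is a sorted list of
# "<sha256>  <path>" lines for every file under a configuration tree (the same
# format sha256sum -c accepts); promoting a new baseline keeps the previous one
# for rollback; drift_report audits the live tree against the current baseline.
# All paths and file contents below are constructed for the demonstration.
set -eu

# SHA-256 of one file, using whichever digest tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# snapshot_baseline DIR OUT: record every regular file under DIR (paths relative
# to DIR, no spaces assumed), sorted so two snapshots compare line by line.
snapshot_baseline() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
          printf '%s  %s\n' "$(file_sha256 "$f")" "${f#./}"
      done ) > "$2"
}

# promote_baseline NEW STORE: make NEW the current baseline under STORE and keep
# the superseded one as STORE/baseline.N so it can be rolled back to (CM-2 (3)).
promote_baseline() {
    local n=0 b
    for b in "$2"/baseline.*; do [ -e "$b" ] && n=$((n+1)); done
    [ -f "$2/current" ] && mv "$2/current" "$2/baseline.$((n+1))"
    cp "$1" "$2/current"
}

# drift_report BASELINE DIR: list ADDED / REMOVED / MODIFIED files relative to
# BASELINE. Returns 0 when the tree matches and 1 when any drift is found, so it
# can drive an alert or a restore step (the responses CM-6 (2) asks for).
drift_report() {
    local live drift
    live=$(mktemp)
    snapshot_baseline "$2" "$live"
    drift=$(awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
                 { cur[$2] = $1 }
                 END {
                     for (p in base) if (!(p in cur)) printf "REMOVED  %s\n", p
                     for (p in cur)  if (!(p in base)) printf "ADDED    %s\n", p
                     for (p in base) if ((p in cur) && base[p] != cur[p]) printf "MODIFIED %s\n", p
                 }' "$1" "$live" | sort)
    rm -f "$live"
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

demo() {
    local work
    work=$(mktemp -d)
    mkdir -p "$work/etc/ssh" "$work/baselines"
    # constructed configuration tree in its approved state
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$work/etc/ssh/sshd_config"
    printf 'umask 027\n' > "$work/etc/profile"
    snapshot_baseline "$work/etc" "$work/snap.1"
    promote_baseline "$work/snap.1" "$work/baselines"
    # an unrecorded change: root login re-enabled and a preload file dropped in
    printf 'PermitRootLogin yes\nPasswordAuthentication no\n' > "$work/etc/ssh/sshd_config"
    printf '/tmp/libhook.so\n' > "$work/etc/ld.so.preload"
    if drift_report "$work/baselines/current" "$work/etc"; then
        echo "no drift from current baseline"
    else
        echo "drift detected; previous baselines kept in $work/baselines for rollback"
    fi
    rm -rf "$work"
}
demo
```

Against a real host, point snapshot_baseline at /etc as root; because the manifest lines are in sha256sum -c format, `sha256sum -c current` gives the same modified-file check without this script. A content hash catches edits only: ownership and mode changes, which CM-6 also lists as security-related parameters, need a separate record (stat output, or a tool such as AIDE that stores both).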
✓ Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the Authorizing Official.
CM-3e Guidance: In accordance with record retention policies and procedures.
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-3 (1) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES ✓
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
✓ Included in NIST High Baseline, Rev 4
[service provider-defined configuration management approval authorities] [Organization and service provider-agreed upon time period] [service provider-defined configuration management approval authorities]

CONFIGURATION MANAGEMENT
CM-3 (2) CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
Supplemental Guidance: Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems).
✓ Included in NIST High Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-4 SECURITY IMPACT ANALYSIS
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
Supplemental Guidance: Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related controls: CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-4 (1) SECURITY IMPACT ANALYSIS | SEPARATE TEST ENVIRONMENTS
The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
Supplemental Guidance: Separate test environment in this context means an environment that is physically or logically isolated and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not used, organizations determine the strength of mechanism required when implementing logical separation (e.g., separation achieved through virtual machines). Related controls: SA-11, SC-3, SC-7.
✓ Included in NIST High Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-5 ACCESS RESTRICTIONS FOR CHANGE
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
Supplemental Guidance: Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-5 (1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING
The information system enforces access restrictions and supports auditing of the enforcement actions.
Supplemental Guidance: Related controls: AU-2, AU-12, AU-6, CM-3, CM-6.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-5 (2) ACCESS RESTRICTIONS FOR CHANGE | REVIEW SYSTEM CHANGES ✓
The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
Supplemental Guidance: Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process. Related controls: AU-6, AU-7, CM-3, CM-5, PE-6, PE-8.
✓ Included in NIST High Baseline, Rev 4
[at least every 90 days] [any change that affects the defined security posture]

CONFIGURATION MANAGEMENT
CM-5 (3) ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS ✓
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
Supplemental Guidance: Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures, and organizational verification of such signatures, are a method of code authentication. Related controls: CM-7, SC-13, SI-7.
✓ Guidance: If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-5 (5) ACCESS RESTRICTIONS FOR CHANGE | LIMIT PRODUCTION / OPERATIONAL PRIVILEGES ✓
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
Supplemental Guidance: In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases unknown to developers. Related control: AC-2.
✓ CM-5 (5) (b). [at least quarterly] ✓ Included in FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-6 CONFIGURATION SETTINGS ✓
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Supplemental Guidance: Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the system's configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4.
✓ ✓ CM-6a. [United States Government Configuration Baseline (USGCB)]
CM-6a. Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings, or establishes its own configuration settings, if USGCB is not available.
CM-6a. Requirement: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
CM-6a. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-6 (1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION ✓
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
Supplemental Guidance: Related controls: CA-7, CM-4.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-6 (2) CONFIGURATION SETTINGS | RESPOND TO UNAUTHORIZED CHANGES ✓
The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
Supplemental Guidance: Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing. Related controls: IR-4, SI-7.
✓ Included in NIST High Baseline, Rev 4
[service provider-defined security safeguards] [service provider-defined configuration settings]

CONFIGURATION MANAGEMENT
CM-7 LEAST FUNCTIONALITY ✓
The organization:
a. Configures the information system to provide only essential capabilities; and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
Supplemental Guidance: Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related controls: AC-6, CM-2, RA-5, SA-5, SC-7.
✓ ✓ CM-7. [United States Government Configuration Baseline (USGCB)]
CM-7. Requirement: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish the list of prohibited or restricted functions, ports, protocols, and/or services, or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services, if USGCB is not available.
CM-7. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc (Partially derived from AC-17(8).)
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-7 (1) LEAST FUNCTIONALITY | PERIODIC REVIEW ✓
The organization:
(a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
(b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
Supplemental Guidance: The organization can either make a determination of the relative security of the function, port, protocol, and/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols. Related controls: AC-18, CM-7, IA-2.
✓ CM-7 (1). [at least monthly] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-7 (2) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION ✓
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
Supplemental Guidance: Related controls: CM-8, PM-5.
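CM-7 b. and CM-7 (1) above call for reviewing the services a system exposes against an organization-defined list and disabling the unnecessary or nonsecure ones, with the FedRAMP parameter making that review at least monthly. The script below is an added example, not catalog text and not SCAP or USGCB content: it compares a snapshot of listening sockets with an allow list of essential proto/port pairs and a deny list of services that may never be approved, prints a verdict per socket, and exits non-zero when anything else is listening. The socket lines, both lists and the file names are constructed for the demonstration; on a Linux host the snapshot would come from `ss -Hltun | awk '{print $1, $5}'`.

```shell
#!/bin/sh
# Added example (not from the catalog): a least-functionality review for
# CM-7 b. and CM-7 (1). Listening sockets are read from stdin as
# "<proto> <local-address>:<port>" lines, which is what
#     ss -Hltun | awk '{print $1, $5}'
# produces on a Linux host. Each socket is matched, as proto/port, against a
# deny list (nonsecure services that must never be approved) and an allow list
# (the organization-defined essential services); anything else is unauthorized.
# The allow/deny lists and the socket lines below are constructed for the demo.
set -eu

# review_listeners ALLOWLIST DENYLIST < sockets
# Prints one verdict per socket; returns 1 if any socket is not approved.
review_listeners() {
    local allow="$1" deny="$2" proto addr port status rc=0
    while read -r proto addr; do
        [ -n "$proto" ] || continue
        port=${addr##*:}                      # works for 0.0.0.0:22, [::]:22 and *:22
        if grep -qx "$proto/$port" "$deny"; then
            status=PROHIBITED                 # CM-7 (1): nonsecure, disable regardless
        elif grep -qx "$proto/$port" "$allow"; then
            status=approved
        else
            status=UNAUTHORIZED               # CM-7 a.: not an essential capability
        fi
        [ "$status" = approved ] || rc=1
        printf '%-12s %-4s %-6s %s\n' "$status" "$proto" "$port" "$addr"
    done
    return $rc
}

demo() {
    local work
    work=$(mktemp -d)
    printf 'tcp/22\ntcp/443\nudp/123\n' > "$work/allow"   # constructed essential services
    printf 'tcp/21\ntcp/23\n' > "$work/deny"              # constructed never-approved list
    # constructed socket snapshot; on a live host pipe ss(8) output in instead
    if review_listeners "$work/allow" "$work/deny" <<EOF
tcp 0.0.0.0:22
tcp [::]:443
tcp 0.0.0.0:23
tcp 127.0.0.1:6379
udp 0.0.0.0:123
EOF
    then echo "all listeners approved"
    else echo "review found listeners to disable, or to document as deviations under CM-6 c."
    fi
    rm -rf "$work"
}
demo
```

A non-zero exit is the trigger for CM-7 (1) (b): disable the service, or record it as an approved deviation. Sockets bound to 127.0.0.1 are reported like any other, since a local-only service is still a capability the system provides; the review can approve it explicitly rather than have the script hide it.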
✓ CM-7 (2) Guidance: This control shall be implemented in a technical manner on the information system so that only programs that adhere to the policy are allowed to run (i.e., whitelisting). This control is not to be based solely on a written policy stating what is allowed or not allowed to run.
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-7 (5) LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE / WHITELISTING ✓
The organization:
(a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
(c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
Supplemental Guidance: The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup. Related controls: CM-2, CM-6, CM-8, PM-5, SA-10, SC-34, SI-7. References: DoD Instruction 8551.01.
✓ CM-7 (5) (c). [at least annually or when there is a change] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
CM-7 (5) (c). [at least quarterly or when there is a change]

CONFIGURATION MANAGEMENT
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY ✓
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
Supplemental Guidance: Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5.
✓ ✓ CM-8b. [at least monthly] CM-8 Requirement: must be provided at least monthly or when there is a change. ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT
CM-8 (2) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
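CM-5 (3), CM-7 (2) and CM-7 (5) above require that components be installed or executed only after integrity verification under a deny-all, permit-by-exception list, and the FedRAMP guidance on CM-5 (3) allows hashes where signatures are unavailable. The script below is an added example, not catalog text: an approved-software manifest of SHA-256 hashes, an approve step that adds the single exception, a check that denies anything unlisted or whose hash no longer matches, and a wrapper that executes a program only after the check passes. The program names, their contents and the manifest path are constructed for the demonstration; where a vendor signature exists, the approve step is assumed to run only after that signature has been verified (for example with `rpm -K` or `gpg --verify`), so the manifest pins what was verified.

```shell
#!/bin/sh
# Added example (not from the catalog): a deny-all, permit-by-exception software
# check for CM-7 (5), which also gives CM-5 (3) its hash-based fallback and
# CM-7 (2) a technical (not paper) gate. The manifest holds one
# "<sha256>  <absolute-path>" line per approved program; a program is permitted
# only when it is listed AND its current hash matches, so unlisted or tampered
# programs are refused. Paths and file contents below are constructed for the
# demonstration; paths are assumed to contain no spaces.
set -eu

# SHA-256 of one file, using whichever digest tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# approve_component MANIFEST PATH: record PATH's current hash. This is the
# controlled, reviewed step that adds an exception to the deny-all default; run
# it only after the vendor signature check or review has passed.
approve_component() {
    printf '%s  %s\n' "$(file_sha256 "$2")" "$2" >> "$1"
}

# check_component MANIFEST PATH: print a verdict; return 0 only when permitted.
check_component() {
    local expected actual
    expected=$(awk -v p="$2" '$2 == p { print $1; exit }' "$1")
    if [ -z "$expected" ]; then
        printf 'DENY    %s: not in the approved-software manifest\n' "$2"
        return 1
    fi
    actual=$(file_sha256 "$2")
    if [ "$actual" != "$expected" ]; then
        printf 'DENY    %s: hash mismatch (approved %s, found %s)\n' "$2" "$expected" "$actual"
        return 1
    fi
    printf 'PERMIT  %s\n' "$2"
}

# run_if_approved MANIFEST PATH [ARGS...]: execute PATH only after it passes
# (the "verification prior to execution" of CM-7 (5)).
run_if_approved() {
    local manifest="$1" path="$2"
    shift 2
    check_component "$manifest" "$path" >/dev/null || return 1
    "$path" "$@"
}

demo() {
    local work
    work=$(mktemp -d)
    : > "$work/manifest"
    printf '#!/bin/sh\necho "backup ran as approved"\n' > "$work/backup.sh"
    printf '#!/bin/sh\necho "this should never run"\n' > "$work/dropper.sh"
    chmod 0755 "$work/backup.sh" "$work/dropper.sh"
    approve_component "$work/manifest" "$work/backup.sh"          # reviewed and approved
    run_if_approved "$work/manifest" "$work/backup.sh" || echo "refused: $work/backup.sh"
    run_if_approved "$work/manifest" "$work/dropper.sh" || echo "refused: $work/dropper.sh (not approved)"
    printf '#!/bin/sh\necho "tampered backup"\n' > "$work/backup.sh"   # modified after approval
    check_component "$work/manifest" "$work/backup.sh" || echo "refused after tampering"
    rm -rf "$work"
}
demo
```

The check is only as strong as the approve step and the manifest's own protection: add a program only after its signature or review has passed, and keep the manifest under the CM-5 access restrictions so that whoever can replace a binary cannot also re-approve it. Matching on the exact path in awk is why paths with spaces need a different manifest format.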
Supplemental Guidance: Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to- date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related control: SI-7. ü Included in NIST High Baseline, Rev 4 CONFIGURATION MANAGEMENT CM-8 (3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION ü The organization: (a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]. Supplemental Guidance: This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing. Related controls: AC-17, AC-18, AC-19, CA-7, SI-3, SI-4, SI-7, RA-5. ü CM-8 (3) (a). [Continuously, using automated mechanisms with a maximum five-minute delay in detection.] 
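The CM-7(5) guidance above (deny-all, permit-by-exception, with allowlisted programs verified by cryptographic hash before execution or at startup) and the CM-8(3)(a) requirement (automated detection of unauthorized components) are both mechanical checks that can be shown in code. The following is an added example written for this page; it is not part of the NIST/FedRAMP control text and not code from the scap-security-guide project. The manifest format (relative path to SHA-256 hex digest), the directory layout and the sample files are constructed assumptions; a real deployment would source the manifest from a signed, change-controlled inventory and run the sweep on the CM-8(3)(a) schedule.

```python
"""Deny-all, permit-by-exception software allowlist with integrity checks.

Added example; it is not part of the NIST/FedRAMP control text or of the
scap-security-guide project. It demonstrates the CM-7(5) supplemental
guidance (verify allowlisted programs by cryptographic hash, before
execution or at startup) and CM-8(3)(a) (automated detection of
unauthorized or modified components). The manifest format, directory
layout and sample files are assumptions constructed for the example.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, authorized):
    """Record the approved digest of each authorized program (relative path -> hex)."""
    return {rel: sha256_file(Path(root) / rel) for rel in authorized}


def is_authorized(manifest, root, rel):
    """CM-7(5) pre-execution gate: unlisted -> deny; listed but digest differs -> deny."""
    expected = manifest.get(rel)
    if expected is None:
        return False
    target = Path(root) / rel
    if not target.is_file():
        return False
    return hmac.compare_digest(sha256_file(target), expected)


def scan(manifest, root):
    """CM-8(3)(a) sweep: classify every file under root against the manifest."""
    findings = {"ok": [], "unauthorized": [], "tampered": [], "missing": []}
    seen = set()
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            findings["unauthorized"].append(rel)       # present but never approved
        elif not hmac.compare_digest(sha256_file(p), manifest[rel]):
            findings["tampered"].append(rel)           # approved, but content changed
        else:
            findings["ok"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)  # approved, but no longer present
    for key in findings:
        findings[key].sort()
    return findings


def demo():
    """Constructed scenario in a temporary directory; returns what the checks decided."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "bin"
        bin_dir.mkdir()
        # Baseline: two approved programs (contents are placeholders, not real binaries).
        (bin_dir / "approved-tool").write_bytes(b"#!/bin/sh\necho approved\n")
        (bin_dir / "agent").write_bytes(b"\x7fELF constructed agent v1")
        manifest = build_manifest(root, ["bin/approved-tool", "bin/agent"])
        # Drift after the baseline was taken: one approved file is modified,
        # one unlisted file appears.
        (bin_dir / "agent").write_bytes(b"\x7fELF constructed agent v1 + patch")
        (bin_dir / "dropper").write_bytes(b"unlisted payload")
        decisions = {
            rel: is_authorized(manifest, root, rel)
            for rel in ["bin/approved-tool", "bin/agent", "bin/dropper", "bin/absent"]
        }
        return {"decisions": decisions, "findings": scan(manifest, root)}


if __name__ == "__main__":
    print(demo())
```

The gate and the sweep deliberately share one manifest and one digest routine: a file that the pre-execution check would refuse is exactly a file the periodic sweep reports as unauthorized or tampered, which is what keeps the CM-7(5) allowlist and the CM-8 inventory from drifting apart.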
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT CM-8 (4) INFORMATION SYSTEM COMPONENT INVENTORY | ACCOUNTABILITY INFORMATION
✓ The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.
Supplemental Guidance: Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated).
✓ Included in NIST High Baseline, Rev 4
[position and role]

CONFIGURATION MANAGEMENT CM-8 (5) INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories.
Supplemental Guidance: This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT CM-9 CONFIGURATION MANAGEMENT PLAN
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.
Supplemental Guidance: Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT CM-10 SOFTWARE USAGE RESTRICTIONS
The organization:
a. Uses software and associated documentation in accordance with contract agreements and copyright laws;
b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Supplemental Guidance: Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs. Related controls: AC-17, CM-8, SC-7.
References: None.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT CM-10 (1) SOFTWARE USAGE RESTRICTIONS | OPEN SOURCE SOFTWARE
✓ The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions].
Supplemental Guidance: Open source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open source software is that it provides organizations with the ability to examine the source code. However, there are also various licensing issues associated with open source software including, for example, the constraints on derivative use of such software.
✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT CM-11 USER-INSTALLED SOFTWARE
✓ The organization:
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].
Supplemental Guidance: If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved "app stores." Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both. Related controls: AC-3, CM-2, CM-3, CM-5, CM-6, CM-7, PL-4.
✓ ✓ CM-11.c. [Continuously (via CM-7 (5))]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONFIGURATION MANAGEMENT CM-11 (1) USER-INSTALLED SOFTWARE | ALERTS FOR UNAUTHORIZED INSTALLATIONS
✓ The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.
Supplemental Guidance: Related controls: CA-7, SI-4.
✓ NEED. High-impact systems will require special measures to ensure users cannot place the overall system at risk by installing unauthorized software. This control supports that need.
ANALYSIS. Implementation of these controls is well understood, and relies on capabilities provided in COTS operating systems.
SAMPLE THREAT VECTORS. The system executes malicious and harmful software. Software updates could render the system unstable or cause it to function incorrectly. Software is not designed with adequate safeguards to protect PII and other sensitive information. Users could make mistakes in following policy. Users could intentionally install unapproved/unvetted software.
RELEVANT SECURITY CONTROL ATTRIBUTES. Quality Assured, Substantiated Integrity, Maintainable, Testable, Configuration Managed, Change Managed, Supported, Assessed, Auditable, Authorized, Regulated, Enforcement, Controlled, Reliable, Providing Good Data Stewardship, Assured, Confidential, Access-Controlled
[service provider-defined personnel or roles]

CONTINGENCY PLANNING CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
✓ The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
b. Reviews and updates the current:
1. Contingency planning policy [Assignment: organization-defined frequency]; and
2. Contingency planning procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: Federal Continuity Directive 1; NIST Special Publications 800-12, 800-34, 800-100.
✓ ✓ CP-1.b.1 [at least every 3 years] CP-1.b.2 [at least annually]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
CP-1.b.1 [at least annually] CP-1.b.2 [at least annually]

CONTINGENCY PLANNING CP-2 CONTINGENCY PLAN
✓ The organization:
a. Develops a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
g. Protects the contingency plan from unauthorized disclosure and modification.
Supplemental Guidance: Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired.
Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5, PM-8, PM-11.
✓ ✓ CP-2d. [at least annually]
Requirement: For JAB authorizations the contingency lists include designated FedRAMP personnel.
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONTINGENCY PLANNING CP-9 (1) INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY
✓ The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
Supplemental Guidance: Related control: CP-4.
✓ CP-9 (1). [at least annually]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
CP-9 (1). [at least monthly]

CONTINGENCY PLANNING CP-9 (2) INFORMATION SYSTEM BACKUP | TEST RESTORATION USING SAMPLING
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
Supplemental Guidance: Related control: CP-4.
✓ Included in NIST High Baseline, Rev 4

CONTINGENCY PLANNING CP-9 (3) INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION
✓ The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
Supplemental Guidance: Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations. Related controls: CM-2, CM-8.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONTINGENCY PLANNING CP-9 (5) INFORMATION SYSTEM BACKUP | TRANSFER TO ALTERNATE STORAGE SITE
✓ The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
Supplemental Guidance: Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media.
✓ Included in NIST High Baseline, Rev 4
[time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA]

CONTINGENCY PLANNING CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
Supplemental Guidance: Recovery is executing information system contingency plan activities to restore organizational missions/business functions.
Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures. Related controls: CA-2, CA-6, CA-7, CP-2, CP-6, CP-7, CP-9, SC-24.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONTINGENCY PLANNING CP-10 (2) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY
The information system implements transaction recovery for systems that are transaction-based.
Supplemental Guidance: Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

CONTINGENCY PLANNING CP-10 (4) INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | RESTORE WITHIN TIME PERIOD
✓ The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
Supplemental Guidance: Restoration of information system components includes, for example, reimaging which restores components to known, operational states. Related control: CM-2.
✓ Included in NIST High Baseline, Rev 4
[time period consistent with the restoration time-periods defined in the service provider and organization SLA]

IDENTIFICATION AND AUTHENTICATION IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
✓ The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
b. Reviews and updates the current:
1. Identification and authentication policy [Assignment: organization-defined frequency]; and
2. Identification and authentication procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed.
The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: FIPS Publication 201; NIST Special Publications 800-12, 800-63, 800-73, 800-76, 800-78, 800-100.
✓ ✓ IA-1.b.1 [at least every 3 years] IA-1.b.2 [at least annually]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
IA-1.b.1 [at least annually] IA-1.b.2 [at least every six months]

IDENTIFICATION AND AUTHENTICATION IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Supplemental Guidance: Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or, in the case of multifactor authentication, some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8. Related controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-2 (1) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS
The information system implements multifactor authentication for network access to privileged accounts.
Supplemental Guidance: Related control: AC-6.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-2 (2) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS
The information system implements multifactor authentication for network access to non-privileged accounts.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-2 (3) IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO PRIVILEGED ACCOUNTS
The information system implements multifactor authentication for local access to privileged accounts.
Supplemental Guidance: Related control: AC-6.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-2 (4) IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS
The information system implements multifactor authentication for local access to non-privileged accounts.
✓ Included in NIST High Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-2 (5) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | GROUP AUTHENTICATION
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
Supplemental Guidance: Requiring individuals to use individual authenticators as a second level of authentication helps organizations to mitigate the risk of using group authenticators.
✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-2 (8) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
Supplemental Guidance: Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-2 (9) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
Supplemental Guidance: Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.
✓ Included in NIST High Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-2 (11) IDENTIFICATION AND AUTHENTICATION | REMOTE ACCESS - SEPARATE DEVICE
✓ The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
Supplemental Guidance: For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6.
✓ PIV = separate device
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
[FIPS 140-2, NIAP Certification, or NSA approval]

IDENTIFICATION AND AUTHENTICATION IA-2 (12) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
Supplemental Guidance: This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4.
✓ ✓ Guidance: Include Common Access Card (CAC), i.e., the DoD technical implementation of PIV/FIPS 201/HSPD-12.
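The IA-2(8) and IA-2(9) guidance above names nonce- or challenge-based protocols and one-time authenticators as replay-resistant mechanisms. The following added example shows why a server-issued, single-use nonce defeats a replayed authentication message while a static credential does not. It is written for this page and is not part of the NIST/FedRAMP control text or the scap-security-guide project; the user store, the shared secret, the message layout, the 30-second challenge lifetime and the injectable clock are assumptions made so the exchange runs offline.

```python
"""Replay-resistant network authentication via HMAC challenge-response.

Added example; it is not part of the NIST/FedRAMP control text or of the
scap-security-guide project. It demonstrates the IA-2(8)/(9) supplemental
guidance: a protocol whose authentication message is bound to a fresh,
single-use server nonce cannot be satisfied by replaying a captured
message, whereas a static credential can. The user store, shared secret,
message layout and 30-second challenge lifetime are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30.0  # seconds a challenge stays valid (assumed value)


def compute_response(key, user, nonce):
    """Client side: the response is an HMAC over the user and this exact nonce."""
    msg = b"auth-v1|" + user.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    def __init__(self, keys, now=time.time):
        self.keys = keys        # user -> shared secret (constructed store)
        self.pending = {}       # nonce -> (user, issued_at) for unanswered challenges
        self.now = now          # injectable clock so expiry can be demonstrated

    def _purge(self):
        """Drop challenges past their lifetime so the pending table cannot grow unbounded."""
        cutoff = self.now() - CHALLENGE_TTL
        self.pending = {n: e for n, e in self.pending.items() if e[1] >= cutoff}

    def issue_challenge(self, user):
        """Step 1: send a fresh, unpredictable nonce; remember it until answered."""
        if user not in self.keys:
            return None
        self._purge()
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (user, self.now())
        return nonce

    def verify(self, user, nonce, response):
        """Step 2: accept only a correct answer to a live, never-before-used challenge."""
        entry = self.pending.pop(nonce, None)   # consume: each nonce answers at most once
        if entry is None:
            return False                        # unknown, expired-and-purged, or replayed
        issued_user, issued_at = entry
        if issued_user != user or self.now() - issued_at > CHALLENGE_TTL:
            return False
        expected = compute_response(self.keys[user], user, nonce)
        return hmac.compare_digest(expected, response)


def static_verify(stored, presented):
    """Non-replay-resistant baseline: a captured static credential works every time."""
    return hmac.compare_digest(stored, presented)


def demo():
    """Run the exchanges and return each outcome (True = authentication accepted)."""
    secret = b"constructed-shared-secret"
    clock = [1_700_000_000.0]
    srv = Server({"alice": secret}, now=lambda: clock[0])

    # Legitimate login: fresh challenge, correct response.
    n1 = srv.issue_challenge("alice")
    r1 = compute_response(secret, "alice", n1)
    first = srv.verify("alice", n1, r1)

    # An eavesdropper replays the captured (nonce, response) pair.
    replay = srv.verify("alice", n1, r1)

    # The eavesdropper tries the captured response against a new challenge.
    n2 = srv.issue_challenge("alice")
    wrong_challenge = srv.verify("alice", n2, r1)

    # A correct response arriving after the challenge lifetime is rejected.
    n3 = srv.issue_challenge("alice")
    clock[0] += CHALLENGE_TTL + 1
    stale = srv.verify("alice", n3, compute_response(secret, "alice", n3))

    # Contrast: a captured static credential authenticates again and again.
    static_replay = static_verify(b"hunter2", b"hunter2") and static_verify(b"hunter2", b"hunter2")

    return {"first": first, "replay": replay, "wrong_challenge": wrong_challenge,
            "stale": stale, "static_replay": static_replay}


if __name__ == "__main__":
    print(demo())
```

The two properties that matter are that the nonce is consumed on first use (so the identical message is rejected the second time) and that the response is a keyed function of that nonce (so a captured response is useless against any other challenge); the lifetime check bounds how long a captured challenge remains answerable at all. Time-synchronous one-time authenticators reach the same result by substituting a time step for the server nonce, with the same rule that a code is accepted at most once.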
ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 IDENTIFICATION AND AUTHENTICATION IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION ü The information system uniquely identifies and authenticates [Assignment: organization- defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection. Supplemental Guidance: Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify/authenticate devices on local and/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability. Related controls: AC-17, AC-18, AC-19, CA-3, IA-4, IA-5. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 IDENTIFICATION AND AUTHENTICATION IA-4 IDENTIFIER MANAGEMENT ü The organization manages information system identifiers by: a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier; b. Selecting an identifier that identifies an individual, group, role, or device; c. Assigning the identifier to the intended individual, group, role, or device; d. 
Preventing reuse of identifiers for [Assignment: organization-defined time period]; and e. Disabling the identifier after [Assignment: organization-defined time period of inactivity]. Supplemental Guidance: Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices. Related controls: AC-2, IA-2, IA-3, IA-5, IA-8, SC-37. ü ü IA-4d. [at least two years] IA-4e. [ninety days for user identifiers] (See additional requirements and guidance.) IA-4e. Requirement: The service provider defines time period of inactivity for device identifiers. ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 IDENTIFICATION AND AUTHENTICATION IA-4 (4) IDENTIFIER MANAGEMENT | IDENTIFY USER STATUS ü The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]. Supplemental Guidance: Characteristics identifying the status of individuals include, for example, contractors and foreign nationals. 
Identifying the status of individuals by specific characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor. Related control: AT-2. ü IA-4 (4). [contractors; foreign nationals] ü Included in FedRAMP Moderate Baseline, Rev 4 IDENTIFICATION AND AUTHENTICATION IA-5 AUTHENTICATOR MANAGEMENT ü The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes. Supplemental Guidance: Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). 
In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4, IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28. ü ü IA-5g. 
[to include sixty days for passwords] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 IDENTIFICATION AND AUTHENTICATION IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION ü The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. ü ü "IA-5 (1) (a). 
[case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters] IA-5 (1) (b). [at least one] IA-5 (1) (d). [one day minimum, sixty day maximum] IA-5 (1) (e). [twenty four]" ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 "IA-5 (1) (a). [case sensitive, minimum of fifteen characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters] IA-5 (1) (b). [at least 50%] IA-5 (1) (d). [one day minimum, sixty day maximum] IA-5 (1) (e). [twenty four]" IDENTIFICATION AND AUTHENTICATION IA-5 (2) AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION The information system, for PKI-based authentication: (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; (b) Enforces authorized access to the corresponding private key; (c) Maps the authenticated identity to the account of the individual or group; and (d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. Supplemental Guidance: Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. 
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-5 (3) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
IA-5 (3). [All hardware/biometric (multifactor) authenticators] [in person]
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-5 (4) AUTHENTICATOR MANAGEMENT | AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5.
IA-4e Additional FedRAMP Requirements and Guidance: Guidance: If automated mechanisms which enforce password authenticator strength at creation are not used, automated mechanisms must be used to audit strength of created password authenticators
Included in FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-5 (6) AUTHENTICATOR MANAGEMENT | PROTECTION OF AUTHENTICATORS
The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access.
Supplemental Guidance: For information systems containing multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems.
Included in FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-5 (7) AUTHENTICATOR MANAGEMENT | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.
Supplemental Guidance: Organizations exercise caution in determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password).
Included in FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-5 (8) AUTHENTICATOR MANAGEMENT | MULTIPLE INFORMATION SYSTEM ACCOUNTS
The organization implements [Assignment: organization-defined security safeguards] to manage the risk of compromise due to individuals having accounts on multiple information systems.
Supplemental Guidance: When individuals have accounts on multiple information systems, there is the risk that the compromise of one account may lead to the compromise of other accounts if individuals use the same authenticators. Possible alternatives include, for example: (i) having different authenticators on all systems; (ii) employing some form of single sign-on mechanism; or (iii) including some form of one-time passwords on all systems.
NEED. In those cases where an organization’s user accounts authenticate to more than one system, and at least one of those systems is a high-impact system implemented in a shared-service environment, then this control is warranted as a baseline capability to guard against loss of high-impact, sensitive information.
ANALYSIS. Organizations can use COTS tools and techniques to implement this control in many ways. Agencies should be prepared to document their plan and approach to this control technique.
THREAT VECTORS ADDRESSED. A user’s account password is cracked, permitting attackers to identify all systems to which the user has access, and to gain access to the information in those systems.
RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Assessed
[different authenticators on all system]

IDENTIFICATION AND AUTHENTICATION IA-5 (11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION
The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
Supplemental Guidance: Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-6 AUTHENTICATOR FEEDBACK
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Supplemental Guidance: The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it. Related control: PE-18.
Control Enhancements: None.
References: None.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
Supplemental Guidance: Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role. Related controls: SC-12, SC-13.
Control Enhancements: None.
References: FIPS Publication 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
Supplemental Guidance: Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users. Related controls: AC-2, AC-14, AC-17, AC-18, IA-2, IA-4, IA-5, MA-4, RA-3, SA-12, SC-8.
PMO guidance on (1,2,3,4) supported, but not requirement to implement (CIS/CTW)
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-8 (1) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES
The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
Supplemental Guidance: This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-8 (2) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF THIRD-PARTY CREDENTIALS
The information system accepts only FICAM-approved third-party credentials.
Supplemental Guidance: This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels. Related control: AU-2.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-8 (3) IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-APPROVED PRODUCTS
The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.
Supplemental Guidance: This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program. Related control: SA-4.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

IDENTIFICATION AND AUTHENTICATION IA-8 (4) IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-ISSUED PROFILES
The information system conforms to FICAM-issued profiles.
Supplemental Guidance: This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange). Related control: SA-4.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
b. Reviews and updates the current:
1. Incident response policy [Assignment: organization-defined frequency]; and
2. Incident response procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-61, 800-83, 800-100.
IR-1.b.1 [at least every 3 years]
IR-1.b.2 [at least annually]
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
IR-1.b.1 [at least annually]
IR-1.b.2 [at least every six months]

INCIDENT RESPONSE IR-2 INCIDENT RESPONSE TRAINING
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.
Supplemental Guidance: Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources. Related controls: AT-3, CP-3, IR-8.
IR-2b. [at least annually]
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
IR-2a. [within 10 days]
IR-2c. [at least annually]

INCIDENT RESPONSE IR-2 (1) INCIDENT RESPONSE TRAINING | SIMULATED EVENTS
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
Included in NIST High Baseline, Rev 4

INCIDENT RESPONSE IR-2 (2) INCIDENT RESPONSE TRAINING | AUTOMATED TRAINING ENVIRONMENTS
The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
References: NIST Special Publications 800-16, 800-50.
Included in NIST High Baseline, Rev 4

INCIDENT RESPONSE IR-3 INCIDENT RESPONSE TESTING
The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
Supplemental Guidance: Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response. Related controls: CP-4, IR-8.
IR-3. [at least annually]
IR-3. Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended).
Requirement: For JAB Authorization, the service provider provides test plans to the Authorizing Official (AO) annually.
Requirement: Test plans are approved and accepted by the Authorizing Official prior to test commencing.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-3 (2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS
The organization coordinates incident response testing with organizational elements responsible for related plans.
Supplemental Guidance: Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans.
References: NIST Special Publications 800-84, 800-115.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-4 INCIDENT HANDLING
The organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
Supplemental Guidance: Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7.
IR-4/A13. Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-4 (1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES
The organization employs automated mechanisms to support the incident handling process.
Supplemental Guidance: Automated mechanisms supporting incident handling processes include, for example, online incident management systems.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-4 (2) INCIDENT HANDLING | DYNAMIC RECONFIGURATION
The organization includes dynamic reconfiguration of [Assignment: organization-defined information system components] as part of the incident response capability.
Supplemental Guidance: Dynamic reconfiguration includes, for example, changes to router rules, access control lists, intrusion detection/prevention system parameters, and filter rules for firewalls and gateways. Organizations perform dynamic reconfiguration of information systems, for example, to stop attacks, to misdirect attackers, and to isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include time frames for achieving the reconfiguration of information systems in the definition of the reconfiguration capability, considering the potential need for rapid response in order to effectively address sophisticated cyber threats. Related controls: AC-2, AC-4, AC-16, CM-2, CM-3, CM-4.
NEED. Organization requires near real-time subsystem reconfiguration for high-impact systems, especially those deployed wholly or partially into shared-service environments. This dynamic reconfiguration is required for core infrastructure components such as routers, firewalls, messaging gateways, or access control/authentication servers, especially when these core components are under cyber-attack.
ANALYSIS. These critical cyber controls are well understood, and to some extent their automated capability has been established. Other aspects still require human decisions. The implementation time and cost depend on the degree of automation required by the organization. Since this technology area is rapidly changing to meet new cyber-threat scenarios, it is expected that implementation of this control will be subject to significant change for the foreseeable future. Even so, its technology advantages are clear, especially for high-impact systems infrastructure.
SAMPLE THREAT VECTORS. System does not have error-correcting or self-recovery capabilities. The system is not designed to allow for quick remediation of threats that will impact the system.
RELEVANT SECURITY CONTROL ATTRIBUTES. Survivability, Absorptive, Adaptive, Restorative
[all network, data storage, and computing devices]

INCIDENT RESPONSE IR-4 (3) INCIDENT HANDLING | CONTINUITY OF OPERATIONS
The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
Supplemental Guidance: Classes of incidents include, for example, malfunctions due to design/implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Appropriate incident response actions include, for example, graceful degradation, information system shutdown, fall back to manual mode/alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved solely for when systems are under attack.
NEED. Due to the direct connection between system function and critical mission/business capability, the organization determines that the system requires Continuity-of-Operations (COOP) controls or basic Disaster-Recovery (DR) defensive controls.
ANALYSIS. These critical cyber controls are well understood, and to some extent their automated capability has been established. Other aspects still require human decisions. The implementation time and cost depend on the degree of automation required by the organization. Since this technology area is rapidly changing to meet new cyber-threat scenarios and also changes in subsystem technology, it is expected that implementation of this control will be subject to significant change for the foreseeable future. Even so, its technology advantages are fundamental, especially for high-impact systems infrastructure.
SAMPLE THREAT VECTORS. The system does not have error-correcting or self-recovery capabilities. The system is not designed to allow for quick remediation of threats that will impact the system. Time does not allow for the design in error handling, self-recovery, or to capitalize on system diversity to restore a system. Also, the organization lacks the expertise to develop or implement a plan for restoring system. A malicious change may be implemented to counter the ability to restore the system.
RELEVANT SECURITY CONTROL ATTRIBUTES. Survivability, Absorptive, Adaptive, Restorative
[organization and service provider-defined classes of incidents] [organization and service provider-defined actions to take in response to classes of incidents]

INCIDENT RESPONSE IR-4 (4) INCIDENT HANDLING | INFORMATION CORRELATION
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
Supplemental Guidance: Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations.
Included in NIST High Baseline, Rev 4

INCIDENT RESPONSE IR-4 (6) INCIDENT HANDLING | INSIDER THREATS - SPECIFIC CAPABILITIES
The organization implements incident handling capability for insider threats.
Supplemental Guidance: While many organizations address insider threat incidents as an inherent part of their organizational incident response capability, this control enhancement provides additional emphasis on this type of threat and the need for specific incident handling capabilities (as defined within organizations) to provide appropriate and timely responses.
NEED. High-impact systems will require special measures to ensure security incidents are correctly and effectively handled in a timely manner. This high-level control supports that need, and is therefore warranted as a baseline for high-impact systems in shared-service environments.
ANALYSIS. Implementation of this general control is well understood among Departments and Agencies. However, it may require special funding and time to implement in a shared service environment, where response roles and responsibilities demand vigilant analysis and definition.
SAMPLE THREAT VECTORS. Insiders gain access to information for which they have no authorization.
Insiders push sensitive information to outside networks not authorized to receive it. Insiders violate agency information-security policies. Insider actions are not monitored. RELEVANT SECURITY CONTROL ATTRIBUTES. Agile, Owned, Enforcement INCIDENT RESPONSE IR-5 INCIDENT MONITORING The organization tracks and documents information system security incidents. Supplemental Guidance: Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user/administrator reports. Related controls: AU-6, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4, SI-7. ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 INCIDENT RESPONSE IR-5 (1) INCIDENT MONITORING | AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. Supplemental Guidance: Automated mechanisms for tracking security incidents and collecting/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents. Related controls: AU-7, IR-4. References: NIST Special Publication 800-61. ü Included in NIST High Baseline, Rev 4 INCIDENT RESPONSE IR-6 INCIDENT REPORTING ü The organization: a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and b. Reports security incident information to [Assignment: organization-defined authorities]. 
Supplemental Guidance: The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling. Related controls: IR-4, IR-5, IR-8. ✓ ✓ IR-6a. [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)] Requirement: Reports security incident information according to the FedRAMP Incident Communications Procedure. ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-6 (1) INCIDENT REPORTING | AUTOMATED REPORTING
The organization employs automated mechanisms to assist in the reporting of security incidents. Supplemental Guidance: Related control: IR-7. ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-7 INCIDENT RESPONSE ASSISTANCE
The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents. Supplemental Guidance: Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required. Related controls: AT-2, IR-4, IR-6, IR-8, SA-9. ✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-7 (1) INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT
The organization employs automated mechanisms to increase the availability of incident response-related information and support. Supplemental Guidance: Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support. ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-7 (2) INCIDENT RESPONSE ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS
The organization: (a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and (b) Identifies organizational incident response team members to the external providers. Supplemental Guidance: External providers of information system protection capability include, for example, the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. ✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-8 INCIDENT RESPONSE PLAN ✓
The organization: a. Develops an incident response plan that: 1. Provides the organization with a roadmap for implementing its incident response capability; 2. Describes the structure and organization of the incident response capability; 3. Provides a high-level approach for how the incident response capability fits into the overall organization; 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring the incident response capability within the organization; 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; c. Reviews the incident response plan [Assignment: organization-defined frequency]; d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; e. Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and f. Protects the incident response plan from unauthorized disclosure and modification. Supplemental Guidance: It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities.
As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems. Related controls: MP-2, MP-4, MP-5. Control Enhancements: None. References: NIST Special Publication 800-61. ✓ ✓ IR-8c. [at least annually] IR-8(b) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel. IR-8(e) Additional FedRAMP Requirements and Guidance: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel. ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-9 INFORMATION SPILLAGE RESPONSE ✓
The organization responds to information spills by: a. Identifying the specific information involved in the information system contamination; b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill; c. Isolating the contaminated information system or system component; d. Eradicating the information from the contaminated information system or component; e. Identifying other information systems or system components that may have been subsequently contaminated; and f. Performing other [Assignment: organization-defined actions]. Supplemental Guidance: Information spillage refers to instances where either classified or sensitive information is inadvertently placed on information systems that are not authorized to process such information. Such information spills often occur when information that is initially thought to be of lower sensitivity is transmitted to an information system and then is subsequently determined to be of higher sensitivity. At that point, corrective action is required. The nature of the organizational response is generally based upon the degree of sensitivity of the spilled information (e.g., security category or classification level), the security capabilities of the information system, the specific nature of contaminated storage media, and the access authorizations (e.g., security clearances) of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill, to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated. ✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-9 (1) INFORMATION SPILLAGE RESPONSE | RESPONSIBLE PERSONNEL ✓
The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills. ✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-9 (2) INFORMATION SPILLAGE RESPONSE | TRAINING ✓
The organization provides information spillage response training [Assignment: organization-defined frequency]. ✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4 [at least annually]

INCIDENT RESPONSE IR-9 (3) INFORMATION SPILLAGE RESPONSE | POST-SPILL OPERATIONS ✓
The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions. Supplemental Guidance: Corrective actions for information systems contaminated due to information spillages may be very time-consuming. During those periods, personnel may not have access to the contaminated systems, which may potentially affect their ability to conduct organizational business. ✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

INCIDENT RESPONSE IR-9 (4) INFORMATION SPILLAGE RESPONSE | EXPOSURE TO UNAUTHORIZED PERSONNEL ✓
The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations. Supplemental Guidance: Security safeguards include, for example, making personnel exposed to spilled information aware of the federal laws, directives, policies, and/or regulations regarding the information and the restrictions imposed based on exposure to such information. ✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

MAINTENANCE MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES ✓
The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and 2. System maintenance procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or, conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-100. ✓ ✓ MA-1.b.1 [at least every 3 years] MA-1.b.2 [at least annually] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 MA-1.b.1 [at least annually] MA-1.b.2 [at least every six months]

MAINTENANCE MA-2 CONTROLLED MAINTENANCE ✓
The organization: a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. Supplemental Guidance: This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and/or data/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems. Related controls: CM-3, CM-4, MA-4, MP-6, PE-16, SA-12, SI-2. ✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

MAINTENANCE MA-2 (2) CONTROLLED MAINTENANCE | AUTOMATED MAINTENANCE ACTIVITIES
The organization: (a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and (b) Produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed. Supplemental Guidance: Related controls: CA-7, MA-3. References: None. ✓ Included in NIST High Baseline, Rev 4

MAINTENANCE MA-3 MAINTENANCE TOOLS
The organization approves, controls, and monitors information system maintenance tools. Supplemental Guidance: This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware/software diagnostic test equipment and hardware/software packet sniffers. This control does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig,” or the hardware and software implementing the monitoring port of an Ethernet switch. Related controls: MA-2, MA-5, MP-6. ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

MAINTENANCE MA-3 (1) MAINTENANCE TOOLS | INSPECT TOOLS
The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. Supplemental Guidance: If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling. Related control: SI-7. ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

MAINTENANCE MA-3 (2) MAINTENANCE TOOLS | INSPECT MEDIA
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. Supplemental Guidance: If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. Related control: SI-3. ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

MAINTENANCE MA-3 (3) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL ✓
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by: (a) Verifying that there is no organizational information contained on the equipment; (b) Sanitizing or destroying the equipment; (c) Retaining the equipment within the facility; or (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility. Supplemental Guidance: Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards. ✓ MA-3 (3) (d). [the information owner explicitly authorizing removal of the equipment from the facility] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

MAINTENANCE MA-4 NONLOCAL MAINTENANCE
The organization: a. Approves and monitors nonlocal maintenance and diagnostic activities; b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; d. Maintains records for nonlocal maintenance and diagnostic activities; and e. Terminates session and network connections when nonlocal maintenance is completed. Supplemental Guidance: Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls. Related controls: AC-2, AC-3, AC-6, AC-17, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-7, SC-10, SC-17. ✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

MAINTENANCE MA-4 (2) NONLOCAL MAINTENANCE | DOCUMENT NONLOCAL MAINTENANCE
The organization documents in the security plan for the information system the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

MAINTENANCE MA-4 (3) NONLOCAL MAINTENANCE | COMPARABLE SECURITY / SANITIZATION
The organization: (a) Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or (b) Removes the component to be serviced from the information system and, prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system. Supplemental Guidance: Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced. Related controls: MA-3, SA-12, SI-3, SI-7. ✓ Included in NIST High Baseline, Rev 4

MAINTENANCE MA-5 MAINTENANCE PERSONNEL
The organization: a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. Supplemental Guidance: This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods. Related controls: AC-2, IA-8, MP-2, PE-2, PE-3, PE-4, RA-3. ✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

MAINTENANCE MA-5 (1) MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS
The organization: (a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances, or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and (b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system. Supplemental Guidance: This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems. Related controls: MP-6, PL-2. ✓ Requirement: Only MA-5 (1)(a)(1) is required by the FedRAMP Moderate Baseline ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

MAINTENANCE MA-6 TIMELY MAINTENANCE ✓
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure. Supplemental Guidance: Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place. Related controls: CM-8, CP-2, CP-7, SA-14, SA-15. ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

MEDIA PROTECTION MP-1 MEDIA PROTECTION POLICY AND PROCEDURES ✓
The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and b. Reviews and updates the current: 1. Media protection policy [Assignment: organization-defined frequency]; and 2. Media protection procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or, conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-100. ✓ ✓ MP-1.b.1 [at least every 3 years] MP-1.b.2 [at least annually] ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 MP-1.b.1 [at least annually] MP-1.b.2 [at least annually]

MEDIA PROTECTION MP-2 MEDIA ACCESS ✓
The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team. Related controls: AC-3, IA-2, MP-4, PE-2, PE-3, PL-2. ✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

MEDIA PROTECTION MP-3 MEDIA MARKING ✓
The organization: a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas]. Supplemental Guidance: The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: AC-16, PL-2, RA-3. Control Enhancements: None. References: FIPS Publication 199. ✓ MP-3b. [no removable media types] MP-3b. Guidance: Second parameter not applicable ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

MEDIA PROTECTION MP-4 MEDIA STORAGE ✓
The organization: a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm.
Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection. Related controls: CP-6, CP-9, MP-2, MP-7, PE-3. ü MP-4a. [all types of digital and non-digital media with sensitive information] within [FedRAMP Assignment: see additional FedRAMP requirements and guidance] MP-4a Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines controlled areas within facilities where the information and information system reside. ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 MEDIA PROTECTION MP-5 MEDIA TRANSPORT The organization: a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; b. Maintains accountability for information system media during transport outside of controlled areas; c. Documents activities associated with the transport of information system media; and d. 
Restricts the activities associated with the transport of information system media to authorized personnel. Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and/or procedural safeguards to meet the requirements established for protecting information and/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. 
Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records. Related controls: AC-19, CP-9, MP-3, MP-4, RA-3, SC-8, SC-13, SC-28. ü MP-5a. [all media with sensitive information] [prior to leaving secure/controlled environment: for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secured in locked container] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 MEDIA PROTECTION MP-5 (4) MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. Supplemental Guidance: This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers). Related control: MP-2. References: FIPS Publication 199; NIST Special Publication 800-60. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 MEDIA PROTECTION MP-6 MEDIA SANITIZATION ü The organization: a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization- defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. 
Supplemental Guidance: This control applies to all information system media, both digital and non- digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information. Related controls: MA-2, MA-4, RA-3, SC-4. 
ü ü MP-6a.1 [Assignment: organization-defined information system media] MP-6a.2 [Assignment: organization-defined sanitization techniques and procedures] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 MEDIA PROTECTION MP-6 (1) MEDIA SANITIZATION | REVIEW / APPROVE / TRACK / DOCUMENT / VERIFY The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions. Supplemental Guidance: Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal. Related control: SI-12. ü Included in NIST High Baseline, Rev 4 MEDIA PROTECTION MP-6 (2) MEDIA SANITIZATION | EQUIPMENT TESTING ü The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved. Supplemental Guidance: Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers). 
ü [At least annually] Guidance: Equipment and procedures may be tested or validated for effectiveness ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 MEDIA PROTECTION MP-6 (3) MEDIA SANITIZATION | NONDESTRUCTIVE TECHNIQUES ü The organization applies non-destructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]. Supplemental Guidance: This control enhancement applies to digital media containing classified information and Controlled Unclassified Information (CUI). Portable storage devices can be the source of malicious code insertions into organizational information systems. Many of these devices are obtained from unknown and potentially untrustworthy sources and may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Organizations consider nondestructive sanitization of portable storage devices when such devices are first purchased from the manufacturer or vendor prior to initial use or when organizations lose a positive chain of custody for the devices. Related control: SI-3. ü Included in NIST High Baseline, Rev 4 MEDIA PROTECTION MP-7 MEDIA USE ü The organization [Selection: restricts; prohibits] the use of [Assignment: organization- defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Information system media includes both digital and non-digital media. 
Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices. Related controls: AC-19, PL-4. ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 MEDIA PROTECTION MP-7 (1) MEDIA USE | PROHIBIT USE WITHOUT OWNER The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. 
Supplemental Guidance: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES ü The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and b. Reviews and updates the current: 1. Physical and environmental protection policy [Assignment: organization-defined frequency]; and 2. Physical and environmental protection procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. 
The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-100. ü ü PE-1.b.1 [at least every 3 years] PE-1.b.2 [at least annually] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PE-1.b.1 [at least annually] PE-1.b.2 [at least every six months] PHYSICAL AND ENVIRONMENTAL PROTECTION PE-2 PHYSICAL ACCESS AUTHORIZATIONS ü The organization: a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b. Issues authorization credentials for facility access; c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Removes individuals from the facility access list when access is no longer required. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible. Related controls: PE-3, PE-4, PS-3. ü ü PE-2c. [at least annually] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 c. [at least every 90 days] PHYSICAL AND ENVIRONMENTAL PROTECTION PE-3 PHYSICAL ACCESS CONTROL ü The organization: a. 
Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. Supplemental Guidance: This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and/or system components in secured areas. 
Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6, MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3. ü ü PE-3a.2 [CSP defined physical access control systems/devices AND guards] PE-3d. [in all circumstances within restricted access area where the information system resides] PE-3f. [at least annually] PE-3g. [at least annually] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-3 (1) PHYSICAL ACCESS CONTROL | INFORMATION SYSTEM ACCESS ü The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]. Supplemental Guidance: This control enhancement provides additional physical security for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers). 
Related control: PS-2. ü Included in NIST High Baseline, Rev 4 [service provider physical spaces containing components that contain organization data] PHYSICAL AND ENVIRONMENTAL PROTECTION PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM ü The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards]. Supplemental Guidance: Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and/or (iii) protection of cabling by conduit or cable trays. Related controls: MP-2, MP-4, PE-2, PE-3, PE-5, SC-7, SC-8. Control Enhancements: None. References: NSTISSI No. 7003. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-5 ACCESS CONTROL FOR OUTPUT DEVICES The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. Supplemental Guidance: Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices. Related controls: PE-2, PE-3, PE-4, PE-18. 
ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-6 MONITORING PHYSICAL ACCESS ü The organization: a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents; b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and c. Coordinates results of reviews and investigations with the organizational incident response capability. Supplemental Guidance: Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8. ü ü PE-6b. [at least monthly] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-6 (1) MONITORING PHYSICAL ACCESS | INTRUSION ALARMS / SURVEILLANCE EQUIPMENT The organization monitors physical intrusion alarms and surveillance equipment. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-6 (4) MONITORING PHYSICAL ACCESS | MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS ü The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system]. 
Supplemental Guidance: This control enhancement provides additional monitoring for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, communications centers). Related controls: PS-2, PS- ü Included in NIST High Baseline, Rev 4 [service provider physical spaces containing components that contain organization data] PHYSICAL AND ENVIRONMENTAL PROTECTION PE-8 VISITOR ACCESS RECORDS ü The organization: a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and b. Reviews visitor access records [Assignment: organization-defined frequency]. Supplemental Guidance: Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas. ü ü PE-8a. [for a minimum of one year] PE-8b. [at least monthly] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-8 (1) VISITOR ACCESS RECORDS | AUTOMATED RECORDS MAINTENANCE / REVIEW The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records. ü Included in NIST High Baseline, Rev 4 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-9 POWER EQUIPMENT AND CABLING The organization protects power equipment and power cabling for the information system from damage and destruction. Supplemental Guidance: Organizations determine the types of protection necessary for power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. 
This includes, for example, generators and power cabling outside of buildings, internal cabling and uninterruptable power sources within an office or data center, and power sources for self-contained entities such as vehicles and satellites. Related control: PE-4.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-10 EMERGENCY SHUTOFF ✓
The organization:
a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
c. Protects emergency power shutoff capability from unauthorized activation.
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related control: PE-15.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-11 EMERGENCY POWER ✓
The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.
Supplemental Guidance: Related controls: AT-3, CP-2, CP-7.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-11 (1) EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
Supplemental Guidance: This control enhancement can be satisfied, for example, by the use of a secondary commercial power supply or other external power supply. Long-term alternate power supplies for the information system can be either manually or automatically activated.
✓ Included in NIST High Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-12 EMERGENCY LIGHTING
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Related controls: CP-2, CP-7.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-13 FIRE PROTECTION
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-13 (1) FIRE PROTECTION | DETECTION DEVICES / SYSTEMS ✓
The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.
Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information.
✓ Included in NIST High Baseline, Rev 4 [service provider building maintenance/physical security personnel] [service provider emergency responders with incident response responsibilities]

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-13 (2) FIRE PROTECTION | SUPPRESSION DEVICES / SYSTEMS ✓
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].
Supplemental Guidance: Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-13 (3) FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-14 TEMPERATURE AND HUMIDITY CONTROLS ✓
The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms. Related control: AT-3.
✓ ✓ PE-14a. [consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments] PE-14b. [continuously]
PE-14a. Requirements: The service provider measures temperature at server inlets and humidity levels by dew point.
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-14 (2) TEMPERATURE AND HUMIDITY CONTROLS | MONITORING WITH ALARMS / NOTIFICATIONS
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-15 WATER DAMAGE PROTECTION
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Supplemental Guidance: This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations. Related control: AT-3.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-15 (1) WATER DAMAGE PROTECTION | AUTOMATION SUPPORT ✓
The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Automated mechanisms can include, for example, water detection sensors, alarms, and notification systems.
✓ Included in NIST High Baseline, Rev 4 [service provider building maintenance/physical security personnel]

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-16 DELIVERY AND REMOVAL ✓
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
Supplemental Guidance: Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries. Related controls: CM-3, MA-2, MA-3, MP-5, SA-12.
✓ ✓ PE-16. [all information system components]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-17 ALTERNATE WORK SITE ✓
The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
Supplemental Guidance: Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative. Related controls: AC-17, CP-7.
Control Enhancements: None.
References: NIST Special Publication 800-46.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PHYSICAL AND ENVIRONMENTAL PROTECTION PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS ✓
The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
Supplemental Guidance: Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones). Related controls: CP-2, PE-19, RA-3.
✓ Included in NIST High Baseline, Rev 4 [physical and environmental hazards identified during threat assessment]

PLANNING PL-1 SECURITY PLANNING POLICY AND PROCEDURES ✓
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
b. Reviews and updates the current:
1. Security planning policy [Assignment: organization-defined frequency]; and
2. Security planning procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-18, 800-100.
✓ ✓ PL-1.b.1 [at least every 3 years] PL-1.b.2 [at least annually]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PL-1.b.1 [at least annually] PL-1.b.2 [at least annually]

PLANNING PL-2 SYSTEM SECURITY PLAN ✓
The organization:
a. Develops a security plan for the information system that:
1. Is consistent with the organization’s enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and business processes;
4. Provides the security categorization of the information system including supporting rationale;
5. Describes the operational environment for the information system and relationships with or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
c. Reviews the security plan for the information system [Assignment: organization-defined frequency];
d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and
e. Protects the security plan from unauthorized disclosure and modification.
Supplemental Guidance: Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans. Related controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2, MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17.
✓ ✓ PL-2b. [at least annually]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PLANNING PL-2 (3) SYSTEM SECURITY PLAN | PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES ✓
The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.
Supplemental Guidance: Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate. Related controls: CP-4, IR-4.
References: NIST Special Publication 800-18.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PLANNING PL-4 RULES OF BEHAVIOR ✓
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
d. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.
Supplemental Guidance: This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5.
✓ ✓ PL-4c. [At least every 3 years]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PL-4c. [annually]

PLANNING PL-4 (1) RULES OF BEHAVIOR | SOCIAL MEDIA AND NETWORKING RESTRICTIONS
The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.
Supplemental Guidance: This control enhancement addresses rules of behavior related to the use of social media/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media/networking transactions; and (iii) when personnel are accessing social media/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media/networking sites.
References: NIST Publication 800-18.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PLANNING PL-8 INFORMATION SECURITY ARCHITECTURE ✓
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.
Supplemental Guidance: This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs. In today’s modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization’s enterprise architecture and information security architecture. Related controls: CM-2, CM-6, PL-2, PM-7, SA-5, SA-17, Appendix J.
✓ PL-8b. [At least annually or when a significant change occurs]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PERSONNEL SECURITY PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES ✓
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
b. Reviews and updates the current:
1. Personnel security policy [Assignment: organization-defined frequency]; and
2. Personnel security procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100.
✓ ✓ PS-1.b.1 [at least every 3 years] PS-1.b.2 [at least annually]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PS-1.b.1 [at least annually] PS-1.b.2 [at least every six months]

PERSONNEL SECURITY PS-2 POSITION RISK DESIGNATION ✓
The organization:
a. Assigns a risk designation to all organizational positions;
b. Establishes screening criteria for individuals filling those positions; and
c. Reviews and updates position risk designations [Assignment: organization-defined frequency].
Supplemental Guidance: Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances). Related controls: AT-3, PL-2, PS-3.
Control Enhancements: None.
References: 5 C.F.R. 731.106(a).
✓ ✓ PS-2c. [at least every three years]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PS-2c. [at least annually]

PERSONNEL SECURITY PS-3 PERSONNEL SCREENING ✓
The organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].
Supplemental Guidance: Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems. Related controls: AC-2, IA-4, PE-2, PS-2.
✓ ✓ PS-3b. [for national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

PERSONNEL SECURITY PS-3 (3) PERSONNEL SCREENING | INFORMATION WITH SPECIAL PROTECTION MEASURES ✓
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
(a) Have valid access authorizations that are demonstrated by assigned official government duties; and
(b) Satisfy [Assignment: organization-defined additional personnel screening criteria].
Supplemental Guidance: Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements.
✓ PS-3 (3)(b). [personnel screening criteria – as required by specific information]
✓ Included in FedRAMP Moderate Baseline, Rev 4

PERSONNEL SECURITY PS-4 PERSONNEL TERMINATION ✓
The organization, upon termination of individual employment:
a. Disables information system access within [Assignment: organization-defined time period];
b. Terminates/revokes any authenticators/credentials associated with the individual;
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
d. Retrieves all security-related organizational information system-related property;
e. Retains access to organizational information and information systems formerly controlled by terminated individual; and
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
Supplemental Guidance: Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5, PS-6.
✓ ✓ PS-4.a. [same day]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PS-4.a. [immediately]

PERSONNEL SECURITY PS-4 (2) PERSONNEL TERMINATION | AUTOMATED NOTIFICATION ✓
The organization employs automated mechanisms to notify [Assignment: organization-defined personnel or roles] upon termination of an individual.
Supplemental Guidance: In organizations with a large number of employees, not all personnel who need to know about termination actions receive the appropriate notifications—or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to specific organizational personnel or roles (e.g., management personnel, supervisors, personnel security officers, information security officers, systems administrators, or information technology administrators) when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites.
References: None.
✓ Included in NIST High Baseline, Rev 4 [access control personnel responsible for disabling access to the system]

PERSONNEL SECURITY PS-5 PERSONNEL TRANSFER ✓
The organization:
a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
Supplemental Guidance: This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts. Related controls: AC-2, IA-4, PE-2, PS-4.
Control Enhancements: None.
References: None.
✓ ✓ PS-5. [within five days of the formal transfer action (DoD 24 hours)]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PS-5b. [within 24 hours]

PERSONNEL SECURITY PS-6 ACCESS AGREEMENTS ✓
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8.
✓ ✓ PS-6b. [at least annually] PS-6c.2. [at least annually]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 PS-6b. [at least annually] PS-6c.2. [at least annually and any time there is a change to the user's level of access]

PERSONNEL SECURITY PS-7 THIRD-PARTY PERSONNEL SECURITY ✓
The organization:
a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;
b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;
c. Documents personnel security requirements;
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
e. Monitors provider compliance.
Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials/privileges associated with individuals transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-6, SA-9, SA-21.
Control Enhancements: None.
References: NIST Special Publication 800-35.
✓ ✓ PS-7d. organization-defined time period – same day
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 [terminations: immediately; transfers: same day]

PERSONNEL SECURITY PS-8 PERSONNEL SANCTIONS ✓
The organization:
a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
Supplemental Guidance: Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6.
Control Enhancements: None.
References: None.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

RISK ASSESSMENT RA-1 RISK ASSESSMENT POLICY AND PROCEDURES ✓
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
b. Reviews and updates the current:
1. Risk assessment policy [Assignment: organization-defined frequency]; and
2. Risk assessment procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations.
The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-30, 800-100. ü ü RA-1.b.1 [at least every 3 years] RA-1.b.2 [at least annually] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 RA-1.b.1 [at least annually] RA-1.b.2 [at least every six months] RISK ASSESSMENT RA-2 SECURITY CATEGORIZATION The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts.
Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. Control Enhancements: None. References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60. ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 RISK ASSESSMENT RA-3 RISK ASSESSMENT ü The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. 
Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation. Related controls: RA-2, PM-9. Control Enhancements: None. References: OMB Memorandum 04-04; NIST Special Publication 800-30, 800-39; Web: idmanagement.gov. ü ü RA-3b. [security assessment report] RA-3c. [at least every three years or when a significant change occurs] RA-3d. [at least every three years or when a significant change occurs] Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. RA-3d. 
Requirement: to include the Authorizing Official; for JAB authorizations to include FedRAMP ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 RA-3b. [security assessment report] RA-3c. [Refer to CDM requirement] RA-3e. [Refer to CDM requirements] RISK ASSESSMENT RA-5 VULNERABILITY SCANNING ü The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies). Supplemental Guidance: Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. 
Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. ü ü RA-5a. [monthly operating system/infrastructure; monthly web applications and databases] RA-5d. [high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery] RA-5a. Requirement: an accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually. RA-5e. 
Requirement: to include the Risk Executive; for JAB authorizations to include FedRAMP ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 RISK ASSESSMENT RA-5 (1) VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. Supplemental Guidance: The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible. Related controls: SI-3, SI-7. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 RISK ASSESSMENT RA-5 (2) VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED ü The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported]. Supplemental Guidance: Related controls: SI-3, SI-5. ü RA-5 (2). [prior to a new scan] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 RISK ASSESSMENT RA-5 (3) VULNERABILITY SCANNING | BREADTH / DEPTH OF COVERAGE The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked). ü ü Included in FedRAMP Moderate Baseline, Rev 4 RISK ASSESSMENT RA-5 (4) VULNERABILITY SCANNING | DISCOVERABLE INFORMATION ü The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]. 
Supplemental Guidance: Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries. Related control: AU-13. ü Included in NIST High Baseline, Rev 4 [notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions] RISK ASSESSMENT RA-5 (5) VULNERABILITY SCANNING | PRIVILEGED ACCESS ü The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities]. Supplemental Guidance: In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning. ü RA-5 (5). [operating systems / web applications / databases] [all scans] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 RISK ASSESSMENT RA-5 (6) VULNERABILITY SCANNING | AUTOMATED TREND ANALYSES The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities. Supplemental Guidance: Related controls: IR-4, IR-5, SI-4.
ü RA-5(6) Guidance: include in Continuous Monitoring ISSO digest/report to Authorizing Official ü Included in FedRAMP Moderate Baseline, Rev 4 RISK ASSESSMENT RA-5 (8) VULNERABILITY SCANNING | REVIEW HISTORIC AUDIT LOGS The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. Supplemental Guidance: Related control: AU-6. ü RA-5 (8). Requirements: This enhancement is required for all high vulnerability scan findings. Guidance: While scanning tools may label findings as high or critical, the intent of the control is based around NIST's definition of high vulnerability. ü Included in FedRAMP Moderate Baseline, Rev 4 RISK ASSESSMENT RA-5 (10) VULNERABILITY SCANNING | CORRELATE SCANNING INFORMATION The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors. ü NEED. Organizations commonly run vulnerability scanning tools against diverse enterprise systems and subsystems. These tools are often attuned to the specific subsystems, and often provided by different manufacturers. Because there is no single-vendor consolidation of all scanning tools, organizations need to correlate the outputs of these tools in order to triangulate on potential threats that may be related, or identical at their source. When the security impact is high and a shared-service environment may increase the number of independent scanning tools, implementation of this control is warranted. ANALYSIS. Although this control is well understood by vendors, its implementation takes many forms, depending on the scanning tools adopted by a particular organization. Depending on the variety of tools and the complexity of systems scanned, cost and time to implementation could become significant factors. SAMPLE THREAT VECTORS. Different scanning tools discover low-impact vulnerabilities in multiple subsystems of a system.
Considered individually, none of them warrants immediate action; yet when considered together, they constitute a significant attack pattern. RELEVANT SECURITY CONTROL ATTRIBUTES. Interoperable, Change Managed, Agile, Supported, Assessed, Monitored SYSTEM AND SERVICES ACQUISITION SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES ü The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and b. Reviews and updates the current: 1. System and services acquisition policy [Assignment: organization-defined frequency]; and 2. System and services acquisition procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. ü ü SA-1.b.1 [at least every 3 years] SA-1.b.2 [at least annually] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SA-1.b.1 [at least annually] SA-1.b.2 [at least annually] SYSTEM AND SERVICES ACQUISITION SA-2 ALLOCATION OF RESOURCES The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and c. Establishes a discrete line item for information security in organizational programming and budgeting documentation. Supplemental Guidance: Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system/service. Related controls: PM-3, PM-11. Control Enhancements: None. References: NIST Special Publication 800-65. ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND SERVICES ACQUISITION SA-3 SYSTEM DEVELOPMENT LIFE CYCLE ü The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; b. Defines and documents information security roles and responsibilities throughout the system development life cycle; c. Identifies individuals having information security roles and responsibilities; and d. Integrates the organizational information security risk management process into system development life cycle activities. Supplemental Guidance: A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. 
To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies. Related controls: AT-3, PM-7, SA-8. Control Enhancements: None. References: NIST Special Publications 800-37, 800-64. 
ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND SERVICES ACQUISITION SA-4 ACQUISITION PROCESS The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: a. Security functional requirements; b. Security strength requirements; c. Security assurance requirements; d. Security-related documentation requirements; e. Requirements for protecting security-related documentation; f. Description of the information system development environment and environment in which the system is intended to operate; and g. Acceptance criteria. Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. 
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12. ü ü SA-4. Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niap-ccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.
ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND SERVICES ACQUISITION SA-4 (1) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed. Supplemental Guidance: Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls. Related control: SA-5. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND SERVICES ACQUISITION SA-4 (2) ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS ü The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail]. Supplemental Guidance: Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission/business requirements, requirements for trustworthiness/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules.
The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system. Related control: SA-5. ü [to include security-relevant external system interfaces and high-level design] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 [to include security-relevant external system interfaces, high-level design, hardware schematics] SYSTEM AND SERVICES ACQUISITION SA-4 (8) ACQUISITION PROCESS | CONTINUOUS MONITORING PLAN ü The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail]. Supplemental Guidance: The objective of continuous monitoring plans is to determine if the complete set of planned, required, and deployed security controls within the information system, system component, or information system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into the continuous monitoring strategies and programs implemented by organizations. Related control: CA-7. ü SA-4 (8). [at least the minimum requirement as defined in control CA-7] SA-4 (8) Guidance: CSP must use the same security standards regardless of where the system component or information system service is acquired. 
ü Included in FedRAMP Moderate Baseline, Rev 4 SYSTEM AND SERVICES ACQUISITION SA-4 (9) ACQUISITION PROCESS | FUNCTIONS / PORTS / PROTOCOLS / SERVICES IN USE The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use. Supplemental Guidance: The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources. Related controls: CM-7, SA-9. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND SERVICES ACQUISITION SA-4 (10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems. Supplemental Guidance: Related controls: IA-2; IA-8. 
References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: www.niap-ccevs.org, fips201ep.cio.gov, www.acquisition.gov/far. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND SERVICES ACQUISITION SA-5 INFORMATION SYSTEM DOCUMENTATION ü The organization: a. Obtains administrator documentation for the information system, system component, or information system service that describes: 1. Secure configuration, installation, and operation of the system, component, or service; 2. Effective use and maintenance of security functions/mechanisms; and 3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; b. Obtains user documentation for the information system, system component, or information system service that describes: 1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and 3. User responsibilities in maintaining the security of the system, component, or service; c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response; d. Protects documentation as required, in accordance with the risk management strategy; and e. Distributes documentation to [Assignment: organization-defined personnel or roles]. Supplemental Guidance: This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. 
Organizations consider establishing specific measures to determine the quality/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation. Related controls: CM-6, CM-8, PL-2, PL-4, PS-2, SA-3, SA-4.

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND SERVICES ACQUISITION
SA-8 SECURITY ENGINEERING PRINCIPLES

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

Supplemental Guidance: Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions. Related controls: PM-7, SA-3, SA-4, SA-17, SC-2, SC-3.

Control Enhancements: None.

References: NIST Special Publication 800-27.

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND SERVICES ACQUISITION
SA-9 EXTERNAL INFORMATION SYSTEM SERVICES

The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

Supplemental Guidance: External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7.

SA-9a. [FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system]
SA-9c. [Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored]

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND SERVICES ACQUISITION
SA-9 (1) EXTERNAL INFORMATION SYSTEMS | RISK ASSESSMENTS / ORGANIZATIONAL APPROVALS

The organization:
(a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
(b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].

Supplemental Guidance: Dedicated information security services include, for example, incident monitoring, analysis and response, operation of information security-related devices such as firewalls, or key management services. Related controls: CA-6, RA-3.

SA-9 (1) see Additional Requirement and Guidance

Included in FedRAMP Moderate Baseline, Rev 4

SYSTEM AND SERVICES ACQUISITION
SA-9 (2) EXTERNAL INFORMATION SYSTEMS | IDENTIFICATION OF FUNCTIONS / PORTS / PROTOCOLS / SERVICES

The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.

Supplemental Guidance: Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions/services or blocking certain ports/protocols. Related control: CM-7.

SA-9 (2). [All external systems where Federal information is processed or stored]

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND SERVICES ACQUISITION
SA-9 (4) EXTERNAL INFORMATION SYSTEMS | CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS

The organization employs [Assignment: organization-defined security safeguards] to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests.

Supplemental Guidance: As organizations increasingly use external service providers, the possibility exists that the interests of the service providers may diverge from organizational interests. In such situations, simply having the correct technical, procedural, or operational safeguards in place may not be sufficient if the service providers that implement and control those safeguards are not operating in a manner consistent with the interests of the consuming organizations. Possible actions that organizations might take to address such concerns include, for example, requiring background checks for selected service provider personnel, examining ownership records, employing only trustworthy service providers (i.e., providers with which organizations have had positive experiences), and conducting periodic/unscheduled visits to service provider facilities.

SA-9 (4). [All external systems where Federal information is processed or stored]

Included in FedRAMP Moderate Baseline, Rev 4

SYSTEM AND SERVICES ACQUISITION
SA-9 (5) EXTERNAL INFORMATION SYSTEMS | PROCESSING, STORAGE, AND SERVICE LOCATION

The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].
Supplemental Guidance: The location of information processing, information/data storage, or information system services that are critical to organizations can have a direct impact on the ability of those organizations to successfully execute their missions/business functions. This situation exists when external providers control the location of processing, storage or services. The criteria external providers use for the selection of processing, storage, or service locations may be different from organizational criteria. For example, organizations may want to ensure that data/information storage locations are restricted to certain locations to facilitate incident response activities (e.g., forensic analyses, after-the-fact investigations) in case of information security breaches/compromises. Such incident response activities may be adversely affected by the governing laws or protocols in the locations where processing and storage occur and/or the locations from which information system services emanate.

SA-9 (5). [information processing, information data, AND information services]

Included in FedRAMP Moderate Baseline, Rev 4

SYSTEM AND SERVICES ACQUISITION
SA-10 DEVELOPER CONFIGURATION MANAGEMENT

The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].

Supplemental Guidance: This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle. Related controls: CM-3, CM-4, CM-9, SA-12, SI-2.

SA-10a. [development, implementation, AND operation]
SA-10e. Requirement: for JAB authorizations, track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel, to include FedRAMP.

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND SERVICES ACQUISITION
SA-10 (1) DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE / FIRMWARE INTEGRITY VERIFICATION

The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components.

Supplemental Guidance: This control enhancement allows organizations to detect unauthorized changes to software and firmware components through the use of tools, techniques, and/or mechanisms provided by developers. Integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components. Related control: SI-7.

Included in FedRAMP Moderate Baseline, Rev 4

SYSTEM AND SERVICES ACQUISITION
SA-11 DEVELOPER SECURITY TESTING AND EVALUATION

The organization requires the developer of the information system, system component, or information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation.

Supplemental Guidance: Developmental security testing/evaluation occurs at all post-design phases of the system development life cycle. Such testing/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2.

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND SERVICES ACQUISITION
SA-11 (1) DEVELOPER SECURITY TESTING AND EVALUATION | STATIC CODE ANALYSIS

The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

Supplemental Guidance: Static code analysis provides a technology and methodology for security reviews. Such analysis can be used to identify security vulnerabilities and enforce security coding practices. Static code analysis is most effective when used early in the development process, when each code change can be automatically scanned for potential weaknesses. Static analysis can provide clear remediation guidance along with defects to enable developers to fix such defects. Evidence of correct implementation of static analysis can include, for example, aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were fixed. An excessively high density of ignored findings (commonly referred to as ignored or false positives) indicates a potential problem with the analysis process or tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources.

Requirement: SA-11 (1) or SA-11 (8) or both
Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed.

Included in FedRAMP Moderate Baseline, Rev 4

SYSTEM AND SERVICES ACQUISITION
SA-11 (2) DEVELOPER SECURITY TESTING AND EVALUATION | THREAT AND VULNERABILITY ANALYSES

The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.
Supplemental Guidance: Applications may deviate significantly from the functional and design specifications created during the requirements and design phases of the system development life cycle. Therefore, threat and vulnerability analyses of information systems, system components, and information system services prior to delivery are critical to the effective operation of those systems, components, and services. Threat and vulnerability analyses at this phase of the life cycle help to ensure that design or implementation changes have been accounted for, and that any new vulnerabilities created as a result of those changes have been reviewed and mitigated. Related controls: PM-15, RA-5. ü ü Included in FedRAMP Moderate Baseline, Rev 4 SYSTEM AND SERVICES ACQUISITION SA-11 (8) DEVELOPER SECURITY TESTING AND EVALUATION | DYNAMIC CODE ANALYSIS The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis. Supplemental Guidance: Dynamic code analysis provides run-time verification of software programs, using tools capable of monitoring programs for memory corruption, user privilege issues, and other potential security problems. Dynamic code analysis employs run-time tools to help to ensure that security functionality performs in the manner in which it was designed. A specialized type of dynamic analysis, known as fuzz testing, induces program failures by deliberately introducing malformed or random data into software programs. Fuzz testing strategies derive from the intended use of applications and the functional and design specifications for the applications. ü Requirement: SA-11 (1) or SA-11 (8) or both Requirement: The service provider documents in the Continuous Monitoring Plan, how newly developed code for the information system is reviewed. 
ü Included in FedRAMP Moderate Baseline, Rev 4 SYSTEM AND SERVICES ACQUISITION SA-12 SUPPLY CHAIN PROTECTION ü The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy. Supplemental Guidance: Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems/components. This control enhancement also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping/warehousing. 
Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements. Related controls: AT-3, CM-8, IR- 4, PE-16, PL-8, SA-3, SA-4, SA-8, SA-10, SA-14, SA-15, SA-18, SA-19, SC-29, SC-30, SC-38, SI-7. ü Included in NIST High Baseline, Rev 4 [organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures] SYSTEM AND SERVICES ACQUISITION SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS ü The organization: a. Requires the developer of the information system, system component, or information system service to follow a documented development process that: 1. Explicitly addresses security requirements; 2. Identifies the standards and tools used in the development process; 3. Documents the specific tool options and tool configurations used in the development process; and 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and b. Reviews the development process, standards, tools, and tool options/configurations [Assignment: organization-defined frequency] to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy [Assignment: organization- defined security requirements]. Supplemental Guidance: Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. 
Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes. Related controls: SA-3, SA-8.

Included in NIST High Baseline, Rev 4
[as needed and as dictated by the current threat posture]
[organization and service provider-defined security requirements]

SYSTEM AND SERVICES ACQUISITION

SA-16 DEVELOPER-PROVIDED TRAINING

The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

Supplemental Guidance: This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms. Related controls: AT-2, AT-3, SA-5.

References: None.

Included in NIST High Baseline, Rev 4
[annually and on an "as-needed" basis]

SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN

The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:
a. Is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;
b. Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and
c. Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

Supplemental Guidance: This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organizations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if/when organizations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organization’s enterprise architecture and information security architecture. Related controls: PL-8, PM-7, SA-3, SA-8.

Included in NIST High Baseline, Rev 4

SYSTEM AND COMMUNICATIONS PROTECTION

SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
   1. System and communications protection policy [Assignment: organization-defined frequency]; and
   2. System and communications protection procedures [Assignment: organization-defined frequency].

Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.

Control Enhancements: None.

References: NIST Special Publications 800-12, 800-100.

SC-1.b.1 [at least every 3 years]; SC-1.b.2 [at least annually]
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
SC-1.b.1 [at least annually]; SC-1.b.2 [at least every six months]

SC-2 APPLICATION PARTITIONING

The information system separates user functionality (including user interface services) from information system management functionality.

Supplemental Guidance: Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical.
Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls. Related controls: SA-4, SA-8, SC-3.

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-3 SECURITY FUNCTION ISOLATION

The information system isolates security functions from nonsecurity functions.

Supplemental Guidance: The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities.
While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception. Related controls: AC-3, AC-6, SA-4, SA-5, SA-8, SA-13, SC-2, SC-7, SC-39.

Included in NIST High Baseline, Rev 4

SC-4 INFORMATION IN SHARED RESOURCES

The information system prevents unauthorized and unintended information transfer via shared system resources.

Supplemental Guidance: This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles. Related controls: AC-3, AC-4, MP-6.

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-5 DENIAL OF SERVICE PROTECTION

The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks. Related controls: SC-6, SC-7.

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-6 RESOURCE AVAILABILITY

The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]].

Supplemental Guidance: Priority protection helps prevent lower-priority processes from delaying or interfering with the information system servicing any higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources. This control does not apply to information system components for which there are only single users/roles.

Control Enhancements: None.

References: None.

Included in FedRAMP Moderate Baseline, Rev 4

SC-7 BOUNDARY PROTECTION

The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-7 (3) BOUNDARY PROTECTION | ACCESS POINTS

The organization limits the number of external network connections to the information system.

Supplemental Guidance: Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-7 (4) BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES

The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.

Supplemental Guidance: Related control: SC-8.

SC-7 (4). [at least annually]
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
SC-7 (4)e. [at least every 180 days or whenever there is a change in the threat environment that warrants a review of the exceptions]

SC-7 (5) BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

Supplemental Guidance: This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
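The deny-all, permit-by-exception property of SC-7 (5) is easy to state and easy to get half right: an operator hardens the inbound chain and leaves the outbound chain open. The following checker is an added example, not part of this control catalog or of the SCAP Security Guide; it parses a small nftables-style listing (a constructed sample, not taken from any real host) and reports, per traffic direction, whether the base chain policy is drop and which explicit accept rules form the approved exceptions.

```python
"""Audit a host firewall ruleset for SC-7 (5) deny-all, permit-by-exception.

Added example, not part of the control catalog. It reads a minimal
nftables-style text (constructed sample below) and checks that every base
chain with an inbound or outbound hook has a default policy of drop, so
that traffic passes only through explicit accept rules, which are the
exceptions SC-7 (5) requires to be essential and approved.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the input chain is deny-by-default, the output chain
# is not. The open output chain is exactly the gap the supplemental guidance
# calls out, since the enhancement applies to outbound traffic too.
SAMPLE_RULESET = """
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport 22 accept comment "approved: remote admin"
    }
    chain output {
        type filter hook output priority 0; policy accept;
        tcp dport 443 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
"""


@dataclass
class Chain:
    name: str
    hook: str = ""
    policy: str = ""
    exceptions: list = field(default_factory=list)


CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
TYPE_RE = re.compile(r"hook\s+(\w+).*?policy\s+(\w+)\s*;")


def parse_chains(text):
    """Return the base chains (those with a hook) found in the listing."""
    chains = []
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(name=m.group(1))
            chains.append(current)
            continue
        if current is None:
            continue
        t = TYPE_RE.search(line)
        if t:
            # The "type ... hook X ... policy Y;" line carries the default policy.
            current.hook, current.policy = t.group(1), t.group(2)
        elif line.strip().endswith("}"):
            current = None
        elif "accept" in line.split():
            # Every accept rule is an exception to the default policy.
            current.exceptions.append(line.strip())
    return [c for c in chains if c.hook]


def audit_deny_by_default(text):
    """Map each hook (traffic direction) to its default-policy verdict and
    the explicit exceptions that remain to be reviewed."""
    report = {}
    for c in parse_chains(text):
        report[c.hook] = {
            "deny_by_default": c.policy == "drop",
            "exceptions": c.exceptions,
        }
    return report


def is_compliant(text):
    """SC-7 (5) covers inbound and outbound traffic, so both must be drop."""
    report = audit_deny_by_default(text)
    return all(report.get(h, {}).get("deny_by_default", False)
               for h in ("input", "output"))


if __name__ == "__main__":
    for hook, verdict in audit_deny_by_default(SAMPLE_RULESET).items():
        print(hook, "deny-by-default" if verdict["deny_by_default"] else "OPEN",
              verdict["exceptions"])
    print("SC-7 (5) satisfied:", is_compliant(SAMPLE_RULESET))
```

The exception list the audit returns is the artifact a reviewer actually needs: each accept rule should map to a documented, approved need, which is the same evidence SC-7 (4)(d) asks for at external interfaces.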
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-7 (7) BOUNDARY PROTECTION | PREVENT SPLIT TUNNELING FOR REMOTE DEVICES

The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

Supplemental Guidance: This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-7 (8) BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS

The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.

Supplemental Guidance: External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Related controls: AC-3, AU-2.

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-7 (10) BOUNDARY PROTECTION | PREVENT UNAUTHORIZED EXFILTRATION

The organization prevents the unauthorized exfiltration of information across managed interfaces.
Supplemental Guidance: Safeguards implemented by organizations to prevent unauthorized exfiltration of information from information systems include, for example: (i) strict adherence to protocol formats; (ii) monitoring for beaconing from information systems; (iii) monitoring for steganography; (iv) disconnecting external network interfaces except when explicitly needed; (v) disassembling and reassembling packet headers; and (vi) employing traffic profile analysis to detect deviations from the volume/types of traffic expected within organizations or call backs to command and control centers. Devices enforcing strict adherence to protocol formats include, for example, deep packet inspection firewalls and XML gateways. These devices verify adherence to protocol formats and specification at the application layer and serve to identify vulnerabilities that cannot be detected by devices operating at the network or transport layers. This control enhancement is closely associated with cross-domain solutions and system guards enforcing information flow requirements. Related control: SI-3.

NEED. High-impact systems warrant careful attention to scenarios associated with exfiltration of sensitive organizational information. Different systems and implementation will trigger different scenarios, but regardless of the specific system context, organizations are warranted in establishing this control for high-impact systems with subsystems deployed into shared-service environments.

ANALYSIS. Organizations should devote careful attention to design considerations relative to this control. Simpler designs will allow the use of COTS tools that will lower implementation time and costs. More sensitive and complex environments will drive those costs higher.

SAMPLE THREAT VECTORS.
Authorized processes push very large volumes of data to external networks.
Internal devices send address/status/security information to external networks.

RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Absorptive, Survivable, Adaptive, Agile, Auditable, Monitored, Controlled, Data Controllable, Access-Controlled

SC-7 (12) BOUNDARY PROTECTION | HOST-BASED PROTECTION

The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].

Supplemental Guidance: Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices.

Included in FedRAMP Moderate Baseline, Rev 4

SC-7 (13) BOUNDARY PROTECTION | ISOLATION OF SECURITY TOOLS / MECHANISMS / SUPPORT COMPONENTS

The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

Supplemental Guidance: Physically separate subnetworks with managed interfaces are useful, for example, in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques of organizations. Related controls: SA-8, SC-2, SC-3.

SC-7 (13). Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.
Included in FedRAMP Moderate Baseline, Rev 4

SC-7 (18) BOUNDARY PROTECTION | FAIL SECURE

The information system fails securely in the event of an operational failure of a boundary protection device.

Supplemental Guidance: Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases. Related controls: CP-2, SC-24.

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-7 (20) BOUNDARY PROTECTION | DYNAMIC ISOLATION / SEGREGATION

The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system.

Supplemental Guidance: The capability to dynamically isolate or segregate certain internal components of organizational information systems is useful when it is necessary to partition or separate certain components of dubious origin from those components possessing greater trustworthiness. Component isolation reduces the attack surface of organizational information systems. Isolation of selected information system components is also a means of limiting the damage from successful cyber attacks when those attacks occur.

NEED. High-impact systems warrant careful attention to situations where specific sources or methods become suspect.
Such situations can involve specific user accounts, messages, message payloads, data, applications, or even entire subsystems. Under these circumstances, a capability for dynamic segregation is highly justified.

ANALYSIS. Isolation techniques are well understood in the cyber market, and constantly evolving. Example techniques include honey pots and honey nets. Both techniques can isolate a user, an autonomous application, or an entire subsystem. By doing so, honey pots/honey nets allow analysis to continue as the suspected user/component continues activity in controlled and observed conditions where the organization’s data and systems are not directly exposed.

SAMPLE THREAT VECTORS.
Anomalous user behavior is detected.
Messages arrive from suspect domains.
Messages arrive with suspect attachments.
Applications begin to behave anomalously.
Subsystems begin moving data anomalously.

RELEVANT SECURITY CONTROL ATTRIBUTES. Integrity-Assured, Absorptive, Survivable, Adaptive, Agile, Auditable, Monitored, Controlled, Data Controllable, Access-Controlled

[organization and service provider-defined information system components]

SC-7 (21) BOUNDARY PROTECTION | ISOLATION OF INFORMATION SYSTEM COMPONENTS

The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions].

Supplemental Guidance: Organizations can isolate information system components performing different missions and/or business functions. Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy greater levels of protection for selected components. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and to more effectively control information flows between those components.
This type of enhanced protection limits the potential harm from cyber attacks and errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms include, for example, routers, gateways, and firewalls separating system components into physically separate networks or subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows among system components using distinct encryption keys. Related controls: CA-9, SC-3.

Included in NIST High Baseline, Rev 4
[organization and service provider-defined information system components]
[organization-defined mission and/or business functions]

SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY

The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.

Supplemental Guidance: This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing physical distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity.
In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk. Related controls: AC-17, PE-4.

SC-8. [confidentiality AND integrity]
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-8 (1) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION

The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].

Supplemental Guidance: Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13.

SC-8 (1). [prevent unauthorized disclosure of information AND detect changes to information] [a hardened or alarmed carrier Protective Distribution System (PDS)]
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-10 NETWORK DISCONNECT

The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
Supplemental Guidance: This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses.

Control Enhancements: None.

References: None.

SC-10. [no longer than 30 minutes for RAS-based sessions or no longer than 60 minutes for non-interactive user sessions]
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
[no longer than 10 minutes in-band management and no longer than 15 minutes for user sessions]

SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Supplemental Guidance: Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems. Related controls: SC-13, SC-17.
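SC-10 above is one of the few controls on this page whose parameter values (30 and 60 minutes in one set, 10 and 15 minutes in the other) can be checked mechanically against a host setting. The following checker is an added example, not part of this control catalog or of the SCAP Security Guide. It assumes OpenSSH is the in-band management path, and it assumes the common hardening-guide reading of sshd's options: an unresponsive session is dropped after ClientAliveInterval multiplied by ClientAliveCountMax seconds, and a ClientAliveInterval of 0 (sshd's default) means the server never terminates an idle session. The two configurations are constructed samples, not taken from any real host.

```python
"""Check an sshd_config idle-timeout setting against the SC-10 time limits.

Added example, not part of the control catalog. Assumption: OpenSSH carries
in-band management sessions, and sshd terminates an unresponsive session
after ClientAliveInterval * ClientAliveCountMax seconds; ClientAliveInterval
0 (the default) or ClientAliveCountMax 0 leaves idle sessions untouched.
The limits below are the two SC-10 parameter sets listed on this page.
"""
import re

# SC-10 parameter values from the page, converted to seconds.
LIMITS = {
    "ras_session": 30 * 60,
    "non_interactive_user_session": 60 * 60,
    "in_band_management": 10 * 60,
    "user_session": 15 * 60,
}

# Constructed sample configurations (not from any real host).
WEAK_SSHD_CONFIG = """
# interval 0 disables the liveness check, so idle sessions never end
ClientAliveInterval 0
ClientAliveCountMax 3
"""

HARDENED_SSHD_CONFIG = """
# 300 s probes, two unanswered probes: sessions end after 600 s idle
ClientAliveInterval 300
ClientAliveCountMax 2
"""

# One option per line; comment lines start with '#' and never match.
OPTION_RE = re.compile(
    r"^\s*(ClientAliveInterval|ClientAliveCountMax)\s+(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_client_alive(config_text):
    """Return (interval, count_max). sshd uses the first occurrence of an
    option, and defaults to interval 0 / count 3 when the option is absent."""
    interval, count_max = None, None
    for key, value in OPTION_RE.findall(config_text):
        if key.lower() == "clientaliveinterval" and interval is None:
            interval = int(value)
        elif key.lower() == "clientalivecountmax" and count_max is None:
            count_max = int(value)
    return (0 if interval is None else interval,
            3 if count_max is None else count_max)


def idle_timeout_seconds(config_text):
    """Effective idle timeout, or None when sshd never ends idle sessions."""
    interval, count_max = parse_client_alive(config_text)
    if interval == 0 or count_max == 0:
        return None
    return interval * count_max


def meets_sc10(config_text, session_type="in_band_management"):
    """True when the configured timeout exists and is within the SC-10 limit
    for the given session type (keys of LIMITS)."""
    timeout = idle_timeout_seconds(config_text)
    return timeout is not None and timeout <= LIMITS[session_type]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, idle_timeout_seconds(cfg),
              {k: meets_sc10(cfg, k) for k in LIMITS})
```

The check deliberately treats "no timeout" as a failure rather than as a missing value: a default sshd_config silently fails SC-10, which is the case an auditor most needs surfaced.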
SC-12 Guidance: Federally approved cryptography
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-12 (1) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | AVAILABILITY

The organization maintains availability of information in the event of the loss of cryptographic keys by users.

Supplemental Guidance: Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys (e.g., due to forgotten passphrase).

Included in NIST High Baseline, Rev 4

SC-12 (2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC KEYS

The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes.

SC-12 (2). [NIST FIPS-compliant]
Included in FedRAMP Moderate Baseline, Rev 4

SC-12 (3) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | ASYMMETRIC KEYS

The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key].

Included in FedRAMP Moderate Baseline, Rev 4

SC-13 CRYPTOGRAPHIC PROTECTION

The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Supplemental Guidance: Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography). Related controls: AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7.

[FIPS-validated or NSA-approved cryptography]
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-15 COLLABORATIVE COMPUTING DEVICES

The information system:
a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provides an explicit indication of use to users physically present at the devices.

Supplemental Guidance: Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated. Related control: AC-21.

SC-15a. [no exceptions]
Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES

The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.

Supplemental Guidance: For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services. Related control: SC-12.

Control Enhancements: None.

References: OMB Memorandum 05-24; NIST Special Publications 800-32, 800-63.

Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SC-18 MOBILE CODE

The organization:
a. Defines acceptable and unacceptable mobile code and mobile code technologies;
b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
c. Authorizes, monitors, and controls the use of mobile code within the information system.

Supplemental Guidance: Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones).
Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems. Related controls: AU-2, AU-12, CM-2, CM-6, SI-3. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND COMMUNICATIONS PROTECTION SC-19 VOICE OVER INTERNET PROTOCOL The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system. Supplemental Guidance: Related controls: CM-6, SC-7, SC-15. References: NIST Special Publication 800-58. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND COMMUNICATIONS PROTECTION SC-20 SECURE NAME /ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) The information system: a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. Supplemental Guidance: This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. 
DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC- 13, SC-21, SC-22. ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND COMMUNICATIONS PROTECTION SC-21 SECURE NAME /ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. Supplemental Guidance: Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22. 
ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND COMMUNICATIONS PROTECTION SC-22 ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation. Supplemental Guidance: Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists). Related controls: SC-2, SC-20, SC-21, SC-24. Control Enhancements: None. References: NIST Special Publication 800-81. ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND COMMUNICATIONS PROTECTION SC-23 SESSION AUTHENTICITY The information system protects the authenticity of communications sessions. 
Supplemental Guidance: This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. Related controls: SC-8, SC-10, SC-11. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND COMMUNICATIONS PROTECTION SC-24 FAIL IN KNOWN STATE ü The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure. Supplemental Guidance: Failure in a known state addresses security concerns in accordance with the mission/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission/business processes. Related controls: CP-2, CP- 10, CP-12, SC-7, SC-22. Control Enhancements: None. References: None. ü Included in NIST High Baseline, Rev 4 SYSTEM AND COMMUNICATIONS PROTECTION SC-28 PROTECTION OF INFORMATION AT REST ü The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. 
Supplemental Guidance: This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7. ü SC-28. [confidentiality AND integrity] SC-28. Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest. ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND COMMUNICATIONS PROTECTION SC-28 (1) PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION ü The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. Supplemental Guidance: Selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category and/or classification of the information. 
This control enhancement applies to significant concentrations of digital media in organizational areas designated for media storage and also to limited quantities of media generally associated with information system components in operational environments (e.g., portable storage devices, mobile devices). Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Organizations employing cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions. Related controls: AC-19, SC-12. ü ü Included in FedRAMP Moderate Baseline, Rev 4 SYSTEM AND COMMUNICATIONS PROTECTION SC-39 PROCESS ISOLATION The information system maintains a separate execution domain for each executing process. Supplemental Guidance: Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies. Related controls: AC-3, AC-4, AC-6, SA-4, SA-5, SA-8, SC-2, SC-3. ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND INFORMATION INTEGRITY SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES ü The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. 
A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and b. Reviews and updates the current: 1. System and information integrity policy [Assignment: organization-defined frequency]; and 2. System and information integrity procedures [Assignment: organization-defined frequency]. Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9. Control Enhancements: None. References: NIST Special Publications 800-12, 800-100. ü ü SI-1.b.1 [at least every 3 years] SI-1.b.2 [at least annually] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SI-1.b.1 [at least annually] SI-1.b.2 [at least every six months] SYSTEM AND INFORMATION INTEGRITY SI-2 FLAW REMEDIATION ü The organization: a. Identifies, reports, and corrects information system flaws; b. 
Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Installs security-relevant software and firmware updates within [Assignment: organization- defined time period] of the release of the updates; and d. Incorporates flaw remediation into the organizational configuration management process. Supplemental Guidance: Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. 
Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11. ü ü SI-2c. [Within 30 days of release of updates] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND INFORMATION INTEGRITY SI-2 (1) FLAW REMEDIATION | CENTRAL MANAGEMENT The organization centrally manages the flaw remediation process. Supplemental Guidance: Central management is the organization-wide management and implementation of flaw remediation processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation security controls. ü Included in NIST High Baseline, Rev 4 SYSTEM AND INFORMATION INTEGRITY SI-2 (2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS ü The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. Supplemental Guidance: Related controls: CM-6, SI-4. ü SI-2 (2). 
[at least monthly] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND INFORMATION INTEGRITY SI-2 (3) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE ACTIONS ü The organization: (a) Measures the time between flaw identification and flaw remediation; and (b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions. Supplemental Guidance: This control enhancement requires organizations to determine the current time it takes on the average to correct information system flaws after such flaws have been identified, and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by type of flaw and/or severity of the potential vulnerability if the flaw can be exploited. ü ü Included in FedRAMP Moderate Baseline, Rev 4 SYSTEM AND INFORMATION INTEGRITY SI-3 MALICIOUS CODE PROTECTION ü The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. 
Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. 
Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7. ü ü SI-3.c.1 [at least weekly] [to include endpoints] SI-3.c.2 [to include alerting administrator or defined security personnel] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SI-3.c.1 [at least weekly] [to include endpoints] SI-3.c.2 [to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime] SYSTEM AND INFORMATION INTEGRITY SI-3 (1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT The organization centrally manages malicious code protection mechanisms. Supplemental Guidance: Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Related controls: AU-2, SI-8. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND INFORMATION INTEGRITY SI-3 (2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES The information system automatically updates malicious code protection mechanisms. Supplemental Guidance: Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates. Related control: SI-8. 
ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND INFORMATION INTEGRITY SI-3 (7) MALICIOUS CODE PROTECTION | NONSIGNATURE-BASED DETECTION The information system implements nonsignature-based malicious code detection mechanisms. Supplemental Guidance: Nonsignature-based detection mechanisms include, for example, the use of heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide safeguards against malicious code for which signatures do not yet exist or for which existing signatures may not be effective. This includes polymorphic malicious code (i.e., code that changes signatures when it replicates). This control enhancement does not preclude the use of signature-based detection mechanisms. ü ü Included in FedRAMP Moderate Baseline, Rev 4 SYSTEM AND INFORMATION INTEGRITY SI-4 INFORMATION SYSTEM MONITORING ü The organization: a. Monitors the information system to detect: 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization- defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identifies unauthorized use of the information system through [Assignment: organization- defined techniques and methods]; c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f. 
Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]. Supplemental Guidance: Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. 
Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7. ü ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 Coordination between service provider and consumer, including exchange of analysis information, signatures, indicators of compromise, etc. shall be documented and accepted by the Authorizing Official. In multi-tennant environments, capability and means for providing appropriate level(s) of issolation pertaining to consumers data shall be documented. SYSTEM AND INFORMATION INTEGRITY SI-4 (1) INFORMATION SYSTEM MONITORING | SYSTEM-WIDE INTRUSION DETECTION SYSTEM The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. ü ü Included in FedRAMP Moderate Baseline, Rev 4 SYSTEM AND INFORMATION INTEGRITY SI-4 (2) INFORMATION SYSTEM MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS The organization employs automated tools to support near real-time analysis of events. 
Supplemental Guidance: Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and/or notifications generated by organizational information systems. ü ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SYSTEM AND INFORMATION INTEGRITY SI-4 (4) INFORMATION SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC ü The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. ü SI-4 (4). [continuously] ü Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4 SI-4 (4). [continuously] SYSTEM AND INFORMATION INTEGRITY SI-4 (5) INFORMATION SYSTEM MONITORING | SYSTEM-GENERATED ALERTS ü The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization- defined compromise indicators]. Supplemental Guidance: Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. 
Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers. Related controls: AU-5, PE-6.
✓ SI-4(5) Guidance: In accordance with the incident response plan.
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-4 (11) INFORMATION SYSTEM MONITORING | ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES
✓ The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies.
Supplemental Guidance: Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.
✓ NEED. When a high-impact system is implemented in a shared-service environment, organizations should ensure their sensitive data is properly protected against classic threats to the confidentiality of its sensitive information. This control partially meets that need.
ANALYSIS. The tools and techniques for implementing this monitoring control are now well understood and embedded in COTS operating systems and software.
SAMPLE THREAT VECTORS. Large outbound file transfers execute without being detected. External malware network sites are accessed from within the organization without detection. Network sessions remain connected for long periods of time without detection. Esoteric protocols are active and undetected on ports not defined by the organization.
RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored
[organization and service provider-defined interior points within the system (e.g., subnetworks, subsystems)]

SYSTEM AND INFORMATION INTEGRITY
SI-4 (14) INFORMATION SYSTEM MONITORING | WIRELESS INTRUSION DETECTION
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
Supplemental Guidance: Wireless signals may radiate beyond the confines of organization-controlled facilities. Organizations proactively search for unauthorized wireless connections including the conduct of thorough scans for unauthorized wireless access points. Scans are not limited to those areas within facilities containing information systems, but also include areas outside of facilities as needed, to verify that unauthorized wireless access points are not connected to the systems. Related controls: AC-18, IA-3.
✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-4 (16) INFORMATION SYSTEM MONITORING | CORRELATE MONITORING INFORMATION
The organization correlates information from monitoring tools employed throughout the information system.
Supplemental Guidance: Correlating information from different monitoring tools can provide a more comprehensive view of information system activity. The correlation of monitoring tools that usually work in isolation (e.g., host monitoring, network monitoring, anti-virus software) can provide an organization-wide view and in so doing, may reveal otherwise unseen attack patterns. Understanding the capabilities/limitations of diverse monitoring tools and how to maximize the utility of information generated by those tools can help organizations to build, operate, and maintain effective monitoring programs. Related control: AU-6.
✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-4 (18) INFORMATION SYSTEM MONITORING | ANALYZE TRAFFIC / COVERT EXFILTRATION
✓ The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information.
Supplemental Guidance: Covert means that can be used for the unauthorized exfiltration of organizational information include, for example, steganography.
✓ NEED. When a high-impact system is implemented in a shared-service environment, organizations should ensure their sensitive data is properly protected against classic threats to the confidentiality of sensitive information. This control partially meets that need.
ANALYSIS. The tools and techniques for implementing this monitoring control are now well understood, and embedded in COTS operating systems and software.
SAMPLE THREAT VECTORS. Large outbound files are disguised to transfer without being detected. Communications with external malware network sites are embedded to avoid detection.
RELEVANT SECURITY CONTROL ATTRIBUTES. Substantiated Integrity, Monitored, Assessed
[organization and service provider-defined interior points within the system (e.g., subnetworks, subsystems)]

SYSTEM AND INFORMATION INTEGRITY
SI-4 (22) INFORMATION SYSTEM MONITORING | UNAUTHORIZED NETWORK SERVICES
✓ The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]].
Supplemental Guidance: Unauthorized or unapproved network services include, for example, services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services. Related controls: AC-6, CM-7, SA-5, SA-9.
✓ NEED. When a high-impact system is implemented across networks in a shared-service environment, organizations should monitor network services to protect against unauthorized services capable of exfiltrating sensitive information. This control meets that monitoring need.
ANALYSIS. The tools and techniques for implementing this monitoring control are well understood, and embedded in COTS operating systems and software.
SAMPLE THREAT VECTORS. System daemons and application services running in the background, exfiltrating sensitive information to external networks.
RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Assessed
[organization and service provider-defined authorization or approval processes] [audits; alerts [organization and service provider designated security personnel]].

SYSTEM AND INFORMATION INTEGRITY
SI-4 (23) INFORMATION SYSTEM MONITORING | HOST-BASED DEVICES
✓ The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components].
Supplemental Guidance: Information system components where host-based monitoring can be implemented include, for example, servers, workstations, and mobile devices. Organizations consider employing host-based monitoring mechanisms from multiple information technology product developers.
✓ ✓ Included in FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-4 (24) INFORMATION SYSTEM MONITORING | INDICATORS OF COMPROMISE
The information system discovers, collects, distributes, and uses indicators of compromise.
Supplemental Guidance: Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. IOCs for the discovery of compromised hosts can include, for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack.
✓ NEED. When a high-impact system is implemented across networks in a shared-service environment, organizations should aggressively monitor for symptoms that system integrity has been compromised. This control addresses that monitoring need.
ANALYSIS. The tools and techniques for implementing this monitoring control are no longer unusual, but their implementation still requires careful initial analysis of tools, standards, and sources for indicators of compromise (IOC) data. This capability is not a simple matter of installing COTS software and watching for alerts. Rather, it requires staff to maintain a keen understanding of the threat-scape in order to properly understand the alerts coming from the IOC subsystem.
SAMPLE THREAT VECTORS. Temporary files appear but are not associated with any known system processes; independent security services warn of new surveillance techniques appearing globally; evidence of those new techniques appears in an organization's event logs. Reports on the payload of a new botnet indicate that the system has been touched by the botnet.
RELEVANT SECURITY CONTROL ATTRIBUTES. Monitored, Assessed

SYSTEM AND INFORMATION INTEGRITY
SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES
✓ The organization:
a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
b. Generates internal security alerts, advisories, and directives as deemed necessary;
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
Supplemental Guidance: The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission/business partners, supply chain partners, external service providers, and other peer/supporting organizations. Related control: SI-2.
✓ ✓ SI-5a. [to include US-CERT]
SI-5c. [to include system security personnel and administrators with configuration/patch-management responsibilities]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-5 (1) SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES
The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.
Supplemental Guidance: The significant number of changes to organizational information systems and the environments in which those systems operate requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on the information provided by the security alerts and advisories, changes may be required at one or more of the three tiers related to the management of information security risk including the governance level, mission/business process/enterprise architecture level, and the information system level. References: NIST Special Publication 800-40.
✓ Included in NIST High Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-6 SECURITY FUNCTION VERIFICATION
✓ The information system:
a. Verifies the correct operation of [Assignment: organization-defined security functions];
b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
✓ SI-6b [to include upon system startup and/or restart and at least monthly]
SI-6c [to include system administrators and security personnel]
SI-6d [to include notification of system administrators and security personnel]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
✓ The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
Supplemental Guidance: Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications. Related controls: SA-12, SC-8, SC-13, SI-3.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-7 (1) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS
✓ The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
Supplemental Guidance: Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort.
✓ SI-7 (1). [Selection to include security relevant events and at least monthly]
✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-7 (2) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS
✓ The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.
Supplemental Guidance: The use of automated tools to report integrity violations and to notify organizational personnel in a timely manner is an essential precursor to effective risk response. Personnel having an interest in integrity violations include, for example, mission/business owners, information system owners, systems administrators, software developers, systems integrators, and information security officers.
✓ Included in NIST High Baseline, Rev 4
[organization and service provider-defined system/application admin personnel]

SYSTEM AND INFORMATION INTEGRITY
SI-7 (5) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS
✓ The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.
Supplemental Guidance: Organizations may define different integrity checking and anomaly responses: (i) by type of information (e.g., firmware, software, user data); (ii) by specific information (e.g., boot firmware, boot firmware for specific types of machines); or (iii) a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, or triggering audit alerts when unauthorized modifications to critical security files occur.
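As an added example (not code from the SCAP Security Guide project or from the NIST control text), the following Python sketches the mechanism SI-7 through SI-7 (5) describe: a SHA-256 baseline of a protected file set, a verification pass that could be scheduled at startup or at the organization-defined frequency, notification of each discrepancy (SI-7 (2)), and a table of organization-defined safeguards selected per discrepancy (SI-7 (5)). The file names, the notify callback and the RESPONSE table are constructed assumptions for illustration.

```python
"""Minimal file-integrity monitor in the shape of SI-7 / SI-7(1) / SI-7(2) / SI-7(5).
Added example; paths, the notify callback and RESPONSE are constructed assumptions."""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Cryptographic hash of one file (SI-7: state-of-the-practice integrity check)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record the hash of every regular file under root: the protected set."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with the baseline (SI-7(1)); discrepancies by kind."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


# SI-7(5): organization-defined safeguard per kind of violation (assumed values;
# "reversing the changes" and "triggering audit alerts" are the options the text names).
RESPONSE = {
    "modified": "restore-from-baseline",
    "removed": "restore-from-baseline",
    "added": "audit-alert",
}


def respond(findings: dict[str, list[str]], notify) -> list[tuple[str, str]]:
    """SI-7(2) notification for every discrepancy, then SI-7(5) safeguard selection."""
    actions = []
    for kind, paths in findings.items():
        for p in paths:
            notify(f"integrity violation: {kind} {p}")  # notify the defined personnel
            actions.append((p, RESPONSE[kind]))
    return actions


def demo() -> tuple[dict[str, list[str]], list[str], list[tuple[str, str]]]:
    """Build a constructed tree, baseline it, tamper with it, and run the check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")   # constructed
        (root / "bin" / "tool").write_bytes(b"\x7fELF-placeholder")       # constructed
        baseline = build_baseline(root)
        assert verify(root, baseline) == {"modified": [], "removed": [], "added": []}
        # Simulated unauthorized changes: a config edit, a deleted binary, a new file.
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "tool").unlink()
        (root / "bin" / "rogue").write_bytes(b"unexpected")
        findings = verify(root, baseline)
        alerts: list[str] = []
        actions = respond(findings, alerts.append)
        return findings, alerts, actions


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```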
✓ Included in NIST High Baseline, Rev 4
[organization and service provider selects (one or more): shuts the information system down; restarts the information system; implements [organization and service provider-defined security safeguards]]

SYSTEM AND INFORMATION INTEGRITY
SI-7 (7) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND RESPONSE
✓ The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.
Supplemental Guidance: This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges. Related controls: IR-4, IR-5, SI-4.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-7 (14) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | BINARY OR MACHINE EXECUTABLE CODE
The organization:
(a) Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and
(b) Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.
Supplemental Guidance: This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations. Related control: SA-5.
✓ Included in NIST High Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-8 SPAM PROTECTION
The organization:
a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
Supplemental Guidance: Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions. Related controls: AT-2, AT-3, SC-5, SC-7, SI-3.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-8 (1) SPAM PROTECTION | CENTRAL MANAGEMENT
The organization centrally manages spam protection mechanisms.
Supplemental Guidance: Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection security controls. Related controls: AU-3, SI-2, SI-7.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-8 (2) SPAM PROTECTION | AUTOMATIC UPDATES
The information system automatically updates spam protection mechanisms.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-10 INFORMATION INPUT VALIDATION
✓ The information system checks the validity of [Assignment: organization-defined information inputs].
Supplemental Guidance: Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-11 ERROR HANDLING
✓ The information system:
a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
b. Reveals error messages only to [Assignment: organization-defined personnel or roles].
Supplemental Guidance: Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information. Related controls: AU-2, AU-3, SC-31. Control Enhancements: None. References: None.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-12 INFORMATION HANDLING AND RETENTION
The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Supplemental Guidance: Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention. Related controls: AC-16, AU-5, AU-11, MP-2, MP-4.
✓ ✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4

SYSTEM AND INFORMATION INTEGRITY
SI-16 MEMORY PROTECTION
✓ The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
Supplemental Guidance: Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. Related controls: AC-25, SC-3. Control Enhancements: None. References: None.
✓ ✓ Included in NIST High Baseline, Rev 4 and FedRAMP Moderate Baseline, Rev 4
Inherited from RHEL