├── tools
└── viewer
│ ├── requirements.in
│ ├── itbp.cfg
│ ├── templates
│ ├── itbpqueryform.html
│ └── tip.html
│ ├── requirements.txt
│ └── dockit
├── legal
├── IT Best Practices-Entity-1.0.pdf
├── IT Best Practices-Individual-1.0.pdf
└── signatures
│ └── alanr@unix.sh.sig
├── .gitignore
└── rules
└── os.app
└── security.domain
└── posix.class
├── linux.os
└── redhat
│ ├── nist_V-38683
│ ├── nist_V-38603
│ ├── nist_V-38489
│ ├── nist_V-38606
│ ├── nist_V-38681
│ ├── nist_V-38495
│ ├── nist_V-38443
│ ├── nist_V-38503
│ ├── nist_V-38449
│ ├── nist_V-38591
│ ├── nist_V-38445
│ ├── nist_V-38498
│ ├── nist_V-38448
│ ├── nist_V-38458
│ ├── nist_V-38576
│ ├── nist_V-38450
│ ├── nist_V-38451
│ ├── nist_V-38459
│ ├── nist_V-38584
│ ├── nist_V-38674
│ ├── nist_V-38461
│ ├── nist_V-38493
│ ├── nist_V-38653
│ ├── nist_V-38671
│ ├── nist_V-38579
│ ├── nist_V-38577
│ ├── nist_V-38462
│ ├── nist_V-38652
│ ├── nist_V-38610
│ ├── nist_V-38660
│ ├── nist_V-38480
│ ├── nist_V-38616
│ ├── nist_V-38463
│ ├── nist_V-38607
│ ├── nist_V-38676
│ ├── nist_V-38471
│ ├── nist_V-38578
│ ├── nist_V-38675
│ ├── nist_V-38555
│ ├── nist_V-38624
│ ├── nist_V-38654
│ ├── nist_V-38590
│ ├── nist_V-38457
│ ├── nist_V-51379
│ ├── nist_V-38502
│ ├── nist_V-38581
│ ├── nist_V-38587
│ ├── nist_V-38622
│ ├── nist_V-38477
│ ├── nist_V-38504
│ ├── nist_V-38549
│ ├── nist_V-38455
│ ├── nist_V-38491
│ ├── nist_V-51337
│ ├── nist_V-38605
│ ├── nist_V-38670
│ ├── nist_V-38588
│ ├── nist_V-38619
│ ├── nist_V-51363
│ ├── nist_V-38583
│ ├── nist_V-38687
│ ├── nist_V-38673
│ ├── nist_V-38613
│ ├── nist_V-38446
│ ├── nist_V-38611
│ ├── nist_V-38609
│ ├── nist_V-38494
│ ├── nist_V-57569
│ ├── nist_V-38512
│ ├── nist_V-38479
│ ├── nist_V-38599
│ ├── nist_V-38656
│ ├── nist_V-38700
│ ├── nist_V-38499
│ ├── nist_V-38560
│ ├── nist_V-38669
│ ├── nist_V-38696
│ ├── nist_V-38658
│ ├── nist_V-38460
│ ├── nist_V-38497
│ ├── nist_V-38500
│ ├── nist_V-38680
│ ├── nist_V-38553
│ ├── nist_V-38625
│ ├── nist_V-38627
│ ├── nist_V-38631
│ ├── nist_V-38632
│ ├── nist_V-38647
│ ├── nist_V-38651
│ ├── nist_V-38456
│ ├── nist_V-38492
│ ├── nist_V-38541
│ ├── nist_V-38639
│ ├── nist_V-38649
│ ├── nist_V-38467
│ ├── nist_V-38513
│ ├── nist_V-38657
│ ├── nist_V-38664
│ ├── nist_V-38645
│ ├── nist_V-38454
│ ├── nist_V-38551
│ ├── nist_V-38628
│ ├── nist_V-38629
│ ├── nist_V-51369
│ ├── nist_V-38698
│ ├── nist_V-38643
│ ├── nist_V-38615
│ ├── nist_V-38693
│ ├── nist_V-38473
│ ├── nist_V-38638
│ ├── nist_V-38665
│ ├── nist_V-38612
│ ├── nist_V-38699
│ ├── nist_V-38453
│ ├── nist_V-38695
│ ├── nist_V-38614
│ ├── nist_V-38691
│ ├── nist_V-38496
│ ├── nist_V-38686
│ ├── nist_V-38594
│ ├── nist_V-38617
│ ├── nist_V-38621
│ ├── nist_V-38438
│ ├── nist_V-38487
│ ├── nist_V-38620
│ ├── nist_V-38636
│ ├── nist_V-38464
│ ├── nist_V-38633
│ ├── nist_V-38474
│ ├── nist_V-38655
│ ├── nist_V-38439
│ ├── nist_V-38598
│ ├── nist_V-51875
│ ├── nist_V-38482
│ ├── nist_V-38586
│ ├── nist_V-38602
│ ├── nist_V-38488
│ ├── nist_V-43150
│ ├── nist_V-38444
│ ├── nist_V-38642
│ ├── nist_V-38530
│ ├── nist_V-38585
│ ├── nist_V-38685
│ ├── nist_V-38690
│ ├── nist_V-38524
│ ├── nist_V-38677
│ ├── nist_V-38701
│ ├── nist_V-38486
│ ├── nist_V-38608
│ ├── nist_V-38533
│ ├── nist_V-38537
│ ├── nist_V-38568
│ ├── nist_V-38548
│ ├── nist_V-38604
│ ├── nist_V-38472
│ ├── nist_V-38476
│ ├── nist_V-38517
│ ├── nist_V-38514
│ ├── nist_V-38468
│ ├── nist_V-38523
│ ├── nist_V-38535
│ ├── nist_V-38572
│ ├── nist_V-38626
│ ├── nist_V-38469
│ ├── nist_V-38516
│ ├── nist_V-38688
│ ├── nist_V-38511
│ ├── nist_V-38526
│ ├── nist_V-38529
│ ├── nist_V-38601
│ ├── nist_V-38618
│ ├── nist_V-38484
│ ├── nist_V-38531
│ ├── nist_V-38528
│ └── nist_V-38534
└── itbp-00002
/tools/viewer/requirements.in:
--------------------------------------------------------------------------------
1 | cheroot
2 | flask
3 |
--------------------------------------------------------------------------------
/tools/viewer/itbp.cfg:
--------------------------------------------------------------------------------
1 | DEBUG=True
2 | TESTING=True
3 | ITBP_PATH='/tmp/root/rules'
4 |
--------------------------------------------------------------------------------
/legal/IT Best Practices-Entity-1.0.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IT-bestpractices/root/HEAD/legal/IT Best Practices-Entity-1.0.pdf
--------------------------------------------------------------------------------
/legal/IT Best Practices-Individual-1.0.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/IT-bestpractices/root/HEAD/legal/IT Best Practices-Individual-1.0.pdf
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | Syntax: regex
2 | *.cmake
3 | */CMakeFiles
4 | */CMakeFiles/*
5 | *.pyc
6 | *.swo
7 | *.swp
8 | CMakeCache.txt
9 | CMakeFiles/*
10 | install_manifest.txt
11 | Makefile
12 |
--------------------------------------------------------------------------------
/tools/viewer/templates/itbpqueryform.html:
--------------------------------------------------------------------------------
1 |
2 |
3 | IT Best Practices Query Form
4 |
5 |
6 | IT Best Practices Tip Lookup Page
7 |
8 |
9 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/tools/viewer/templates/tip.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | IT Best Practices
5 |
6 |
7 | IT Best Practices Tip: {{tipname}}
8 | Severity: {{severity}}
9 | Short Description
10 | {{shorttiptext}}
11 | Long Description
12 | {{longtiptext|safe}}
13 | How to Check Correct Configuration
14 | {{checktiptext|safe}}
15 | How to Fix
16 | {{fixtiptext|safe}}
17 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/tools/viewer/requirements.txt:
--------------------------------------------------------------------------------
1 | #
2 | # This file is autogenerated by pip-compile
3 | # To update, run:
4 | #
5 | # pip-compile
6 | #
7 | blinker==1.6.2
8 | # via flask
9 | cheroot==8.3.1
10 | # via -r requirements.in
11 | click==8.1.3
12 | # via flask
13 | flask==2.3.2
14 | # via -r requirements.in
15 | itsdangerous==2.1.2
16 | # via flask
17 | jaraco-functools==3.0.1
18 | # via cheroot
19 | jinja2==3.1.3
20 | # via flask
21 | markupsafe==2.1.2
22 | # via
23 | # jinja2
24 | # werkzeug
25 | more-itertools==8.4.0
26 | # via
27 | # cheroot
28 | # jaraco-functools
29 | six==1.15.0
30 | # via cheroot
31 | werkzeug==3.0.1
32 | # via flask
33 |
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38683:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38683",
6 | "C-46245r1_chk",
7 | "F-43632r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to check for duplicate account names: \n\n# pwck -rq\n\nIf there are no duplicate names, no line will be returned. \nIf a line is returned, this is a finding.",
13 | "fix": "Change usernames, or delete accounts, so each has a unique name.",
14 | "long_description": "Unique usernames allow for accountability on the system.",
15 | "short_description": "All accounts on the system must have unique user or account names"
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38603:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38603",
6 | "C-46161r1_chk",
7 | "F-43551r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine if the \"ypserv\" package is installed: \n\n# rpm -q ypserv\n\n\nIf the package is installed, this is a finding.",
13 | "fix": "The \"ypserv\" package can be uninstalled with the following command: \n\n# yum erase ypserv",
14 | "long_description": "Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.",
15 | "short_description": "The ypserv package must not be installed."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38489:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38489",
6 | "C-46046r1_chk",
7 | "F-43436r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If another file integrity tool is installed, this is not a finding.\n\nRun the following command to determine if the \"aide\" package is installed: \n\n# rpm -q aide\n\n\nIf the package is not installed, this is a finding.",
13 | "fix": "Install the AIDE package with the command: \n\n# yum install aide",
14 | "long_description": "The AIDE package must be installed if it is to be available for integrity checking.",
15 | "short_description": "A file integrity tool must be installed."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38606:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38606",
6 | "C-46164r1_chk",
7 | "F-43554r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine if the \"tftp-server\" package is installed: \n\n# rpm -q tftp-server\n\n\nIf the package is installed, this is a finding.",
13 | "fix": "The \"tftp-server\" package can be removed with the following command: \n\n# yum erase tftp-server",
14 | "long_description": "Removing the \"tftp-server\" package decreases the risk of the accidental (or intentional) activation of tftp services.",
15 | "short_description": "The tftp-server package must not be installed unless required."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38681:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38681",
6 | "C-46243r2_chk",
7 | "F-43630r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command: \n\n# pwck -r | grep 'no group'\n\nThere should be no output. \nIf there is output, this is a finding.",
13 | "fix": "Add a group to the system for each GID referenced without a corresponding group.",
14 | "long_description": "Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights.",
15 | "short_description": "All GIDs referenced in /etc/passwd must be defined in /etc/group"
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38495:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38495",
6 | "C-46053r1_chk",
7 | "F-43443r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to check the owner of the system audit logs: \n\ngrep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %U:%n\n\nAudit logs must be owned by root. \nIf they are not, this is a finding.",
13 | "fix": "Change the owner of the audit log files with the following command: \n\n# chown root [audit_file]",
14 | "long_description": "If non-privileged users can write to audit logs, audit trails can be modified or destroyed.",
15 | "short_description": "Audit log files must be owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38443:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38443",
6 | "C-45998r1_chk",
7 | "F-43388r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the ownership of \"/etc/gshadow\", run the command: \n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following owner: \"root\" \nIf it does not, this is a finding.",
13 | "fix": "To properly set the owner of \"/etc/gshadow\", run the command: \n\n# chown root /etc/gshadow",
14 | "long_description": "The \"/etc/gshadow\" file contains group password hashes. Protection of this file is critical for system security.",
15 | "short_description": "The /etc/gshadow file must be owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38503:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38503",
6 | "C-46060r1_chk",
7 | "F-43450r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the group ownership of \"/etc/shadow\", run the command: \n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following group-owner. \"root\" \nIf it does not, this is a finding.",
13 | "fix": "To properly set the group owner of \"/etc/shadow\", run the command: \n\n# chgrp root /etc/shadow",
14 | "long_description": "The \"/etc/shadow\" file stores password hashes. Protection of this file is critical for system security.",
15 | "short_description": "The /etc/shadow file must be group-owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38449:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38449",
6 | "C-46004r1_chk",
7 | "F-43394r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the permissions of \"/etc/gshadow\", run the command: \n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following permissions: \"----------\" \nIf it does not, this is a finding.",
13 | "fix": "To properly set the permissions of \"/etc/gshadow\", run the command: \n\n# chmod 0000 /etc/gshadow",
14 | "long_description": "The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.",
15 | "short_description": "The /etc/gshadow file must have mode 0000."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38591:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38591",
6 | "C-46149r1_chk",
7 | "F-43539r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine if the \"rsh-server\" package is installed: \n\n# rpm -q rsh-server\n\n\nIf the package is installed, this is a finding.",
13 | "fix": "The \"rsh-server\" package can be uninstalled with the following command: \n\n# yum erase rsh-server",
14 | "long_description": "The \"rsh-server\" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.",
15 | "short_description": "The rsh-server package must not be installed."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38445:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38445",
6 | "C-46000r1_chk",
7 | "F-43390r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to check the group owner of the system audit logs: \n\ngrep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %G:%n\n\nAudit logs must be group-owned by root. \nIf they are not, this is a finding.",
13 | "fix": "Change the group owner of the audit log files with the following command: \n\n# chgrp root [audit_file]",
14 | "long_description": "If non-privileged users can write to audit logs, audit trails can be modified or destroyed.",
15 | "short_description": "Audit log files must be group-owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38498:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38498",
6 | "C-46055r1_chk",
7 | "F-43445r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to check the mode of the system audit logs: \n\ngrep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %a:%n\n\nAudit logs must be mode 0640 or less permissive. \nIf any are more permissive, this is a finding.",
13 | "fix": "Change the mode of the audit log files with the following command: \n\n# chmod 0640 [audit_file]",
14 | "long_description": "If users can write to audit logs, audit trails can be modified or destroyed.",
15 | "short_description": "Audit log files must have mode 0640 or less permissive."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38448:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38448",
6 | "C-46003r1_chk",
7 | "F-43393r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the group ownership of \"/etc/gshadow\", run the command: \n\n$ ls -l /etc/gshadow\n\nIf properly configured, the output should indicate the following group-owner. \"root\" \nIf it does not, this is a finding.",
13 | "fix": "To properly set the group owner of \"/etc/gshadow\", run the command: \n\n# chgrp root /etc/gshadow",
14 | "long_description": "The \"/etc/gshadow\" file contains group password hashes. Protection of this file is critical for system security.",
15 | "short_description": "The /etc/gshadow file must be group-owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38458:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38458",
6 | "C-46013r1_chk",
7 | "F-43403r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the ownership of \"/etc/group\", run the command: \n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following owner: \"root\" \nIf it does not, this is a finding.",
13 | "fix": "To properly set the owner of \"/etc/group\", run the command: \n\n# chown root /etc/group",
14 | "long_description": "The \"/etc/group\" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.",
15 | "short_description": "The /etc/group file must be owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38576:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38576",
6 | "C-46134r1_chk",
7 | "F-43524r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Inspect \"/etc/login.defs\" and ensure the following line appears: \n\nENCRYPT_METHOD SHA512\n\n\nIf it does not, this is a finding.",
13 | "fix": "In \"/etc/login.defs\", add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm: \n\nENCRYPT_METHOD SHA512",
14 | "long_description": "Using a stronger hashing algorithm makes password cracking attacks more difficult.",
15 | "short_description": "The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs)."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38450:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38450",
6 | "C-46005r1_chk",
7 | "F-43395r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the ownership of \"/etc/passwd\", run the command: \n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following owner: \"root\" \nIf it does not, this is a finding.",
13 | "fix": "To properly set the owner of \"/etc/passwd\", run the command: \n\n# chown root /etc/passwd",
14 | "long_description": "The \"/etc/passwd\" file contains information about the users that are configured on the system. Protection of this file is critical for system security.",
15 | "short_description": "The /etc/passwd file must be owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/legal/signatures/alanr@unix.sh.sig:
--------------------------------------------------------------------------------
1 | -----BEGIN PGP SIGNED MESSAGE-----
2 | Hash: SHA1
3 |
4 | I have read and agree to the terms of the document for contributions to the IT Best Practices Project whose sha1 signature is shown below.
5 |
6 | Submitting this digitally signed email to Assimilation Systems Limited constitutes my acceptance of the terms of this agreement and I provide this file as a legally binding signature to the unmodified agreement taken from the itbestpractices.info site.
7 | The sha1 checksum of the original agreement PDF is:
8 | 967a7be949804a71e9293bd1fd1a6999a922a5bc IT Best Practices-Individual-1.0.pdf
9 |
10 | Alan Robertson
11 |
12 | 10 July, 2015.
13 | -----BEGIN PGP SIGNATURE-----
14 | Version: GnuPG v1
15 |
16 | iEYEARECAAYFAlWfz4AACgkQNkLhYXF6ZA4qyACdGEzoHvJ2QjAjZfsasLsV2A0f
17 | 9aAAoIamApxvNb6qLBwBSvaWtPjaEw19
18 | =xjKe
19 | -----END PGP SIGNATURE-----
20 |
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38451:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38451",
6 | "C-46006r1_chk",
7 | "F-43396r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the group ownership of \"/etc/passwd\", run the command: \n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following group-owner. \"root\" \nIf it does not, this is a finding.",
13 | "fix": "To properly set the group owner of \"/etc/passwd\", run the command: \n\n# chgrp root /etc/passwd",
14 | "long_description": "The \"/etc/passwd\" file contains information about the users that are configured on the system. Protection of this file is critical for system security.",
15 | "short_description": "The /etc/passwd file must be group-owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38459:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38459",
6 | "C-46014r1_chk",
7 | "F-43404r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the group ownership of \"/etc/group\", run the command: \n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following group-owner. \"root\" \nIf it does not, this is a finding.",
13 | "fix": "To properly set the group owner of \"/etc/group\", run the command: \n\n# chgrp root /etc/group",
14 | "long_description": "The \"/etc/group\" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.",
15 | "short_description": "The /etc/group file must be group-owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38584:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38584",
6 | "C-46142r1_chk",
7 | "F-43532r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If network services are using the xinetd service, this is not applicable.\n\nRun the following command to determine if the \"xinetd\" package is installed: \n\n# rpm -q xinetd\n\n\nIf the package is installed, this is a finding.",
13 | "fix": "The \"xinetd\" package can be uninstalled with the following command: \n\n# yum erase xinetd",
14 | "long_description": "Removing the \"xinetd\" package decreases the risk of the xinetd service's accidental (or intentional) activation.",
15 | "short_description": "The xinetd service must be uninstalled if no network services utilizing it are enabled."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38674:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38674",
6 | "C-46234r1_chk",
7 | "F-43623r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify the default runlevel is 3, run the following command: \n\n# grep initdefault /etc/inittab\n\nThe output should show the following: \n\nid:3:initdefault:\n\n\nIf it does not, this is a finding.",
13 | "fix": "Setting the system's runlevel to 3 will prevent automatic startup of the X server. To do so, ensure the following line in \"/etc/inittab\" features a \"3\" as shown: \n\nid:3:initdefault:",
14 | "long_description": "Unnecessary services should be disabled to decrease the attack surface of the system.",
15 | "short_description": "X Windows must not be enabled unless required."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38461:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38461",
6 | "C-46015r1_chk",
7 | "F-43406r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the permissions of \"/etc/group\", run the command: \n\n$ ls -l /etc/group\n\nIf properly configured, the output should indicate the following permissions: \"-rw-r--r--\" \nIf it does not, this is a finding.",
13 | "fix": "To properly set the permissions of \"/etc/group\", run the command: \n\n# chmod 644 /etc/group",
14 | "long_description": "The \"/etc/group\" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.",
15 | "short_description": "The /etc/group file must have mode 0644 or less permissive."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38493:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38493",
6 | "C-46050r1_chk",
7 | "F-43440r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to check the mode of the system audit directories: \n\ngrep \"^log_file\" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n\n\nAudit directories must be mode 0755 or less permissive. \nIf any are more permissive, this is a finding.",
13 | "fix": "Change the mode of the audit log directories with the following command: \n\n# chmod go-w [audit_directory]",
14 | "long_description": "If users can delete audit logs, audit trails can be modified or destroyed.",
15 | "short_description": "Audit log directories must have mode 0755 or less permissive."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38653:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38653",
6 | "C-46213r1_chk",
7 | "F-43602r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To ensure the default password is not set, run the following command: \n\n# grep -v \"^#\" /etc/snmp/snmpd.conf| grep public\n\nThere should be no output. \nIf there is output, this is a finding.",
13 | "fix": "Edit \"/etc/snmp/snmpd.conf\", remove default community string \"public\". Upon doing that, restart the SNMP service: \n\n# service snmpd restart",
14 | "long_description": "Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system.",
15 | "short_description": "The snmpd service must not use a default password."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38671:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38671",
6 | "C-46231r1_chk",
7 | "F-43620r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine if the \"sendmail\" package is installed: \n\n# rpm -q sendmail\n\n\nIf the package is installed, this is a finding.",
13 | "fix": "Sendmail is not the default mail transfer agent and is not installed by default. The \"sendmail\" package can be removed with the following command: \n\n# yum erase sendmail",
14 | "long_description": "The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.",
15 | "short_description": "The sendmail package must be removed."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38579:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38579",
6 | "C-46137r1_chk",
7 | "F-43527r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the ownership of \"/etc/grub.conf\", run the command: \n\n$ ls -lL /etc/grub.conf\n\nIf properly configured, the output should indicate the following owner: \"root\" \nIf it does not, this is a finding.",
13 | "fix": "The file \"/etc/grub.conf\" should be owned by the \"root\" user to prevent destruction or modification of the file. To properly set the owner of \"/etc/grub.conf\", run the command: \n\n# chown root /etc/grub.conf",
14 | "long_description": "Only root should be able to modify important boot parameters.",
15 | "short_description": "The system boot loader configuration file(s) must be owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38577:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38577",
6 | "C-46135r1_chk",
7 | "F-43525r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Inspect \"/etc/libuser.conf\" and ensure the following line appears in the \"[default]\" section: \n\ncrypt_style = sha512\n\n\nIf it does not, this is a finding.",
13 | "fix": "In \"/etc/libuser.conf\", add or correct the following line in its \"[defaults]\" section to ensure the system will use the SHA-512 algorithm for password hashing: \n\ncrypt_style = sha512",
14 | "long_description": "Using a stronger hashing algorithm makes password cracking attacks more difficult.",
15 | "short_description": "The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf)."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38462:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38462",
6 | "C-46017r1_chk",
7 | "F-43407r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Verify RPM signature validation is not disabled:\n# grep nosignature /etc/rpmrc /usr/lib/rpm/rpmrc /usr/lib/rpm/redhat/rpmrc ~root/.rpmrc\nIf any configuration is found, this is a finding.",
13 | "fix": "Edit the RPM configuration files containing the \"nosignature\" option and remove the option.",
14 | "long_description": "Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.",
15 | "short_description": "The RPM package management tool must cryptographically verify the authenticity of all software packages during installation."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38652:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38652",
6 | "C-46212r2_chk",
7 | "F-43601r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify the \"nodev\" option is configured for all NFS mounts, run the following command: \n\n$ mount | grep \"nfs \"\n\nAll NFS mounts should show the \"nodev\" setting in parentheses, along with other mount options. \nIf the setting does not show, this is a finding.",
13 | "fix": "Add the \"nodev\" option to the fourth column of \"/etc/fstab\" for the line which controls mounting of any NFS mounts.",
14 | "long_description": "Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.",
15 | "short_description": "Remote file systems must be mounted with the nodev option."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38610:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38610",
6 | "C-46168r1_chk",
7 | "F-43558r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To ensure the SSH idle timeout will occur when the \"ClientAliveCountMax\" is set, run the following command: \n\n# grep ClientAliveCountMax /etc/ssh/sshd_config\n\nIf properly configured, output should be: \n\nClientAliveCountMax 0\n\n\nIf it is not, this is a finding.",
13 | "fix": "To ensure the SSH idle timeout occurs precisely when the \"ClientAliveCountMax\" is set, edit \"/etc/ssh/sshd_config\" as follows: \n\nClientAliveCountMax 0",
14 | "long_description": "This ensures a user login will be terminated as soon as the \"ClientAliveCountMax\" is reached.",
15 | "short_description": "The SSH daemon must set a timeout count on idle sessions."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38660:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38660",
6 | "C-46215r1_chk",
7 | "F-43604r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To ensure only SNMPv3 or newer is used, run the following command: \n\n# grep 'v1\\|v2c\\|com2sec' /etc/snmp/snmpd.conf | grep -v '^#'\n\nThere should be no output. \nIf there is output, this is a finding.",
13 | "fix": "Edit \"/etc/snmp/snmpd.conf\", removing any references to \"v1\", \"v2c\", or \"com2sec\". Upon doing that, restart the SNMP service: \n\n# service snmpd restart",
14 | "long_description": "Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information.\n",
15 | "short_description": "The snmpd service must use only SNMP protocol version 3 or newer."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38480:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38480",
6 | "C-46035r1_chk",
7 | "F-43425r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the password warning age, run the command: \n\n$ grep PASS_WARN_AGE /etc/login.defs\n\nThe DoD requirement is 7. \nIf it is not set to the required value, this is a finding.",
13 | "fix": "To specify how many days prior to password expiration that a warning will be issued to users, edit the file \"/etc/login.defs\" and add or correct the following line, replacing [DAYS] appropriately: \n\nPASS_WARN_AGE [DAYS]\n\nThe DoD requirement is 7.",
14 | "long_description": "Setting the password warning age enables users to make the change at a practical time.",
15 | "short_description": "Users must be warned 7 days in advance of password expiration."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38616:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38616",
6 | "C-46175r1_chk",
7 | "F-43565r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To ensure users are not able to present environment daemons, run the following command: \n\n# grep PermitUserEnvironment /etc/ssh/sshd_config\n\nIf properly configured, output should be: \n\nPermitUserEnvironment no\n\n\nIf it is not, this is a finding.",
13 | "fix": "To ensure users are not able to present environment options to the SSH daemon, add or correct the following line in \"/etc/ssh/sshd_config\": \n\nPermitUserEnvironment no",
14 | "long_description": "SSH environment options potentially allow users to bypass access restriction in some configurations.",
15 | "short_description": "The SSH daemon must not permit user environment settings."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38463:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38463",
6 | "C-46018r1_chk",
7 | "F-43408r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine if \"/var/log\" is on its own partition or logical volume: \n\n$ mount | grep \"on /var/log \"\n\nIf \"/var/log\" has its own partition or volume group, a line will be returned. \nIf no line is returned, this is a finding.",
13 | "fix": "System logs are stored in the \"/var/log\" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.",
14 | "long_description": "Placing \"/var/log\" in its own partition enables better separation between log files and other files in \"/var/\".",
15 | "short_description": "The system must use a separate file system for /var/log."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38607:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38607",
6 | "C-46165r1_chk",
7 | "F-43555r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check which SSH protocol version is allowed, run the following command: \n\n# grep Protocol /etc/ssh/sshd_config\n\nIf configured properly, output should be \n\nProtocol 2\n\n\nIf it is not, this is a finding.",
13 | "fix": "Only SSH protocol version 2 connections should be permitted. The default setting in \"/etc/ssh/sshd_config\" is correct, and can be verified by ensuring that the following line appears: \n\nProtocol 2",
14 | "long_description": "SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.",
15 | "short_description": "The SSH daemon must be configured to use only the SSHv2 protocol."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38676:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38676",
6 | "C-46236r1_chk",
7 | "F-43625r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To ensure the X Windows package group is removed, run the following command: \n\n$ rpm -qi xorg-x11-server-common\n\nThe output should be: \n\npackage xorg-x11-server-common is not installed\n\n\nIf it is not, this is a finding.",
13 | "fix": "Removing all packages which constitute the X Window System ensures users or malicious software cannot start X. To do so, run the following command: \n\n# yum groupremove \"X Window System\"",
14 | "long_description": "Unnecessary packages should not be installed to decrease the attack surface of the system.",
15 | "short_description": "The xorg-x11-server-common (X Windows) package must not be installed, unless required."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38471:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38471",
6 | "C-46026r1_chk",
7 | "F-43416r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Verify the audispd plugin is active:\n\n# grep active /etc/audisp/plugins.d/syslog.conf\n\nIf the \"active\" setting is missing or set to \"no\", this is a finding.",
13 | "fix": "Set the \"active\" line in \"/etc/audisp/plugins.d/syslog.conf\" to \"yes\". Restart the auditd process.\n\n# service auditd restart",
14 | "long_description": "The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server.",
15 | "short_description": "The system must forward audit records to the syslog service."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38578:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38578",
6 | "C-46136r1_chk",
7 | "F-43526r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify that auditing is configured for system administrator actions, run the following command: \n\n# auditctl -l | grep \"watch=/etc/sudoers\"\n\n\nIf there is no output, this is a finding.",
13 | "fix": "At a minimum, the audit system should collect administrator actions for all users and root. Add the following to \"/etc/audit/audit.rules\": \n\n-w /etc/sudoers -p wa -k actions",
14 | "long_description": "The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.",
15 | "short_description": "The audit system must be configured to audit changes to the /etc/sudoers file."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38675:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38675",
6 | "C-46235r2_chk",
7 | "F-43624r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify that core dumps are disabled for all users, run the following command:\n\n$ grep core /etc/security/limits.conf /etc/security/limits.d/*.conf\n\nThe output should be:\n\n* hard core 0\n\nIf it is not, this is a finding.",
13 | "fix": "To disable core dumps for all users, add the following line to \"/etc/security/limits.conf\": \n\n* hard core 0",
14 | "long_description": "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.",
15 | "short_description": "Process core dumps must be disabled unless needed."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38555:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38555",
6 | "C-46113r2_chk",
7 | "F-43503r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \"iptables\" service: \n\n# service iptables status\n\nIf the service is not running, it should return the following: \n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.",
13 | "fix": "The \"iptables\" service can be enabled with the following commands: \n\n# chkconfig iptables on\n# service iptables start",
14 | "long_description": "The \"iptables\" service provides the system's host-based firewalling capability for IPv4 and ICMP.",
15 | "short_description": "The system must employ a local IPv4 firewall."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38624:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38624",
6 | "C-46183r1_chk",
7 | "F-43573r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following commands to determine the current status of the \"logrotate\" service: \n\n# grep logrotate /var/log/cron*\n\nIf the logrotate service is not run on a daily basis by cron, this is a finding.",
13 | "fix": "The \"logrotate\" service should be installed or reinstalled if it is not installed and operating properly, by running the following command:\n\n# yum reinstall logrotate",
14 | "long_description": "Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.",
15 | "short_description": "System logs must be rotated daily."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38654:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38654",
6 | "C-46214r3_chk",
7 | "F-43603r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify the \"nosuid\" option is configured for all NFS mounts, run the following command: \n\n$ mount | grep nfs\n\nAll NFS mounts should show the \"nosuid\" setting in parentheses, along with other mount options. \nIf the setting does not show, this is a finding.",
13 | "fix": "Add the \"nosuid\" option to the fourth column of \"/etc/fstab\" for the line which controls mounting of any NFS mounts.",
14 | "long_description": "NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.",
15 | "short_description": "Remote file systems must be mounted with the nosuid option."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38590:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38590",
6 | "C-46148r1_chk",
7 | "F-43538r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine if the \"screen\" package is installed: \n\n# rpm -q screen\n\n\nIf the package is not installed, this is a finding.",
13 | "fix": "To enable console screen locking when in text mode, install the \"screen\" package: \n\n# yum install screen\n\nInstruct users to begin new terminal sessions with the following command: \n\n$ screen\n\nThe console can now be locked with the following key combination: \n\nctrl+a x",
14 | "long_description": "Installing \"screen\" ensures a console locking capability is available for users who may need to suspend console logins.",
15 | "short_description": "The system must allow locking of the console screen in text mode."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38457:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38457",
6 | "C-46007r1_chk",
7 | "F-43397r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the permissions of \"/etc/passwd\", run the command: \n\n$ ls -l /etc/passwd\n\nIf properly configured, the output should indicate the following permissions: \"-rw-r--r--\" \nIf it does not, this is a finding.",
13 | "fix": "To properly set the permissions of \"/etc/passwd\", run the command: \n\n# chmod 0644 /etc/passwd",
14 | "long_description": "If the \"/etc/passwd\" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.",
15 | "short_description": "The /etc/passwd file must have mode 0644 or less permissive."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-51379:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-51379",
6 | "C-53719r1_chk",
7 | "F-56179r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check for unlabeled device files, run the following command:\n\n# ls -RZ /dev | grep unlabeled_t\n\nIt should produce no output in a well-configured system. \n\nIf there is output, this is a finding.",
13 | "fix": "Device files, which are used for communication with important system resources, should be labeled with proper SELinux types. If any device files carry the SELinux type \"unlabeled_t\", investigate the cause and correct the file's context.",
14 | "long_description": "If a device file carries the SELinux type \"unlabeled_t\", then SELinux cannot properly restrict access to the device file. ",
15 | "short_description": "All device files must be monitored by the system Linux Security Module."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38502:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38502",
6 | "C-46059r1_chk",
7 | "F-43449r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the ownership of \"/etc/shadow\", run the command: \n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following owner: \"root\" \nIf it does not, this is a finding.",
13 | "fix": "To properly set the owner of \"/etc/shadow\", run the command: \n\n# chown root /etc/shadow",
14 | "long_description": "The \"/etc/shadow\" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.",
15 | "short_description": "The /etc/shadow file must be owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38581:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38581",
6 | "C-46139r1_chk",
7 | "F-43529r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the group ownership of \"/etc/grub.conf\", run the command: \n\n$ ls -lL /etc/grub.conf\n\nIf properly configured, the output should indicate the following group-owner. \"root\" \nIf it does not, this is a finding.",
13 | "fix": "The file \"/etc/grub.conf\" should be group-owned by the \"root\" group to prevent destruction or modification of the file. To properly set the group owner of \"/etc/grub.conf\", run the command: \n\n# chgrp root /etc/grub.conf",
14 | "long_description": "The \"root\" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.",
15 | "short_description": "The system boot loader configuration file(s) must be group-owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38587:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38587",
6 | "C-46144r1_chk",
7 | "F-43535r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine if the \"telnet-server\" package is installed: \n\n# rpm -q telnet-server\n\n\nIf the package is installed, this is a finding.",
13 | "fix": "The \"telnet-server\" package can be uninstalled with the following command: \n\n# yum erase telnet-server",
14 | "long_description": "Removing the \"telnet-server\" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation.\n\nMitigation: If the telnet-server package is configured to only allow encrypted sessions, such as with Kerberos or the use of encrypted network tunnels, the risk of exposing sensitive information is mitigated.",
15 | "short_description": "The telnet-server package must not be installed."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38622:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38622",
6 | "C-46182r2_chk",
7 | "F-43572r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system is an authorized mail relay host, this is not applicable. \n\nRun the following command to ensure postfix accepts mail messages from only the local system: \n\n$ grep inet_interfaces /etc/postfix/main.cf\n\nIf properly configured, the output should show only \"localhost\". \nIf it does not, this is a finding.",
13 | "fix": "Edit the file \"/etc/postfix/main.cf\" to ensure that only the following \"inet_interfaces\" line appears: \n\ninet_interfaces = localhost",
14 | "long_description": "This ensures \"postfix\" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.",
15 | "short_description": "Mail relaying must be restricted."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38477:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38477",
6 | "C-46032r1_chk",
7 | "F-43422r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the minimum password age, run the command: \n\n$ grep PASS_MIN_DAYS /etc/login.defs\n\nThe DoD requirement is 1. \nIf it is not set to the required value, this is a finding.",
13 | "fix": "To specify password minimum age for new accounts, edit the file \"/etc/login.defs\" and add or correct the following line, replacing [DAYS] appropriately: \n\nPASS_MIN_DAYS [DAYS]\n\nA value of 1 day is considered sufficient for many environments. The DoD requirement is 1.",
14 | "long_description": "Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.",
15 | "short_description": "Users must not be able to change passwords more than once every 24 hours."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38504:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38504",
6 | "C-46061r2_chk",
7 | "F-43451r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the permissions of \"/etc/shadow\", run the command: \n\n$ ls -l /etc/shadow\n\nIf properly configured, the output should indicate the following permissions: \"----------\" \nIf it does not, this is a finding.",
13 | "fix": "To properly set the permissions of \"/etc/shadow\", run the command: \n\n# chmod 0000 /etc/shadow",
14 | "long_description": "The \"/etc/shadow\" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.",
15 | "short_description": "The /etc/shadow file must have mode 0000."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38549:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38549",
6 | "C-46107r3_chk",
7 | "F-43497r3_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system is a cross-domain system, this is not applicable.\n\nIf IPv6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \"ip6tables\" service: \n\n# service ip6tables status\n\nIf the service is not running, it should return the following: \n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.",
13 | "fix": "The \"ip6tables\" service can be enabled with the following commands: \n\n# chkconfig ip6tables on\n# service ip6tables start",
14 | "long_description": "The \"ip6tables\" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.",
15 | "short_description": "The system must employ a local IPv6 firewall."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38455:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38455",
6 | "C-45997r1_chk",
7 | "F-43387r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine if \"/tmp\" is on its own partition or logical volume: \n\n$ mount | grep \"on /tmp \"\n\nIf \"/tmp\" has its own partition or volume group, a line will be returned. \nIf no line is returned, this is a finding.",
13 | "fix": "The \"/tmp\" directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.",
14 | "long_description": "The \"/tmp\" partition is used as temporary storage by many programs. Placing \"/tmp\" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.",
15 | "short_description": "The system must use a separate file system for /tmp."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38491:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38491",
6 | "C-46048r1_chk",
7 | "F-43438r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The existence of the file \"/etc/hosts.equiv\" or a file named \".rhosts\" inside a user home directory indicates the presence of an Rsh trust relationship. \nIf these files exist, this is a finding.",
13 | "fix": "The files \"/etc/hosts.equiv\" and \"~/.rhosts\" (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location. \n\n# rm /etc/hosts.equiv\n\n\n\n$ rm ~/.rhosts",
14 | "long_description": "Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.",
15 | "short_description": "There must be no .rhosts or hosts.equiv files on the system."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-51337:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-51337",
6 | "C-54007r1_chk",
7 | "F-56147r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Inspect \"/etc/grub.conf\" for any instances of \"selinux=0\" in the kernel boot arguments. Presence of \"selinux=0\" indicates that SELinux is disabled at boot time. If SELinux is disabled at boot time, this is a finding.",
13 | "fix": "SELinux can be disabled at boot time by an argument in \"/etc/grub.conf\". Remove any instances of \"selinux=0\" from the kernel arguments in that file to prevent SELinux from being disabled at boot.",
14 | "long_description": "Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.",
15 | "short_description": "The system must use a Linux Security Module at boot time."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38605:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38605",
6 | "C-46163r1_chk",
7 | "F-43553r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine the current status of the \"crond\" service: \n\n# service crond status\n\nIf the service is enabled, it should return the following: \n\ncrond is running...\n\n\nIf the service is not running, this is a finding.",
13 | "fix": "The \"crond\" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The \"crond\" service can be enabled with the following commands: \n\n# chkconfig crond on\n# service crond start",
14 | "long_description": "Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.",
15 | "short_description": "The cron service must be running."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38670:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38670",
6 | "C-46229r2_chk",
7 | "F-43619r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine that periodic AIDE execution has been scheduled, run the following command: \n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.",
13 | "fix": "AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: \n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one example.",
14 | "long_description": "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.",
15 | "short_description": "The operating system must detect unauthorized changes to software and information."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38588:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38588",
6 | "C-46146r1_chk",
7 | "F-43536r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check whether interactive boot is disabled, run the following command: \n\n$ grep PROMPT /etc/sysconfig/init\n\nIf interactive boot is disabled, the output will show: \n\nPROMPT=no\n\n\nIf it does not, this is a finding.",
13 | "fix": "To disable the ability for users to perform interactive startups, edit the file \"/etc/sysconfig/init\". Add or correct the line: \n\nPROMPT=no\n\nThe \"PROMPT\" option allows the console user to perform an interactive system startup, in which it is possible to select the set of services which are started on boot.",
14 | "long_description": "Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.",
15 | "short_description": "The system must not permit interactive boot."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38619:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38619",
6 | "C-46179r3_chk",
7 | "F-43569r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the system for the existence of any \".netrc\" files, run the following command: \n\n$ sudo find /root /home -xdev -name .netrc\n\nIf any .netrc files exist, this is a finding.",
13 | "fix": "The \".netrc\" files contain logon information used to auto-logon into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any \".netrc\" files should be removed.",
14 | "long_description": "Unencrypted passwords for remote FTP servers may be stored in \".netrc\" files. DoD policy requires passwords be encrypted in storage and not used in access scripts.",
15 | "short_description": "There must be no .netrc files on the system."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-51363:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-51363",
6 | "C-53703r1_chk",
7 | "F-56165r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Check the file \"/etc/selinux/config\" and ensure the following line appears:\n\nSELINUX=enforcing\n\nIf SELINUX is not set to enforcing, this is a finding.",
13 | "fix": "The SELinux state should be set to \"enforcing\" at system boot time. In the file \"/etc/selinux/config\", add or correct the following line to configure the system to boot into enforcing mode:\n\nSELINUX=enforcing",
14 | "long_description": "Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. ",
15 | "short_description": "The system must use a Linux Security Module configured to enforce limits on system services."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38583:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38583",
6 | "C-46141r2_chk",
7 | "F-43531r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the permissions of /etc/grub.conf, run the command:\n\n$ sudo ls -lL /etc/grub.conf\n\nIf properly configured, the output should indicate the following permissions: \"-rw-------\"\nIf it does not, this is a finding.",
13 | "fix": "File permissions for \"/boot/grub/grub.conf\" should be set to 600, which is the default. To properly set the permissions of \"/boot/grub/grub.conf\", run the command:\n\n# chmod 600 /boot/grub/grub.conf\n\nBoot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures.",
14 | "long_description": "Proper permissions ensure that only the root user can modify important boot parameters.",
15 | "short_description": "The system boot loader configuration file(s) must have mode 0600 or less permissive."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38687:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38687",
6 | "C-46249r2_chk",
7 | "F-43636r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system does not communicate over untrusted networks, this is not applicable.\n\nRun the following command to determine if the \"openswan\" package is installed: \n\n# rpm -q openswan\n\n\nIf the package is not installed, this is a finding.",
13 | "fix": "The Openswan package provides an implementation of IPsec and IKE, which permits the creation of secure tunnels over untrusted networks. The \"openswan\" package can be installed with the following command: \n\n# yum install openswan",
14 | "long_description": "Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network.",
15 | "short_description": "The system must provide VPN connectivity for communications over untrusted networks."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38673:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38673",
6 | "C-46232r2_chk",
7 | "F-43621r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine that periodic AIDE execution has been scheduled, run the following command: \n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.",
13 | "fix": "AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: \n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one example.",
14 | "long_description": "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.",
15 | "short_description": "The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38613:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38613",
6 | "C-46171r1_chk",
7 | "F-43561r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine how the SSH daemon's \"PermitRootLogin\" option is set, run the following command: \n\n# grep -i PermitRootLogin /etc/ssh/sshd_config\n\nIf a line indicating \"no\" is returned, then the required value is set. \nIf the required value is not set, this is a finding.",
13 | "fix": "The root user should never be allowed to log in to a system directly over a network. To disable root login via SSH, add or correct the following line in \"/etc/ssh/sshd_config\": \n\nPermitRootLogin no",
14 | "long_description": "Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password.",
15 | "short_description": "The system must not permit root logins using remote access programs such as ssh."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38446:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38446",
6 | "C-46001r1_chk",
7 | "F-43391r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Find the list of alias maps used by the Postfix mail server:\n\n# postconf alias_maps\n\nQuery the Postfix alias maps for an alias for \"root\":\n\n# postmap -q root \n\nIf there are no aliases configured for root that forward to a monitored email address, this is a finding.",
13 | "fix": "Set up an alias for root that forwards to a monitored email address:\n\n# echo \"root: @mail.mil\" >> /etc/aliases\n# newaliases",
14 | "long_description": "A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address.",
15 | "short_description": "The mail system must forward all mail for root to one or more system administrators."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38611:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38611",
6 | "C-46169r1_chk",
7 | "F-43559r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine how the SSH daemon's \"IgnoreRhosts\" option is set, run the following command: \n\n# grep -i IgnoreRhosts /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \"yes\" is returned, then the required value is set. \nIf the required value is not set, this is a finding.",
13 | "fix": "SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via \".rhosts\" files. \n\nTo ensure this behavior is disabled, add or correct the following line in \"/etc/ssh/sshd_config\": \n\nIgnoreRhosts yes",
14 | "long_description": "SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.",
15 | "short_description": "The SSH daemon must ignore .rhosts files."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38609:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38609",
6 | "C-46166r2_chk",
7 | "F-43557r4_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check that the \"tftp\" service is disabled in system boot configuration, run the following command:\n\n# chkconfig \"tftp\" --list\n\nOutput should indicate the \"tftp\" service has either not been installed, or has been disabled, as shown in the example below:\n\n# chkconfig \"tftp\" --list\ntftp off\nOR\nerror reading information on service tftp: No such file or directory\n\n\nIf the service is running, this is a finding.",
13 | "fix": "The \"tftp\" service should be disabled. The \"tftp\" service can be disabled with the following command: \n\n# chkconfig tftp off",
14 | "long_description": "Disabling the \"tftp\" service ensures the system is not acting as a tftp server, which does not provide encryption or authentication.",
15 | "short_description": "The TFTP service must not be running."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38494:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38494",
6 | "C-46051r1_chk",
7 | "F-43441r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check for serial port entries which permit root login, run the following command: \n\n# grep '^ttyS[0-9]' /etc/securetty\n\nIf any output is returned, then root login over serial ports is permitted. \nIf root login over serial ports is permitted, this is a finding.",
13 | "fix": "To restrict root logins on serial ports, ensure lines of this form do not appear in \"/etc/securetty\": \n\nttyS0\nttyS1\n\nNote: Serial port entries are not limited to those listed above. Any lines starting with \"ttyS\" followed by numerals should be removed",
14 | "long_description": "Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account.",
15 | "short_description": "The system must prevent the root account from logging in from serial consoles."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-57569:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-57569",
6 | "C-58279r1_chk",
7 | "F-62639r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify that binaries cannot be directly executed from the /tmp directory, run the following command:\n\n$ grep '\\s/tmp' /etc/fstab\n\nThe resulting output will show whether the /tmp partition has the \"noexec\" flag set. If the /tmp partition does not have the noexec flag set, this is a finding.",
13 | "fix": "The \"noexec\" mount option can be used to prevent binaries from being executed out of \"/tmp\". Add the \"noexec\" option to the fourth column of \"/etc/fstab\" for the line which controls mounting of \"/tmp\".",
14 | "long_description": "Allowing users to execute binaries from world-writable directories such as \"/tmp\" should never be necessary in normal operation and can expose the system to potential compromise.",
15 | "short_description": "The noexec option must be added to the /tmp partition."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38512:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38512",
6 | "C-46069r2_chk",
7 | "F-43459r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \"iptables\" service: \n\n# service iptables status\n\nIf the service is not running, it should return the following: \n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.",
13 | "fix": "The \"iptables\" service can be enabled with the following commands: \n\n# chkconfig iptables on\n# service iptables start",
14 | "long_description": "The \"iptables\" service provides the system's host-based firewalling capability for IPv4 and ICMP.",
15 | "short_description": "The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38479:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38479",
6 | "C-46034r1_chk",
7 | "F-43424r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the maximum password age, run the command: \n\n$ grep PASS_MAX_DAYS /etc/login.defs\n\nThe DoD requirement is 60. \nIf it is not set to the required value, this is a finding.",
13 | "fix": "To specify password maximum age for new accounts, edit the file \"/etc/login.defs\" and add or correct the following line, replacing [DAYS] appropriately: \n\nPASS_MAX_DAYS [DAYS]\n\nThe DoD requirement is 60.",
14 | "long_description": "Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.",
15 | "short_description": "User passwords must be changed at least every 60 days."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38599:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38599",
6 | "C-46174r1_chk",
7 | "F-43564r3_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify this configuration, run the following command: \n\ngrep \"banner_file\" /etc/vsftpd/vsftpd.conf\n\nThe output should show the value of \"banner_file\" is set to \"/etc/issue\", an example of which is shown below. \n\n# grep \"banner_file\" /etc/vsftpd/vsftpd.conf\nbanner_file=/etc/issue\n\n\nIf it does not, this is a finding.",
13 | "fix": "Edit the vsftpd configuration file, which resides at \"/etc/vsftpd/vsftpd.conf\" by default. Add or correct the following configuration options. \n\nbanner_file=/etc/issue\n\nRestart the vsftpd daemon.\n\n# service vsftpd restart",
14 | "long_description": "This setting will cause the system greeting banner to be used for FTP connections as well.",
15 | "short_description": "The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38656:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38656",
6 | "C-46217r1_chk",
7 | "F-43606r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify that Samba clients running smbclient must use packet signing, run the following command: \n\n# grep signing /etc/samba/smb.conf\n\nThe output should show: \n\nclient signing = mandatory\n\n\nIf it is not, this is a finding.",
13 | "fix": "To require samba clients running \"smbclient\" to use packet signing, add the following to the \"[global]\" section of the Samba configuration file in \"/etc/samba/smb.conf\": \n\nclient signing = mandatory\n\nRequiring samba clients such as \"smbclient\" to use packet signing ensures they can only communicate with servers that support packet signing.",
14 | "long_description": "Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.",
15 | "short_description": "The system must use SMB client signing for connecting to samba servers using smbclient."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/itbp-00002:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "itbp": ["itbp-00002"]
5 | },
6 | "text": {
7 | "en": {
8 | "check": "To check that password authentication is disabled via openssh execute the following command\n# grep PasswordAuthentication /etc/ssh/sshd_config\nThe result should be an uncommented no. If there is no result the result is commented out or the value is yes, then this is a finding.",
9 | "fix": "To fix this issue, add the following line to /etc/ssh/sshd_config\nPasswordAuthentication no",
10 | "long_description": "By default, the secure shell service allows users to log into systems using passwords tunnelled through secure communications. This makes the services vulnerable to brute force attacks for users with weak passwords or passwords were shared across sites. Although this is a disabling password authentication is a good practice in general, it is critical for any systems which face the public internet.",
11 | "short_description": "The openssh service should not allow logging in using passwords."
12 | }
13 | }
14 | }
15 |
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38700:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38700",
6 | "C-46262r2_chk",
7 | "F-43649r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine that periodic AIDE execution has been scheduled, run the following command: \n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.",
13 | "fix": "AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: \n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one example.",
14 | "long_description": "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.",
15 | "short_description": "The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38499:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38499",
6 | "C-46056r1_chk",
7 | "F-43446r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check that no password hashes are stored in \"/etc/passwd\", run the following command: \n\n# awk -F: '($2 != \"x\") {print}' /etc/passwd\n\nIf it produces any output, then a password hash is stored in \"/etc/passwd\". \nIf any stored hashes are found in /etc/passwd, this is a finding.",
13 | "fix": "If any password hashes are stored in \"/etc/passwd\" (in the second field, instead of an \"x\"), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.",
14 | "long_description": "The hashes for all user account passwords should be stored in the file \"/etc/shadow\" and never in \"/etc/passwd\", which is readable by all users.",
15 | "short_description": "The /etc/passwd file must not contain password hashes."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38560:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38560",
6 | "C-46118r2_chk",
7 | "F-43508r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system is a cross-domain system, this is not applicable.\n\nRun the following command to determine the current status of the \"iptables\" service: \n\n# service iptables status\n\nIf the service is not running, it should return the following: \n\niptables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.",
13 | "fix": "The \"iptables\" service can be enabled with the following commands: \n\n# chkconfig iptables on\n# service iptables start",
14 | "long_description": "The \"iptables\" service provides the system's host-based firewalling capability for IPv4 and ICMP.",
15 | "short_description": "The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38669:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38669",
6 | "C-46230r1_chk",
7 | "F-43618r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine the current status of the \"postfix\" service:\n\n# service postfix status\n\nIf the service is enabled, it should return the following:\n\npostfix is running...\n\nIf the service is not enabled, this is a finding.",
13 | "fix": "The Postfix mail transfer agent is used for local mail delivery within the system. The default configuration only listens for connections to the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. The \"postfix\" service can be enabled with the following command: \n\n# chkconfig postfix on\n# service postfix start",
14 | "long_description": "Local mail delivery is essential to some system maintenance and notification tasks.",
15 | "short_description": "The postfix service must be enabled for mail delivery."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38696:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38696",
6 | "C-46258r2_chk",
7 | "F-43645r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine that periodic AIDE execution has been scheduled, run the following command: \n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.",
13 | "fix": "AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: \n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one example.",
14 | "long_description": "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.",
15 | "short_description": "The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38658:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38658",
6 | "C-46219r1_chk",
7 | "F-43608r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify the password reuse setting is compliant, run the following command: \n\n$ grep remember /etc/pam.d/system-auth\n\nThe output should show the following at the end of the line: \n\nremember=24\n\n\nIf it does not, this is a finding.",
13 | "fix": "Do not allow users to reuse recent passwords. This can be accomplished by using the \"remember\" option for the \"pam_unix\" PAM module. In the file \"/etc/pam.d/system-auth\", append \"remember=24\" to the line which refers to the \"pam_unix.so\" module, as shown: \n\npassword sufficient pam_unix.so [existing_options] remember=24\n\nThe DoD requirement is 24 passwords.",
14 | "long_description": "Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user.",
15 | "short_description": "The system must prohibit the reuse of passwords within twenty-four iterations."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38460:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38460",
6 | "C-46016r1_chk",
7 | "F-43405r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the NFS server is read-only, in support of unrestricted access to organizational content, this is not applicable.\n\nThe related \"root_squash\" option provides protection against remote administrator-level access to NFS server content. Its use is not a finding.\n\nTo verify the \"all_squash\" option has been disabled, run the following command:\n\n# grep all_squash /etc/exports\n\n\nIf there is output, this is a finding.",
13 | "fix": "Remove any instances of the \"all_squash\" option from the file \"/etc/exports\". Restart the NFS daemon for the changes to take effect.\n\n# service nfs restart",
14 | "long_description": "The \"all_squash\" option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID.",
15 | "short_description": "The NFS server must not have the all_squash option enabled."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38497:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38497",
6 | "C-46054r2_chk",
7 | "F-43444r4_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify that null passwords cannot be used, run the following command: \n\n# grep nullok /etc/pam.d/system-auth\n\nIf this produces any output, it may be possible to log into accounts with empty passwords. \nIf NULL passwords can be used, this is a finding.",
13 | "fix": "If an account is configured for password authentication but does not have an assigned password, it may be possible to log onto the account without authentication. Remove any instances of the \"nullok\" option in \"/etc/pam.d/system-auth\" to prevent logons with empty passwords.",
14 | "long_description": "If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.",
15 | "short_description": "The system must not have accounts configured with blank or null passwords."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38500:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38500",
6 | "C-46057r2_chk",
7 | "F-43447r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To list all password file entries for accounts with UID 0, run the following command: \n\n# awk -F: '($3 == 0) {print}' /etc/passwd\n\nThis should print only one line, for the user root. \nIf any account other than root has a UID of 0, this is a finding.",
13 | "fix": "If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.",
14 | "long_description": "An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.",
15 | "short_description": "The root account must be the only account having a UID of 0."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38680:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38680",
6 | "C-46241r1_chk",
7 | "F-43629r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator: \n\naction_mail_acct = root\n\n\nIf auditd is not configured to send emails per identified actions, this is a finding.",
13 | "fix": "The \"auditd\" service can be configured to send email to a designated account in certain situations. Add or correct the following line in \"/etc/audit/auditd.conf\" to ensure that administrators are notified via email for those situations: \n\naction_mail_acct = root",
14 | "long_description": "Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.",
15 | "short_description": "The audit system must identify staff members to receive notifications of audit log storage volume capacity issues."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38553:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38553",
6 | "C-46111r3_chk",
7 | "F-43501r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system is a cross-domain system, this is not applicable.\n\nIf IPv6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \"ip6tables\" service: \n\n# service ip6tables status\n\nIf the service is not running, it should return the following: \n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.",
13 | "fix": "The \"ip6tables\" service can be enabled with the following commands: \n\n# chkconfig ip6tables on\n# service ip6tables start",
14 | "long_description": "The \"ip6tables\" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.",
15 | "short_description": "The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38625:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38625",
6 | "C-46184r1_chk",
7 | "F-43574r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system does not use LDAP for authentication or account information, this is not applicable.\n\nTo ensure LDAP is configured to use TLS for all transactions, run the following command: \n\n$ grep start_tls /etc/pam_ldap.conf\n\n\nIf no lines are returned, this is a finding.",
13 | "fix": "Configure LDAP to enforce TLS use. First, edit the file \"/etc/pam_ldap.conf\", and add or correct the following lines: \n\nssl start_tls\n\nThen review the LDAP server and ensure TLS has been configured.",
14 | "long_description": "The ssl directive specifies whether to use ssl or not. If not specified it will default to \"no\". It should be set to \"start_tls\" rather than doing LDAP over SSL.",
15 | "short_description": "If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38627:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38627",
6 | "C-46187r1_chk",
7 | "F-43577r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify the \"openldap-servers\" package is not installed, run the following command: \n\n$ rpm -q openldap-servers\n\nThe output should show the following. \n\npackage openldap-servers is not installed\n\n\nIf it does not, this is a finding.",
13 | "fix": "The \"openldap-servers\" package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package. \n\n# yum erase openldap-servers\n\nThe openldap-servers RPM is not installed by default on RHEL6 machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed.",
14 | "long_description": "Unnecessary packages should not be installed to decrease the attack surface of the system.",
15 | "short_description": "The openldap-servers package must not be installed unless required."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38631:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38631",
6 | "C-46190r1_chk",
7 | "F-43580r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine the current status of the \"auditd\" service: \n\n# service auditd status\n\nIf the service is enabled, it should return the following: \n\nauditd is running...\n\n\nIf the service is not running, this is a finding.",
13 | "fix": "The \"auditd\" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The \"auditd\" service can be enabled with the following commands: \n\n# chkconfig auditd on\n# service auditd start",
14 | "long_description": "Ensuring the \"auditd\" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.",
15 | "short_description": "The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38632:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38632",
6 | "C-46191r1_chk",
7 | "F-43581r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine the current status of the \"auditd\" service: \n\n# service auditd status\n\nIf the service is enabled, it should return the following: \n\nauditd is running...\n\n\nIf the service is not running, this is a finding.",
13 | "fix": "The \"auditd\" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The \"auditd\" service can be enabled with the following commands: \n\n# chkconfig auditd on\n# service auditd start",
14 | "long_description": "Ensuring the \"auditd\" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.",
15 | "short_description": "The operating system must produce audit records containing sufficient information to establish what type of events occurred."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38647:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38647",
6 | "C-46207r1_chk",
7 | "F-43596r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Verify the \"umask\" setting is configured correctly in the \"/etc/profile\" file by running the following command: \n\n# grep \"umask\" /etc/profile\n\nAll output must show the value of \"umask\" set to 077, as shown in the below: \n\n# grep \"umask\" /etc/profile\numask 077\n\n\nIf the above command returns no output, or if the umask is configured incorrectly, this is a finding.",
13 | "fix": "To ensure the default umask controlled by \"/etc/profile\" is set properly, add or correct the \"umask\" setting in \"/etc/profile\" to read as follows: \n\numask 077",
14 | "long_description": "The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.",
15 | "short_description": "The system default umask in /etc/profile must be 077."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38651:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38651",
6 | "C-46211r1_chk",
7 | "F-43600r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Verify the \"umask\" setting is configured correctly in the \"/etc/bashrc\" file by running the following command: \n\n# grep \"umask\" /etc/bashrc\n\nAll output must show the value of \"umask\" set to 077, as shown below: \n\n# grep \"umask\" /etc/bashrc\numask 077\numask 077\n\n\nIf the above command returns no output, or if the umask is configured incorrectly, this is a finding.",
13 | "fix": "To ensure the default umask for users of the Bash shell is set properly, add or correct the \"umask\" setting in \"/etc/bashrc\" to read as follows: \n\numask 077",
14 | "long_description": "The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.",
15 | "short_description": "The system default umask for the bash shell must be 077."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38456:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38456",
6 | "C-46011r2_chk",
7 | "F-43401r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine if \"/var\" is on its own partition or logical volume: \n\n$ mount | grep \"on /var \"\n\nIf \"/var\" has its own partition or volume group, a line will be returned. \nIf no line is returned, this is a finding.",
13 | "fix": "The \"/var\" directory is used by daemons and other system services to store frequently-changing data. Ensure that \"/var\" has its own partition or logical volume at installation time, or migrate it using LVM.",
14 | "long_description": "Ensuring that \"/var\" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the \"/var\" directory to contain world-writable directories, installed by other software packages.",
15 | "short_description": "The system must use a separate file system for /var."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38492:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38492",
6 | "C-46049r1_chk",
7 | "F-43439r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check for virtual console entries which permit root login, run the following command: \n\n# grep '^vc/[0-9]' /etc/securetty\n\nIf any output is returned, then root logins over virtual console devices is permitted. \nIf root login over virtual console devices is permitted, this is a finding.",
13 | "fix": "To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in \"/etc/securetty\": \n\nvc/1\nvc/2\nvc/3\nvc/4\n\nNote: Virtual console entries are not limited to those listed above. Any lines starting with \"vc/\" followed by numerals should be removed.",
14 | "long_description": "Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. ",
15 | "short_description": "The system must prevent the root account from logging in from virtual consoles."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38541:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38541",
6 | "C-46099r1_chk",
7 | "F-43489r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine if the system is configured to audit changes to its SELinux configuration files, run the following command: \n\n# auditctl -l | grep \"dir=/etc/selinux\"\n\nIf the system is configured to watch for changes to its SELinux configuration, a line should be returned (including \"perm=wa\" indicating permissions that are watched). \nIf the system is not configured to audit attempts to change the MAC policy, this is a finding.",
13 | "fix": "Add the following to \"/etc/audit/audit.rules\": \n\n-w /etc/selinux/ -p wa -k MAC-policy",
14 | "long_description": "The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.",
15 | "short_description": "The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux)."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38639:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38639",
6 | "C-46199r4_chk",
7 | "F-43588r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the GConf2 package is not installed, this is not applicable. \n\nTo ensure the screensaver is configured to be blank, run the following command: \n\n$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode\n\nIf properly configured, the output should be \"blank-only\". \nIf it is not, this is a finding.",
13 | "fix": "Run the following command to set the screensaver mode in the GNOME desktop to a blank screen: \n\n# gconftool-2 \\\n--direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type string \\\n--set /apps/gnome-screensaver/mode blank-only",
14 | "long_description": "Setting the screensaver mode to blank-only conceals the contents of the display from passersby.",
15 | "short_description": "The system must display a publicly-viewable pattern during a graphical desktop environment session lock."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38649:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38649",
6 | "C-46209r1_chk",
7 | "F-43598r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Verify the \"umask\" setting is configured correctly in the \"/etc/csh.cshrc\" file by running the following command: \n\n# grep \"umask\" /etc/csh.cshrc\n\nAll output must show the value of \"umask\" set to 077, as shown in the below: \n\n# grep \"umask\" /etc/csh.cshrc\numask 077\n\n\nIf the above command returns no output, or if the umask is configured incorrectly, this is a finding.",
13 | "fix": "To ensure the default umask for users of the C shell is set properly, add or correct the \"umask\" setting in \"/etc/csh.cshrc\" to read as follows: \n\numask 077",
14 | "long_description": "The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.",
15 | "short_description": "The system default umask for the csh shell must be 077."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38467:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38467",
6 | "C-46022r1_chk",
7 | "F-43412r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine if \"/var/log/audit\" is on its own partition or logical volume: \n\n$ mount | grep \"on /var/log/audit \"\n\nIf \"/var/log/audit\" has its own partition or volume group, a line will be returned. \nIf no line is returned, this is a finding.",
13 | "fix": "Audit logs are stored in the \"/var/log/audit\" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.",
14 | "long_description": "Placing \"/var/log/audit\" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.",
15 | "short_description": "The system must use a separate file system for the system audit data path."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38513:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38513",
6 | "C-46070r1_chk",
7 | "F-43460r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Inspect the file \"/etc/sysconfig/iptables\" to determine the default policy for the INPUT chain. It should be set to DROP. \n\n# grep \":INPUT\" /etc/sysconfig/iptables\n\nIf the default policy for the INPUT chain is not set to DROP, this is a finding.",
13 | "fix": "To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in \"/etc/sysconfig/iptables\": \n\n:INPUT DROP [0:0]",
14 | "long_description": "In \"iptables\" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to \"DROP\" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.",
15 | "short_description": "The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38657:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38657",
6 | "C-46218r4_chk",
7 | "F-43607r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If Samba is not in use, this is not applicable.\n\nTo verify that Samba clients using mount.cifs must use packet signing, run the following command: \n\n# grep sec /etc/fstab /etc/mtab\n\nThe output should show either \"krb5i\" or \"ntlmv2i\" in use. \nIf it does not, this is a finding.",
13 | "fix": "Require packet signing of clients who mount Samba shares using the \"mount.cifs\" program (e.g., those who specify shares in \"/etc/fstab\"). To do so, ensure signing options (either \"sec=krb5i\" or \"sec=ntlmv2i\") are used. \n\nSee the \"mount.cifs(8)\" man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.",
14 | "long_description": "Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.",
15 | "short_description": "The system must use SMB client signing for connecting to samba servers using mount.cifs."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38664:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38664",
6 | "C-46224r1_chk",
7 | "F-43613r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The following command will list which audit files on the system have ownership different from what is expected by the RPM database: \n\n# rpm -V audit | grep '^.....U'\n\n\nIf there is output, this is a finding.",
13 | "fix": "The RPM package management system can restore file ownership of the audit package files and directories. The following command will update audit files with ownership different from what is expected by the RPM database: \n\n# rpm --setugids audit",
14 | "long_description": "Ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.",
15 | "short_description": "The system package management tool must verify ownership on all files and directories associated with the audit package."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38645:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38645",
6 | "C-46205r1_chk",
7 | "F-43594r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Verify the \"umask\" setting is configured correctly in the \"/etc/login.defs\" file by running the following command: \n\n# grep -i \"umask\" /etc/login.defs\n\nAll output must show the value of \"umask\" set to 077, as shown in the below: \n\n# grep -i \"umask\" /etc/login.defs\nUMASK 077\n\n\nIf the above command returns no output, or if the umask is configured incorrectly, this is a finding.",
13 | "fix": "To ensure the default umask controlled by \"/etc/login.defs\" is set properly, add or correct the \"umask\" setting in \"/etc/login.defs\" to read as follows: \n\nUMASK 077",
14 | "long_description": "The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users.",
15 | "short_description": "The system default umask in /etc/login.defs must be 077."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38454:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38454",
6 | "C-46010r1_chk",
7 | "F-43400r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The following command will list which files on the system have ownership different from what is expected by the RPM database: \n\n# rpm -Va | grep '^.....U'\n\n\nIf there is output, this is a finding.",
13 | "fix": "The RPM package management system can restore ownership of package files and directories. The following command will update files and directories with ownership different from what is expected by the RPM database: \n\n# rpm -qf [file or directory name]\n# rpm --setugids [package]",
14 | "long_description": "Ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.",
15 | "short_description": "The system package management tool must verify ownership on all files and directories associated with packages."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38551:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38551",
6 | "C-46109r3_chk",
7 | "F-43499r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system is a cross-domain system, this is not applicable.\n\nIf IPV6 is disabled, this is not applicable.\n\nRun the following command to determine the current status of the \"ip6tables\" service: \n\n# service ip6tables status\n\nIf the service is not running, it should return the following: \n\nip6tables: Firewall is not running.\n\n\nIf the service is not running, this is a finding.",
13 | "fix": "The \"ip6tables\" service can be enabled with the following commands: \n\n# chkconfig ip6tables on\n# service ip6tables start",
14 | "long_description": "The \"ip6tables\" service provides the system's host-based firewalling capability for IPv6 and ICMPv6.",
15 | "short_description": "The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38628:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38628",
6 | "C-46186r1_chk",
7 | "F-43576r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine the current status of the \"auditd\" service: \n\n# service auditd status\n\nIf the service is enabled, it should return the following: \n\nauditd is running...\n\n\nIf the service is not running, this is a finding.",
13 | "fix": "The \"auditd\" service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The \"auditd\" service can be enabled with the following commands: \n\n# chkconfig auditd on\n# service auditd start",
14 | "long_description": "Ensuring the \"auditd\" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist.",
15 | "short_description": "The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38629:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38629",
6 | "C-46188r3_chk",
7 | "F-43578r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo check the current idle time-out value, run the following command: \n\n$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay\n\nIf properly configured, the output should be \"15\". \n\nIf it is not, this is a finding.",
13 | "fix": "Run the following command to set the idle time-out value for inactivity in the GNOME desktop to 15 minutes: \n\n# gconftool-2 \\\n--direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type int \\\n--set /apps/gnome-screensaver/idle_delay 15",
14 | "long_description": "Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby.",
15 | "short_description": "The graphical desktop environment must set the idle timeout to no more than 15 minutes."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-51369:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-51369",
6 | "C-53711r1_chk",
7 | "F-56171r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Check the file \"/etc/selinux/config\" and ensure the following line appears:\n\nSELINUXTYPE=targeted\n\nIf it does not, this is a finding.",
13 | "fix": "The SELinux \"targeted\" policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in \"/etc/selinux/config\":\n\nSELINUXTYPE=targeted\n\nOther policies, such as \"mls\", provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.",
14 | "long_description": "Setting the SELinux policy to \"targeted\" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. ",
15 | "short_description": "The system must use a Linux Security Module configured to limit the privileges of system services."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38698:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38698",
6 | "C-46261r2_chk",
7 | "F-43647r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine that periodic AIDE execution has been scheduled, run the following command: \n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output, this is a finding.",
13 | "fix": "AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: \n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one example.",
14 | "long_description": "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.",
15 | "short_description": "The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38643:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38643",
6 | "C-46202r3_chk",
7 | "F-43591r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To find world-writable files, run the following command for each local partition [PART], excluding special filesystems such as /selinux, /proc, or /sys: \n\n# find [PART] -xdev -type f -perm -002\n\nIf there is output, this is a finding.",
13 | "fix": "It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.",
14 | "long_description": "Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.",
15 | "short_description": "There must be no world-writable files on the system."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38615:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38615",
6 | "C-46173r1_chk",
7 | "F-43563r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine how the SSH daemon's \"Banner\" option is set, run the following command: \n\n# grep -i Banner /etc/ssh/sshd_config\n\nIf a line indicating /etc/issue is returned, then the required value is set. \nIf the required value is not set, this is a finding.",
13 | "fix": "To enable the warning banner and ensure it is consistent across the system, add or correct the following line in \"/etc/ssh/sshd_config\": \n\nBanner /etc/issue\n\nAnother section contains information on how to create an appropriate system-wide warning banner.",
14 | "long_description": "The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.",
15 | "short_description": "The SSH daemon must be configured with the Department of Defense (DoD) login banner."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38693:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38693",
6 | "C-46255r1_chk",
7 | "F-43642r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the maximum value for consecutive repeating characters, run the following command: \n\n$ grep pam_cracklib /etc/pam.d/system-auth\n\nLook for the value of the \"maxrepeat\" parameter. The DoD requirement is 3. \nIf maxrepeat is not found or not set to the required value, this is a finding.",
13 | "fix": "The pam_cracklib module's \"maxrepeat\" parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Add \"maxrepeat=3\" after pam_cracklib.so to prevent a run of (3 + 1) or more identical characters. \n\npassword required pam_cracklib.so maxrepeat=3",
14 | "long_description": "Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.",
15 | "short_description": "The system must require passwords to contain no more than three consecutive repeating characters."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38473:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38473",
6 | "C-46028r1_chk",
7 | "F-43418r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine if \"/home\" is on its own partition or logical volume: \n\n$ mount | grep \"on /home \"\n\nIf \"/home\" has its own partition or volume group, a line will be returned. \nIf no line is returned, this is a finding.",
13 | "fix": "If user home directories will be stored locally, create a separate partition for \"/home\" at installation time (or migrate it later using LVM). If \"/home\" will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.",
14 | "long_description": "Ensuring that \"/home\" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.",
15 | "short_description": "The system must use a separate file system for user home directories."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38638:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38638",
6 | "C-46198r3_chk",
7 | "F-43587r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the GConf2 package is not installed, this is not applicable. \n\nTo check the status of the idle screen lock activation, run the following command: \n\n$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled\n\nIf properly configured, the output should be \"true\". \nIf it is not, this is a finding.",
13 | "fix": "Run the following command to activate locking of the screensaver in the GNOME desktop when it is activated: \n\n# gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type bool \\\n--set /apps/gnome-screensaver/lock_enabled true",
14 | "long_description": "Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby.",
15 | "short_description": "The graphical desktop environment must have automatic lock enabled."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38665:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38665",
6 | "C-46225r1_chk",
7 | "F-43614r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The following command will list which audit files on the system have group-ownership different from what is expected by the RPM database: \n\n# rpm -V audit | grep '^......G'\n\n\nIf there is output, this is a finding.",
13 | "fix": "The RPM package management system can restore file group-ownership of the audit package files and directories. The following command will update audit files with group-ownership different from what is expected by the RPM database: \n\n# rpm --setugids audit",
14 | "long_description": "Group-ownership of audit binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.",
15 | "short_description": "The system package management tool must verify group-ownership on all files and directories associated with the audit package."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38612:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38612",
6 | "C-46170r1_chk",
7 | "F-43560r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine how the SSH daemon's \"HostbasedAuthentication\" option is set, run the following command: \n\n# grep -i HostbasedAuthentication /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \"no\" is returned, then the required value is set. \nIf the required value is not set, this is a finding.",
13 | "fix": "SSH's cryptographic host-based authentication is more secure than \".rhosts\" authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization. \n\nTo disable host-based authentication, add or correct the following line in \"/etc/ssh/sshd_config\": \n\nHostbasedAuthentication no",
14 | "long_description": "SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.",
15 | "short_description": "The SSH daemon must not allow host-based authentication."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38699:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38699",
6 | "C-46260r3_chk",
7 | "F-43648r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 500. Run it once for each local partition [PART]: \n\n# find [PART] -xdev -type d -perm -0002 -uid +499 -print\n\n\nIf there is output, this is a finding.",
13 | "fix": "All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.",
14 | "long_description": "Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.",
15 | "short_description": "All public directories must be owned by a system account."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38453:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38453",
6 | "C-46009r1_chk",
7 | "F-43399r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The following command will list which files on the system have group-ownership different from what is expected by the RPM database: \n\n# rpm -Va | grep '^......G'\n\n\nIf there is output, this is a finding.",
13 | "fix": "The RPM package management system can restore group-ownership of the package files and directories. The following command will update files and directories with group-ownership different from what is expected by the RPM database: \n\n# rpm -qf [file or directory name]\n# rpm --setugids [package]",
14 | "long_description": "Group-ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated.",
15 | "short_description": "The system package management tool must verify group-ownership on all files and directories associated with packages."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38695:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38695",
6 | "C-46257r2_chk",
7 | "F-43644r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine that periodic AIDE execution has been scheduled, run the following command: \n\n# grep aide /etc/crontab /etc/cron.*/*\n\nIf there is no output or if aide is not run at least weekly, this is a finding.",
13 | "fix": "AIDE should be executed on a periodic basis to check for changes. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab: \n\n05 4 * * * root /usr/sbin/aide --check\n\nAIDE can be executed periodically through other means; this is merely one example.",
14 | "long_description": "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.",
15 | "short_description": "A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38614:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38614",
6 | "C-46172r1_chk",
7 | "F-43562r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine how the SSH daemon's \"PermitEmptyPasswords\" option is set, run the following command: \n\n# grep -i PermitEmptyPasswords /etc/ssh/sshd_config\n\nIf no line, a commented line, or a line indicating the value \"no\" is returned, then the required value is set. \nIf the required value is not set, this is a finding.",
13 | "fix": "To explicitly disallow remote login from accounts with empty passwords, add or correct the following line in \"/etc/ssh/sshd_config\": \n\nPermitEmptyPasswords no\n\nAny accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.",
14 | "long_description": "Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.",
15 | "short_description": "The SSH daemon must not allow authentication using an empty password."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38691:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38691",
6 | "C-46253r3_chk",
7 | "F-43640r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check that the \"bluetooth\" service is disabled in system boot configuration, run the following command: \n\n# chkconfig \"bluetooth\" --list\n\nOutput should indicate the \"bluetooth\" service has either not been installed or has been disabled at all runlevels, as shown in the example below: \n\n# chkconfig \"bluetooth\" --list\n\"bluetooth\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\n\nIf the service is configured to run, this is a finding.",
13 | "fix": "The \"bluetooth\" service can be disabled with the following command: \n\n# chkconfig bluetooth off\n\n\n\n# service bluetooth stop",
14 | "long_description": "Disabling the \"bluetooth\" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.",
15 | "short_description": "The Bluetooth service must be disabled."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38496:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38496",
6 | "C-46052r2_chk",
7 | "F-43442r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To obtain a listing of all users and the contents of their shadow password field, run the command: \n\n$ awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 \":\" $2}' /etc/shadow\n\nIdentify the operating system accounts from this listing. These will primarily be the accounts with UID numbers less than 500, other than root. \n\nIf any default operating system account (other than root) has a valid password hash, this is a finding.",
13 | "fix": "Some accounts are not associated with a human user of the system, and exist to perform some administrative function. An attacker should not be able to log into these accounts. \n\nDisable logon access to these accounts with the command: \n\n# passwd -l [SYSACCT]",
14 | "long_description": "Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system.",
15 | "short_description": "Default operating system accounts, other than root, must be locked."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38686:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38686",
6 | "C-46248r1_chk",
7 | "F-43635r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to ensure the default \"FORWARD\" policy is \"DROP\": \n\ngrep \":FORWARD\" /etc/sysconfig/iptables\n\nThe output must be the following: \n\n# grep \":FORWARD\" /etc/sysconfig/iptables\n:FORWARD DROP [0:0]\n\nIf it is not, this is a finding.",
13 | "fix": "To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another, add or correct the following line in \"/etc/sysconfig/iptables\": \n\n:FORWARD DROP [0:0]",
14 | "long_description": "In \"iptables\" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to \"DROP\" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.",
15 | "short_description": "The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38594:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38594",
6 | "C-46152r2_chk",
7 | "F-43542r3_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check that the \"rsh\" service is disabled in system boot configuration, run the following command:\n\n# chkconfig \"rsh\" --list\n\nOutput should indicate the \"rsh\" service has either not been installed, or has been disabled, as shown in the example below:\n\n# chkconfig \"rsh\" --list\nrsh off\nOR\nerror reading information on service rsh: No such file or directory\n\n\nIf the service is running, this is a finding.",
13 | "fix": "The \"rsh\" service, which is available with the \"rsh-server\" package and runs as a service through xinetd, should be disabled. The \"rsh\" service can be disabled with the following command: \n\n# chkconfig rsh off",
14 | "long_description": "The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.",
15 | "short_description": "The rshd service must not be running."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38617:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38617",
6 | "C-46176r1_chk",
7 | "F-43566r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Only FIPS-approved ciphers should be used. To verify that only FIPS-approved ciphers are in use, run the following command: \n\n# grep Ciphers /etc/ssh/sshd_config\n\nThe output should contain only those ciphers which are FIPS-approved, namely, the AES and 3DES ciphers. \nIf that is not the case, this is a finding.",
13 | "fix": "Limit the ciphers to those algorithms which are FIPS-approved. Counter (CTR) mode is also preferred over cipher-block chaining (CBC) mode. The following line in \"/etc/ssh/sshd_config\" demonstrates use of FIPS-approved ciphers: \n\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc\n\nThe man page \"sshd_config(5)\" contains a list of supported ciphers.",
14 | "long_description": "Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance.",
15 | "short_description": "The SSH daemon must be configured to use only FIPS 140-2 approved ciphers."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38621:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38621",
6 | "C-46180r1_chk",
7 | "F-43570r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file. \n\n/etc/ntp.conf\n\nIn the file, there should be a section similar to the following: \n\n# --- OUR TIMESERVERS -----\nserver [ntpserver]\n\n\nIf this is not the case, this is a finding.",
13 | "fix": "To specify a remote NTP server for time synchronization, edit the file \"/etc/ntp.conf\". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver. \n\nserver [ntpserver]\n\nThis instructs the NTP software to contact that remote server to obtain time data.",
14 | "long_description": "Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended.",
15 | "short_description": "The system clock must be synchronized to an authoritative DoD time source."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38438:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38438",
6 | "C-45992r2_chk",
7 | "F-43382r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Inspect the kernel boot arguments (which follow the word \"kernel\") in \"/etc/grub.conf\". If they include \"audit=1\", then auditing is enabled at boot time. \n\nIf auditing is not enabled at boot time, this is a finding.",
13 | "fix": "To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument \"audit=1\" to the kernel line in \"/etc/grub.conf\", in the manner below:\n\nkernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1\n\nUEFI systems may prepend \"/boot\" to the \"/vmlinuz-version\" argument.",
14 | "long_description": "Each process on the system carries an \"auditable\" flag which indicates whether its activities can be audited. Although \"auditd\" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.",
15 | "short_description": "Auditing must be enabled at boot by setting a kernel parameter."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38487:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38487",
6 | "C-46043r1_chk",
7 | "F-43433r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine whether \"yum\" has been configured to disable \"gpgcheck\" for any repos, inspect all files in \"/etc/yum.repos.d\" and ensure the following does not appear in any sections: \n\ngpgcheck=0\n\nA value of \"0\" indicates that \"gpgcheck\" has been disabled for that repo. \nIf GPG checking is disabled, this is a finding.\n\nIf the \"yum\" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.",
13 | "fix": "To ensure signature checking is not disabled for any repos, remove any lines from files in \"/etc/yum.repos.d\" of the form: \n\ngpgcheck=0",
14 | "long_description": "Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering.",
15 | "short_description": "The system package management tool must cryptographically verify the authenticity of all software packages during installation."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38620:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38620",
6 | "C-46178r1_chk",
7 | "F-43568r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to determine the current status of the \"ntpd\" service: \n\n# service ntpd status\n\nIf the service is enabled, it should return the following: \n\nntpd is running...\n\n\nIf the service is not running, this is a finding.",
13 | "fix": "The \"ntpd\" service can be enabled with the following command: \n\n# chkconfig ntpd on\n# service ntpd start",
14 | "long_description": "Enabling the \"ntpd\" service ensures that the \"ntpd\" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client (and synchronize only its own clock) or it is also acting as an NTP server to other systems. Synchronizing time is essential for authentication services such as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches.",
15 | "short_description": "The system clock must be synchronized continuously, or at least daily."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38636:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38636",
6 | "C-46195r1_chk",
7 | "F-43585r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine how many logs the system is configured to retain after rotation: \"# grep num_logs /etc/audit/auditd.conf\" \n\nnum_logs = 5\n\n\nIf the overall system log file(s) retention hasn't been properly set up, this is a finding.",
13 | "fix": "Determine how many log files \"auditd\" should retain when it rotates logs. Edit the file \"/etc/audit/auditd.conf\". Add or modify the following line, substituting [NUMLOGS] with the correct value: \n\nnum_logs = [NUMLOGS]\n\nSet the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.",
14 | "long_description": "The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.",
15 | "short_description": "The system must retain enough rotated audit logs to cover the required log retention period."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38464:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38464",
6 | "C-46020r1_chk",
7 | "F-43410r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur:\n\n# grep disk_error_action /etc/audit/auditd.conf\ndisk_error_action = [ACTION]\n\n\nIf the system is configured to \"suspend\" when disk errors occur or \"ignore\" them, this is a finding.",
13 | "fix": "Edit the file \"/etc/audit/auditd.conf\". Modify the following line, substituting [ACTION] appropriately: \n\ndisk_error_action = [ACTION]\n\nPossible values for [ACTION] are described in the \"auditd.conf\" man page. These include: \n\n\"ignore\"\n\"syslog\"\n\"exec\"\n\"suspend\"\n\"single\"\n\"halt\"\n\n\nSet this to \"syslog\", \"exec\", \"single\", or \"halt\".",
14 | "long_description": "Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.",
15 | "short_description": "The audit system must take appropriate action when there are disk errors on the audit storage volume."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38633:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38633",
6 | "C-46192r1_chk",
7 | "F-43582r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine how much data the system will retain in each audit log file: \"# grep max_log_file /etc/audit/auditd.conf\" \n\nmax_log_file = 6\n\n\nIf the system audit data threshold hasn't been properly set up, this is a finding.",
13 | "fix": "Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file \"/etc/audit/auditd.conf\". Add or modify the following line, substituting the correct value for [STOREMB]: \n\nmax_log_file = [STOREMB]\n\nSet the value to \"6\" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.",
14 | "long_description": "The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.",
15 | "short_description": "The system must set a maximum audit log file size."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38474:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38474",
6 | "C-46030r2_chk",
7 | "F-43420r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the GConf2 package is not installed, this is not applicable.\n\nVerify the keybindings for the Gnome screensaver:\n\n# gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome_settings_daemon/keybindings/screensaver\n\nIf no output is visible, this is a finding.",
13 | "fix": "Run the following command to set the Gnome desktop keybinding for locking the screen:\n\n# gconftool-2\n--direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type string \\\n--set /apps/gnome_settings_daemon/keybindings/screensaver \"l\"\n\nAnother keyboard sequence may be substituted for \"l\", which is the default for the Gnome desktop.",
14 | "long_description": "The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily.",
15 | "short_description": "The system must allow locking of graphical desktop sessions."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38655:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38655",
6 | "C-46216r1_chk",
7 | "F-43605r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify that binaries cannot be directly executed from removable media, run the following command: \n\n# grep noexec /etc/fstab\n\nThe output should show \"noexec\" in use. \nIf it does not, this is a finding.",
13 | "fix": "The \"noexec\" mount option prevents the direct execution of binaries on the mounted filesystem. Users should not be allowed to execute binaries that exist on partitions mounted from removable media (such as a USB key). The \"noexec\" option prevents code from being executed directly from the media itself, and may therefore provide a line of defense against certain types of worms or malicious code. Add the \"noexec\" option to the fourth column of \"/etc/fstab\" for the line which controls mounting of any removable media partitions.",
14 | "long_description": "Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.",
15 | "short_description": "The noexec option must be added to removable media partitions."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38439:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38439",
6 | "C-45994r1_chk",
7 | "F-43384r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Interview the SA to determine if there is an automated system for managing user accounts, preferably integrated with an existing enterprise user management system.\n\nIf there is not, this is a finding.",
13 | "fix": "Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. If possible, this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos.",
14 | "long_description": "A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. Enterprise environments make user account management challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight.",
15 | "short_description": "The system must provide automated support for account management functions."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38598:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38598",
6 | "C-46156r3_chk",
7 | "F-43546r3_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check that the \"rexec\" service is disabled in system boot configuration, run the following command:\n\n# chkconfig \"rexec\" --list\n\nOutput should indicate the \"rexec\" service has either not been installed, or has been disabled, as shown in the example below:\n\n# chkconfig \"rexec\" --list\nrexec off\nOR\nerror reading information on service rexec: No such file or directory\n\n\nIf the service is running, this is a finding.",
13 | "fix": "The \"rexec\" service, which is available with the \"rsh-server\" package and runs as a service through xinetd, should be disabled. The \"rexec\" service can be disabled with the following command: \n\n# chkconfig rexec off",
14 | "long_description": "The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.",
15 | "short_description": "The rexecd service must not be running."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-51875:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-51875",
6 | "C-54013r1_chk",
7 | "F-56701r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To ensure that last logon/access notification is configured correctly, run the following command:\n\n# grep pam_lastlog.so /etc/pam.d/system-auth\n\nThe output should show output \"showfailed\". If that is not the case, this is a finding.",
13 | "fix": "To configure the system to notify users of last logon/access using \"pam_lastlog\", add the following line immediately after \"session required pam_limits.so\":\n\nsession required pam_lastlog.so showfailed",
14 | "long_description": "Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. ",
15 | "short_description": "The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38482:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38482",
6 | "C-46037r1_chk",
7 | "F-43427r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check how many digits are required in a password, run the following command: \n\n$ grep pam_cracklib /etc/pam.d/system-auth\n\nThe \"dcredit\" parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as \"dcredit=-1\". \nIf dcredit is not found or not set to the required value, this is a finding.",
13 | "fix": "The pam_cracklib module's \"dcredit\" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add \"dcredit=-1\" after pam_cracklib.so to require use of a digit in passwords.",
14 | "long_description": "Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.",
15 | "short_description": "The system must require passwords to contain at least one numeric character."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38586:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38586",
6 | "C-46145r1_chk",
7 | "F-43534r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check if authentication is required for single-user mode, run the following command: \n\n$ grep SINGLE /etc/sysconfig/init\n\nThe output should be the following: \n\nSINGLE=/sbin/sulogin\n\n\nIf the output is different, this is a finding.",
13 | "fix": "Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. \n\nTo require entry of the root password even if the system is started in single-user mode, add or correct the following line in the file \"/etc/sysconfig/init\": \n\nSINGLE=/sbin/sulogin",
14 | "long_description": "This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.",
15 | "short_description": "The system must require authentication upon booting into single-user and maintenance modes."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38602:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38602",
6 | "C-46158r3_chk",
7 | "F-43549r3_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check that the \"rlogin\" service is disabled in system boot configuration, run the following command:\n\n# chkconfig \"rlogin\" --list\n\nOutput should indicate the \"rlogin\" service has either not been installed, or has been disabled, as shown in the example below:\n\n# chkconfig \"rlogin\" --list\nrlogin off\nOR\nerror reading information on service rlogin: No such file or directory\n\n\nIf the service is running, this is a finding.",
13 | "fix": "The \"rlogin\" service, which is available with the \"rsh-server\" package and runs as a service through xinetd, should be disabled. The \"rlogin\" service can be disabled with the following command: \n\n# chkconfig rlogin off",
14 | "long_description": "The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network.",
15 | "short_description": "The rlogind service must not be running."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38488:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38488",
6 | "C-46045r1_chk",
7 | "F-43435r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Ask an administrator if a process exists to back up user data from the system. \n\nIf such a process does not exist, this is a finding.",
13 | "fix": "Procedures to back up user data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available.\n\nImplement a process whereby user data is backed up from the system in accordance with local policies.",
14 | "long_description": "Operating system backup is a critical step in maintaining data assurance and availability. User-level information is data generated by information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives.",
15 | "short_description": "The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-43150:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-43150",
6 | "C-49197r4_chk",
7 | "F-48722r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo ensure the user list is disabled, run the following command:\n\n$ gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--get /apps/gdm/simple-greeter/disable_user_list\n\nThe output should be \"true\". If it is not, this is a finding.",
13 | "fix": "In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled.\n\nRun the following command to disable the user list:\n\n$ sudo gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type bool --set /apps/gdm/simple-greeter/disable_user_list true",
14 | "long_description": "Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in.",
15 | "short_description": "The login user list must be disabled."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38444:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38444",
6 | "C-45999r2_chk",
7 | "F-43389r3_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If IPv6 is disabled, this is not applicable.\n\nInspect the file \"/etc/sysconfig/ip6tables\" to determine the default policy for the INPUT chain. It should be set to DROP:\n\n# grep \":INPUT\" /etc/sysconfig/ip6tables\n\nIf the default policy for the INPUT chain is not set to DROP, this is a finding.",
13 | "fix": "To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in \"/etc/sysconfig/ip6tables\": \n\n:INPUT DROP [0:0]\n\nRestart the IPv6 firewall:\n\n# service ip6tables restart",
14 | "long_description": "In \"ip6tables\" the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to \"DROP\" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted.",
15 | "short_description": "The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38642:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38642",
6 | "C-46203r1_chk",
7 | "F-43592r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check the value of the \"umask\", run the following command: \n\n$ grep umask /etc/init.d/functions\n\nThe output should show either \"022\" or \"027\". \nIf it does not, this is a finding.",
13 | "fix": "The file \"/etc/init.d/functions\" includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default umask for daemons, edit the following line, inserting 022 or 027 for [UMASK] appropriately: \n\numask [UMASK]\n\nSetting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts.",
14 | "long_description": "The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.",
15 | "short_description": "The system default umask for daemons must be 027 or 022."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38530:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38530",
6 | "C-46087r1_chk",
7 | "F-43477r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command: \n\n# auditctl -l | grep \"watch=/etc/localtime\"\n\nIf the system is configured to audit this activity, it will return a line. \nIf the system is not configured to audit time changes, this is a finding.",
13 | "fix": "Add the following to \"/etc/audit/audit.rules\": \n\n-w /etc/localtime -p wa -k audit_time_rules\n\nThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.",
14 | "long_description": "Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.",
15 | "short_description": "The audit system must be configured to audit all attempts to alter system time through /etc/localtime."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38585:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38585",
6 | "C-46143r1_chk",
7 | "F-43533r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify the boot loader password has been set and encrypted, run the following command: \n\n# grep password /etc/grub.conf\n\nThe output should show the following: \n\npassword --encrypted \"$6$[rest-of-the-password-hash]\"\n\n\nIf it does not, this is a finding.",
13 | "fix": "The grub boot loader should have password protection enabled to protect boot-time settings. To do so, select a password and then generate a hash from it by running the following command: \n\n# grub-crypt --sha-512\n\nWhen prompted to enter a password, insert the following line into \"/etc/grub.conf\" immediately after the header comments. (Use the output from \"grub-crypt\" as the value of [password-hash]): \n\npassword --encrypted [password-hash]",
14 | "long_description": "Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.",
15 | "short_description": "The system boot loader must require authentication."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38685:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38685",
6 | "C-46247r1_chk",
7 | "F-43634r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "For every temporary account, run the following command to obtain its account aging and expiration information: \n\n# chage -l [USER]\n\nVerify each of these accounts has an expiration date set as documented. \nIf any temporary accounts have no expiration date set or do not expire within a documented time frame, this is a finding.",
13 | "fix": "In the event temporary accounts are required, configure the system to terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on it, substituting \"[USER]\" and \"[YYYY-MM-DD]\" appropriately: \n\n# chage -E [YYYY-MM-DD] [USER]\n\n\"[YYYY-MM-DD]\" indicates the documented expiration date for the account.",
14 | "long_description": "When temporary accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.",
15 | "short_description": "Temporary accounts must be provisioned with an expiration date."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38690:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38690",
6 | "C-46251r1_chk",
7 | "F-43639r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "For every emergency account, run the following command to obtain its account aging and expiration information: \n\n# chage -l [USER]\n\nVerify each of these accounts has an expiration date set as documented. \nIf any emergency accounts have no expiration date set or do not expire within a documented time frame, this is a finding.",
13 | "fix": "In the event emergency accounts are required, configure the system to terminate them after a documented time period. For every emergency account, run the following command to set an expiration date on it, substituting \"[USER]\" and \"[YYYY-MM-DD]\" appropriately: \n\n# chage -E [YYYY-MM-DD] [USER]\n\n\"[YYYY-MM-DD]\" indicates the documented expiration date for the account.",
14 | "long_description": "When emergency accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked.",
15 | "short_description": "Emergency accounts must be provisioned with an expiration date."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38524:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38524",
6 | "C-46082r2_chk",
7 | "F-43472r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The status of the \"net.ipv4.conf.all.accept_redirects\" kernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.accept_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.",
13 | "fix": "To set the runtime status of the \"net.ipv4.conf.all.accept_redirects\" kernel parameter, run the following command: \n\n# sysctl -w net.ipv4.conf.all.accept_redirects=0\n\nIf this is not the system's default value, add the following line to \"/etc/sysctl.conf\": \n\nnet.ipv4.conf.all.accept_redirects = 0",
14 | "long_description": "Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.",
15 | "short_description": "The system must not accept ICMPv4 redirect packets on any interface."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38677:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38677",
6 | "C-46239r1_chk",
7 | "F-43626r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify insecure file locking has been disabled, run the following command: \n\n# grep insecure_locks /etc/exports\n\n\nIf there is output, this is a finding.",
13 | "fix": "By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file lock requests, however, there are a few clients that do not send credentials when requesting a file-lock, allowing the client to only be able to lock world-readable files. To get around this, the \"insecure_locks\" option can be used so these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the \"insecure_locks\" option from the file \"/etc/exports\".",
14 | "long_description": "Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user.",
15 | "short_description": "The NFS server must not have the insecure file locking option enabled."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38701:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38701",
6 | "C-46263r1_chk",
7 | "F-43650r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Verify \"tftp\" is configured by with the \"-s\" option by running the following command: \n\ngrep \"server_args\" /etc/xinetd.d/tftp\n\nThe output should indicate the \"server_args\" variable is configured with the \"-s\" flag, matching the example below:\n\n# grep \"server_args\" /etc/xinetd.d/tftp\nserver_args = -s /var/lib/tftpboot\n\nIf it does not, this is a finding.",
13 | "fix": "If running the \"tftp\" service is necessary, it should be configured to change its root directory at startup. To do so, ensure \"/etc/xinetd.d/tftp\" includes \"-s\" as a command line argument, as shown in the following example (which is also the default): \n\nserver_args = -s /var/lib/tftpboot",
14 | "long_description": "Using the \"-s\" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private.",
15 | "short_description": "The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38486:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38486",
6 | "C-46044r1_chk",
7 | "F-43434r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Ask an administrator if a process exists to back up OS data from the system, including configuration data. \n\nIf such a process does not exist, this is a finding.",
13 | "fix": "Procedures to back up OS data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available.\n\nImplement a process whereby OS data is backed up from the system in accordance with local policies.",
14 | "long_description": "Operating system backup is a critical step in maintaining data assurance and availability. System-level information includes system-state information, operating system and application software, and licenses. Backups must be consistent with organizational recovery time and recovery point objectives.",
15 | "short_description": "The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38608:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38608",
6 | "C-46167r1_chk",
7 | "F-43556r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Run the following command to see what the timeout interval is: \n\n# grep ClientAliveInterval /etc/ssh/sshd_config\n\nIf properly configured, the output should be: \n\nClientAliveInterval 900\n\n\nIf it is not, this is a finding.",
13 | "fix": "SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. \n\nTo set an idle timeout interval, edit the following line in \"/etc/ssh/sshd_config\" as follows: \n\nClientAliveInterval [interval]\n\nThe timeout [interval] is given in seconds. To have a timeout of 15 minutes, set [interval] to 900. \n\nIf a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.",
14 | "long_description": "Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another.",
15 | "short_description": "The SSH daemon must set a timeout interval on idle sessions."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/tools/viewer/dockit:
--------------------------------------------------------------------------------
1 | BP_VERSION=1.0.0
2 | IMAGE_TAG=it-bestpractices:${BP_VERSION}
3 |
4 | PYVERSION=python:3.8.4-alpine3.12
5 | PYVERSION=python:3.8.4-slim-buster
6 | PYVERSION=python:rc-buster # Latest release candidate
7 | GITGZ_URL=https://codeload.github.com/IT-bestpractices/root/tar.gz/master
8 | SRCDIR=/usr/src/it-bestpractices
9 | PYTHON=/usr/local/bin/python
10 | ROOTDIR=root-master
11 |
12 | # Copy the current master tip source from IT-bestpractices.info
13 | TMPDIR=$(mktemp -d)
14 | trap "rm -fr ${TMPDIR}" 0
15 | TMPFILE=${TMPDIR}/it-bestpractices.tar.gz
16 | curl $GITGZ_URL > $TMPFILE
17 | tar xzf $TMPFILE
18 |
19 | # FIXME!!>>
20 | # this file, requirements.in and requirmements.txt should be put into source control
21 | # at IT-bestpractices.info
22 | # < Dockerfile
30 | FROM ${PYVERSION}
31 | RUN mkdir -p $SRCDIR
32 | ENV ITBP_PATH $SRCDIR/rules
33 | WORKDIR $SRCDIR
34 | ADD requirements.txt $ROOTDIR $SRCDIR/
35 | RUN $PYTHON -m pip install -r requirements.txt
36 |
37 | CMD [ "$PYTHON", "$SRCDIR/tools/viewer/itbp.py" ]
38 | !DOCKERFILE
39 |
40 | echo "ITBP_CONFIG=$CONFIG"
41 | echo "ITBP_PATH = $SRCDIR/rules" >$SRCDIR/
42 | docker build -t $IMAGE_TAG .
43 |
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38533:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38533",
6 | "C-46091r2_chk",
7 | "F-43481r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The status of the \"net.ipv4.conf.default.accept_redirects\" kernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.accept_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.default.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.",
13 | "fix": "To set the runtime status of the \"net.ipv4.conf.default.accept_redirects\" kernel parameter, run the following command: \n\n# sysctl -w net.ipv4.conf.default.accept_redirects=0\n\nIf this is not the system's default value, add the following line to \"/etc/sysctl.conf\": \n\nnet.ipv4.conf.default.accept_redirects = 0",
14 | "long_description": "This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.",
15 | "short_description": "The system must ignore ICMPv4 redirect messages by default."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38537:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38537",
6 | "C-46095r2_chk",
7 | "F-43485r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The status of the \"net.ipv4.icmp_ignore_bogus_error_responses\" kernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.icmp_ignore_bogus_error_responses\n\nThe output of the command should indicate a value of \"1\". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.icmp_ignore_bogus_error_responses /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.",
13 | "fix": "To set the runtime status of the \"net.ipv4.icmp_ignore_bogus_error_responses\" kernel parameter, run the following command: \n\n# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1\n\nIf this is not the system's default value, add the following line to \"/etc/sysctl.conf\": \n\nnet.ipv4.icmp_ignore_bogus_error_responses = 1",
14 | "long_description": "Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.",
15 | "short_description": "The system must ignore ICMPv4 bogus error responses."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38568:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38568",
6 | "C-46126r2_chk",
7 | "F-43516r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To verify that auditing is configured for all media exportation events, run the following command: \n\n$ sudo grep -w \"mount\" /etc/audit/audit.rules\n\nIf the system is configured to audit this activity, it will return several lines. \n\nIf no line is returned, this is a finding.",
13 | "fix": "At a minimum, the audit system should collect media exportation events for all users and root. Add the following to \"/etc/audit/audit.rules\", setting ARCH to either b32 or b64 as appropriate for your system: \n\n-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export\n-a always,exit -F arch=ARCH -S mount -F auid=0 -k export",
14 | "long_description": "The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.",
15 | "short_description": "The audit system must be configured to audit successful file system mounts."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38548:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38548",
6 | "C-46106r3_chk",
7 | "F-43496r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If IPv6 is disabled, this is not applicable.\n\nThe status of the \"net.ipv6.conf.default.accept_redirects\" kernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv6.conf.default.accept_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv6.conf.default.accept_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.",
13 | "fix": "To set the runtime status of the \"net.ipv6.conf.default.accept_redirects\" kernel parameter, run the following command: \n\n# sysctl -w net.ipv6.conf.default.accept_redirects=0\n\nIf this is not the system's default value, add the following line to \"/etc/sysctl.conf\": \n\nnet.ipv6.conf.default.accept_redirects = 0",
14 | "long_description": "An illicit ICMP redirect message could result in a man-in-the-middle attack.",
15 | "short_description": "The system must ignore ICMPv6 redirects by default."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38604:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38604",
6 | "C-46162r2_chk",
7 | "F-43552r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check that the \"ypbind\" service is disabled in system boot configuration, run the following command: \n\n# chkconfig \"ypbind\" --list\n\nOutput should indicate the \"ypbind\" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: \n\n# chkconfig \"ypbind\" --list\n\"ypbind\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"ypbind\" is disabled through current runtime configuration: \n\n# service ypbind status\n\nIf the service is disabled the command will return the following output: \n\nypbind is stopped\n\n\nIf the service is running, this is a finding.",
13 | "fix": "The \"ypbind\" service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. The \"ypbind\" service can be disabled with the following commands: \n\n# chkconfig ypbind off\n# service ypbind stop",
14 | "long_description": "Disabling the \"ypbind\" service ensures the system is not acting as a client in a NIS or NIS+ domain.",
15 | "short_description": "The ypbind service must not be running."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38472:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38472",
6 | "C-46027r1_chk",
7 | "F-43417r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "System executables are stored in the following directories by default: \n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nAll files in these directories should not be group-writable or world-writable. To find system executables that are not owned by \"root\", run the following command for each directory [DIR] which contains system executables: \n\n$ find -L [DIR] \\! -user root\n\n\nIf any system executables are found to not be owned by root, this is a finding.",
13 | "fix": "System executables are stored in the following directories by default: \n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nIf any file [FILE] in these directories is found to be owned by a user other than root, correct its ownership with the following command: \n\n# chown root [FILE]",
14 | "long_description": "System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted.",
15 | "short_description": "All system command files must be owned by root."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38476:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "high",
3 | "tags": {
4 | "nist": [
5 | "V-38476",
6 | "C-46031r3_chk",
7 | "F-43421r3_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To ensure that the GPG keys are installed, run:\n\n$ rpm -q gpg-pubkey\n\nThe command should return the strings below:\n\ngpg-pubkey-fd431d51-4ae0493b\ngpg-pubkey-2fa658e0-45700c69\n\nIf the Red Hat GPG Keys are not installed, this is a finding.",
13 | "fix": "To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG keys must be installed properly. To install the Red Hat GPG keys, run:\n\n# rhn_register\n\nIf the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG keys from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in \"/media/cdrom\", use the following command as the root user to import them into the keyring:\n\n# rpm --import /media/cdrom/RPM-GPG-KEY",
14 | "long_description": "The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat. ",
15 | "short_description": "Vendor-provided cryptographic certificates must be installed to verify the integrity of system software."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38517:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38517",
6 | "C-46074r3_chk",
7 | "F-43464r3_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system is configured to prevent the loading of the \"tipc\" kernel module, it will contain lines inside any file in \"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines instruct the module loading system to run another program (such as \"/bin/true\") upon a module \"install\" event. Run the following command to search for such lines in all files in \"/etc/modprobe.d\" and the deprecated \"/etc/modprobe.conf\": \n\n$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d\n\nIf no line is returned, this is a finding.",
13 | "fix": "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the \"tipc\" kernel module from being loaded, add the following line to a file in the directory \"/etc/modprobe.d\": \n\ninstall tipc /bin/true",
14 | "long_description": "Disabling TIPC protects the system against exploitation of any flaws in its implementation.",
15 | "short_description": "The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38514:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38514",
6 | "C-46071r3_chk",
7 | "F-43461r3_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system is configured to prevent the loading of the \"dccp\" kernel module, it will contain lines inside any file in \"/etc/modprobe.d\" or the deprecated\"/etc/modprobe.conf\". These lines instruct the module loading system to run another program (such as \"/bin/true\") upon a module \"install\" event. Run the following command to search for such lines in all files in \"/etc/modprobe.d\" and the deprecated \"/etc/modprobe.conf\": \n\n$ grep -r dccp /etc/modprobe.conf /etc/modprobe.d\n\nIf no line is returned, this is a finding.",
13 | "fix": "The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the \"dccp\" kernel module from being loaded, add the following line to a file in the directory \"/etc/modprobe.d\": \n\ninstall dccp /bin/true",
14 | "long_description": "Disabling DCCP protects the system against exploitation of any flaws in its implementation.",
15 | "short_description": "The Datagram Congestion Control Protocol (DCCP) must be disabled unless required."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38468:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38468",
6 | "C-46023r1_chk",
7 | "F-43413r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full:\n\n# grep disk_full_action /etc/audit/auditd.conf\ndisk_full_action = [ACTION]\n\n\nIf the system is configured to \"suspend\" when the volume is full or \"ignore\" that it is full, this is a finding.",
13 | "fix": "The \"auditd\" service can be configured to take an action when disk space starts to run low. Edit the file \"/etc/audit/auditd.conf\". Modify the following line, substituting [ACTION] appropriately: \n\ndisk_full_action = [ACTION]\n\nPossible values for [ACTION] are described in the \"auditd.conf\" man page. These include: \n\n\"ignore\"\n\"syslog\"\n\"exec\"\n\"suspend\"\n\"single\"\n\"halt\"\n\n\nSet this to \"syslog\", \"exec\", \"single\", or \"halt\".",
14 | "long_description": "Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.",
15 | "short_description": "The audit system must take appropriate action when the audit storage volume is full."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38523:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38523",
6 | "C-46081r3_chk",
7 | "F-43471r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The status of the \"net.ipv4.conf.all.accept_source_route\" kernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.accept_source_route\n\nThe output of the command should indicate a value of \"0\". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.",
13 | "fix": "To set the runtime status of the \"net.ipv4.conf.all.accept_source_route\" kernel parameter, run the following command: \n\n# sysctl -w net.ipv4.conf.all.accept_source_route=0\n\nIf this is not the system's default value, add the following line to \"/etc/sysctl.conf\": \n\nnet.ipv4.conf.all.accept_source_route = 0",
14 | "long_description": "Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.",
15 | "short_description": "The system must not accept IPv4 source-routed packets on any interface."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38535:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38535",
6 | "C-46093r2_chk",
7 | "F-43483r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The status of the \"net.ipv4.icmp_echo_ignore_broadcasts\" kernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.icmp_echo_ignore_broadcasts\n\nThe output of the command should indicate a value of \"1\". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.",
13 | "fix": "To set the runtime status of the \"net.ipv4.icmp_echo_ignore_broadcasts\" kernel parameter, run the following command: \n\n# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1\n\nIf this is not the system's default value, add the following line to \"/etc/sysctl.conf\": \n\nnet.ipv4.icmp_echo_ignore_broadcasts = 1",
14 | "long_description": "Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.",
15 | "short_description": "The system must not respond to ICMPv4 sent to a broadcast address."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38572:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38572",
6 | "C-46130r1_chk",
7 | "F-43520r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check how many characters must differ during a password change, run the following command: \n\n$ grep pam_cracklib /etc/pam.d/system-auth\n\nThe \"difok\" parameter will indicate how many characters must differ. The DoD requires four characters differ during a password change. This would appear as \"difok=4\". \nIf difok is not found or not set to the required value, this is a finding.",
13 | "fix": "The pam_cracklib module's \"difok\" parameter controls requirements for usage of different characters during a password change. Add \"difok=[NUM]\" after pam_cracklib.so to require differing characters when changing passwords, substituting [NUM] appropriately. The DoD requirement is 4.",
14 | "long_description": "Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.",
15 | "short_description": "The system must require at least four characters be changed between the old and new passwords during a password change."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38626:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38626",
6 | "C-46185r1_chk",
7 | "F-43575r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system does not use LDAP for authentication or account information, this is not applicable.\n\nTo ensure TLS is configured with trust certificates, run the following command: \n\n# grep cert /etc/pam_ldap.conf\n\n\nIf there is no output, or the lines are commented out, this is a finding.",
13 | "fix": "Ensure a copy of the site's CA certificate has been placed in the file \"/etc/pki/tls/CA/cacert.pem\". Configure LDAP to enforce TLS use and to trust certificates signed by the site's CA. First, edit the file \"/etc/pam_ldap.conf\", and add or correct either of the following lines: \n\ntls_cacertdir /etc/pki/tls/CA\n\nor \n\ntls_cacertfile /etc/pki/tls/CA/cacert.pem\n\nThen review the LDAP server and ensure TLS has been configured.",
14 | "long_description": "The tls_cacertdir or tls_cacertfile directives are required when tls_checkpeer is configured (which is the default for openldap versions 2.1 and up). These directives define the path to the trust certificates signed by the site CA.",
15 | "short_description": "The LDAP client must use a TLS connection using trust certificates signed by the site CA."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38469:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38469",
6 | "C-46024r3_chk",
7 | "F-43414r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "System executables are stored in the following directories by default: \n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nAll files in these directories should not be group-writable or world-writable. To find system executables that are group-writable or world-writable, run the following command for each directory [DIR] which contains system executables: \n\n$ find -L [DIR] -perm /022 -type f\n\nIf any system executables are found to be group-writable or world-writable, this is a finding.",
13 | "fix": "System executables are stored in the following directories by default: \n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nIf any file in these directories is found to be group-writable or world-writable, correct its permission with the following command: \n\n# chmod go-w [FILE]",
14 | "long_description": "System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.",
15 | "short_description": "All system command files must have mode 755 or less permissive."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38516:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38516",
6 | "C-46073r3_chk",
7 | "F-43463r4_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the system is configured to prevent the loading of the \"rds\" kernel module, it will contain lines inside any file in \"/etc/modprobe.d\" or the deprecated \"/etc/modprobe.conf\". These lines instruct the module loading system to run another program (such as \"/bin/true\") upon a module \"install\" event. Run the following command to search for such lines in all files in \"/etc/modprobe.d\" and the deprecated \"/etc/modprobe.conf\": \n\n$ grep -r rds /etc/modprobe.conf /etc/modprobe.d\n\nIf no line is returned, this is a finding.",
13 | "fix": "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high-bandwidth, low-latency communications between nodes in a cluster. To configure the system to prevent the \"rds\" kernel module from being loaded, add the following line to a file in the directory \"/etc/modprobe.d\": \n\ninstall rds /bin/true",
14 | "long_description": "Disabling RDS protects the system against exploitation of any flaws in its implementation.",
15 | "short_description": "The Reliable Datagram Sockets (RDS) protocol must be disabled unless required."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38688:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38688",
6 | "C-46250r3_chk",
7 | "F-43637r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "If the GConf2 package is not installed, this is not applicable.\n\nTo ensure a login warning banner is enabled, run the following: \n\n$ gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable\n\nSearch for the \"banner_message_enable\" schema. If properly configured, the \"default\" value should be \"true\". \nIf it is not, this is a finding.",
13 | "fix": "To enable displaying a login warning banner in the GNOME Display Manager's login screen, run the following command: \n\n# gconftool-2 --direct \\\n--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \\\n--type bool \\\n--set /apps/gdm/simple-greeter/banner_message_enable true\n\nTo display a banner, this setting must be enabled and then banner text must also be set.",
14 | "long_description": "An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers.",
15 | "short_description": "A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38511:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38511",
6 | "C-46068r3_chk",
7 | "F-43458r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The status of the \"net.ipv4.ip_forward\" kernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.ip_forward\n\nThe output of the command should indicate a value of \"0\". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.ip_forward /etc/sysctl.conf\n\nThe ability to forward packets is only appropriate for routers. If the correct value is not returned, this is a finding.",
13 | "fix": "To set the runtime status of the \"net.ipv4.ip_forward\" kernel parameter, run the following command: \n\n# sysctl -w net.ipv4.ip_forward=0\n\nIf this is not the system's default value, add the following line to \"/etc/sysctl.conf\": \n\nnet.ipv4.ip_forward = 0",
14 | "long_description": "IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.",
15 | "short_description": "IP forwarding for IPv4 must not be enabled, unless the system is a router."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38526:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38526",
6 | "C-46084r2_chk",
7 | "F-43474r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The status of the \"net.ipv4.conf.all.secure_redirects\" kernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.secure_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.secure_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.",
13 | "fix": "To set the runtime status of the \"net.ipv4.conf.all.secure_redirects\" kernel parameter, run the following command: \n\n# sysctl -w net.ipv4.conf.all.secure_redirects=0\n\nIf this is not the system's default value, add the following line to \"/etc/sysctl.conf\": \n\nnet.ipv4.conf.all.secure_redirects = 0",
14 | "long_description": "Accepting \"secure\" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.",
15 | "short_description": "The system must not accept ICMPv4 secure redirect packets on any interface."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38529:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38529",
6 | "C-46088r2_chk",
7 | "F-43478r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The status of the \"net.ipv4.conf.default.accept_source_route\" kernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.default.accept_source_route\n\nThe output of the command should indicate a value of \"0\". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.",
13 | "fix": "To set the runtime status of the \"net.ipv4.conf.default.accept_source_route\" kernel parameter, run the following command: \n\n# sysctl -w net.ipv4.conf.default.accept_source_route=0\n\nIf this is not the system's default value, add the following line to \"/etc/sysctl.conf\": \n\nnet.ipv4.conf.default.accept_source_route = 0",
14 | "long_description": "Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.",
15 | "short_description": "The system must not accept IPv4 source-routed packets by default."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38601:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38601",
6 | "C-46159r2_chk",
7 | "F-43548r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The status of the \"net.ipv4.conf.all.send_redirects\" kernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.send_redirects\n\nThe output of the command should indicate a value of \"0\". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.send_redirects /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.",
13 | "fix": "To set the runtime status of the \"net.ipv4.conf.all.send_redirects\" kernel parameter, run the following command: \n\n# sysctl -w net.ipv4.conf.all.send_redirects=0\n\nIf this is not the system's default value, add the following line to \"/etc/sysctl.conf\": \n\nnet.ipv4.conf.all.send_redirects = 0",
14 | "long_description": "Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers.",
15 | "short_description": "The system must not send ICMPv4 redirects from any interface."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38618:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38618",
6 | "C-46177r1_chk",
7 | "F-43567r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To check that the \"avahi-daemon\" service is disabled in system boot configuration, run the following command: \n\n# chkconfig \"avahi-daemon\" --list\n\nOutput should indicate the \"avahi-daemon\" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: \n\n# chkconfig \"avahi-daemon\" --list\n\"avahi-daemon\" 0:off 1:off 2:off 3:off 4:off 5:off 6:off\n\nRun the following command to verify \"avahi-daemon\" is disabled through current runtime configuration: \n\n# service avahi-daemon status\n\nIf the service is disabled the command will return the following output: \n\navahi-daemon is stopped\n\n\nIf the service is running, this is a finding.",
13 | "fix": "The \"avahi-daemon\" service can be disabled with the following commands: \n\n# chkconfig avahi-daemon off\n# service avahi-daemon stop",
14 | "long_description": "Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted.",
15 | "short_description": "The avahi service must be disabled."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38484:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "medium",
3 | "tags": {
4 | "nist": [
5 | "V-38484",
6 | "C-46041r2_chk",
7 | "F-43431r2_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "Verify the value associated with the \"PrintLastLog\" keyword in /etc/ssh/sshd_config:\n\n# grep -i \"^PrintLastLog\" /etc/ssh/sshd_config\n\nIf the \"PrintLastLog\" keyword is not present, this is not a finding. If the value is not set to \"yes\", this is a finding.",
13 | "fix": "Update the \"PrintLastLog\" keyword to \"yes\" in /etc/ssh/sshd_config:\n\nPrintLastLog yes\n\nWhile it is acceptable to remove the keyword entirely since the default action for the SSH daemon is to print the last logon date and time, it is preferred to have the value explicitly documented.",
14 | "long_description": "Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the date and time of their last successful login allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.\n\nAt ssh login, a user must be presented with the last successful login date and time.",
15 | "short_description": "The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38531:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38531",
6 | "C-46090r1_chk",
7 | "F-43480r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine if the system is configured to audit account changes, run the following command: \n\nauditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n\nIf the system is configured to watch for account changes, lines should be returned for each file specified (and with \"perm=wa\" for each). \nIf the system is not configured to audit account changes, this is a finding.",
13 | "fix": "Add the following to \"/etc/audit/audit.rules\", in order to capture events that modify account changes: \n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes",
14 | "long_description": "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.",
15 | "short_description": "The operating system must automatically audit account creation."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38528:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38528",
6 | "C-46086r3_chk",
7 | "F-43476r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "The status of the \"net.ipv4.conf.all.log_martians\" kernel parameter can be queried by running the following command:\n\n$ sysctl net.ipv4.conf.all.log_martians\n\nThe output of the command should indicate a value of \"1\". If this value is not the default value, investigate how it could have been adjusted at runtime, and verify it is not set improperly in \"/etc/sysctl.conf\".\n\n$ grep net.ipv4.conf.all.log_martians /etc/sysctl.conf\n\nIf the correct value is not returned, this is a finding.",
13 | "fix": "To set the runtime status of the \"net.ipv4.conf.all.log_martians\" kernel parameter, run the following command: \n\n# sysctl -w net.ipv4.conf.all.log_martians=1\n\nIf this is not the system's default value, add the following line to \"/etc/sysctl.conf\": \n\nnet.ipv4.conf.all.log_martians = 1",
14 | "long_description": "The presence of \"martian\" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.",
15 | "short_description": "The system must log Martian packets."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------
/rules/os.app/security.domain/posix.class/linux.os/redhat/nist_V-38534:
--------------------------------------------------------------------------------
1 | {
2 | "severity": "low",
3 | "tags": {
4 | "nist": [
5 | "V-38534",
6 | "C-46092r1_chk",
7 | "F-43482r1_fix"
8 | ]
9 | },
10 | "text": {
11 | "en": {
12 | "check": "To determine if the system is configured to audit account changes, run the following command: \n\nauditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'\n\nIf the system is configured to watch for account changes, lines should be returned for each file specified (and with \"perm=wa\" for each). \nIf the system is not configured to audit account changes, this is a finding.",
13 | "fix": "Add the following to \"/etc/audit/audit.rules\", in order to capture events that modify account changes: \n\n# audit_account_changes\n-w /etc/group -p wa -k audit_account_changes\n-w /etc/passwd -p wa -k audit_account_changes\n-w /etc/gshadow -p wa -k audit_account_changes\n-w /etc/shadow -p wa -k audit_account_changes\n-w /etc/security/opasswd -p wa -k audit_account_changes",
14 | "long_description": "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.",
15 | "short_description": "The operating system must automatically audit account modification."
16 | }
17 | }
18 | }
--------------------------------------------------------------------------------