Red Hat Bugzilla – View All Attachments for
Bug 1867158
Attachment #1717529
openscap-report
application/xhtml+xml
2020-09-29 13:09:38 UTC
2.67 MB
no flags
Details
Attachment #1717531
openscap-report
text/html
2020-09-29 13:11:02 UTC
2.67 MB
no flags
Details
<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta charset="utf-8"></meta><meta http-equiv="X-UA-Compatible" content="IE=edge"></meta><meta name="viewport" content="width=device-width, initial-scale=1"></meta><title>xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig | OpenSCAP Evaluation Report</title><style>
.badge{color:#fff;background-color:#333}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:focus,.btn-primary.focus{color:#fff;background-color:#3071a9;border-color:#193c5a}.btn-primary:hover{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{color:#fff;background-color:#3071a9;border-color:#285e8e}.btn-primary:active:hover,.btn-primary.active:hover,.open>.dropdown-toggle.btn-primary:hover,.btn-primary:active:focus,.btn-primary.active:focus,.open>.dropdown-toggle.btn-primary:focus,.btn-primary:active.focus,.btn-primary.active.focus,.open>.dropdown-toggle.btn-primary.focus{color:#fff;background-color:#285e8e;border-color:#193c5a}.btn-primary:active,.btn-primary.active,.open>.dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled.focus,.btn-primary[disabled].focus,fieldset[disabled] .btn-primary.focus{background-color:#428bca;border-color:#357ebd}.btn-primary 
.badge{color:#428bca;background-color:#fff}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:focus,.btn-success.focus{color:#fff;background-color:#449d44;border-color:#255625}.btn-success:hover{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{color:#fff;background-color:#449d44;border-color:#398439}.btn-success:active:hover,.btn-success.active:hover,.open>.dropdown-toggle.btn-success:hover,.btn-success:active:focus,.btn-success.active:focus,.open>.dropdown-toggle.btn-success:focus,.btn-success:active.focus,.btn-success.active.focus,.open>.dropdown-toggle.btn-success.focus{color:#fff;background-color:#398439;border-color:#255625}.btn-success:active,.btn-success.active,.open>.dropdown-toggle.btn-success{background-image:none}.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.disabled.focus,.btn-success[disabled].focus,fieldset[disabled] .btn-success.focus{background-color:#5cb85c;border-color:#4cae4c}.btn-success 
.badge{color:#5cb85c;background-color:#fff}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:focus,.btn-info.focus{color:#fff;background-color:#31b0d5;border-color:#1b6d85}.btn-info:hover{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{color:#fff;background-color:#31b0d5;border-color:#269abc}.btn-info:active:hover,.btn-info.active:hover,.open>.dropdown-toggle.btn-info:hover,.btn-info:active:focus,.btn-info.active:focus,.open>.dropdown-toggle.btn-info:focus,.btn-info:active.focus,.btn-info.active.focus,.open>.dropdown-toggle.btn-info.focus{color:#fff;background-color:#269abc;border-color:#1b6d85}.btn-info:active,.btn-info.active,.open>.dropdown-toggle.btn-info{background-image:none}.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled.focus,.btn-info[disabled].focus,fieldset[disabled] .btn-info.focus{background-color:#5bc0de;border-color:#46b8da}.btn-info 
.badge{color:#5bc0de;background-color:#fff}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:focus,.btn-warning.focus{color:#fff;background-color:#ec971f;border-color:#985f0d}.btn-warning:hover{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{color:#fff;background-color:#ec971f;border-color:#d58512}.btn-warning:active:hover,.btn-warning.active:hover,.open>.dropdown-toggle.btn-warning:hover,.btn-warning:active:focus,.btn-warning.active:focus,.open>.dropdown-toggle.btn-warning:focus,.btn-warning:active.focus,.btn-warning.active.focus,.open>.dropdown-toggle.btn-warning.focus{color:#fff;background-color:#d58512;border-color:#985f0d}.btn-warning:active,.btn-warning.active,.open>.dropdown-toggle.btn-warning{background-image:none}.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled.focus,.btn-warning[disabled].focus,fieldset[disabled] .btn-warning.focus{background-color:#f0ad4e;border-color:#eea236}.btn-warning 
.badge{color:#f0ad4e;background-color:#fff}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:focus,.btn-danger.focus{color:#fff;background-color:#c9302c;border-color:#761c19}.btn-danger:hover{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{color:#fff;background-color:#c9302c;border-color:#ac2925}.btn-danger:active:hover,.btn-danger.active:hover,.open>.dropdown-toggle.btn-danger:hover,.btn-danger:active:focus,.btn-danger.active:focus,.open>.dropdown-toggle.btn-danger:focus,.btn-danger:active.focus,.btn-danger.active.focus,.open>.dropdown-toggle.btn-danger.focus{color:#fff;background-color:#ac2925;border-color:#761c19}.btn-danger:active,.btn-danger.active,.open>.dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled:hover,.btn-danger[disabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled.focus,.btn-danger[disabled].focus,fieldset[disabled] .btn-danger.focus{background-color:#d9534f;border-color:#d43f3a}.btn-danger .badge{color:#d9534f;background-color:#fff}.btn-link{color:#428bca;font-weight:normal;border-radius:0}.btn-link,.btn-link:active,.btn-link.active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#777;text-decoration:none}.btn-lg,.btn-group-lg>.btn{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs,.btn-group-xs>.btn{padding:1px 
5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:5px}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .15s linear;-o-transition:opacity .15s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}tr.collapse.in{display:table-row}tbody.collapse.in{display:table-row-group}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition-property:height, visibility;-o-transition-property:height, visibility;transition-property:height, visibility;-webkit-transition-duration:.35s;-o-transition-duration:.35s;transition-duration:.35s;-webkit-transition-timing-function:ease;-o-transition-timing-function:ease;transition-timing-function:ease}.btn-group,.btn-group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar{margin-left:-5px}.btn-toolbar .btn,.btn-toolbar .btn-group,.btn-toolbar 
.input-group{float:left}.btn-toolbar>.btn,.btn-toolbar>.btn-group,.btn-toolbar>.input-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-top-right-radius:0}.btn-group>.btn-group:last-child:not(:first-child)>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group>.btn+.dropdown-toggle{padding-left:8px;padding-right:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-left:12px;padding-right:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn-group.open .dropdown-toggle.btn-link{-webkit-box-shadow:none;box-shadow:none}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 
5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group,.btn-group-vertical>.btn-group>.btn{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.btn,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-right-radius:0;border-top-left-radius:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child:not(:last-child)>.btn:last-child,.btn-group-vertical>.btn-group:first-child:not(:last-child)>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child:not(:first-child)>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;table-layout:fixed;border-collapse:separate}.btn-group-justified>.btn,.btn-group-justified>.btn-group{float:none;display:table-cell;width:1%}.btn-group-justified>.btn-group .btn{width:100%}.btn-group-justified>.btn-group .dropdown-menu{left:auto}[data-toggle="buttons"]>.btn input[type="radio"],[data-toggle="buttons"]>.btn-group>.btn input[type="radio"],[data-toggle="buttons"]>.btn input[type="checkbox"],[data-toggle="buttons"]>.btn-group>.btn input[type="checkbox"]{position:absolute;clip:rect(0, 0, 0, 0);pointer-events:none}.input-group{position:relative;display:table;border-collapse:separate}.input-group[class*="col-"]{float:none;padding-left:0;padding-right:0}.input-group 
.form-control{position:relative;z-index:2;float:left;width:100%;margin-bottom:0}.input-group .form-control:focus{z-index:3}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:46px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:46px;line-height:46px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn,select[multiple].input-group-lg>.form-control,select[multiple].input-group-lg>.input-group-addon,select[multiple].input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-group-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn,select[multiple].input-group-sm>.form-control,select[multiple].input-group-sm>.input-group-addon,select[multiple].input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:normal;line-height:1;color:#555;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 
10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type="radio"],.input-group-addon input[type="checkbox"]{margin-top:0}.input-group .form-control:first-child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group-btn:last-child>.btn-group:not(:last-child)>.btn{border-bottom-right-radius:0;border-top-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child),.input-group-btn:first-child>.btn-group:not(:first-child)>.btn{border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;font-size:0;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-1px}.input-group-btn>.btn:hover,.input-group-btn>.btn:focus,.input-group-btn>.btn:active{z-index:2}.input-group-btn:first-child>.btn,.input-group-btn:first-child>.btn-group{margin-right:-1px}.input-group-btn:last-child>.btn,.input-group-btn:last-child>.btn-group{z-index:2;margin-left:-1px}.nav{margin-bottom:0;padding-left:0;list-style:none}.nav>li{position:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#777}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#777;text-decoration:none;background-color:transparent;cursor:not-allowed}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 
0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.42857143;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent;cursor:default}.nav-tabs.nav-justified{width:100%;border-bottom:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-tabs.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media (min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}.nav-tabs.nav-justified>li>a{margin-bottom:0}}.nav-tabs.nav-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs.nav-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs.nav-justified>.active>a,.nav-tabs.nav-justified>.active>a:hover,.nav-tabs.nav-justified>.active>a:focus{border-bottom-color:#fff}}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:4px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{text-align:center;margin-bottom:5px}.nav-justified>.dropdown .dropdown-menu{top:auto;left:auto}@media 
(min-width:768px){.nav-justified>li{display:table-cell;width:1%}.nav-justified>li>a{margin-bottom:0}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-radius:4px}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border:1px solid #ddd}@media (min-width:768px){.nav-tabs-justified>li>a{border-bottom:1px solid #ddd;border-radius:4px 4px 0 0}.nav-tabs-justified>.active>a,.nav-tabs-justified>.active>a:hover,.nav-tabs-justified>.active>a:focus{border-bottom-color:#fff}}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;min-height:50px;margin-bottom:20px;border:1px solid transparent}@media (min-width:768px){.navbar{border-radius:4px}}@media (min-width:768px){.navbar-header{float:left}}.navbar-collapse{overflow-x:visible;padding-right:15px;padding-left:15px;border-top:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);-webkit-overflow-scrolling:touch}.navbar-collapse.in{overflow-y:auto}@media (min-width:768px){.navbar-collapse{width:auto;border-top:0;-webkit-box-shadow:none;box-shadow:none}.navbar-collapse.collapse{display:block !important;height:auto !important;padding-bottom:0;overflow:visible !important}.navbar-collapse.in{overflow-y:visible}.navbar-fixed-top .navbar-collapse,.navbar-static-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{padding-left:0;padding-right:0}}.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:340px}@media (max-device-width:480px) and (orientation:landscape){.navbar-fixed-top .navbar-collapse,.navbar-fixed-bottom .navbar-collapse{max-height:200px}}.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media 
(min-width:768px){.container>.navbar-header,.container-fluid>.navbar-header,.container>.navbar-collapse,.container-fluid>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{z-index:1000;border-width:0 0 1px}@media (min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;z-index:1030}@media (min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;border-width:0 0 1px}.navbar-fixed-bottom{bottom:0;margin-bottom:0;border-width:1px 0 0}.navbar-brand{float:left;padding:15px 15px;font-size:18px;line-height:20px;height:50px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}.navbar-brand>img{display:block}@media (min-width:768px){.navbar>.container .navbar-brand,.navbar>.container-fluid .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;margin-right:15px;padding:9px 10px;margin-top:8px;margin-bottom:8px;background-color:transparent;background-image:none;border:1px solid transparent;border-radius:4px}.navbar-toggle:focus{outline:0}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media (min-width:768px){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media (max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;-webkit-box-shadow:none;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media 
(min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}}.navbar-form{margin-left:-15px;margin-right:-15px;padding:10px 15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);margin-top:8px;margin-bottom:8px}@media (min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block;width:auto;vertical-align:middle}.navbar-form .form-control-static{display:inline-block}.navbar-form .input-group{display:inline-table;vertical-align:middle}.navbar-form .input-group .input-group-addon,.navbar-form .input-group .input-group-btn,.navbar-form .input-group .form-control{width:auto}.navbar-form .input-group>.form-control{width:100%}.navbar-form .control-label{margin-bottom:0;vertical-align:middle}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;margin-top:0;margin-bottom:0;vertical-align:middle}.navbar-form .radio label,.navbar-form .checkbox label{padding-left:0}.navbar-form .radio input[type="radio"],.navbar-form .checkbox input[type="checkbox"]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:767px){.navbar-form .form-group{margin-bottom:5px}.navbar-form .form-group:last-child{margin-bottom:0}}@media (min-width:768px){.navbar-form{width:auto;border:0;margin-left:0;margin-right:0;padding-top:0;padding-bottom:0;-webkit-box-shadow:none;box-shadow:none}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom 
.navbar-nav>li>.dropdown-menu{margin-bottom:0;border-top-right-radius:4px;border-top-left-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-btn.btn-sm{margin-top:10px;margin-bottom:10px}.navbar-btn.btn-xs{margin-top:14px;margin-bottom:14px}.navbar-text{margin-top:15px;margin-bottom:15px}@media (min-width:768px){.navbar-text{float:left;margin-left:15px;margin-right:15px}}@media (min-width:768px){.navbar-left{float:left !important}.navbar-right{float:right !important;margin-right:-15px}.navbar-right~.navbar-right{margin-right:0}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default .navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#888}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e7e7e7}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{background-color:#e7e7e7;color:#555}@media (max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-default .navbar-nav .open 
</style><script> /*!
jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */
c,d=[],e=0,f=b.getElementsByTagName(a);if("*"===a){while(c=f[e++])1===c.nodeType&&d.push(c);return d}return f},d.find.CLASS=c.getElementsByClassName&&function(a,b){return"undefined"!=typeof b.getElementsByClassName&&p?b.getElementsByClassName(a):void 0},r=[],q=[],(c.qsa=Z.test(n.querySelectorAll))&&(ia(function(a){o.appendChild(a).innerHTML="<a id='"+u+"'></a><select id='"+u+"-\r\\' msallowcapture=''><option selected=''></option></select>",a.querySelectorAll("[msallowcapture^='']").length&&q.push("[*^$]="+L+"*(?:''|\"\")"),a.querySelectorAll("[selected]").length||q.push("\\["+L+"*(?:value|"+K+")"),a.querySelectorAll("[id~="+u+"-]").length||q.push("~="),a.querySelectorAll(":checked").length||q.push(":checked"),a.querySelectorAll("a#"+u+"+*").length||q.push(".#.+[+~]")}),ia(function(a){var b=n.createElement("input");b.setAttribute("type","hidden"),a.appendChild(b).setAttribute("name","D"),a.querySelectorAll("[name=d]").length&&q.push("name"+L+"*[*^$|!~]?="),a.querySelectorAll(":enabled").length||q.push(":enabled",":disabled"),a.querySelectorAll("*,:x"),q.push(",.*:")})),(c.matchesSelector=Z.test(s=o.matches||o.webkitMatchesSelector||o.mozMatchesSelector||o.oMatchesSelector||o.msMatchesSelector))&&ia(function(a){c.disconnectedMatch=s.call(a,"div"),s.call(a,"[s!='']:x"),r.push("!=",O)}),q=q.length&&new RegExp(q.join("|")),r=r.length&&new RegExp(r.join("|")),b=Z.test(o.compareDocumentPosition),t=b||Z.test(o.contains)?function(a,b){var c=9===a.nodeType?a.documentElement:a,d=b&&b.parentNode;return a===d||!(!d||1!==d.nodeType||!(c.contains?c.contains(d):a.compareDocumentPosition&&16&a.compareDocumentPosition(d)))}:function(a,b){if(b)while(b=b.parentNode)if(b===a)return!0;return!1},B=b?function(a,b){if(a===b)return l=!0,0;var d=!a.compareDocumentPosition-!b.compareDocumentPosition;return 
d?d:(d=(a.ownerDocument||a)===(b.ownerDocument||b)?a.compareDocumentPosition(b):1,1&d||!c.sortDetached&&b.compareDocumentPosition(a)===d?a===n||a.ownerDocument===v&&t(v,a)?-1:b===n||b.ownerDocument===v&&t(v,b)?1:k?J(k,a)-J(k,b):0:4&d?-1:1)}:function(a,b){if(a===b)return l=!0,0;var c,d=0,e=a.parentNode,f=b.parentNode,g=[a],h=[b];if(!e||!f)return a===n?-1:b===n?1:e?-1:f?1:k?J(k,a)-J(k,b):0;if(e===f)return ka(a,b);c=a;while(c=c.parentNode)g.unshift(c);c=b;while(c=c.parentNode)h.unshift(c);while(g[d]===h[d])d++;return d?ka(g[d],h[d]):g[d]===v?-1:h[d]===v?1:0},n):n},fa.matches=function(a,b){return fa(a,null,null,b)},fa.matchesSelector=function(a,b){if((a.ownerDocument||a)!==n&&m(a),b=b.replace(T,"='$1']"),c.matchesSelector&&p&&!A[b+" "]&&(!r||!r.test(b))&&(!q||!q.test(b)))try{var d=s.call(a,b);if(d||c.disconnectedMatch||a.document&&11!==a.document.nodeType)return d}catch(e){}return fa(b,n,null,[a]).length>0},fa.contains=function(a,b){return(a.ownerDocument||a)!==n&&m(a),t(a,b)},fa.attr=function(a,b){(a.ownerDocument||a)!==n&&m(a);var e=d.attrHandle[b.toLowerCase()],f=e&&D.call(d.attrHandle,b.toLowerCase())?e(a,b,!p):void 0;return void 0!==f?f:c.attributes||!p?a.getAttribute(b):(f=a.getAttributeNode(b))&&f.specified?f.value:null},fa.error=function(a){throw new Error("Syntax error, unrecognized expression: "+a)},fa.uniqueSort=function(a){var b,d=[],e=0,f=0;if(l=!c.detectDuplicates,k=!c.sortStable&&a.slice(0),a.sort(B),l){while(b=a[f++])b===a[f]&&(e=d.push(f));while(e--)a.splice(d[e],1)}return k=null,a},e=fa.getText=function(a){var b,c="",d=0,f=a.nodeType;if(f){if(1===f||9===f||11===f){if("string"==typeof a.textContent)return a.textContent;for(a=a.firstChild;a;a=a.nextSibling)c+=e(a)}else if(3===f||4===f)return a.nodeValue}else while(b=a[d++])c+=e(b);return c},d=fa.selectors={cacheLength:50,createPseudo:ha,match:W,attrHandle:{},find:{},relative:{">":{dir:"parentNode",first:!0}," 
":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(a){return a[1]=a[1].replace(ba,ca),a[3]=(a[3]||a[4]||a[5]||"").replace(ba,ca),"~="===a[2]&&(a[3]=" "+a[3]+" "),a.slice(0,4)},CHILD:function(a){return a[1]=a[1].toLowerCase(),"nth"===a[1].slice(0,3)?(a[3]||fa.error(a[0]),a[4]=+(a[4]?a[5]+(a[6]||1):2*("even"===a[3]||"odd"===a[3])),a[5]=+(a[7]+a[8]||"odd"===a[3])):a[3]&&fa.error(a[0]),a},PSEUDO:function(a){var b,c=!a[6]&&a[2];return W.CHILD.test(a[0])?null:(a[3]?a[2]=a[4]||a[5]||"":c&&U.test(c)&&(b=g(c,!0))&&(b=c.indexOf(")",c.length-b)-c.length)&&(a[0]=a[0].slice(0,b),a[2]=c.slice(0,b)),a.slice(0,3))}},filter:{TAG:function(a){var b=a.replace(ba,ca).toLowerCase();return"*"===a?function(){return!0}:function(a){return a.nodeName&&a.nodeName.toLowerCase()===b}},CLASS:function(a){var b=y[a+" "];return b||(b=new RegExp("(^|"+L+")"+a+"("+L+"|$)"))&&y(a,function(a){return b.test("string"==typeof a.className&&a.className||"undefined"!=typeof a.getAttribute&&a.getAttribute("class")||"")})},ATTR:function(a,b,c){return function(d){var e=fa.attr(d,a);return null==e?"!="===b:b?(e+="","="===b?e===c:"!="===b?e!==c:"^="===b?c&&0===e.indexOf(c):"*="===b?c&&e.indexOf(c)>-1:"$="===b?c&&e.slice(-c.length)===c:"~="===b?(" "+e.replace(P," ")+" ").indexOf(c)>-1:"|="===b?e===c||e.slice(0,c.length+1)===c+"-":!1):!0}},CHILD:function(a,b,c,d,e){var f="nth"!==a.slice(0,3),g="last"!==a.slice(-4),h="of-type"===b;return 1===d&&0===e?function(a){return!!a.parentNode}:function(b,c,i){var 
j,k,l,m,n,o,p=f!==g?"nextSibling":"previousSibling",q=b.parentNode,r=h&&b.nodeName.toLowerCase(),s=!i&&!h,t=!1;if(q){if(f){while(p){m=b;while(m=m[p])if(h?m.nodeName.toLowerCase()===r:1===m.nodeType)return!1;o=p="only"===a&&!o&&"nextSibling"}return!0}if(o=[g?q.firstChild:q.lastChild],g&&s){m=q,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n&&j[2],m=n&&q.childNodes[n];while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if(1===m.nodeType&&++t&&m===b){k[a]=[w,n,t];break}}else if(s&&(m=b,l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),j=k[a]||[],n=j[0]===w&&j[1],t=n),t===!1)while(m=++n&&m&&m[p]||(t=n=0)||o.pop())if((h?m.nodeName.toLowerCase()===r:1===m.nodeType)&&++t&&(s&&(l=m[u]||(m[u]={}),k=l[m.uniqueID]||(l[m.uniqueID]={}),k[a]=[w,t]),m===b))break;return t-=e,t===d||t%d===0&&t/d>=0}}},PSEUDO:function(a,b){var c,e=d.pseudos[a]||d.setFilters[a.toLowerCase()]||fa.error("unsupported pseudo: "+a);return e[u]?e(b):e.length>1?(c=[a,a,"",b],d.setFilters.hasOwnProperty(a.toLowerCase())?ha(function(a,c){var d,f=e(a,b),g=f.length;while(g--)d=J(a,f[g]),a[d]=!(c[d]=f[g])}):function(a){return e(a,0,c)}):e}},pseudos:{not:ha(function(a){var b=[],c=[],d=h(a.replace(Q,"$1"));return d[u]?ha(function(a,b,c,e){var f,g=d(a,null,e,[]),h=a.length;while(h--)(f=g[h])&&(a[h]=!(b[h]=f))}):function(a,e,f){return b[0]=a,d(b,null,f,c),b[0]=null,!c.pop()}}),has:ha(function(a){return function(b){return fa(a,b).length>0}}),contains:ha(function(a){return a=a.replace(ba,ca),function(b){return(b.textContent||b.innerText||e(b)).indexOf(a)>-1}}),lang:ha(function(a){return V.test(a||"")||fa.error("unsupported lang: "+a),a=a.replace(ba,ca).toLowerCase(),function(b){var c;do if(c=p?b.lang:b.getAttribute("xml:lang")||b.getAttribute("lang"))return c=c.toLowerCase(),c===a||0===c.indexOf(a+"-");while((b=b.parentNode)&&1===b.nodeType);return!1}}),target:function(b){var c=a.location&&a.location.hash;return c&&c.slice(1)===b.id},root:function(a){return a===o},focus:function(a){return 
a===n.activeElement&&(!n.hasFocus||n.hasFocus())&&!!(a.type||a.href||~a.tabIndex)},enabled:function(a){return a.disabled===!1},disabled:function(a){return a.disabled===!0},checked:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&!!a.checked||"option"===b&&!!a.selected},selected:function(a){return a.parentNode&&a.parentNode.selectedIndex,a.selected===!0},empty:function(a){for(a=a.firstChild;a;a=a.nextSibling)if(a.nodeType<6)return!1;return!0},parent:function(a){return!d.pseudos.empty(a)},header:function(a){return Y.test(a.nodeName)},input:function(a){return X.test(a.nodeName)},button:function(a){var b=a.nodeName.toLowerCase();return"input"===b&&"button"===a.type||"button"===b},text:function(a){var b;return"input"===a.nodeName.toLowerCase()&&"text"===a.type&&(null==(b=a.getAttribute("type"))||"text"===b.toLowerCase())},first:na(function(){return[0]}),last:na(function(a,b){return[b-1]}),eq:na(function(a,b,c){return[0>c?c+b:c]}),even:na(function(a,b){for(var c=0;b>c;c+=2)a.push(c);return a}),odd:na(function(a,b){for(var c=1;b>c;c+=2)a.push(c);return a}),lt:na(function(a,b,c){for(var d=0>c?c+b:c;--d>=0;)a.push(d);return a}),gt:na(function(a,b,c){for(var d=0>c?c+b:c;++d<b;)a.push(d);return a})}},d.pseudos.nth=d.pseudos.eq;for(b in{radio:!0,checkbox:!0,file:!0,password:!0,image:!0})d.pseudos[b]=la(b);for(b in{submit:!0,reset:!0})d.pseudos[b]=ma(b);function pa(){}pa.prototype=d.filters=d.pseudos,d.setFilters=new pa,g=fa.tokenize=function(a,b){var c,e,f,g,h,i,j,k=z[a+" "];if(k)return b?0:k.slice(0);h=a,i=[],j=d.preFilter;while(h){c&&!(e=R.exec(h))||(e&&(h=h.slice(e[0].length)||h),i.push(f=[])),c=!1,(e=S.exec(h))&&(c=e.shift(),f.push({value:c,type:e[0].replace(Q," ")}),h=h.slice(c.length));for(g in d.filter)!(e=W[g].exec(h))||j[g]&&!(e=j[g](e))||(c=e.shift(),f.push({value:c,type:g,matches:e}),h=h.slice(c.length));if(!c)break}return b?h.length:h?fa.error(a):z(a,i).slice(0)};function qa(a){for(var b=0,c=a.length,d="";c>b;b++)d+=a[b].value;return d}function 
ra(a,b,c){var d=b.dir,e=c&&"parentNode"===d,f=x++;return b.first?function(b,c,f){while(b=b[d])if(1===b.nodeType||e)return a(b,c,f)}:function(b,c,g){var h,i,j,k=[w,f];if(g){while(b=b[d])if((1===b.nodeType||e)&&a(b,c,g))return!0}else while(b=b[d])if(1===b.nodeType||e){if(j=b[u]||(b[u]={}),i=j[b.uniqueID]||(j[b.uniqueID]={}),(h=i[d])&&h[0]===w&&h[1]===f)return k[2]=h[2];if(i[d]=k,k[2]=a(b,c,g))return!0}}}function sa(a){return a.length>1?function(b,c,d){var e=a.length;while(e--)if(!a[e](b,c,d))return!1;return!0}:a[0]}function ta(a,b,c){for(var d=0,e=b.length;e>d;d++)fa(a,b[d],c);return c}function ua(a,b,c,d,e){for(var f,g=[],h=0,i=a.length,j=null!=b;i>h;h++)(f=a[h])&&(c&&!c(f,d,e)||(g.push(f),j&&b.push(h)));return g}function va(a,b,c,d,e,f){return d&&!d[u]&&(d=va(d)),e&&!e[u]&&(e=va(e,f)),ha(function(f,g,h,i){var j,k,l,m=[],n=[],o=g.length,p=f||ta(b||"*",h.nodeType?[h]:h,[]),q=!a||!f&&b?p:ua(p,m,a,h,i),r=c?e||(f?a:o||d)?[]:g:q;if(c&&c(q,r,h,i),d){j=ua(r,n),d(j,[],h,i),k=j.length;while(k--)(l=j[k])&&(r[n[k]]=!(q[n[k]]=l))}if(f){if(e||a){if(e){j=[],k=r.length;while(k--)(l=r[k])&&j.push(q[k]=l);e(null,r=[],j,i)}k=r.length;while(k--)(l=r[k])&&(j=e?J(f,l):m[k])>-1&&(f[j]=!(g[j]=l))}}else r=ua(r===g?r.splice(o,r.length):r),e?e(null,g,r,i):H.apply(g,r)})}function wa(a){for(var b,c,e,f=a.length,g=d.relative[a[0].type],h=g||d.relative[" "],i=g?1:0,k=ra(function(a){return a===b},h,!0),l=ra(function(a){return J(b,a)>-1},h,!0),m=[function(a,c,d){var e=!g&&(d||c!==j)||((b=c).nodeType?k(a,c,d):l(a,c,d));return b=null,e}];f>i;i++)if(c=d.relative[a[i].type])m=[ra(sa(m),c)];else{if(c=d.filter[a[i].type].apply(null,a[i].matches),c[u]){for(e=++i;f>e;e++)if(d.relative[a[e].type])break;return va(i>1&&sa(m),i>1&&qa(a.slice(0,i-1).concat({value:" "===a[i-2].type?"*":""})).replace(Q,"$1"),c,e>i&&wa(a.slice(i,e)),f>e&&wa(a=a.slice(e)),f>e&&qa(a))}m.push(c)}return sa(m)}function xa(a,b){var c=b.length>0,e=a.length>0,f=function(f,g,h,i,k){var 
l,o,q,r=0,s="0",t=f&&[],u=[],v=j,x=f||e&&d.find.TAG("*",k),y=w+=null==v?1:Math.random()||.1,z=x.length;for(k&&(j=g===n||g||k);s!==z&&null!=(l=x[s]);s++){if(e&&l){o=0,g||l.ownerDocument===n||(m(l),h=!p);while(q=a[o++])if(q(l,g||n,h)){i.push(l);break}k&&(w=y)}c&&((l=!q&&l)&&r--,f&&t.push(l))}if(r+=s,c&&s!==r){o=0;while(q=b[o++])q(t,u,g,h);if(f){if(r>0)while(s--)t[s]||u[s]||(u[s]=F.call(i));u=ua(u)}H.apply(i,u),k&&!f&&u.length>0&&r+b.length>1&&fa.uniqueSort(i)}return k&&(w=y,j=v),t};return c?ha(f):f}return h=fa.compile=function(a,b){var c,d=[],e=[],f=A[a+" "];if(!f){b||(b=g(a)),c=b.length;while(c--)f=wa(b[c]),f[u]?d.push(f):e.push(f);f=A(a,xa(e,d)),f.selector=a}return f},i=fa.select=function(a,b,e,f){var i,j,k,l,m,n="function"==typeof a&&a,o=!f&&g(a=n.selector||a);if(e=e||[],1===o.length){if(j=o[0]=o[0].slice(0),j.length>2&&"ID"===(k=j[0]).type&&c.getById&&9===b.nodeType&&p&&d.relative[j[1].type]){if(b=(d.find.ID(k.matches[0].replace(ba,ca),b)||[])[0],!b)return e;n&&(b=b.parentNode),a=a.slice(j.shift().value.length)}i=W.needsContext.test(a)?0:j.length;while(i--){if(k=j[i],d.relative[l=k.type])break;if((m=d.find[l])&&(f=m(k.matches[0].replace(ba,ca),_.test(j[0].type)&&oa(b.parentNode)||b))){if(j.splice(i,1),a=f.length&&qa(j),!a)return H.apply(e,f),e;break}}}return(n||h(a,o))(f,b,!p,e,!b||_.test(a)&&oa(b.parentNode)||b),e},c.sortStable=u.split("").sort(B).join("")===u,c.detectDuplicates=!!l,m(),c.sortDetached=ia(function(a){return 1&a.compareDocumentPosition(n.createElement("div"))}),ia(function(a){return a.innerHTML="<a href='#'></a>","#"===a.firstChild.getAttribute("href")})||ja("type|href|height|width",function(a,b,c){return c?void 0:a.getAttribute(b,"type"===b.toLowerCase()?1:2)}),c.attributes&&ia(function(a){return a.innerHTML="<input/>",a.firstChild.setAttribute("value",""),""===a.firstChild.getAttribute("value")})||ja("value",function(a,b,c){return c||"input"!==a.nodeName.toLowerCase()?void 0:a.defaultValue}),ia(function(a){return 
null==a.getAttribute("disabled")})||ja(K,function(a,b,c){var d;return c?void 0:a[b]===!0?b.toLowerCase():(d=a.getAttributeNode(b))&&d.specified?d.value:null}),fa}(a);n.find=t,n.expr=t.selectors,n.expr[":"]=n.expr.pseudos,n.uniqueSort=n.unique=t.uniqueSort,n.text=t.getText,n.isXMLDoc=t.isXML,n.contains=t.contains;var u=function(a,b,c){var d=[],e=void 0!==c;while((a=a[b])&&9!==a.nodeType)if(1===a.nodeType){if(e&&n(a).is(c))break;d.push(a)}return d},v=function(a,b){for(var c=[];a;a=a.nextSibling)1===a.nodeType&&a!==b&&c.push(a);return c},w=n.expr.match.needsContext,x=/^<([\w-]+)\s*\/?>(?:<\/\1>|)$/,y=/^.[^:#\[\.,]*$/;function z(a,b,c){if(n.isFunction(b))return n.grep(a,function(a,d){return!!b.call(a,d,a)!==c});if(b.nodeType)return n.grep(a,function(a){return a===b!==c});if("string"==typeof b){if(y.test(b))return n.filter(b,a,c);b=n.filter(b,a)}return n.grep(a,function(a){return n.inArray(a,b)>-1!==c})}n.filter=function(a,b,c){var d=b[0];return c&&(a=":not("+a+")"),1===b.length&&1===d.nodeType?n.find.matchesSelector(d,a)?[d]:[]:n.find.matches(a,n.grep(b,function(a){return 1===a.nodeType}))},n.fn.extend({find:function(a){var b,c=[],d=this,e=d.length;if("string"!=typeof a)return this.pushStack(n(a).filter(function(){for(b=0;e>b;b++)if(n.contains(d[b],this))return!0}));for(b=0;e>b;b++)n.find(a,d[b],c);return c=this.pushStack(e>1?n.unique(c):c),c.selector=this.selector?this.selector+" "+a:a,c},filter:function(a){return this.pushStack(z(this,a||[],!1))},not:function(a){return this.pushStack(z(this,a||[],!0))},is:function(a){return!!z(this,"string"==typeof a&&w.test(a)?n(a):a||[],!1).length}});var A,B=/^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,C=n.fn.init=function(a,b,c){var e,f;if(!a)return this;if(c=c||A,"string"==typeof a){if(e="<"===a.charAt(0)&&">"===a.charAt(a.length-1)&&a.length>=3?[null,a,null]:B.exec(a),!e||!e[1]&&b)return!b||b.jquery?(b||c).find(a):this.constructor(b).find(a);if(e[1]){if(b=b instanceof 
n?b[0]:b,n.merge(this,n.parseHTML(e[1],b&&b.nodeType?b.ownerDocument||b:d,!0)),x.test(e[1])&&n.isPlainObject(b))for(e in b)n.isFunction(this[e])?this[e](b[e]):this.attr(e,b[e]);return this}if(f=d.getElementById(e[2]),f&&f.parentNode){if(f.id!==e[2])return A.find(a);this.length=1,this[0]=f}return this.context=d,this.selector=a,this}return a.nodeType?(this.context=this[0]=a,this.length=1,this):n.isFunction(a)?"undefined"!=typeof c.ready?c.ready(a):a(n):(void 0!==a.selector&&(this.selector=a.selector,this.context=a.context),n.makeArray(a,this))};C.prototype=n.fn,A=n(d);var D=/^(?:parents|prev(?:Until|All))/,E={children:!0,contents:!0,next:!0,prev:!0};n.fn.extend({has:function(a){var b,c=n(a,this),d=c.length;return this.filter(function(){for(b=0;d>b;b++)if(n.contains(this,c[b]))return!0})},closest:function(a,b){for(var c,d=0,e=this.length,f=[],g=w.test(a)||"string"!=typeof a?n(a,b||this.context):0;e>d;d++)for(c=this[d];c&&c!==b;c=c.parentNode)if(c.nodeType<11&&(g?g.index(c)>-1:1===c.nodeType&&n.find.matchesSelector(c,a))){f.push(c);break}return this.pushStack(f.length>1?n.uniqueSort(f):f)},index:function(a){return a?"string"==typeof a?n.inArray(this[0],n(a)):n.inArray(a.jquery?a[0]:a,this):this[0]&&this[0].parentNode?this.first().prevAll().length:-1},add:function(a,b){return this.pushStack(n.uniqueSort(n.merge(this.get(),n(a,b))))},addBack:function(a){return this.add(null==a?this.prevObject:this.prevObject.filter(a))}});function F(a,b){do a=a[b];while(a&&1!==a.nodeType);return a}n.each({parent:function(a){var b=a.parentNode;return b&&11!==b.nodeType?b:null},parents:function(a){return u(a,"parentNode")},parentsUntil:function(a,b,c){return u(a,"parentNode",c)},next:function(a){return F(a,"nextSibling")},prev:function(a){return F(a,"previousSibling")},nextAll:function(a){return u(a,"nextSibling")},prevAll:function(a){return u(a,"previousSibling")},nextUntil:function(a,b,c){return u(a,"nextSibling",c)},prevUntil:function(a,b,c){return 
u(a,"previousSibling",c)},siblings:function(a){return v((a.parentNode||{}).firstChild,a)},children:function(a){return v(a.firstChild)},contents:function(a){return n.nodeName(a,"iframe")?a.contentDocument||a.contentWindow.document:n.merge([],a.childNodes)}},function(a,b){n.fn[a]=function(c,d){var e=n.map(this,b,c);return"Until"!==a.slice(-5)&&(d=c),d&&"string"==typeof d&&(e=n.filter(d,e)),this.length>1&&(E[a]||(e=n.uniqueSort(e)),D.test(a)&&(e=e.reverse())),this.pushStack(e)}});var G=/\S+/g;function H(a){var b={};return n.each(a.match(G)||[],function(a,c){b[c]=!0}),b}n.Callbacks=function(a){a="string"==typeof a?H(a):n.extend({},a);var b,c,d,e,f=[],g=[],h=-1,i=function(){for(e=a.once,d=b=!0;g.length;h=-1){c=g.shift();while(++h<f.length)f[h].apply(c[0],c[1])===!1&&a.stopOnFalse&&(h=f.length,c=!1)}a.memory||(c=!1),b=!1,e&&(f=c?[]:"")},j={add:function(){return f&&(c&&!b&&(h=f.length-1,g.push(c)),function d(b){n.each(b,function(b,c){n.isFunction(c)?a.unique&&j.has(c)||f.push(c):c&&c.length&&"string"!==n.type(c)&&d(c)})}(arguments),c&&!b&&i()),this},remove:function(){return n.each(arguments,function(a,b){var c;while((c=n.inArray(b,f,c))>-1)f.splice(c,1),h>=c&&h--}),this},has:function(a){return a?n.inArray(a,f)>-1:f.length>0},empty:function(){return f&&(f=[]),this},disable:function(){return e=g=[],f=c="",this},disabled:function(){return!f},lock:function(){return e=!0,c||j.disable(),this},locked:function(){return!!e},fireWith:function(a,c){return e||(c=c||[],c=[a,c.slice?c.slice():c],g.push(c),b||i()),this},fire:function(){return j.fireWith(this,arguments),this},fired:function(){return!!d}};return j},n.extend({Deferred:function(a){var b=[["resolve","done",n.Callbacks("once memory"),"resolved"],["reject","fail",n.Callbacks("once memory"),"rejected"],["notify","progress",n.Callbacks("memory")]],c="pending",d={state:function(){return c},always:function(){return e.done(arguments).fail(arguments),this},then:function(){var a=arguments;return 
n.Deferred(function(c){n.each(b,function(b,f){var g=n.isFunction(a[b])&&a[b];e[f[1]](function(){var a=g&&g.apply(this,arguments);a&&n.isFunction(a.promise)?a.promise().progress(c.notify).done(c.resolve).fail(c.reject):c[f[0]+"With"](this===d?c.promise():this,g?[a]:arguments)})}),a=null}).promise()},promise:function(a){return null!=a?n.extend(a,d):d}},e={};return d.pipe=d.then,n.each(b,function(a,f){var g=f[2],h=f[3];d[f[1]]=g.add,h&&g.add(function(){c=h},b[1^a][2].disable,b[2][2].lock),e[f[0]]=function(){return e[f[0]+"With"](this===e?d:this,arguments),this},e[f[0]+"With"]=g.fireWith}),d.promise(e),a&&a.call(e,e),e},when:function(a){var b=0,c=e.call(arguments),d=c.length,f=1!==d||a&&n.isFunction(a.promise)?d:0,g=1===f?a:n.Deferred(),h=function(a,b,c){return function(d){b[a]=this,c[a]=arguments.length>1?e.call(arguments):d,c===i?g.notifyWith(b,c):--f||g.resolveWith(b,c)}},i,j,k;if(d>1)for(i=new Array(d),j=new Array(d),k=new Array(d);d>b;b++)c[b]&&n.isFunction(c[b].promise)?c[b].promise().progress(h(b,j,i)).done(h(b,k,c)).fail(g.reject):--f;return f||g.resolveWith(k,c),g.promise()}});var I;n.fn.ready=function(a){return n.ready.promise().done(a),this},n.extend({isReady:!1,readyWait:1,holdReady:function(a){a?n.readyWait++:n.ready(!0)},ready:function(a){(a===!0?--n.readyWait:n.isReady)||(n.isReady=!0,a!==!0&&--n.readyWait>0||(I.resolveWith(d,[n]),n.fn.triggerHandler&&(n(d).triggerHandler("ready"),n(d).off("ready"))))}});function J(){d.addEventListener?(d.removeEventListener("DOMContentLoaded",K),a.removeEventListener("load",K)):(d.detachEvent("onreadystatechange",K),a.detachEvent("onload",K))}function K(){(d.addEventListener||"load"===a.event.type||"complete"===d.readyState)&&(J(),n.ready())}n.ready.promise=function(b){if(!I)if(I=n.Deferred(),"complete"===d.readyState||"loading"!==d.readyState&&!d.documentElement.doScroll)a.setTimeout(n.ready);else 
if(d.addEventListener)d.addEventListener("DOMContentLoaded",K),a.addEventListener("load",K);else{d.attachEvent("onreadystatechange",K),a.attachEvent("onload",K);var c=!1;try{c=null==a.frameElement&&d.documentElement}catch(e){}c&&c.doScroll&&!function f(){if(!n.isReady){try{c.doScroll("left")}catch(b){return a.setTimeout(f,50)}J(),n.ready()}}()}return I.promise(b)},n.ready.promise();var L;for(L in n(l))break;l.ownFirst="0"===L,l.inlineBlockNeedsLayout=!1,n(function(){var a,b,c,e;c=d.getElementsByTagName("body")[0],c&&c.style&&(b=d.createElement("div"),e=d.createElement("div"),e.style.cssText="position:absolute;border:0;width:0;height:0;top:0;left:-9999px",c.appendChild(e).appendChild(b),"undefined"!=typeof b.style.zoom&&(b.style.cssText="display:inline;margin:0;border:0;padding:1px;width:1px;zoom:1",l.inlineBlockNeedsLayout=a=3===b.offsetWidth,a&&(c.style.zoom=1)),c.removeChild(e))}),function(){var a=d.createElement("div");l.deleteExpando=!0;try{delete a.test}catch(b){l.deleteExpando=!1}a=null}();var M=function(a){var b=n.noData[(a.nodeName+" ").toLowerCase()],c=+a.nodeType||1;return 1!==c&&9!==c?!1:!b||b!==!0&&a.getAttribute("classid")===b},N=/^(?:\{[\w\W]*\}|\[[\w\W]*\])$/,O=/([A-Z])/g;function P(a,b,c){if(void 0===c&&1===a.nodeType){var d="data-"+b.replace(O,"-$1").toLowerCase();if(c=a.getAttribute(d),"string"==typeof c){try{c="true"===c?!0:"false"===c?!1:"null"===c?null:+c+""===c?+c:N.test(c)?n.parseJSON(c):c}catch(e){}n.data(a,b,c)}else c=void 0; }return c}function Q(a){var b;for(b in a)if(("data"!==b||!n.isEmptyObject(a[b]))&&"toJSON"!==b)return!1;return!0}function R(a,b,d,e){if(M(a)){var f,g,h=n.expando,i=a.nodeType,j=i?n.cache:a,k=i?a[h]:a[h]&&h;if(k&&j[k]&&(e||j[k].data)||void 0!==d||"string"!=typeof b)return k||(k=i?a[h]=c.pop()||n.guid++:h),j[k]||(j[k]=i?{}:{toJSON:n.noop}),"object"!=typeof b&&"function"!=typeof b||(e?j[k]=n.extend(j[k],b):j[k].data=n.extend(j[k].data,b)),g=j[k],e||(g.data||(g.data={}),g=g.data),void 
0!==d&&(g[n.camelCase(b)]=d),"string"==typeof b?(f=g[b],null==f&&(f=g[n.camelCase(b)])):f=g,f}}function S(a,b,c){if(M(a)){var d,e,f=a.nodeType,g=f?n.cache:a,h=f?a[n.expando]:n.expando;if(g[h]){if(b&&(d=c?g[h]:g[h].data)){n.isArray(b)?b=b.concat(n.map(b,n.camelCase)):b in d?b=[b]:(b=n.camelCase(b),b=b in d?[b]:b.split(" ")),e=b.length;while(e--)delete d[b[e]];if(c?!Q(d):!n.isEmptyObject(d))return}(c||(delete g[h].data,Q(g[h])))&&(f?n.cleanData([a],!0):l.deleteExpando||g!=g.window?delete g[h]:g[h]=void 0)}}}n.extend({cache:{},noData:{"applet ":!0,"embed ":!0,"object ":"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"},hasData:function(a){return a=a.nodeType?n.cache[a[n.expando]]:a[n.expando],!!a&&!Q(a)},data:function(a,b,c){return R(a,b,c)},removeData:function(a,b){return S(a,b)},_data:function(a,b,c){return R(a,b,c,!0)},_removeData:function(a,b){return S(a,b,!0)}}),n.fn.extend({data:function(a,b){var c,d,e,f=this[0],g=f&&f.attributes;if(void 0===a){if(this.length&&(e=n.data(f),1===f.nodeType&&!n._data(f,"parsedAttrs"))){c=g.length;while(c--)g[c]&&(d=g[c].name,0===d.indexOf("data-")&&(d=n.camelCase(d.slice(5)),P(f,d,e[d])));n._data(f,"parsedAttrs",!0)}return e}return"object"==typeof a?this.each(function(){n.data(this,a)}):arguments.length>1?this.each(function(){n.data(this,a,b)}):f?P(f,a,n.data(f,a)):void 0},removeData:function(a){return this.each(function(){n.removeData(this,a)})}}),n.extend({queue:function(a,b,c){var d;return a?(b=(b||"fx")+"queue",d=n._data(a,b),c&&(!d||n.isArray(c)?d=n._data(a,b,n.makeArray(c)):d.push(c)),d||[]):void 0},dequeue:function(a,b){b=b||"fx";var c=n.queue(a,b),d=c.length,e=c.shift(),f=n._queueHooks(a,b),g=function(){n.dequeue(a,b)};"inprogress"===e&&(e=c.shift(),d--),e&&("fx"===b&&c.unshift("inprogress"),delete f.stop,e.call(a,g,f)),!d&&f&&f.empty.fire()},_queueHooks:function(a,b){var c=b+"queueHooks";return n._data(a,c)||n._data(a,c,{empty:n.Callbacks("once 
0:d))},attrHooks:{type:{set:function(a,b){if(!l.radioValue&&"radio"===b&&n.nodeName(a,"input")){var c=a.value;return a.setAttribute("type",b),c&&(a.value=c),b}}}},removeAttr:function(a,b){var c,d,e=0,f=b&&b.match(G);if(f&&1===a.nodeType)while(c=f[e++])d=n.propFix[c]||c,n.expr.match.bool.test(c)?yb&&xb||!wb.test(c)?a[d]=!1:a[n.camelCase("default-"+c)]=a[d]=!1:n.attr(a,c,""),a.removeAttribute(xb?c:d)}}),ub={set:function(a,b,c){return b===!1?n.removeAttr(a,c):yb&&xb||!wb.test(c)?a.setAttribute(!xb&&n.propFix[c]||c,c):a[n.camelCase("default-"+c)]=a[c]=!0,c}},n.each(n.expr.match.bool.source.match(/\w+/g),function(a,b){var c=vb[b]||n.find.attr;yb&&xb||!wb.test(b)?vb[b]=function(a,b,d){var e,f;return d||(f=vb[b],vb[b]=e,e=null!=c(a,b,d)?b.toLowerCase():null,vb[b]=f),e}:vb[b]=function(a,b,c){return c?void 0:a[n.camelCase("default-"+b)]?b.toLowerCase():null}}),yb&&xb||(n.attrHooks.value={set:function(a,b,c){return n.nodeName(a,"input")?void(a.defaultValue=b):tb&&tb.set(a,b,c)}}),xb||(tb={set:function(a,b,c){var d=a.getAttributeNode(c);return d||a.setAttributeNode(d=a.ownerDocument.createAttribute(c)),d.value=b+="","value"===c||b===a.getAttribute(c)?b:void 0}},vb.id=vb.name=vb.coords=function(a,b,c){var d;return c?void 0:(d=a.getAttributeNode(b))&&""!==d.value?d.value:null},n.valHooks.button={get:function(a,b){var c=a.getAttributeNode(b);return c&&c.specified?c.value:void 0},set:tb.set},n.attrHooks.contenteditable={set:function(a,b,c){tb.set(a,""===b?!1:b,c)}},n.each(["width","height"],function(a,b){n.attrHooks[b]={set:function(a,c){return""===c?(a.setAttribute(b,"auto"),c):void 0}}})),l.style||(n.attrHooks.style={get:function(a){return a.style.cssText||void 0},set:function(a,b){return a.style.cssText=b+""}});var zb=/^(?:input|select|textarea|button|object)$/i,Ab=/^(?:a|area)$/i;n.fn.extend({prop:function(a,b){return Y(this,n.prop,a,b,arguments.length>1)},removeProp:function(a){return a=n.propFix[a]||a,this.each(function(){try{this[a]=void 0,delete 
this[a]}catch(b){}})}}),n.extend({prop:function(a,b,c){var d,e,f=a.nodeType;if(3!==f&&8!==f&&2!==f)return 1===f&&n.isXMLDoc(a)||(b=n.propFix[b]||b,e=n.propHooks[b]),void 0!==c?e&&"set"in e&&void 0!==(d=e.set(a,c,b))?d:a[b]=c:e&&"get"in e&&null!==(d=e.get(a,b))?d:a[b]},propHooks:{tabIndex:{get:function(a){var b=n.find.attr(a,"tabindex");return b?parseInt(b,10):zb.test(a.nodeName)||Ab.test(a.nodeName)&&a.href?0:-1}}},propFix:{"for":"htmlFor","class":"className"}}),l.hrefNormalized||n.each(["href","src"],function(a,b){n.propHooks[b]={get:function(a){return a.getAttribute(b,4)}}}),l.optSelected||(n.propHooks.selected={get:function(a){var b=a.parentNode;return b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex),null},set:function(a){var b=a.parentNode;b&&(b.selectedIndex,b.parentNode&&b.parentNode.selectedIndex)}}),n.each(["tabIndex","readOnly","maxLength","cellSpacing","cellPadding","rowSpan","colSpan","useMap","frameBorder","contentEditable"],function(){n.propFix[this.toLowerCase()]=this}),l.enctype||(n.propFix.enctype="encoding");var Bb=/[\t\r\n\f]/g;function Cb(a){return n.attr(a,"class")||""}n.fn.extend({addClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).addClass(a.call(this,b,Cb(this)))});if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])d.indexOf(" "+f+" ")<0&&(d+=f+" ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},removeClass:function(a){var b,c,d,e,f,g,h,i=0;if(n.isFunction(a))return this.each(function(b){n(this).removeClass(a.call(this,b,Cb(this)))});if(!arguments.length)return this.attr("class","");if("string"==typeof a&&a){b=a.match(G)||[];while(c=this[i++])if(e=Cb(c),d=1===c.nodeType&&(" "+e+" ").replace(Bb," ")){g=0;while(f=b[g++])while(d.indexOf(" "+f+" ")>-1)d=d.replace(" "+f+" "," ");h=n.trim(d),e!==h&&n.attr(c,"class",h)}}return this},toggleClass:function(a,b){var c=typeof a;return"boolean"==typeof 
b&&"string"===c?b?this.addClass(a):this.removeClass(a):n.isFunction(a)?this.each(function(c){n(this).toggleClass(a.call(this,c,Cb(this),b),b)}):this.each(function(){var b,d,e,f;if("string"===c){d=0,e=n(this),f=a.match(G)||[];while(b=f[d++])e.hasClass(b)?e.removeClass(b):e.addClass(b)}else void 0!==a&&"boolean"!==c||(b=Cb(this),b&&n._data(this,"__className__",b),n.attr(this,"class",b||a===!1?"":n._data(this,"__className__")||""))})},hasClass:function(a){var b,c,d=0;b=" "+a+" ";while(c=this[d++])if(1===c.nodeType&&(" "+Cb(c)+" ").replace(Bb," ").indexOf(b)>-1)return!0;return!1}}),n.each("blur focus focusin focusout load resize scroll unload click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup error contextmenu".split(" "),function(a,b){n.fn[b]=function(a,c){return arguments.length>0?this.on(b,null,a,c):this.trigger(b)}}),n.fn.extend({hover:function(a,b){return this.mouseenter(a).mouseleave(b||a)}});var Db=a.location,Eb=n.now(),Fb=/\?/,Gb=/(,)|(\[|{)|(}|])|"(?:[^"\\\r\n]|\\["\\\/bfnrt]|\\u[\da-fA-F]{4})*"\s*:?|true|false|null|-?(?!0\d)\d+(?:\.\d+|)(?:[eE][+-]?\d+|)/g;n.parseJSON=function(b){if(a.JSON&&a.JSON.parse)return a.JSON.parse(b+"");var c,d=null,e=n.trim(b+"");return e&&!n.trim(e.replace(Gb,function(a,b,e,f){return c&&b&&(d=0),0===d?a:(c=e||b,d+=!f-!e,"")}))?Function("return "+e)():n.error("Invalid JSON: "+b)},n.parseXML=function(b){var c,d;if(!b||"string"!=typeof b)return null;try{a.DOMParser?(d=new a.DOMParser,c=d.parseFromString(b,"text/xml")):(c=new a.ActiveXObject("Microsoft.XMLDOM"),c.async="false",c.loadXML(b))}catch(e){c=void 0}return c&&c.documentElement&&!c.getElementsByTagName("parsererror").length||n.error("Invalid XML: "+b),c};var Hb=/#.*$/,Ib=/([?&])_=[^&]*/,Jb=/^(.*?):[ 
\t]*([^\r\n]*)\r?$/gm,Kb=/^(?:about|app|app-storage|.+-extension|file|res|widget):$/,Lb=/^(?:GET|HEAD)$/,Mb=/^\/\//,Nb=/^([\w.+-]+:)(?:\/\/(?:[^\/?#]*@|)([^\/?#:]*)(?::(\d+)|)|)/,Ob={},Pb={},Qb="*/".concat("*"),Rb=Db.href,Sb=Nb.exec(Rb.toLowerCase())||[];function Tb(a){return function(b,c){"string"!=typeof b&&(c=b,b="*");var d,e=0,f=b.toLowerCase().match(G)||[];if(n.isFunction(c))while(d=f[e++])"+"===d.charAt(0)?(d=d.slice(1)||"*",(a[d]=a[d]||[]).unshift(c)):(a[d]=a[d]||[]).push(c)}}function Ub(a,b,c,d){var e={},f=a===Pb;function g(h){var i;return e[h]=!0,n.each(a[h]||[],function(a,h){var j=h(b,c,d);return"string"!=typeof j||f||e[j]?f?!(i=j):void 0:(b.dataTypes.unshift(j),g(j),!1)}),i}return g(b.dataTypes[0])||!e["*"]&&g("*")}function Vb(a,b){var c,d,e=n.ajaxSettings.flatOptions||{};for(d in b)void 0!==b[d]&&((e[d]?a:c||(c={}))[d]=b[d]);return c&&n.extend(!0,a,c),a}function Wb(a,b,c){var d,e,f,g,h=a.contents,i=a.dataTypes;while("*"===i[0])i.shift(),void 0===e&&(e=a.mimeType||b.getResponseHeader("Content-Type"));if(e)for(g in h)if(h[g]&&h[g].test(e)){i.unshift(g);break}if(i[0]in c)f=i[0];else{for(g in c){if(!i[0]||a.converters[g+" "+i[0]]){f=g;break}d||(d=g)}f=f||d}return f?(f!==i[0]&&i.unshift(f),c[f]):void 0}function Xb(a,b,c,d){var e,f,g,h,i,j={},k=a.dataTypes.slice();if(k[1])for(g in a.converters)j[g.toLowerCase()]=a.converters[g];f=k.shift();while(f)if(a.responseFields[f]&&(c[a.responseFields[f]]=b),!i&&d&&a.dataFilter&&(b=a.dataFilter(b,a.dataType)),i=f,f=k.shift())if("*"===f)f=i;else if("*"!==i&&i!==f){if(g=j[i+" "+f]||j["* "+f],!g)for(e in j)if(h=e.split(" "),h[1]===f&&(g=j[i+" "+h[0]]||j["* "+h[0]])){g===!0?g=j[e]:j[e]!==!0&&(f=h[0],k.unshift(h[1]));break}if(g!==!0)if(g&&a["throws"])b=g(b);else try{b=g(b)}catch(l){return{state:"parsererror",error:g?l:"No conversion from "+i+" to 
"+f}}}return{state:"success",data:b}}n.extend({active:0,lastModified:{},etag:{},ajaxSettings:{url:Rb,type:"GET",isLocal:Kb.test(Sb[1]),global:!0,processData:!0,async:!0,contentType:"application/x-www-form-urlencoded; charset=UTF-8",accepts:{"*":Qb,text:"text/plain",html:"text/html",xml:"application/xml, text/xml",json:"application/json, text/javascript"},contents:{xml:/\bxml\b/,html:/\bhtml/,json:/\bjson\b/},responseFields:{xml:"responseXML",text:"responseText",json:"responseJSON"},converters:{"* text":String,"text html":!0,"text json":n.parseJSON,"text xml":n.parseXML},flatOptions:{url:!0,context:!0}},ajaxSetup:function(a,b){return b?Vb(Vb(a,n.ajaxSettings),b):Vb(n.ajaxSettings,a)},ajaxPrefilter:Tb(Ob),ajaxTransport:Tb(Pb),ajax:function(b,c){"object"==typeof b&&(c=b,b=void 0),c=c||{};var d,e,f,g,h,i,j,k,l=n.ajaxSetup({},c),m=l.context||l,o=l.context&&(m.nodeType||m.jquery)?n(m):n.event,p=n.Deferred(),q=n.Callbacks("once memory"),r=l.statusCode||{},s={},t={},u=0,v="canceled",w={readyState:0,getResponseHeader:function(a){var b;if(2===u){if(!k){k={};while(b=Jb.exec(g))k[b[1].toLowerCase()]=b[2]}b=k[a.toLowerCase()]}return null==b?null:b},getAllResponseHeaders:function(){return 2===u?g:null},setRequestHeader:function(a,b){var c=a.toLowerCase();return u||(a=t[c]=t[c]||a,s[a]=b),this},overrideMimeType:function(a){return u||(l.mimeType=a),this},statusCode:function(a){var b;if(a)if(2>u)for(b in a)r[b]=[r[b],a[b]];else w.always(a[w.status]);return this},abort:function(a){var b=a||v;return j&&j.abort(b),y(0,b),this}};if(p.promise(w).complete=q.add,w.success=w.done,w.error=w.fail,l.url=((b||l.url||Rb)+"").replace(Hb,"").replace(Mb,Sb[1]+"//"),l.type=c.method||c.type||l.method||l.type,l.dataTypes=n.trim(l.dataType||"*").toLowerCase().match(G)||[""],null==l.crossDomain&&(d=Nb.exec(l.url.toLowerCase()),l.crossDomain=!(!d||d[1]===Sb[1]&&d[2]===Sb[2]&&(d[3]||("http:"===d[1]?"80":"443"))===(Sb[3]||("http:"===Sb[1]?"80":"443")))),l.data&&l.processData&&"string"!=typeof 
l.data&&(l.data=n.param(l.data,l.traditional)),Ub(Ob,l,c,w),2===u)return w;i=n.event&&l.global,i&&0===n.active++&&n.event.trigger("ajaxStart"),l.type=l.type.toUpperCase(),l.hasContent=!Lb.test(l.type),f=l.url,l.hasContent||(l.data&&(f=l.url+=(Fb.test(f)?"&":"?")+l.data,delete l.data),l.cache===!1&&(l.url=Ib.test(f)?f.replace(Ib,"$1_="+Eb++):f+(Fb.test(f)?"&":"?")+"_="+Eb++)),l.ifModified&&(n.lastModified[f]&&w.setRequestHeader("If-Modified-Since",n.lastModified[f]),n.etag[f]&&w.setRequestHeader("If-None-Match",n.etag[f])),(l.data&&l.hasContent&&l.contentType!==!1||c.contentType)&&w.setRequestHeader("Content-Type",l.contentType),w.setRequestHeader("Accept",l.dataTypes[0]&&l.accepts[l.dataTypes[0]]?l.accepts[l.dataTypes[0]]+("*"!==l.dataTypes[0]?", "+Qb+"; q=0.01":""):l.accepts["*"]);for(e in l.headers)w.setRequestHeader(e,l.headers[e]);if(l.beforeSend&&(l.beforeSend.call(m,w,l)===!1||2===u))return w.abort();v="abort";for(e in{success:1,error:1,complete:1})w[e](l[e]);if(j=Ub(Pb,l,c,w)){if(w.readyState=1,i&&o.trigger("ajaxSend",[w,l]),2===u)return w;l.async&&l.timeout>0&&(h=a.setTimeout(function(){w.abort("timeout")},l.timeout));try{u=1,j.send(s,y)}catch(x){if(!(2>u))throw x;y(-1,x)}}else y(-1,"No Transport");function y(b,c,d,e){var k,s,t,v,x,y=c;2!==u&&(u=2,h&&a.clearTimeout(h),j=void 0,g=e||"",w.readyState=b>0?4:0,k=b>=200&&300>b||304===b,d&&(v=Wb(l,w,d)),v=Xb(l,v,w,k),k?(l.ifModified&&(x=w.getResponseHeader("Last-Modified"),x&&(n.lastModified[f]=x),x=w.getResponseHeader("etag"),x&&(n.etag[f]=x)),204===b||"HEAD"===l.type?y="nocontent":304===b?y="notmodified":(y=v.state,s=v.data,t=v.error,k=!t)):(t=y,!b&&y||(y="error",0>b&&(b=0))),w.status=b,w.statusText=(c||y)+"",k?p.resolveWith(m,[s,y,w]):p.rejectWith(m,[w,y,t]),w.statusCode(r),r=void 0,i&&o.trigger(k?"ajaxSuccess":"ajaxError",[w,l,k?s:t]),q.fireWith(m,[w,y]),i&&(o.trigger("ajaxComplete",[w,l]),--n.active||n.event.trigger("ajaxStop")))}return w},getJSON:function(a,b,c){return 
n.get(a,b,c,"json")},getScript:function(a,b){return n.get(a,void 0,b,"script")}}),n.each(["get","post"],function(a,b){n[b]=function(a,c,d,e){return n.isFunction(c)&&(e=e||d,d=c,c=void 0),n.ajax(n.extend({url:a,type:b,dataType:e,data:c,success:d},n.isPlainObject(a)&&a))}}),n._evalUrl=function(a){return n.ajax({url:a,type:"GET",dataType:"script",cache:!0,async:!1,global:!1,"throws":!0})},n.fn.extend({wrapAll:function(a){if(n.isFunction(a))return this.each(function(b){n(this).wrapAll(a.call(this,b))});if(this[0]){var b=n(a,this[0].ownerDocument).eq(0).clone(!0);this[0].parentNode&&b.insertBefore(this[0]),b.map(function(){var a=this;while(a.firstChild&&1===a.firstChild.nodeType)a=a.firstChild;return a}).append(this)}return this},wrapInner:function(a){return n.isFunction(a)?this.each(function(b){n(this).wrapInner(a.call(this,b))}):this.each(function(){var b=n(this),c=b.contents();c.length?c.wrapAll(a):b.append(a)})},wrap:function(a){var b=n.isFunction(a);return this.each(function(c){n(this).wrapAll(b?a.call(this,c):a)})},unwrap:function(){return this.parent().each(function(){n.nodeName(this,"body")||n(this).replaceWith(this.childNodes)}).end()}});function Yb(a){return a.style&&a.style.display||n.css(a,"display")}function Zb(a){if(!n.contains(a.ownerDocument||d,a))return!0;while(a&&1===a.nodeType){if("none"===Yb(a)||"hidden"===a.type)return!0;a=a.parentNode}return!1}n.expr.filters.hidden=function(a){return l.reliableHiddenOffsets()?a.offsetWidth<=0&&a.offsetHeight<=0&&!a.getClientRects().length:Zb(a)},n.expr.filters.visible=function(a){return!n.expr.filters.hidden(a)};var $b=/%20/g,_b=/\[\]$/,ac=/\r?\n/g,bc=/^(?:submit|button|image|reset|file)$/i,cc=/^(?:input|select|textarea|keygen)/i;function dc(a,b,c,d){var e;if(n.isArray(b))n.each(b,function(b,e){c||_b.test(a)?d(a,e):dc(a+"["+("object"==typeof e&&null!=e?b:"")+"]",e,c,d)});else if(c||"object"!==n.type(b))d(a,b);else for(e in b)dc(a+"["+e+"]",b[e],c,d)}n.param=function(a,b){var 
c,d=[],e=function(a,b){b=n.isFunction(b)?b():null==b?"":b,d[d.length]=encodeURIComponent(a)+"="+encodeURIComponent(b)};if(void 0===b&&(b=n.ajaxSettings&&n.ajaxSettings.traditional),n.isArray(a)||a.jquery&&!n.isPlainObject(a))n.each(a,function(){e(this.name,this.value)});else for(c in a)dc(c,a[c],b,e);return d.join("&").replace($b,"+")},n.fn.extend({serialize:function(){return n.param(this.serializeArray())},serializeArray:function(){return this.map(function(){var a=n.prop(this,"elements");return a?n.makeArray(a):this}).filter(function(){var a=this.type;return this.name&&!n(this).is(":disabled")&&cc.test(this.nodeName)&&!bc.test(a)&&(this.checked||!Z.test(a))}).map(function(a,b){var c=n(this).val();return null==c?null:n.isArray(c)?n.map(c,function(a){return{name:b.name,value:a.replace(ac,"\r\n")}}):{name:b.name,value:c.replace(ac,"\r\n")}}).get()}}),n.ajaxSettings.xhr=void 0!==a.ActiveXObject?function(){return this.isLocal?ic():d.documentMode>8?hc():/^(get|post|head|put|delete|options)$/i.test(this.type)&&hc()||ic()}:hc;var ec=0,fc={},gc=n.ajaxSettings.xhr();a.attachEvent&&a.attachEvent("onunload",function(){for(var a in fc)fc[a](void 0,!0)}),l.cors=!!gc&&"withCredentials"in gc,gc=l.ajax=!!gc,gc&&n.ajaxTransport(function(b){if(!b.crossDomain||l.cors){var c;return{send:function(d,e){var f,g=b.xhr(),h=++ec;if(g.open(b.type,b.url,b.async,b.username,b.password),b.xhrFields)for(f in b.xhrFields)g[f]=b.xhrFields[f];b.mimeType&&g.overrideMimeType&&g.overrideMimeType(b.mimeType),b.crossDomain||d["X-Requested-With"]||(d["X-Requested-With"]="XMLHttpRequest");for(f in d)void 0!==d[f]&&g.setRequestHeader(f,d[f]+"");g.send(b.hasContent&&b.data||null),c=function(a,d){var f,i,j;if(c&&(d||4===g.readyState))if(delete fc[h],c=void 0,g.onreadystatechange=n.noop,d)4!==g.readyState&&g.abort();else{j={},f=g.status,"string"==typeof 
g.responseText&&(j.text=g.responseText);try{i=g.statusText}catch(k){i=""}f||!b.isLocal||b.crossDomain?1223===f&&(f=204):f=j.text?200:404}j&&e(f,i,j,g.getAllResponseHeaders())},b.async?4===g.readyState?a.setTimeout(c):g.onreadystatechange=fc[h]=c:c()},abort:function(){c&&c(void 0,!0)}}}});function hc(){try{return new a.XMLHttpRequest}catch(b){}}function ic(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}n.ajaxSetup({accepts:{script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"},contents:{script:/\b(?:java|ecma)script\b/},converters:{"text script":function(a){return n.globalEval(a),a}}}),n.ajaxPrefilter("script",function(a){void 0===a.cache&&(a.cache=!1),a.crossDomain&&(a.type="GET",a.global=!1)}),n.ajaxTransport("script",function(a){if(a.crossDomain){var b,c=d.head||n("head")[0]||d.documentElement;return{send:function(e,f){b=d.createElement("script"),b.async=!0,a.scriptCharset&&(b.charset=a.scriptCharset),b.src=a.url,b.onload=b.onreadystatechange=function(a,c){(c||!b.readyState||/loaded|complete/.test(b.readyState))&&(b.onload=b.onreadystatechange=null,b.parentNode&&b.parentNode.removeChild(b),b=null,c||f(200,"success"))},c.insertBefore(b,c.firstChild)},abort:function(){b&&b.onload(void 0,!0)}}}});var jc=[],kc=/(=)\?(?=&|$)|\?\?/;n.ajaxSetup({jsonp:"callback",jsonpCallback:function(){var a=jc.pop()||n.expando+"_"+Eb++;return this[a]=!0,a}}),n.ajaxPrefilter("json jsonp",function(b,c,d){var e,f,g,h=b.jsonp!==!1&&(kc.test(b.url)?"url":"string"==typeof b.data&&0===(b.contentType||"").indexOf("application/x-www-form-urlencoded")&&kc.test(b.data)&&"data");return h||"jsonp"===b.dataTypes[0]?(e=b.jsonpCallback=n.isFunction(b.jsonpCallback)?b.jsonpCallback():b.jsonpCallback,h?b[h]=b[h].replace(kc,"$1"+e):b.jsonp!==!1&&(b.url+=(Fb.test(b.url)?"&":"?")+b.jsonp+"="+e),b.converters["script json"]=function(){return g||n.error(e+" was not 
called"),g[0]},b.dataTypes[0]="json",f=a[e],a[e]=function(){g=arguments},d.always(function(){void 0===f?n(a).removeProp(e):a[e]=f,b[e]&&(b.jsonpCallback=c.jsonpCallback,jc.push(e)),g&&n.isFunction(f)&&f(g[0]),g=f=void 0}),"script"):void 0}),n.parseHTML=function(a,b,c){if(!a||"string"!=typeof a)return null;"boolean"==typeof b&&(c=b,b=!1),b=b||d;var e=x.exec(a),f=!c&&[];return e?[b.createElement(e[1])]:(e=ja([a],b,f),f&&f.length&&n(f).remove(),n.merge([],e.childNodes))};var lc=n.fn.load;n.fn.load=function(a,b,c){if("string"!=typeof a&&lc)return lc.apply(this,arguments);var d,e,f,g=this,h=a.indexOf(" ");return h>-1&&(d=n.trim(a.slice(h,a.length)),a=a.slice(0,h)),n.isFunction(b)?(c=b,b=void 0):b&&"object"==typeof b&&(e="POST"),g.length>0&&n.ajax({url:a,type:e||"GET",dataType:"html",data:b}).done(function(a){f=arguments,g.html(d?n("<div>").append(n.parseHTML(a)).find(d):a)}).always(c&&function(a,b){g.each(function(){c.apply(this,f||[a.responseText,b,a])})}),this},n.each(["ajaxStart","ajaxStop","ajaxComplete","ajaxError","ajaxSuccess","ajaxSend"],function(a,b){n.fn[b]=function(a){return this.on(b,a)}}),n.expr.filters.animated=function(a){return n.grep(n.timers,function(b){return a===b.elem}).length};function mc(a){return n.isWindow(a)?a:9===a.nodeType?a.defaultView||a.parentWindow:!1}n.offset={setOffset:function(a,b,c){var d,e,f,g,h,i,j,k=n.css(a,"position"),l=n(a),m={};"static"===k&&(a.style.position="relative"),h=l.offset(),f=n.css(a,"top"),i=n.css(a,"left"),j=("absolute"===k||"fixed"===k)&&n.inArray("auto",[f,i])>-1,j?(d=l.position(),g=d.top,e=d.left):(g=parseFloat(f)||0,e=parseFloat(i)||0),n.isFunction(b)&&(b=b.call(a,c,n.extend({},h))),null!=b.top&&(m.top=b.top-h.top+g),null!=b.left&&(m.left=b.left-h.left+e),"using"in b?b.using.call(a,m):l.css(m)}},n.fn.extend({offset:function(a){if(arguments.length)return void 0===a?this:this.each(function(b){n.offset.setOffset(this,a,b)});var b,c,d={top:0,left:0},e=this[0],f=e&&e.ownerDocument;if(f)return 
b=f.documentElement,n.contains(b,e)?("undefined"!=typeof e.getBoundingClientRect&&(d=e.getBoundingClientRect()),c=mc(f),{top:d.top+(c.pageYOffset||b.scrollTop)-(b.clientTop||0),left:d.left+(c.pageXOffset||b.scrollLeft)-(b.clientLeft||0)}):d},position:function(){if(this[0]){var a,b,c={top:0,left:0},d=this[0];return"fixed"===n.css(d,"position")?b=d.getBoundingClientRect():(a=this.offsetParent(),b=this.offset(),n.nodeName(a[0],"html")||(c=a.offset()),c.top+=n.css(a[0],"borderTopWidth",!0),c.left+=n.css(a[0],"borderLeftWidth",!0)),{top:b.top-c.top-n.css(d,"marginTop",!0),left:b.left-c.left-n.css(d,"marginLeft",!0)}}},offsetParent:function(){return this.map(function(){var a=this.offsetParent;while(a&&!n.nodeName(a,"html")&&"static"===n.css(a,"position"))a=a.offsetParent;return a||Qa})}}),n.each({scrollLeft:"pageXOffset",scrollTop:"pageYOffset"},function(a,b){var c=/Y/.test(b);n.fn[a]=function(d){return Y(this,function(a,d,e){var f=mc(a);return void 0===e?f?b in f?f[b]:f.document.documentElement[d]:a[d]:void(f?f.scrollTo(c?n(f).scrollLeft():e,c?e:n(f).scrollTop()):a[d]=e)},a,d,arguments.length,null)}}),n.each(["top","left"],function(a,b){n.cssHooks[b]=Ua(l.pixelPosition,function(a,c){return c?(c=Sa(a,b),Oa.test(c)?n(a).position()[b]+"px":c):void 0})}),n.each({Height:"height",Width:"width"},function(a,b){n.each({ padding:"inner"+a,content:b,"":"outer"+a},function(c,d){n.fn[d]=function(d,e){var f=arguments.length&&(c||"boolean"!=typeof d),g=c||(d===!0||e===!0?"margin":"border");return Y(this,function(b,c,d){var e;return n.isWindow(b)?b.document.documentElement["client"+a]:9===b.nodeType?(e=b.documentElement,Math.max(b.body["scroll"+a],e["scroll"+a],b.body["offset"+a],e["offset"+a],e["client"+a])):void 0===d?n.css(b,c,g):n.style(b,c,d,g)},b,f?d:void 0,f,null)}})}),n.fn.extend({bind:function(a,b,c){return this.on(a,null,b,c)},unbind:function(a,b){return this.off(a,null,b)},delegate:function(a,b,c,d){return this.on(b,a,c,d)},undelegate:function(a,b,c){return 
1===arguments.length?this.off(a,"**"):this.off(b,a||"**",c)}}),n.fn.size=function(){return this.length},n.fn.andSelf=n.fn.addBack,"function"==typeof define&&define.amd&&define("jquery",[],function(){return n});var nc=a.jQuery,oc=a.$;return n.noConflict=function(b){return a.$===n&&(a.$=oc),b&&a.jQuery===n&&(a.jQuery=nc),n},b||(a.jQuery=a.$=n),n}); (function($){var Node,Tree,methods;Node=(function(){function Node(row,tree,settings){var parentId;this.row=row;this.tree=tree;this.settings=settings;this.id=this.row.data(this.settings.nodeIdAttr);parentId=this.row.data(this.settings.parentIdAttr);if(parentId!=null&&parentId!=="")this.parentId=parentId;this.treeCell=$(this.row.children(this.settings.columnElType)[this.settings.column]);this.expander=$(this.settings.expanderTemplate);this.indenter=$(this.settings.indenterTemplate);this.children=[];this.initialized=false;this.treeCell.prepend(this.indenter);}Node.prototype.addChild=function(child){return this.children.push(child);};Node.prototype.ancestors=function(){var ancestors,node;node=this;ancestors=[];while(node=node.parentNode())ancestors.push(node);return ancestors;};Node.prototype.collapse=function(){if(this.collapsed())return this;this.row.removeClass("expanded").addClass("collapsed");this._hideChildren();this.expander.attr("title",this.settings.stringExpand);if(this.initialized&&this.settings.onNodeCollapse!=null)this.settings.onNodeCollapse.apply(this);return this;};Node.prototype.collapsed=function(){return this.row.hasClass("collapsed");};Node.prototype.expand=function(){if(this.expanded())return this;this.row.removeClass("collapsed").addClass("expanded");if(this.initialized&&this.settings.onNodeExpand!=null)this.settings.onNodeExpand.apply(this);if($(this.row).is(":visible"))this._showChildren();this.expander.attr("title",this.settings.stringCollapse);return this;};Node.prototype.expanded=function(){return 
this.row.hasClass("expanded");};Node.prototype.hide=function(){this._hideChildren();this.row.hide();return this;};Node.prototype.isBranchNode=function(){if(this.children.length>0||this.row.data(this.settings.branchAttr)===true)return true;else return false;};Node.prototype.updateBranchLeafClass=function(){this.row.removeClass('branch');this.row.removeClass('leaf');this.row.addClass(this.isBranchNode()?'branch':'leaf');};Node.prototype.level=function(){return this.ancestors().length;};Node.prototype.parentNode=function(){if(this.parentId!=null)return this.tree[this.parentId];else return null;};Node.prototype.removeChild=function(child){var i=$.inArray(child,this.children);return this.children.splice(i,1);};Node.prototype.render=function(){var handler,settings=this.settings,target;if(settings.expandable===true&&this.isBranchNode()){handler=function(e){$(this).parents("table").treetable("node",$(this).parents("tr").data(settings.nodeIdAttr)).toggle();return e.preventDefault();};this.indenter.html(this.expander);target=settings.clickableNodeNames===true?this.treeCell:this.expander;target.off("click.treetable").on("click.treetable",handler);target.off("keydown.treetable").on("keydown.treetable",function(e){if(e.keyCode==13)handler.apply(this,[e]);});}this.indenter[0].style.paddingLeft=""+(this.level()*settings.indent)+"px";return this;};Node.prototype.reveal=function(){if(this.parentId!=null)this.parentNode().reveal();return this.expand();};Node.prototype.setParent=function(node){if(this.parentId!=null)this.tree[this.parentId].removeChild(this);this.parentId=node.id;this.row.data(this.settings.parentIdAttr,node.id);return node.addChild(this);};Node.prototype.show=function(){if(!this.initialized)this._initialize();this.row.show();if(this.expanded())this._showChildren();return this;};Node.prototype.toggle=function(){if(this.expanded())this.collapse();else this.expand();return this;};Node.prototype._hideChildren=function(){var 
</script></head><body><nav class="navbar navbar-default" role="navigation"><div class="navbar-header" style="float: none"><a class="navbar-brand" href="#"></a><div><h1>OpenSCAP Evaluation Report</h1></div></div></nav><div class="container"><div id="content"><div id="introduction"><div class="row"><h2>Guide to the Secure Configuration of Red Hat Enterprise Linux 8</h2><blockquote>with profile <mark>[DRAFT] DISA STIG for Red Hat Enterprise Linux 8</mark><div class="col-md-12 well well-lg horizontal-scroll"><div class="description profile-description"><small>This profile contains configuration checks that align to the [DRAFT] DISA STIG for Red Hat 
Enterprise Linux 8. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image</small></div></div></blockquote><div class="col-md-12 well well-lg horizontal-scroll"><div class="front-matter">The SCAP Security Guide Project<br> <a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a> </div><div class="description">This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is available in the <code>scap-security-guide</code> package which is developed at <a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</a>. <br><br> Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a <em>catalog, not a checklist</em>, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. 
Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF <em>Profiles</em>, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance. </div><div class="top-spacer-10"><div class="alert alert-info">Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and make no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. </div></div></div></div></div><div id="characteristics"><h2>Evaluation Characteristics</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Evaluation target</th><td>qe-engine.asrachmani.com</td></tr><tr><th>Benchmark URL</th><td>/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml</td></tr><tr><th>Benchmark ID</th><td>xccdf_org.ssgproject.content_benchmark_RHEL-8</td></tr><tr><th>Benchmark version</th><td>0.1.48</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr><tr><th>Started at</th><td>2020-09-29T11:21:17</td></tr><tr><th>Finished at</th><td>2020-09-29T11:21:17</td></tr><tr><th>Performed by</th><td>root</td></tr><tr><th>Test system</th><td>cpe:/a:redhat:openscap:1.3.2</td></tr></table></div><div class="col-md-3 horizontal-scroll"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-success" title="CPE platform cpe:/o:redhat:enterprise_linux:8 was found applicable on the 
evaluated machine">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div><div class="col-md-4 horizontal-scroll"><h4>Addresses</h4><ul class="list-group"><li class="list-group-item"><span class="label label-primary">IPv4</span>  127.0.0.1</li><li class="list-group-item"><span class="label label-primary">IPv4</span>  192.168.1.65</li><li class="list-group-item"><span class="label label-info">IPv6</span>  0:0:0:0:0:0:0:1</li><li class="list-group-item"><span class="label label-info">IPv6</span>  fe80:0:0:0:5054:ff:fe6f:7823</li><li class="list-group-item"><span class="label label-default">MAC</span>  00:00:00:00:00:00</li><li class="list-group-item"><span class="label label-default">MAC</span>  52:54:00:6F:78:23</li></ul></div></div></div><div id="compliance-and-scoring"><h2>Compliance and Scoring</h2><div class="alert alert-danger"><strong>The target system did not satisfy the conditions of 4 rules!</strong> Furthermore, the results of 18 rules were inconclusive. Please review rule results and consider applying remediation. </div><h3>Rule results</h3><div class="progress" title="Displays proportion of passed/fixed, failed/error, and other rules (in that order). There were 197 rules taken into account."><div class="progress-bar progress-bar-success" style="width: 85.2791878172589%">168 passed </div><div class="progress-bar progress-bar-danger" style="width: 2.030456852791878%">4 failed </div><div class="progress-bar progress-bar-warning" style="width: 12.6903553299492%">25 other </div></div><h3>Severity of failed rules</h3><div class="progress" title="Displays proportion of high, medium, low, and other severity failed rules (in that order). 
There were 4 total failed rules."><div class="progress-bar progress-bar-success" style="width: 25%">1 other </div><div class="progress-bar progress-bar-info" style="width: 0%">0 low </div><div class="progress-bar progress-bar-warning" style="width: 75%">3 medium </div><div class="progress-bar progress-bar-danger" style="width: 0%">0 high </div></div><h3 title="As per the XCCDF specification">Score</h3><table class="table table-striped table-bordered"><thead><tr><th>Scoring system</th><th class="text-center">Score</th><th class="text-center">Maximum</th><th class="text-center" style="width: 40%">Percent</th></tr></thead><tbody><tr><td>urn:xccdf:scoring:default</td><td class="text-center">83.070435</td><td class="text-center">100.000000</td><td><div class="progress"><div class="progress-bar progress-bar-success" style="width: 83.070435%">83.07%</div><div class="progress-bar progress-bar-danger" style="width: 16.929565%"></div></div></td></tr></tbody></table></div><div id="rule-overview"><h2>Rule Overview</h2><div class="form-group js-only hidden-print"><div class="row"><div title="Filter rules by their XCCDF result"><div class="col-sm-2 toggle-rule-display-success"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="pass"></input>pass</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fixed"></input>fixed</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="informational"></input>informational</label></div></div><div class="col-sm-2 toggle-rule-display-danger"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="fail"></input>fail</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" 
onclick="toggleRuleDisplay(this)" checked value="error"></input>error</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="unknown"></input>unknown</label></div></div><div class="col-sm-2 toggle-rule-display-other"><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notchecked"></input>notchecked</label></div><div class="checkbox"><label><input class="toggle-rule-display" type="checkbox" onclick="toggleRuleDisplay(this)" checked value="notapplicable"></input>notapplicable</label></div></div></div><div class="col-sm-6"><div class="input-group"><input type="text" class="form-control" placeholder="Search through XCCDF rules" id="search-input" oninput="ruleSearch()"></input><div class="input-group-btn"><button class="btn btn-default" onclick="ruleSearch()">Search</button></div></div><p id="search-matches"></p> Group rules by: <select name="groupby" onchange="groupRulesBy(value)"><option value="default" selected>Default</option><option value="severity">Severity</option><option value="result">Result</option><option disabled>──────────</option><option value="NIST SP 800-171">NIST SP 800-171</option><option value="NIST SP 800-53">NIST SP 800-53</option><option value="http://www.isaca.org/COBIT/Pages/default.aspx">http://www.isaca.org/COBIT/Pages/default.aspx</option><option value="ANSSI">ANSSI</option><option value="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf</option><option value="https://public.cyber.mil/stigs/cci/">https://public.cyber.mil/stigs/cci/</option><option value="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os</option><option 
value="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf</option><option value="FBI CJIS">FBI CJIS</option><option value="HIPAA">HIPAA</option><option value="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731</option><option value="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785</option><option value="ISO 27001-2013">ISO 27001-2013</option><option value="https://www.niap-ccevs.org/Profile/PP.cfm">https://www.niap-ccevs.org/Profile/PP.cfm</option><option value="PCI-DSS Requirement">PCI-DSS Requirement</option></select></div></div></div><table class="treetable table table-bordered"><thead><tr><th>Title</th><th style="width: 120px; text-align: center">Severity</th><th style="width: 120px; text-align: center">Result</th></tr></thead><tbody><tr data-tt-id="xccdf_org.ssgproject.content_benchmark_RHEL-8" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td colspan="3" style="padding-left: 0px"><strong>Guide to the Secure Configuration of Red Hat Enterprise Linux 8</strong> <span class="badge">4x fail</span> <span class="badge">18x error</span> <span class="badge">5x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><td colspan="3" style="padding-left: 19px"><strong>System Settings</strong> <span class="badge">4x fail</span> <span class="badge">12x error</span> <span class="badge">5x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software" 
class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Installing and Maintaining Software</strong> <span class="badge">1x fail</span> <span class="badge">6x error</span> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sudo" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px">Sudo<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_sudo");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_sudo_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_sudo_installed" id="rule-overview-leaf-idm45342104873488" data-tt-parent-id="xccdf_org.ssgproject.content_group_sudo" data-references='{"NIST SP 800-53":["CM-6(a)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104873488" onclick="return openRuleDetailsDialog('idm45342104873488')">Install sudo Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Disk Partitioning</strong> 
<span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var_log" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var_log" id="rule-overview-leaf-idm45342104860320" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["1.1.11"],"NIST SP 800-53":["CM-6(a)","AU-4","SC-5(2)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO11.04","APO13.01","BAI03.05","DSS05.02","DSS05.04","DSS05.07","MEA02.01"],"ANSSI":["NT28(R12)","NT28(R47)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-1","PR.PT-4"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","14","15","16","3","5","6","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104860320" onclick="return openRuleDetailsDialog('idm45342104860320')">Ensure /var/log Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" id="rule-overview-leaf-idm45342104856672" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["1.1.12","SRG-OS-000341-VMM-001220"],"NIST SP 800-53":["CM-6(a)","AU-4","SC-5(2)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO11.04","APO13.01","BAI03.05","BAI04.04","DSS05.02","DSS05.04","DSS05.07","MEA02.01"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-4","PR.PT-1","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","14","15","16","2","3","5","6","8"],"HIPAA":["164.312(a)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.12.1.3","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.17.2.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104856672" onclick="return openRuleDetailsDialog('idm45342104856672')">Ensure /var/log/audit Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_home" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_home" id="rule-overview-leaf-idm45342104850624" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["1.1.13"],"NIST SP 800-53":["CM-6(a)","SC-5(2)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","DSS05.02"],"ANSSI":["NT28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001208"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["12","15","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104850624" onclick="return openRuleDetailsDialog('idm45342104850624')">Ensure /home Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_partition_for_var" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_partition_for_var" id="rule-overview-leaf-idm45342104845248" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["1.1.6","SRG-OS-000341-VMM-001220"],"NIST SP 
800-53":["CM-6(a)","SC-5(2)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","DSS05.02"],"ANSSI":["NT28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["12","15","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"ISO 27001-2013":["A.13.1.1","A.13.2.1","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104845248" onclick="return openRuleDetailsDialog('idm45342104845248')">Ensure /var Located On Separate Partition</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_encrypt_partitions" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_encrypt_partitions" id="rule-overview-leaf-idm45342104841600" data-tt-parent-id="xccdf_org.ssgproject.content_group_disk_partitioning" data-references='{"":["SRG-OS-000404-VMM-001650","SRG-OS-000405-VMM-001660"],"NIST SP 800-171":["3.13.16"],"NIST SP 
800-53":["CM-6(a)","SC-28","SC-28(1)","SC-13","AU-9(3)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","BAI02.01","BAI06.01","DSS04.07","DSS05.03","DSS05.04","DSS05.07","DSS06.02","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-1","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-001199","CCI-002475","CCI-002476"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000405-GPOS-00184","SRG-OS-000185-GPOS-00079","SRG-OS-000404-GPOS-00183"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["13","14"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(b)(1)","164.310(d)","164.312(a)(1)","164.312(a)(2)(iii)","164.312(a)(2)(iv)","164.312(b)","164.312(c)","164.314(b)(2)(i)","164.312(d)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.4","SR 4.1","SR 5.2"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104841600" onclick="return openRuleDetailsDialog('idm45342104841600')">Encrypt Partitions</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>Updating Software</strong> <span class="badge">2x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342104836864" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104836864" onclick="return openRuleDetailsDialog('idm45342104836864')">Install dnf-automatic Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" id="rule-overview-leaf-idm45342104829040" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["1.2.3","SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ANSSI":["NT28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104829040" onclick="return openRuleDetailsDialog('idm45342104829040')">Ensure Red Hat GPG Key 
Installed</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" id="rule-overview-leaf-idm45342104821728" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)","SA-12","SA-12(10)","CM-11(a)","CM-11(b)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ANSSI":["NT28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS 
Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104821728" onclick="return openRuleDetailsDialog('idm45342104821728')">Ensure gpgcheck Enabled for All yum Package Repositories</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="rule-overview-leaf-idm45342104818048" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"NIST SP 800-53":["SI-2(5)","CM-6(a)","SI-2(c)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104818048" onclick="return openRuleDetailsDialog('idm45342104818048')">Configure dnf-automatic to Install Available Updates Automatically</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" id="rule-overview-leaf-idm45342104812048" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 
800-53":["CM-11(a)","CM-11(b)","CM-6(a)","CM-5(3)","SA-12","SA-12(10)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"ANSSI":["NT28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","3","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104812048" onclick="return openRuleDetailsDialog('idm45342104812048')">Ensure gpgcheck Enabled for Local Packages</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-overview-leaf-idm45342104800992" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["1.2.2","SRG-OS-000366-VMM-001430","SRG-OS-000370-VMM-001460","SRG-OS-000404-VMM-001650"],"NIST SP 800-171":["3.4.8"],"NIST SP 
800-53":["CM-5(3)","SI-7","SC-12","SC-12(3)","CM-6(a)","SA-12","SA-12(10)","CM-11(a)","CM-11(b)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS06.02"],"ANSSI":["NT28(R15)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.DS-6","PR.DS-8","PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001749"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","2","3","9"],"FBI CJIS":["5.10.4.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.312(b)","164.312(c)(1)","164.312(c)(2)","164.312(e)(2)(i)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 7.6"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-6.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104800992" onclick="return openRuleDetailsDialog('idm45342104800992')">Ensure gpgcheck Enabled In Main yum Configuration</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" id="rule-overview-leaf-idm45342104797312" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" 
data-references='{"NIST SP 800-53":["SI-2(5)","CM-6(a)","SI-2(c)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104797312" onclick="return openRuleDetailsDialog('idm45342104797312')">Configure dnf-automatic to Install Only Security Updates</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_clean_components_post_updating" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_clean_components_post_updating" id="rule-overview-leaf-idm45342104791296" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"":["SRG-OS-000437-VMM-001760"],"NIST SP 800-171":["3.4.8"],"NIST SP 800-53":["SI-2(6)","CM-11(a)","CM-11(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO12.01","APO12.02","APO12.03","APO12.04","BAI03.10","DSS05.01","DSS05.02"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["ID.RA-1","PR.IP-12"],"https://public.cyber.mil/stigs/cci/":["CCI-002617"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000437-GPOS-00194"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["18","20","4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3","4.2.3.12","4.2.3.7","4.2.3.9"],"ISO 27001-2013":["A.12.6.1","A.14.2.3","A.16.1.3","A.18.2.2","A.18.2.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104791296" onclick="return 
openRuleDetailsDialog('idm45342104791296')">Ensure yum Removes Previous Package Versions</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342104787616" data-tt-parent-id="xccdf_org.ssgproject.content_group_updating" data-references='{"NIST SP 800-53":["SI-2(5)","CM-6(a)","SI-2(c)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000191-GPOS-00080"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104787616" onclick="return openRuleDetailsDialog('idm45342104787616')">Enable dnf-automatic Timer</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>System Tooling / Utilities</strong> <span class="badge">2x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" id="rule-overview-leaf-idm45342104775008" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000191-GPOS-00080"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104775008" onclick="return openRuleDetailsDialog('idm45342104775008')">Install openscap-scanner Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed" id="rule-overview-leaf-idm45342104771328" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45342104771328" onclick="return openRuleDetailsDialog('idm45342104771328')">Install scap-security-guide Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed" id="rule-overview-leaf-idm45342104767648" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104767648" onclick="return openRuleDetailsDialog('idm45342104767648')">Install dnf-plugin-subscription-manager Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed" id="rule-overview-leaf-idm45342104763936" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104763936" onclick="return openRuleDetailsDialog('idm45342104763936')">Ensure gnutls-utils is installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system 
component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rng-tools_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rng-tools_installed" id="rule-overview-leaf-idm45342104757888" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104757888" onclick="return openRuleDetailsDialog('idm45342104757888')">Install rng-tools Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_subscription-manager_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_subscription-manager_installed" id="rule-overview-leaf-idm45342104754208" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000366-GPOS-00153"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FPT_TUD_EXT.1","FPT_TUD_EXT.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104754208" onclick="return openRuleDetailsDialog('idm45342104754208')">Install subscription-manager Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_package_nss-tools_installed" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342104750512" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104750512" onclick="return openRuleDetailsDialog('idm45342104750512')">Ensure nss-tools is installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_libcap-ng-utils_installed" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342104740352" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104740352" onclick="return openRuleDetailsDialog('idm45342104740352')">Install libcap-ng-utils Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-addon-python_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-python_removed" id="rule-overview-leaf-idm45342104732576" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104732576" onclick="return openRuleDetailsDialog('idm45342104732576')">Uninstall abrt-addon-python Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed" id="rule-overview-leaf-idm45342104728896" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104728896" onclick="return openRuleDetailsDialog('idm45342104728896')">Uninstall abrt-plugin-logger Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed" id="rule-overview-leaf-idm45342104722832" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104722832" onclick="return openRuleDetailsDialog('idm45342104722832')">Uninstall abrt-addon-kerneloops Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-cli_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-cli_removed" id="rule-overview-leaf-idm45342104719152" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104719152" onclick="return openRuleDetailsDialog('idm45342104719152')">Uninstall abrt-cli Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_gssproxy_removed" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_gssproxy_removed" 
id="rule-overview-leaf-idm45342104715488" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104715488" onclick="return openRuleDetailsDialog('idm45342104715488')">Uninstall gssproxy Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed" id="rule-overview-leaf-idm45342104461760" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104461760" onclick="return openRuleDetailsDialog('idm45342104461760')">Uninstall abrt-addon-ccpp Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tuned_removed" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_tuned_removed" id="rule-overview-leaf-idm45342104458080" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" 
data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104458080" onclick="return openRuleDetailsDialog('idm45342104458080')">Uninstall tuned Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed" id="rule-overview-leaf-idm45342104447856" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104447856" onclick="return openRuleDetailsDialog('idm45342104447856')">Uninstall abrt-plugin-sosreport Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pigz_removed" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_pigz_removed" id="rule-overview-leaf-idm45342104444176" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references="{}"><td style="padding-left: 76px"><a href="#rule-detail-idm45342104444176" onclick="return openRuleDetailsDialog('idm45342104444176')">Uninstall pigz Package</a></td><td 
class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed" id="rule-overview-leaf-idm45342104435984" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049","SRG-OS-000120-GPOS-00061"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104435984" onclick="return openRuleDetailsDialog('idm45342104435984')">Uninstall krb5-workstation Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed" id="rule-overview-leaf-idm45342104432304" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104432304" onclick="return openRuleDetailsDialog('idm45342104432304')">Uninstall abrt-plugin-rhtsupport Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-pass"><div><abbr title="The 
target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_iprutils_removed" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_iprutils_removed" id="rule-overview-leaf-idm45342104426224" data-tt-parent-id="xccdf_org.ssgproject.content_group_system-tools" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104426224" onclick="return openRuleDetailsDialog('idm45342104426224')">Uninstall iprutils Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_integrity" data-tt-parent-id="xccdf_org.ssgproject.content_group_software"><td colspan="3" style="padding-left: 57px"><strong>System and Software Integrity</strong> <span class="badge">1x fail</span> <span class="badge">2x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>Federal Information Processing Standard (FIPS)</strong> <span class="badge">1x fail</span> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_enable_dracut_fips_module" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" 
id="rule-overview-leaf-idm45342104415536" data-tt-parent-id="xccdf_org.ssgproject.content_group_fips" data-references='{"":["SRG-OS-000120-VMM-000600","SRG-OS-000478-VMM-001980","SRG-OS-000396-VMM-001590"],"NIST SP 800-53":["SC-12(2)","SC-12(3)","IA-7","SC-13","CM-6(a)","SC-12"],"https://public.cyber.mil/stigs/cci/":["CCI-000068","CCI-000803","CCI-002450"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000478-GPOS-00223"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342104415536" onclick="return openRuleDetailsDialog('idm45342104415536')">Enable Dracut FIPS Module</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_enable_fips_mode" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342104409488" data-tt-parent-id="xccdf_org.ssgproject.content_group_fips" data-references='{"":["SRG-OS-000120-VMM-000600","SRG-OS-000478-VMM-001980","SRG-OS-000396-VMM-001590"],"NIST SP 800-53":["SC-12(2)","SC-12(3)","IA-7","SC-13","CM-6(a)","SC-12"],"https://public.cyber.mil/stigs/cci/":["CCI-000068","CCI-000803","CCI-002450"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000478-GPOS-00223","SRG-OS-000396-GPOS-00176"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342104409488" onclick="return openRuleDetailsDialog('idm45342104409488')">Enable FIPS Mode</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_crypto" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_crypto" data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px"><strong>System Cryptographic Policies</strong> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="rule-overview-leaf-idm45342104399920" data-tt-parent-id="xccdf_org.ssgproject.content_group_crypto" data-references='{"NIST SP 800-53":["SC-13","SC-12(2)","SC-12(3)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000423-GPOS-00187","SRG-OS-000426-GPOS-00190"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342104399920" onclick="return openRuleDetailsDialog('idm45342104399920')">Configure BIND to use System Crypto Policy</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" id="rule-overview-leaf-idm45342104391472" data-tt-parent-id="xccdf_org.ssgproject.content_group_crypto" data-references='{"NIST SP 
800-53":["AC-17(a)","AC-17(2)","CM-6(a)","MA-4(6)","SC-13","SC-12(2)","SC-12(3)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000250-GPOS-00093"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342104391472" onclick="return openRuleDetailsDialog('idm45342104391472')">Configure OpenSSL library to use System Crypto Policy</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy" id="rule-overview-leaf-idm45342104385120" data-tt-parent-id="xccdf_org.ssgproject.content_group_crypto" data-references='{"NIST SP 800-53":["CM-6(a)","MA-4(6)","SC-13","SC-12(2)","SC-12(3)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000033-GPOS-00014"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342104385120" onclick="return openRuleDetailsDialog('idm45342104385120')">Configure Libreswan to use System Crypto Policy</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_crypto_policy" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342104381440" data-tt-parent-id="xccdf_org.ssgproject.content_group_crypto" data-references='{"NIST SP 
800-53":["AC-17(a)","AC-17(2)","CM-6(a)","MA-4(6)","SC-13","SC-12(2)","SC-12(3)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000396-GPOS-00176","SRG-OS-000393-GPOS-00173","SRG-OS-000394-GPOS-00174"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342104381440" onclick="return openRuleDetailsDialog('idm45342104381440')">Configure System Cryptography Policy</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="rule-overview-leaf-idm45342104373680" data-tt-parent-id="xccdf_org.ssgproject.content_group_crypto" data-references='{"NIST SP 800-53":["SC-13","SC-12(2)","SC-12(3)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000120-GPOS-00061"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342104373680" onclick="return openRuleDetailsDialog('idm45342104373680')">Configure Kerberos to use System Crypto Policy</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_software-integrity" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_software-integrity" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_integrity"><td colspan="3" style="padding-left: 76px">Software Integrity Checking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_software-integrity");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_aide" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_aide" data-tt-parent-id="xccdf_org.ssgproject.content_group_software-integrity"><td colspan="3" style="padding-left: 95px">Verify Integrity with AIDE<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_aide");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_aide_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-overview-leaf-idm45342104344832" data-tt-parent-id="xccdf_org.ssgproject.content_group_aide" data-references='{"":["1.3.1"],"NIST SP 800-53":["CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","BAI01.06","BAI02.01","BAI03.05","BAI06.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS04.07","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ANSSI":["NT28(R51)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-7","PR.DS-1","PR.DS-6","PR.DS-8","PR.IP-1","PR.IP-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000363-GPOS-00150"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","2","3","5","7","8","9"],"FBI 
CJIS":["5.10.1.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3","4.3.4.4.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.3","SR 3.4","SR 3.8","SR 4.1","SR 6.2","SR 7.6"],"ISO 27001-2013":["A.11.2.4","A.12.1.2","A.12.2.1","A.12.4.1","A.12.5.1","A.12.6.2","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.14.2.7","A.15.2.1","A.8.2.3"],"PCI-DSS Requirement":["Req-11.5"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45342104344832" onclick="return openRuleDetailsDialog('idm45342104344832')">Install AIDE</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px">GRUB2 bootloader configuration<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_bootloader-grub2");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_pti_argument" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_pti_argument" id="rule-overview-leaf-idm45342104313008" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000433-GPOS-00193"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342104313008" onclick="return openRuleDetailsDialog('idm45342104313008')">Enable Kernel Page-Table Isolation (KPTI)</a></td><td 
class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_uefi_password" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_uefi_password" id="rule-overview-leaf-idm45342104298656" data-tt-parent-id="xccdf_org.ssgproject.content_group_bootloader-grub2" data-references='{"":["1.4.2"],"NIST SP 800-171":["3.4.5"],"NIST SP 800-53":["CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.03","DSS06.06"],"ANSSI":["NT28(R17)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.AC-6","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000080-GPOS-00048"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","12","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 
2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7"],"ISO 27001-2013":["A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342104298656" onclick="return openRuleDetailsDialog('idm45342104298656')">Set the UEFI Boot Loader Password</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>System Accounting with auditd</strong> <span class="badge">2x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_policy_rules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_policy_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px"><strong>System Accounting with auditd</strong> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_for_ospp" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342104267152" data-tt-parent-id="xccdf_org.ssgproject.content_group_policy_rules" data-references='{"NIST SP 
800-53":["NONE"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000004-GPOS-00004","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000476-GPOS-00221","SRG-OS-000327-GPOS-00127","SRG-OS-000064-GPOS-00033","SRG-OS-000365-GPOS-00152","SRG-OS-000458-GPOS-00203","SRG-OS-000461-GPOS-00205","SRG-OS-000462-GPOS-00206","SRG-OS-000463-GPOS-00207","SRG-OS-000465-GPOS-00209","SRG-OS-000466-GPOS-00210","SRG-OS-000467-GPOS-00211","SRG-OS-000468-GPOS-00212","SRG-OS-000470-GPOS-00214","SRG-OS-000471-GPOS-00215","SRG-OS-000471-GPOS-00216","SRG-OS-000472-GPOS-00217","SRG-OS-000474-GPOS-00219","SRG-OS-000475-GPOS-00220","SRG-OS-000477-GPOS-00222"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104267152" onclick="return openRuleDetailsDialog('idm45342104267152')">Configure audit according to OSPP requirements</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_auditd_configure_rules" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px">Configure auditd Rules for Comprehensive Auditing<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_auditd_configure_rules");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" id="rule-overview-leaf-idm45342104230832" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditd_configure_rules" data-references='{"":["5.2.5","SRG-OS-000004-VMM-000040","SRG-OS-000239-VMM-000810","SRG-OS-000240-VMM-000820","SRG-OS-000241-VMM-000830","SRG-OS-000274-VMM-000960","SRG-OS-000275-VMM-000970","SRG-OS-000276-VMM-000980","SRG-OS-000277-VMM-000990","SRG-OS-000303-VMM-001090","SRG-OS-000304-VMM-001100","SRG-OS-000476-VMM-001960"],"NIST SP 800-171":["3.1.7"],"NIST SP 
800-53":["AC-2(4)","AU-2(d)","AU-12(c)","AC-6(9)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","DSS06.03","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-1","PR.AC-3","PR.AC-4","PR.AC-6","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000018","CCI-000172","CCI-001403","CCI-001404","CCI-001405","CCI-001683","CCI-001684","CCI-001685","CCI-001686","CCI-002130","CCI-002132"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000004-GPOS-00004","SRG-OS-000239-GPOS-00089","SRG-OS-000240-GPOS-00090","SRG-OS-000241-GPOS-00091","SRG-OS-000303-GPOS-00120","SRG-OS-000476-GPOS-00221","SRG-OS-000274-GPOS-00104","SRG-OS-000275-GPOS-00105","SRG-OS-000276-GPOS-00106","SRG-OS-000277-GPOS-00107"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","18","19","2","3","4","5","6","7","8","9"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.10","4.3.2.6.7","4.3.3.2.2","4.3.3.3.9","4.3.3.5.1","4.3.3.5.2","4.3.3.5.8","4.3.3.6.6","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 
2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.1.2","A.6.2.1","A.6.2.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.2.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342104230832" onclick="return openRuleDetailsDialog('idm45342104230832')">Record Events that Modify User/Group Information - /etc/passwd</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing"><td colspan="3" style="padding-left: 57px">Configure auditd Data Retention<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_configure_auditd_data_retention");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_name_format" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_name_format" id="rule-overview-leaf-idm45342103880784" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" 
data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000039-GPOS-00017"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103880784" onclick="return openRuleDetailsDialog('idm45342103880784')">Set hostname as computer node name in audit logs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_local_events" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_local_events" id="rule-overview-leaf-idm45342103874160" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000062-GPOS-00031"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103874160" onclick="return openRuleDetailsDialog('idm45342103874160')">Include Local Events in Audit Logs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_freq" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_freq" id="rule-overview-leaf-idm45342103870512" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" 
data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000051-GPOS-00024"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103870512" onclick="return openRuleDetailsDialog('idm45342103870512')">Set number of records to cause an explicit flush to audit logs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_log_format" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_log_format" id="rule-overview-leaf-idm45342103856208" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000255-GPOS-00096"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103856208" onclick="return openRuleDetailsDialog('idm45342103856208')">Resolve information before writing to audit logs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_write_logs" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_write_logs" id="rule-overview-leaf-idm45342103846672" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" 
data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103846672" onclick="return openRuleDetailsDialog('idm45342103846672')">Write Audit Logs to the Disk</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" id="rule-overview-leaf-idm45342103838240" data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"NIST SP 800-171":["3.3.1"],"NIST SP 
800-53":["AU-11","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","BAI03.05","DSS01.03","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001576"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","14","15","16","2","3","5","6","7","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)(ii)(A)","164.308(a)(5)(ii)(C)","164.312(a)(2)(i)","164.312(b)","164.312(d)","164.312(e)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1","SR 6.2"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.14.2.7","A.15.2.1","A.15.2.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103838240" onclick="return openRuleDetailsDialog('idm45342103838240')">Configure auditd flush priority</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" id="rule-overview-leaf-idm45342103833744" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" data-references='{"":["SRG-OS-000051-VMM-000230","SRG-OS-000058-VMM-000270","SRG-OS-000059-VMM-000280","SRG-OS-000479-VMM-001990","SRG-OS-000479-VMM-001990"],"NIST SP 800-171":["3.3.1"],"NIST SP 800-53":["AU-4(1)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO11.04","APO12.06","BAI03.05","BAI08.02","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS05.04","DSS05.07","MEA02.01"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","PR.PT-1","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000136"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000479-GPOS-00224","SRG-OS-000342-GPOS-00133"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","19","3","4","5","6","7","8"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(5)(ii)(B)","164.308(a)(5)(ii)(C)","164.308(a)(6)(ii)","164.308(a)(8)","164.310(d)(2)(iii)","164.312(b)","164.314(a)(2)(i)(C)","164.314(a)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.10","4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9","SR 6.1"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.16.1.4","A.16.1.5","A.16.1.7"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FAU_GEN.1.1.c"],"PCI-DSS Requirement":["Req-10.5.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103833744" onclick="return openRuleDetailsDialog('idm45342103833744')">Configure auditd to use audispd's syslog plugin</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result 
rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_audit_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_audit_installed" id="rule-overview-leaf-idm45342104293264" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing" data-references='{"NIST SP 800-53":["AC-7(a)","AU-7(1)","AU-7(2)","AU-14","AU-12(2)","AU-2(a)","CM-6(a)"],"ANSSI":["NT28(R50)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000122-GPOS-00063"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342104293264" onclick="return openRuleDetailsDialog('idm45342104293264')">Ensure the audit Subsystem is Installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_audispd-plugins_installed" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342104289600" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000342-GPOS-00133"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342104289600" onclick="return openRuleDetailsDialog('idm45342104289600')">Install audispd-plugins Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the 
status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_auditd_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled" id="rule-overview-leaf-idm45342104281824" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing" data-references='{"":["4.1.2","SRG-OS-000037-VMM-000150","SRG-OS-000063-VMM-000310","SRG-OS-000038-VMM-000160","SRG-OS-000039-VMM-000170","SRG-OS-000040-VMM-000180","SRG-OS-000041-VMM-000190"],"NIST SP 800-171":["3.3.1","3.3.2","3.3.6"],"NIST SP 800-53":["AC-2(g)","AU-3","AU-10","AU-2(d)","AU-12(c)","AU-14(1)","AC-6(9)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.03","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS03.05","DSS05.02","DSS05.03","DSS05.04","DSS05.05","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","DE.CM-1","DE.CM-3","DE.CM-7","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126","CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000037-GPOS-00015","SRG-OS-000038-GPOS-00016","SRG-OS-000039-GPOS-00017","SRG-OS-000040-GPOS-00018","SRG-OS-000042-GPOS-00021","SRG-OS-000255-GPOS-00096"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","19","2","3","4","5","6","7","8","9"],"FBI 
CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(5)(ii)(C)","164.310(a)(2)(iv)","164.310(d)(2)(iii)","164.312(b)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 6.2","SR 7.1","SR 7.6"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.7","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342104281824" onclick="return openRuleDetailsDialog('idm45342104281824')">Enable auditd Service</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_audit_argument" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_audit_argument" id="rule-overview-leaf-idm45342104278160" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing" data-references='{"":["4.1.3","SRG-OS-000254-VMM-000880"],"NIST SP 800-171":["3.3.1"],"NIST SP 
800-53":["AC-17(1)","AU-14(1)","AU-10","CM-6(a)","IR-5(1)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO10.01","APO10.03","APO10.04","APO10.05","APO11.04","APO12.06","APO13.01","BAI03.05","BAI08.02","DSS01.04","DSS02.02","DSS02.04","DSS02.07","DSS03.01","DSS05.02","DSS05.03","DSS05.04","DSS05.07","MEA01.01","MEA01.02","MEA01.03","MEA01.04","MEA01.05","MEA02.01"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-3","DE.AE-5","ID.SC-4","PR.AC-3","PR.PT-1","PR.PT-4","RS.AN-1","RS.AN-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001464","CCI-000130"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000254-GPOS-00095"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","19","3","4","5","6","7","8"],"FBI CJIS":["5.4.1.1"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(5)(ii)(C)","164.310(a)(2)(iv)","164.310(d)(2)(iii)","164.312(b)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.10","4.3.2.6.7","4.3.3.3.9","4.3.3.5.8","4.3.3.6.6","4.3.4.4.7","4.3.4.5.6","4.3.4.5.7","4.3.4.5.8","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.13","SR 2.10","SR 2.11","SR 2.12","SR 2.6","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.1","SR 7.1","SR 7.6"],"ISO 27001-2013":["A.11.2.6","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.2.1","A.14.1.3","A.15.2.1","A.15.2.2","A.16.1.4","A.16.1.5","A.16.1.7","A.6.2.1","A.6.2.2"],"PCI-DSS Requirement":["Req-10.3"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342104278160" onclick="return openRuleDetailsDialog('idm45342104278160')">Enable Auditing for Processes Which Start Prior to the Audit Daemon</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result 
rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument" id="rule-overview-leaf-idm45342104272688" data-tt-parent-id="xccdf_org.ssgproject.content_group_auditing" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000254-GPOS-00095"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342104272688" onclick="return openRuleDetailsDialog('idm45342104272688')">Extend Audit Backlog Limit for the Audit Daemon</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px">Network Configuration and Firewalls<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-uncommon" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-uncommon" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Uncommon Network 
Protocols<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-uncommon");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" id="rule-overview-leaf-idm45342103814304" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-uncommon" data-references='{"":["3.5.2"],"NIST SP 800-171":["3.4.6"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","14","3","9"],"FBI CJIS":["5.10.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103814304" onclick="return openRuleDetailsDialog('idm45342103814304')">Disable SCTP Support</a></td><td class="rule-severity" 
style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_can_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_can_disabled" id="rule-overview-leaf-idm45342103804976" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-uncommon" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103804976" onclick="return openRuleDetailsDialog('idm45342103804976')">Disable CAN Support</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled" id="rule-overview-leaf-idm45342103797408" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-uncommon" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103797408" onclick="return openRuleDetailsDialog('idm45342103797408')">Disable TIPC Support</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled" id="rule-overview-leaf-idm45342103789824" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_network-uncommon" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103789824" onclick="return openRuleDetailsDialog('idm45342103789824')">Disable IEEE 1394 (FireWire) Support</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled" id="rule-overview-leaf-idm45342103782176" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-uncommon" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103782176" onclick="return openRuleDetailsDialog('idm45342103782176')">Disable ATM Support</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" 
style="padding-left: 57px">IPv6<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-ipv6");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_configuring_ipv6" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_configuring_ipv6" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-ipv6"><td colspan="3" style="padding-left: 76px">Configure IPv6 Settings if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_configuring_ipv6");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" id="rule-overview-leaf-idm45342103765248" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"":["3.3.2"],"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103765248" onclick="return openRuleDetailsDialog('idm45342103765248')">Disable Accepting ICMP Redirects for All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" class="rule-overview-leaf rule-overview-leaf-fixed 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" id="rule-overview-leaf-idm45342103752224" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"":["3.3.1"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103752224" onclick="return openRuleDetailsDialog('idm45342103752224')">Disable Accepting Router Advertisements on all IPv6 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" id="rule-overview-leaf-idm45342103740992" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"":["3.3.1"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103740992" onclick="return openRuleDetailsDialog('idm45342103740992')">Configure Accepting Router Advertisements on All IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly 
by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" id="rule-overview-leaf-idm45342103728080" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-5","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","14","15","16","18","4","6","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103728080" onclick="return openRuleDetailsDialog('idm45342103728080')">Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" id="rule-overview-leaf-idm45342103713232" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"":["3.3.2"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 
27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103713232" onclick="return openRuleDetailsDialog('idm45342103713232')">Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" id="rule-overview-leaf-idm45342103701920" data-tt-parent-id="xccdf_org.ssgproject.content_group_configuring_ipv6" data-references='{"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-5","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","14","15","16","18","4","6","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103701920" onclick="return openRuleDetailsDialog('idm45342103701920')">Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-iptables" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-iptables" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">iptables and ip6tables<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-iptables");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_iptables_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_iptables_installed" id="rule-overview-leaf-idm45342103690608" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-iptables" data-references='{"NIST SP 800-53":["CM-6(a)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103690608" onclick="return openRuleDetailsDialog('idm45342103690608')">Install iptables Package</a></td><td class="rule-severity" style="text-align: 
center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-kernel" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-kernel" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Kernel Parameters Which Affect Networking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-kernel");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-kernel"><td colspan="3" style="padding-left: 76px">Network Related Kernel Runtime Parameters for Hosts and Routers<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_host_and_router_parameters");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" id="rule-overview-leaf-idm45342103678208" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.7"],"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","BAI04.04","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","14","15","16","18","2","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103678208" onclick="return openRuleDetailsDialog('idm45342103678208')">Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" class="rule-overview-leaf rule-overview-leaf-fixed 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" id="rule-overview-leaf-idm45342103666976" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.4"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","SC-5(3)(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.04","DSS03.05","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.AC-3","PR.DS-4","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","2","3","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103666976" onclick="return 
openRuleDetailsDialog('idm45342103666976')">Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" id="rule-overview-leaf-idm45342103655696" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.2"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS05.02","DSS05.05","DSS05.07","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.DS-4","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001503","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","2","3","7","8","9"],"FBI 
CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103655696" onclick="return openRuleDetailsDialog('idm45342103655696')">Disable Accepting ICMP Redirects for All IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" id="rule-overview-leaf-idm45342103644416" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.5"],"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a 
href="#rule-detail-idm45342103644416" onclick="return openRuleDetailsDialog('idm45342103644416')">Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" id="rule-overview-leaf-idm45342103633120" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.8"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","SC-5(1)","SC-5(2)","SC-5(3)(a)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","BAI04.04","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000420-GPOS-00186","SRG-OS-000142-GPOS-00071"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","14","15","16","18","2","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 
7.6"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103633120" onclick="return openRuleDetailsDialog('idm45342103633120')">Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" id="rule-overview-leaf-idm45342103622000" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.1"],"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5","SC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 
95px"><a href="#rule-detail-idm45342103622000" onclick="return openRuleDetailsDialog('idm45342103622000')">Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" id="rule-overview-leaf-idm45342103610640" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.7"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","BAI04.04","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.07","DSS06.02"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","14","15","16","18","2","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103610640" onclick="return openRuleDetailsDialog('idm45342103610640')">Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" id="rule-overview-leaf-idm45342103606096" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.4"],"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5(3)(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.04","DSS03.05","DSS05.02","DSS05.03","DSS05.05","DSS05.07","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.AC-3","PR.DS-4","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000126"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","2","3","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103606096" onclick="return openRuleDetailsDialog('idm45342103606096')">Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then 
fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" id="rule-overview-leaf-idm45342103594896" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.1"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","SC-5CM-6(a)","SC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 
2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103594896" onclick="return openRuleDetailsDialog('idm45342103594896')">Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" id="rule-overview-leaf-idm45342103590304" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.6"],"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS05.02","DSS05.05","DSS05.07","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.DS-4","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","2","3","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103590304" onclick="return openRuleDetailsDialog('idm45342103590304')">Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" 
class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" id="rule-overview-leaf-idm45342103578944" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.2"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103578944" onclick="return openRuleDetailsDialog('idm45342103578944')">Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" id="rule-overview-leaf-idm45342103567632" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.3"],"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5","SC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a 
href="#rule-detail-idm45342103567632" onclick="return openRuleDetailsDialog('idm45342103567632')">Configure Kernel Parameter for Accepting Secure Redirects By Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" id="rule-overview-leaf-idm45342103556320" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" data-references='{"":["3.2.3"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","SC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-001503","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7",
"4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103556320" onclick="return openRuleDetailsDialog('idm45342103556320')">Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network_host_parameters" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network_host_parameters" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-kernel"><td colspan="3" style="padding-left: 76px">Network Parameters for Hosts Only<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network_host_parameters");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" 
class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" id="rule-overview-leaf-idm45342103545040" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"":["3.1.2"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","SC-5CM-6(a)","SC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103545040" onclick="return openRuleDetailsDialog('idm45342103545040')">Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" id="rule-overview-leaf-idm45342103534800" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"":["3.1.1"],"NIST SP 800-171":["3.1.20"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","SC-5CM-6(a)","SC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS03.05","DSS05.02","DSS05.05","DSS05.07","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.DS-4","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","2","3","7","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103534800" onclick="return openRuleDetailsDialog('idm45342103534800')">Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply 
remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" id="rule-overview-leaf-idm45342103524688" data-tt-parent-id="xccdf_org.ssgproject.content_group_network_host_parameters" data-references='{"":["3.1.2"],"NIST SP 800-171":["3.1.20"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","SC-5CM-6(a)","SC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO13.01","BAI04.04","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.03","DSS01.05","DSS03.01","DSS03.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.06"],"ANSSI":["NT28(R22)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","DE.CM-1","ID.AM-3","PR.AC-5","PR.DS-4","PR.DS-5","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","18","2","3","4","6","7","8","9"],"FBI CJIS":["5.10.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 
3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 6.2","SR 7.1","SR 7.2","SR 7.6"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.1.3","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.17.2.1","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103524688" onclick="return openRuleDetailsDialog('idm45342103524688')">Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-firewalld" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-firewalld" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">firewalld<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-firewalld");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_firewalld_activation" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_firewalld_activation" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-firewalld"><td colspan="3" style="padding-left: 76px">Inspect and Activate Default firewalld Rules<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_firewalld_activation");});</script></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_package_firewalld_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_firewalld_installed" id="rule-overview-leaf-idm45342103509728" data-tt-parent-id="xccdf_org.ssgproject.content_group_firewalld_activation" data-references='{"NIST SP 800-53":["CM-6(a)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000298-GPOS-00116"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103509728" onclick="return openRuleDetailsDialog('idm45342103509728')">Install firewalld Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled" id="rule-overview-leaf-idm45342103506048" data-tt-parent-id="xccdf_org.ssgproject.content_group_firewalld_activation" data-references='{"":["4.7"],"NIST SP 800-171":["3.1.3","3.4.7"],"NIST SP 
800-53":["AC-4","CM-7(b)","CA-3(5)","SC-7(21)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103506048" onclick="return openRuleDetailsDialog('idm45342103506048')">Verify firewalld Enabled</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_network-wireless" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_network-wireless" data-tt-parent-id="xccdf_org.ssgproject.content_group_network"><td colspan="3" style="padding-left: 57px">Wireless Networking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_network-wireless");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_wireless_software" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_wireless_software" data-tt-parent-id="xccdf_org.ssgproject.content_group_network-wireless"><td colspan="3" 
style="padding-left: 76px">Disable Wireless Through Software Configuration<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_wireless_software");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" id="rule-overview-leaf-idm45342103493008" data-tt-parent-id="xccdf_org.ssgproject.content_group_wireless_software" data-references='{"NIST SP 800-171":["3.1.16"],"NIST SP 800-53":["AC-18(a)","AC-18(3)","CM-7(a)","CM-7(b)","CM-6(a)","MP-7"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS01.04","DSS05.02","DSS05.03","DSS05.05","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-3","PR.IP-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-000085","CCI-001551"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","12","14","15","3","8","9"],"FBI CJIS":["5.13.1.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 
7.1","SR 7.6"],"ISO 27001-2013":["A.11.2.6","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.2.1","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.2.1","A.6.2.2","A.9.1.2"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103493008" onclick="return openRuleDetailsDialog('idm45342103493008')">Disable Bluetooth Kernel Module</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Account and Access Control</strong> <span class="badge">4x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-physical" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-physical" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Physical Console Access</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_screen_locking" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_screen_locking" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical"><td colspan="3" style="padding-left: 76px"><strong>Configure Screen Locking</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_screen_locking"><td colspan="3" style="padding-left: 95px"><strong>Hardware Tokens for Authentication</strong> <span class="badge">1x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking" id="rule-overview-leaf-idm45342103443424" data-tt-parent-id="xccdf_org.ssgproject.content_group_smart_card_login" data-references='{"https://public.cyber.mil/stigs/cci/":["CCI-001954"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000375-GPOS-00160","SRG-OS-000384-GPOS-00167"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45342103443424" onclick="return openRuleDetailsDialog('idm45342103443424')">Configure Smart Card Certificate Status Checking</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. 
It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_console_screen_locking" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_console_screen_locking" data-tt-parent-id="xccdf_org.ssgproject.content_group_screen_locking"><td colspan="3" style="padding-left: 95px">Configure Console Screen Locking<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_console_screen_locking");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tmux_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_tmux_installed" id="rule-overview-leaf-idm45342103440400" data-tt-parent-id="xccdf_org.ssgproject.content_group_console_screen_locking" data-references='{"":["FMT_MOF_EXT.1","SRG-OS-000030-VMM-000110"],"NIST SP 800-171":["3.1.10"],"NIST SP 800-53":["CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.10","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000058"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000030-GPOS-00011"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 
114px"><a href="#rule-detail-idm45342103440400" onclick="return openRuleDetailsDialog('idm45342103440400')">Install the tmux Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time" id="rule-overview-leaf-idm45342103436736" data-tt-parent-id="xccdf_org.ssgproject.content_group_console_screen_locking" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000029-GPOS-00010"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45342103436736" onclick="return openRuleDetailsDialog('idm45342103436736')">Configure tmux to lock session after inactivity</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux" id="rule-overview-leaf-idm45342103430432" data-tt-parent-id="xccdf_org.ssgproject.content_group_console_screen_locking" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000031-GPOS-00012"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 114px"><a 
href="#rule-detail-idm45342103430432" onclick="return openRuleDetailsDialog('idm45342103430432')">Support session locking with tmux</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_tmux_lock_command" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_configure_tmux_lock_command" id="rule-overview-leaf-idm45342103424784" data-tt-parent-id="xccdf_org.ssgproject.content_group_console_screen_locking" data-references='{"":["SRG-OS-000028-VMM-000090","SRG-OS-000030-VMM-000110"],"NIST SP 800-53":["AC-11(a)","AC-11(b)","CM-6(a)"],"https://public.cyber.mil/stigs/cci/":["CCI-000056","CCI-000058"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000028-GPOS-00009"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45342103424784" onclick="return openRuleDetailsDialog('idm45342103424784')">Configure the tmux Lock Command</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_tmux_in_shells" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_tmux_in_shells" id="rule-overview-leaf-idm45342103419152" data-tt-parent-id="xccdf_org.ssgproject.content_group_console_screen_locking" 
data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45342103419152" onclick="return openRuleDetailsDialog('idm45342103419152')">Prevent user from disabling the screen lock</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" id="rule-overview-leaf-idm45342103483648" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"NIST SP 800-171":["3.4.5"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103483648" onclick="return openRuleDetailsDialog('idm45342103483648')">Disable debug-shell SystemD Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="rule-overview-leaf-idm45342103479968" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"":["1.5.3"],"NIST SP 800-171":["3.1.1","3.4.5"],"NIST SP 800-53":["IA-2","AC-3","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.06","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000080-GPOS-00048"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7"],"ISO 27001-2013":["A.18.1.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103479968" 
onclick="return openRuleDetailsDialog('idm45342103479968')">Require Authentication for Single User Mode</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="rule-overview-leaf-idm45342103473920" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"NIST SP 800-171":["3.4.5"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["12","13","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103473920" onclick="return 
openRuleDetailsDialog('idm45342103473920')">Disable Ctrl-Alt-Del Reboot Activation</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" id="rule-overview-leaf-idm45342103467696" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"NIST SP 800-171":["3.1.2","3.4.5"],"NIST SP 800-53":["SC-2(1)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.03","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.AC-6","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000213"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","12","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 
1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7"],"ISO 27001-2013":["A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103467696" onclick="return openRuleDetailsDialog('idm45342103467696')">Verify that Interactive Boot is Disabled</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction" id="rule-overview-leaf-idm45342103464016" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-physical" data-references='{"NIST SP 800-171":["3.4.5"],"NIST SP 
800-53":["CM-6(a)","AC-6(1)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["12","13","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103464016" onclick="return openRuleDetailsDialog('idm45342103464016')">Disable Ctrl-Alt-Del Burst Action</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-banners" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-banners" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Warning Banners for System 
Accesses<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-banners");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_gui_login_banner" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_gui_login_banner" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-banners"><td colspan="3" style="padding-left: 76px">Implement a GUI Warning Banner<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_gui_login_banner");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" class="rule-overview-leaf rule-overview-leaf-notapplicable rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" id="rule-overview-leaf-idm45342103399360" data-tt-parent-id="xccdf_org.ssgproject.content_group_gui_login_banner" data-references='{"":["1.7.2"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(b)","AC-8(c)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.10","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000048"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000023-GPOS-00006","SRG-OS-000024-GPOS-00007","SRG-OS-000228-GPOS-00088"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"ISO 
27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103399360" onclick="return openRuleDetailsDialog('idm45342103399360')">Enable GNOME3 Login Warning Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notapplicable"><div><abbr title="The Rule was not applicable to the target of the test. For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_banner_etc_issue" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_banner_etc_issue" id="rule-overview-leaf-idm45342103413728" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-banners" data-references='{"":["1.7.1.2","SRG-OS-000023-VMM-000060","SRG-OS-000024-VMM-000070"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(c)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.10","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000048","CCI-000050"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000023-GPOS-00006","SRG-OS-000024-GPOS-00007"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"ISO 
27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103413728" onclick="return openRuleDetailsDialog('idm45342103413728')">Modify the System Login Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-pam" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-pam" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Protect Accounts by Configuring PAM<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-pam");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Password Quality Requirements<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_quality");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_quality_pwquality" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality"><td colspan="3" style="padding-left: 95px">Set Password Quality Requirements with 
pam_pwquality<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_quality_pwquality");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" id="rule-overview-leaf-idm45342103389824" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["SRG-OS-000070-VMM-000370"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000193"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000070-GPOS-00038"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45342103389824" onclick="return openRuleDetailsDialog('idm45342103389824')">Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" id="rule-overview-leaf-idm45342103379344" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["6.3.2","SRG-OS-000069-VMM-000360"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000192"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000069-GPOS-00037"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45342103379344" onclick="return 
openRuleDetailsDialog('idm45342103379344')">Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" id="rule-overview-leaf-idm45342103366480" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000195"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000072-GPOS-00040"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45342103366480" onclick="return 
openRuleDetailsDialog('idm45342103366480')">Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" id="rule-overview-leaf-idm45342103355968" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["SRG-OS-000072-VMM-000390"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(b)","CM-6(a)","IA-5(4)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000195"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000072-GPOS-00040"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 
114px"><a href="#rule-detail-idm45342103355968" onclick="return openRuleDetailsDialog('idm45342103355968')">Ensure PAM Enforces Password Requirements - Minimum Different Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" id="rule-overview-leaf-idm45342103345504" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["6.3.2","SRG-OS-000071-VMM-000380"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000194"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000071-GPOS-00039"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"ISO 
27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45342103345504" onclick="return openRuleDetailsDialog('idm45342103345504')">Ensure PAM Enforces Password Requirements - Minimum Digit Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" id="rule-overview-leaf-idm45342103335024" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"NIST SP 800-53":["IA-5(c)","CM-6(a)","IA-5(4)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000195"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000072-GPOS-00040"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 
1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45342103335024" onclick="return openRuleDetailsDialog('idm45342103335024')">Set Password Maximum Consecutive Repeating Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-overview-leaf-idm45342103324528" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["6.3.2","SRG-OS-000072-VMM-000390","SRG-OS-000078-VMM-000450"],"NIST SP 800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000205"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000078-GPOS-00046"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16","5"],"FBI 
CJIS":["5.6.2.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45342103324528" onclick="return openRuleDetailsDialog('idm45342103324528')">Ensure PAM Enforces Password Requirements - Minimum Length</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" id="rule-overview-leaf-idm45342103314048" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_quality_pwquality" data-references='{"":["SRG-OS-000266-VMM-000940"],"NIST SP 
800-53":["IA-5(c)","IA-5(1)(a)","CM-6(a)","IA-5(4)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-001619"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000266-GPOS-00101"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 114px"><a href="#rule-detail-idm45342103314048" onclick="return openRuleDetailsDialog('idm45342103314048')">Ensure PAM Enforces Password Requirements - Minimum Special Characters</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-pam"><td colspan="3" style="padding-left: 76px">Set Lockouts for 
Failed Password Attempts<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_locking_out_password_attempts");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-overview-leaf-idm45342103296368" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["5.3.2","SRG-OS-000021-VMM-000050"],"NIST SP 800-171":["3.1.8"],"NIST SP 800-53":["CM-6(a)","AC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.10","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002238","CCI-000044"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16"],"FBI CJIS":["5.5.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.6"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103296368" onclick="return openRuleDetailsDialog('idm45342103296368')">Set Deny For Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr 
title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" id="rule-overview-leaf-idm45342103287568" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["SRG-OS-000021-VMM-000050"],"NIST SP 800-53":["CM-6(a)","AC-7(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.10","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002238","CCI-000044"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103287568" onclick="return openRuleDetailsDialog('idm45342103287568')">Set Interval For Counting Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply 
remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-overview-leaf-idm45342103278592" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["5.3.2","SRG-OS-000329-VMM-001180"],"NIST SP 800-171":["3.1.8"],"NIST SP 800-53":["CM-6(a)","AC-7(b)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.10","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002238"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000329-GPOS-00128","SRG-OS-000021-GPOS-00005"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16"],"FBI CJIS":["5.5.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"],"PCI-DSS Requirement":["Req-8.1.7"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103278592" onclick="return openRuleDetailsDialog('idm45342103278592')">Set Lockout Time for Failed Password Attempts</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or 
possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" id="rule-overview-leaf-idm45342103267232" data-tt-parent-id="xccdf_org.ssgproject.content_group_locking_out_password_attempts" data-references='{"":["5.3.3","SRG-OS-000077-VMM-000440"],"NIST SP 800-171":["3.5.8"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(e)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000200"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000077-GPOS-00045"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16","5"],"FBI CJIS":["5.6.2.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"PCI-DSS Requirement":["Req-8.2.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103267232" onclick="return openRuleDetailsDialog('idm45342103267232')">Limit Password Reuse</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool 
that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px">Secure Session Configuration Files for Login Accounts<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_accounts-session");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_user_umask" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_user_umask" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session"><td colspan="3" style="padding-left: 76px">Ensure that Users Have Sensible Umask Values<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_user_umask");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" id="rule-overview-leaf-idm45342103218528" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"":["5.4.4"],"NIST SP 
800-53":["AC-6(1)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI03.01","BAI03.02","BAI03.03"],"ANSSI":["NT28(R35)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00228"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["18"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.3"],"ISO 27001-2013":["A.14.1.1","A.14.2.1","A.14.2.5","A.6.1.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103218528" onclick="return openRuleDetailsDialog('idm45342103218528')">Ensure the Default Umask is Set Correctly in /etc/profile</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" id="rule-overview-leaf-idm45342103212080" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"":["5.4.4"],"NIST SP 
800-53":["AC-6(1)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI03.01","BAI03.02","BAI03.03"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00228"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["18"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.3"],"ISO 27001-2013":["A.14.1.1","A.14.2.1","A.14.2.5","A.6.1.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103212080" onclick="return openRuleDetailsDialog('idm45342103212080')">Ensure the Default Bash Umask is Set Correctly</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc" id="rule-overview-leaf-idm45342103205648" data-tt-parent-id="xccdf_org.ssgproject.content_group_user_umask" data-references='{"NIST SP 
800-53":["AC-6(1)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI03.01","BAI03.02","BAI03.03"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00228"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["18"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.3"],"ISO 27001-2013":["A.14.1.1","A.14.2.1","A.14.2.5","A.6.1.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103205648" onclick="return openRuleDetailsDialog('idm45342103205648')">Ensure the Default C Shell Umask is Set Correctly</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" id="rule-overview-leaf-idm45342103247632" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-session" data-references='{"":["SRG-OS-000027-VMM-000080"],"NIST SP 800-53":["AC-10","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS01.05","DSS05.02"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000054"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000027-GPOS-00008"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["14","15","18","9"],"FBI 
CJIS":["5.5.2.2"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 3.1","SR 3.8"],"ISO 27001-2013":["A.13.1.1","A.13.1.3","A.13.2.1","A.14.1.2","A.14.1.3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342103247632" onclick="return openRuleDetailsDialog('idm45342103247632')">Limit the Number of Concurrent Login Sessions Allowed Per User</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_accounts-restrictions" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts"><td colspan="3" style="padding-left: 57px"><strong>Protect Accounts by Restricting Password-Based Login</strong> <span class="badge">3x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_expiration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_expiration" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px"><strong>Set Password Expiration Parameters</strong> <span class="badge">2x notchecked</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing" id="rule-overview-leaf-idm45342103195712" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" 
data-references='{"":["SRG-OS-000075-VMM000420"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(d)","CM-6(a)"],"https://public.cyber.mil/stigs/cci/":["CCI-000198"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000075-GPOS-00043"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103195712" onclick="return openRuleDetailsDialog('idm45342103195712')">Set Existing Passwords Minimum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" id="rule-overview-leaf-idm45342103187904" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"NIST SP 800-171":["3.5.7"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(a)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000078-GPOS-00046"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16","5"],"FBI 
CJIS":["5.6.2.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103187904" onclick="return openRuleDetailsDialog('idm45342103187904')">Set Password Minimum Length in login.defs</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing" id="rule-overview-leaf-idm45342103181296" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_expiration" data-references='{"":["SRG-OS-000076-VMM-000430"],"NIST SP 800-53":["IA-5(f)","IA-5(1)(d)","CM-6(a)"],"https://public.cyber.mil/stigs/cci/":["CCI-000199"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000076-GPOS-00044"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103181296" onclick="return openRuleDetailsDialog('idm45342103181296')">Set Existing Passwords Maximum Age</a></td><td class="rule-severity" style="text-align: center">medium</td><td 
class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Restrict Root Logins<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_root_logins");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" id="rule-overview-leaf-idm45342103161152" data-tt-parent-id="xccdf_org.ssgproject.content_group_root_logins" data-references='{"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 
800-53":["AC-6","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000770"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["12","13","14","15","16","18","3","5"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103161152" onclick="return openRuleDetailsDialog('idm45342103161152')">Restrict Virtual Console Root Logins</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_account_expiration" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_account_expiration" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px"><strong>Set Account Expiration Parameters</strong> <span class="badge">1x notchecked</span></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" id="rule-overview-leaf-idm45342103155712" data-tt-parent-id="xccdf_org.ssgproject.content_group_account_expiration" data-references='{"":["SRG-OS-000003-VMM-000030","SRG-OS-000118-VMM-000590"],"NIST SP 800-171":["3.5.6"],"NIST SP 800-53":["IA-4(e)","AC-2(3)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS01.03","DSS03.05","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000017","CCI-000795"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000118-GPOS-00060"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","14","15","16","18","3","5","7","8"],"FBI CJIS":["5.6.2.1.1"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 6.2"],"ISO 27001-2013":["A.12.4.1","A.12.4.3","A.18.1.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.1.4"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103155712" onclick="return openRuleDetailsDialog('idm45342103155712')">Set Account Expiration Following Inactivity</a></td><td class="rule-severity" 
style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_account_temp_expire_date" class="rule-overview-leaf rule-overview-leaf-notchecked rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_account_temp_expire_date" id="rule-overview-leaf-idm45342103143728" data-tt-parent-id="xccdf_org.ssgproject.content_group_account_expiration" data-references='{"":["SRG-OS-000002-VMM-000020","SRG-OS-000123-VMM-000620"],"NIST SP 800-53":["AC-2(2)","AC-2(3)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS01.03","DSS03.05","DSS05.04","DSS05.05","DSS05.07","DSS06.03"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","PR.AC-1","PR.AC-4","PR.AC-6"],"https://public.cyber.mil/stigs/cci/":["CCI-000016","CCI-001682"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000123-GPOS-00064","SRG-OS-000002-GPOS-00002"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","14","15","16","18","3","5","7","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 6.2"],"ISO 27001-2013":["A.12.4.1","A.12.4.3","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103143728" onclick="return openRuleDetailsDialog('idm45342103143728')">Assign Expiration Date to Temporary 
Accounts</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_password_storage" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_password_storage" data-tt-parent-id="xccdf_org.ssgproject.content_group_accounts-restrictions"><td colspan="3" style="padding-left: 76px">Verify Proper Storage and Existence of Password Hashes<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_password_storage");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords" id="rule-overview-leaf-idm45342103140704" data-tt-parent-id="xccdf_org.ssgproject.content_group_password_storage" data-references='{"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["IA-5(1)(a)","IA-5(c)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.02","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","14","15","16","18","3","5"],"FBI 
CJIS":["5.5.2"],"HIPAA":["164.308(a)(1)(ii)(B)","164.308(a)(7)(i)","164.308(a)(7)(ii)(A)","164.310(a)(1)","164.310(a)(2)(i)","164.310(a)(2)(ii)","164.310(a)(2)(iii)","164.310(b)","164.310(c)","164.310(d)(1)","164.310(d)(2)(iii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 5.2"],"ISO 27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.18.1.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"],"PCI-DSS Requirement":["Req-8.2.3"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342103140704" onclick="return openRuleDetailsDialog('idm45342103140704')">Prevent Login to Accounts With Empty Password</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_selinux" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_selinux" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 
38px">SELinux<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_selinux");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_policycoreutils_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_policycoreutils_installed" id="rule-overview-leaf-idm45342103128752" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342103128752" onclick="return openRuleDetailsDialog('idm45342103128752')">Install policycoreutils Package</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_policytype" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-overview-leaf-idm45342103115088" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"":["1.6.1.3","SRG-OS-000445-VMM-001780"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 
800-53":["AC-3","AC-3(3)(a)","AU-9","SC-7(21)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO11.04","APO13.01","BAI03.05","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06","MEA02.01"],"ANSSI":["NT28(R66)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-4","PR.AC-5","PR.AC-6","PR.DS-5","PR.PT-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-002696"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","18","3","4","5","6","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.2.2","4.3.3.3.9","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342103115088" onclick="return openRuleDetailsDialog('idm45342103115088')">Configure SELinux Policy</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_selinux_state" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-overview-leaf-idm45342103108224" data-tt-parent-id="xccdf_org.ssgproject.content_group_selinux" data-references='{"":["1.6.1.2","SRG-OS-000445-VMM-001780"],"NIST SP 800-171":["3.1.2","3.7.2"],"NIST SP 
800-53":["AC-3","AC-3(3)(a)","AU-9","SC-7(21)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","APO11.04","APO13.01","BAI03.05","DSS01.05","DSS03.01","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06","MEA02.01"],"ANSSI":["NT28(R4)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.AE-1","ID.AM-3","PR.AC-4","PR.AC-5","PR.AC-6","PR.DS-5","PR.PT-1","PR.PT-3","PR.PT-4"],"https://public.cyber.mil/stigs/cci/":["CCI-002165","CCI-002696"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000445-GPOS-00199"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","18","3","4","5","6","8","9"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.2.3.4","4.3.3.2.2","4.3.3.3.9","4.3.3.4","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4","4.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.10","SR 2.11","SR 2.12","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 2.8","SR 2.9","SR 3.1","SR 3.5","SR 3.8","SR 4.1","SR 4.3","SR 5.1","SR 5.2","SR 5.3","SR 7.1","SR 7.6"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.1","A.12.1.2","A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1","A.13.1.1","A.13.1.2","A.13.1.3","A.13.2.1","A.13.2.2","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342103108224" onclick="return openRuleDetailsDialog('idm45342103108224')">Ensure SELinux State is Enforcing</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_permissions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_permissions" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>File Permissions and Masks</strong> <span class="badge">1x fail</span> <span class="badge">3x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_files" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_files" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Verify Permissions on Important Files and Directories<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_files");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" id="rule-overview-leaf-idm45342102584368" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"":["1.6.1"],"NIST SP 
800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["NT28(R23)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102584368" onclick="return openRuleDetailsDialog('idm45342102584368')">Enable Kernel Parameter to Enforce DAC on Symlinks</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" id="rule-overview-leaf-idm45342102574816" data-tt-parent-id="xccdf_org.ssgproject.content_group_files" data-references='{"":["1.6.1"],"NIST SP 800-53":["CM-6(a)","AC-6(1)"],"ANSSI":["NT28(R23)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000324-GPOS-00125"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102574816" onclick="return openRuleDetailsDialog('idm45342102574816')">Enable Kernel Parameter to Enforce DAC on Hardlinks</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_partitions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_partitions" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px"><strong>Restrict Partition Mount Options</strong> <span class="badge">1x fail</span> <span class="badge">3x error</span></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev" id="rule-overview-leaf-idm45342102524128" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102524128" onclick="return openRuleDetailsDialog('idm45342102524128')">Add nodev Option to /var/log</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" id="rule-overview-leaf-idm45342102520448" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102520448" onclick="return openRuleDetailsDialog('idm45342102520448')">Add nosuid Option to /var/log</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human 
auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_boot_nodev" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_boot_nodev" id="rule-overview-leaf-idm45342102511824" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102511824" onclick="return openRuleDetailsDialog('idm45342102511824')">Add nodev Option to /boot</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342102503248" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"":["1.1.8"],"ANSSI":["NT28(R12)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102503248" onclick="return openRuleDetailsDialog('idm45342102503248')">Add nodev Option to /var/tmp</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not 
certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" id="rule-overview-leaf-idm45342102493184" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"":["1.1.16"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102493184" onclick="return 
openRuleDetailsDialog('idm45342102493184')">Add nosuid Option to /dev/shm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342102489504" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"":["1.1.9"],"ANSSI":["NT28(R12)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102489504" onclick="return openRuleDetailsDialog('idm45342102489504')">Add nosuid Option to /var/tmp</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" id="rule-overview-leaf-idm45342102479440" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"":["1.1.3"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ANSSI":["NT28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102479440" onclick="return 
openRuleDetailsDialog('idm45342102479440')">Add nosuid Option to /home</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" id="rule-overview-leaf-idm45342102470832" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"":["1.1.5"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ANSSI":["NT28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 
27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102470832" onclick="return openRuleDetailsDialog('idm45342102470832')">Add noexec Option to /tmp</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_nodev" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_nodev" id="rule-overview-leaf-idm45342102467168" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102467168" onclick="return openRuleDetailsDialog('idm45342102467168')">Add nodev Option to /var</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec" id="rule-overview-leaf-idm45342102461744" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102461744" onclick="return openRuleDetailsDialog('idm45342102461744')">Add noexec Option to /var/log/audit</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev" id="rule-overview-leaf-idm45342102453088" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102453088" onclick="return openRuleDetailsDialog('idm45342102453088')">Add nodev Option to /var/log/audit</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_home_nodev" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_home_nodev" id="rule-overview-leaf-idm45342102449408" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"":["1.1.14"],"ANSSI":["NT28(R12)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102449408" onclick="return openRuleDetailsDialog('idm45342102449408')">Add nodev Option to /home</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" id="rule-overview-leaf-idm45342102445744" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"":["1.1.17"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102445744" onclick="return openRuleDetailsDialog('idm45342102445744')">Add noexec Option to /dev/shm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev" class="rule-overview-leaf rule-overview-leaf-pass 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev" id="rule-overview-leaf-idm45342102435344" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"":["1.1.3"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ANSSI":["NT28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102435344" onclick="return openRuleDetailsDialog('idm45342102435344')">Add nodev Option to /tmp</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" id="rule-overview-leaf-idm45342102431680" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"":["1.1.15"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102431680" onclick="return openRuleDetailsDialog('idm45342102431680')">Add nodev Option to /dev/shm</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target 
system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" id="rule-overview-leaf-idm45342102428000" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102428000" onclick="return openRuleDetailsDialog('idm45342102428000')">Add nosuid Option to /boot</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45342102419392" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"":["1.1.11"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102419392" onclick="return openRuleDetailsDialog('idm45342102419392')">Add nodev Option to Non-Root Local Partitions</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" id="rule-overview-leaf-idm45342102415056" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" 
data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102415056" onclick="return openRuleDetailsDialog('idm45342102415056')">Add noexec Option to /var/log</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid" id="rule-overview-leaf-idm45342102404688" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102404688" onclick="return openRuleDetailsDialog('idm45342102404688')">Add nosuid Option to /var/log/audit</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" class="rule-overview-leaf 
rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342102394272" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"":["1.1.10"],"ANSSI":["NT28(R12)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102394272" onclick="return openRuleDetailsDialog('idm45342102394272')">Add noexec Option to /var/tmp</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" id="rule-overview-leaf-idm45342102384208" data-tt-parent-id="xccdf_org.ssgproject.content_group_partitions" data-references='{"":["1.1.4"],"NIST SP 
800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-6","AC-6(1)","MP-7"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS05.06","DSS06.06"],"ANSSI":["NT28(R12)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-2","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000368-GPOS-00154"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","13","14","3","8","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.11.2.9","A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.8.2.1","A.8.2.2","A.8.2.3","A.8.3.1","A.8.3.3","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102384208" onclick="return openRuleDetailsDialog('idm45342102384208')">Add nosuid Option to /tmp</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_restrictions" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_restrictions" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Restrict Programs from Dangerous Execution Patterns<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_restrictions");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_poisoning" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_poisoning" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px">Memory Poisoning<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_poisoning");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_page_poison_argument" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_page_poison_argument" id="rule-overview-leaf-idm45342102301552" data-tt-parent-id="xccdf_org.ssgproject.content_group_poisoning" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342102301552" onclick="return openRuleDetailsDialog('idm45342102301552')">Enable page allocator poisoning</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument" id="rule-overview-leaf-idm45342102296032" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_poisoning" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000433-GPOS-00192"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342102296032" onclick="return openRuleDetailsDialog('idm45342102296032')">Enable SLUB/SLAB allocator poisoning</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_enable_execshield_settings" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px">Enable ExecShield<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_enable_execshield_settings");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" id="rule-overview-leaf-idm45342102282256" data-tt-parent-id="xccdf_org.ssgproject.content_group_enable_execshield_settings" data-references='{"NIST SP 800-53":["SC-30","SC-30(2)","SC-30(5)","CM-6(a)"],"ANSSI":["NT28(R23)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342102282256" onclick="return openRuleDetailsDialog('idm45342102282256')">Restrict Exposed Kernel Pointer Addresses Access</a></td><td class="rule-severity" style="text-align: center">medium</td><td 
class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_coredumps" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_coredumps" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions"><td colspan="3" style="padding-left: 76px">Disable Core Dumps<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_coredumps");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled" id="rule-overview-leaf-idm45342102276848" data-tt-parent-id="xccdf_org.ssgproject.content_group_coredumps" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342102276848" onclick="return openRuleDetailsDialog('idm45342102276848')">Disable acquiring, saving, and processing core dumps</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_coredump_disable_backtraces" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_coredump_disable_backtraces" id="rule-overview-leaf-idm45342102268704" data-tt-parent-id="xccdf_org.ssgproject.content_group_coredumps" 
data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342102268704" onclick="return openRuleDetailsDialog('idm45342102268704')">Disable core dump backtraces</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_users_coredumps" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_disable_users_coredumps" id="rule-overview-leaf-idm45342102262000" data-tt-parent-id="xccdf_org.ssgproject.content_group_coredumps" data-references='{"":["1.5.1"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI04.04","DSS01.03","DSS03.05","DSS05.07"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","PR.DS-4"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","15","16","2","7","8"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 6.2","SR 7.1","SR 7.2"],"ISO 27001-2013":["A.12.1.3","A.17.2.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342102262000" onclick="return openRuleDetailsDialog('idm45342102262000')">Disable Core Dumps for All Users</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply 
remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_coredump_disable_storage" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_coredump_disable_storage" id="rule-overview-leaf-idm45342102254000" data-tt-parent-id="xccdf_org.ssgproject.content_group_coredumps" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 95px"><a href="#rule-detail-idm45342102254000" onclick="return openRuleDetailsDialog('idm45342102254000')">Disable storing core dump</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" id="rule-overview-leaf-idm45342102380544" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["NT28(R25)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102380544" onclick="return openRuleDetailsDialog('idm45342102380544')">Restrict usage of ptrace to descendant processes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the 
human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" id="rule-overview-leaf-idm45342102370400" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102370400" onclick="return openRuleDetailsDialog('idm45342102370400')">Harden the operation of the BPF just-in-time compiler</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" id="rule-overview-leaf-idm45342102360272" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102360272" onclick="return openRuleDetailsDialog('idm45342102360272')">Disable Access to Network bpf() Syscall From Unprivileged Processes</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then 
fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument" class="rule-overview-leaf rule-overview-leaf-informational rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument" id="rule-overview-leaf-idm45342102350080" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102350080" onclick="return openRuleDetailsDialog('idm45342102350080')">Disable vsyscalls</a></td><td class="rule-severity" style="text-align: center">info</td><td class="rule-result rule-result-informational"><div><abbr title="The Rule was checked, but the output from the checking engine is simply information for auditors or administrators; it is not a compliance category. 
This status value is designed for Rule elements whose main purpose is to extract information from the target rather than test the target.">informational</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" id="rule-overview-leaf-idm45342102346112" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-171":["3.1.5"],"NIST SP 800-53":["SI-11(a)","SI-11(b)"],"ANSSI":["NT28(R23)"],"https://public.cyber.mil/stigs/cci/":["CCI-001314"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067"],"HIPAA":["164.308(a)(1)(ii)(D)","164.308(a)(3)","164.308(a)(4)","164.310(b)","164.310(c)","164.312(a)","164.312(e)"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102346112" onclick="return openRuleDetailsDialog('idm45342102346112')">Restrict Access to Kernel Message Buffer</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" id="rule-overview-leaf-idm45342102335984" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102335984" onclick="return 
openRuleDetailsDialog('idm45342102335984')">Disable Kernel Image Loading</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern" id="rule-overview-leaf-idm45342102325840" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102325840" onclick="return openRuleDetailsDialog('idm45342102325840')">Disable storing core dumps</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" id="rule-overview-leaf-idm45342102315680" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"ANSSI":["NT28(R23)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000132-GPOS-00067"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a 
href="#rule-detail-idm45342102315680" onclick="return openRuleDetailsDialog('idm45342102315680')">Disallow kernel profiling by unprivileged users</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces" class="rule-overview-leaf rule-overview-leaf-informational rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces" id="rule-overview-leaf-idm45342102305536" data-tt-parent-id="xccdf_org.ssgproject.content_group_restrictions" data-references='{"NIST SP 800-53":["SC-39","CM-6(a)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102305536" onclick="return openRuleDetailsDialog('idm45342102305536')">Disable the use of user namespaces</a></td><td class="rule-severity" style="text-align: center">info</td><td class="rule-result rule-result-informational"><div><abbr title="The Rule was checked, but the output from the checking engine is simply information for auditors or administrators; it is not a compliance category. 
This status value is designed for Rule elements whose main purpose is to extract information from the target rather than test the target.">informational</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mounting" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mounting" data-tt-parent-id="xccdf_org.ssgproject.content_group_permissions"><td colspan="3" style="padding-left: 57px">Restrict Dynamic Mounting and Unmounting of Filesystems<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_mounting");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" id="rule-overview-leaf-idm45342102236720" data-tt-parent-id="xccdf_org.ssgproject.content_group_mounting" data-references='{"":["1.1.1.1"],"NIST SP 800-171":["3.4.6"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 
1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102236720" onclick="return openRuleDetailsDialog('idm45342102236720')">Disable Mounting of cramfs</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_logging" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_logging" data-tt-parent-id="xccdf_org.ssgproject.content_group_system"><td colspan="3" style="padding-left: 38px"><strong>Configure Syslog</strong> <span class="badge">2x fail</span> <span class="badge">1x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging"><td colspan="3" style="padding-left: 57px"><strong>Rsyslog Logs Sent To Remote Host</strong> <span class="badge">2x fail</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45342102177248" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td 
style="padding-left: 76px"><a href="#rule-detail-idm45342102177248" onclick="return openRuleDetailsDialog('idm45342102177248')">Configure CA certificate for rsyslog remote logging</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_rsyslog_remote_tls" class="rule-overview-leaf rule-overview-leaf-fail rule-overview-needs-attention" id="rule-overview-leaf-idm45342102170560" data-tt-parent-id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" data-references='{"NIST SP 800-53":["AU-9(3)","CM-6(a)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000120-GPOS-00061"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342102170560" onclick="return openRuleDetailsDialog('idm45342102170560')">Configure TLS for rsyslog remote logging</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_rsyslog_installed" id="rule-overview-leaf-idm45342102216928" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"":["4.2.3"],"NIST SP 
800-53":["CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO11.04","BAI03.05","DSS05.04","DSS05.07","MEA02.01"],"ANSSI":["NT28(R5)","NT28(R46)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.PT-1"],"https://public.cyber.mil/stigs/cci/":["CCI-001311","CCI-001312"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000479-GPOS-00224","SRG-OS-000051-GPOS-00024"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","14","15","16","3","5","6"],"HIPAA":["164.312(a)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.3.9","4.3.3.5.8","4.3.4.4.7","4.4.2.1","4.4.2.2","4.4.2.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.10","SR 2.11","SR 2.12","SR 2.8","SR 2.9"],"ISO 27001-2013":["A.12.4.1","A.12.4.2","A.12.4.3","A.12.4.4","A.12.7.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342102216928" onclick="return openRuleDetailsDialog('idm45342102216928')">Ensure rsyslog is Installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342102213248" data-tt-parent-id="xccdf_org.ssgproject.content_group_logging" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000120-GPOS-00061"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342102213248" onclick="return openRuleDetailsDialog('idm45342102213248')">Ensure 
rsyslog-gnutls is installed</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_services" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_services" data-tt-parent-id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><td colspan="3" style="padding-left: 19px"><strong>Services</strong> <span class="badge">6x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">NFS and RPC<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_nfs_and_rpc");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_nfs-utils_removed" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_nfs-utils_removed" id="rule-overview-leaf-idm45342102110016" data-tt-parent-id="xccdf_org.ssgproject.content_group_nfs_and_rpc" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342102110016" onclick="return openRuleDetailsDialog('idm45342102110016')">Uninstall nfs-utils Package</a></td><td class="rule-severity" style="text-align: center">low</td><td class="rule-result rule-result-fixed"><div><abbr 
title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Mail Server Software<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_mail");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_sendmail_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed" id="rule-overview-leaf-idm45342102064432" data-tt-parent-id="xccdf_org.ssgproject.content_group_mail" data-references='{"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.05","DSS06.06"],"ANSSI":["NT28(R1)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","14","3","9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 
1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.9.1.2"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342102064432" onclick="return openRuleDetailsDialog('idm45342102064432')">Uninstall Sendmail Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ntp" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ntp" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Network Time Protocol<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ntp");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_client_only" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_client_only" id="rule-overview-leaf-idm45342101925168" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000096-GPOS-00050"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101925168" onclick="return openRuleDetailsDialog('idm45342101925168')">Disable chrony daemon from acting as server</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network" id="rule-overview-leaf-idm45342101914816" data-tt-parent-id="xccdf_org.ssgproject.content_group_ntp" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000096-GPOS-00050"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101914816" onclick="return openRuleDetailsDialog('idm45342101914816')">Disable network management of chrony daemon</a></td><td class="rule-severity" style="text-align: center">unknown</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fapolicyd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_fapolicyd" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>Application Whitelisting Daemon</strong> <span class="badge">2x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_fapolicyd_installed" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342101897888" data-tt-parent-id="xccdf_org.ssgproject.content_group_fapolicyd" data-references='{"NIST SP 800-53":["CM-6(a)","SI-4(22)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000370-GPOS-00155"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101897888" onclick="return openRuleDetailsDialog('idm45342101897888')">Install fapolicyd Package</a></td><td 
class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342101890112" data-tt-parent-id="xccdf_org.ssgproject.content_group_fapolicyd" data-references='{"NIST SP 800-53":["CM-6(a)","SI-4(22)"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000370-GPOS-00155"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101890112" onclick="return openRuleDetailsDialog('idm45342101890112')">Enable the File Access Policy Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_base" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_base" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Base Services<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_base");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt_removed" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt_removed" id="rule-overview-leaf-idm45342101852992" data-tt-parent-id="xccdf_org.ssgproject.content_group_base" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000095-GPOS-00049"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101852992" onclick="return openRuleDetailsDialog('idm45342101852992')">Uninstall Automatic Bug Reporting Tool (abrt)</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_kerberos" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_kerberos" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Kerberos<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_kerberos");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab" class="rule-overview-leaf 
rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab" id="rule-overview-leaf-idm45342101772032" data-tt-parent-id="xccdf_org.ssgproject.content_group_kerberos" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000120-GPOS-00061"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_CKM.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101772032" onclick="return openRuleDetailsDialog('idm45342101772032')">Disable Kerberos by removing host keytab</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">SSH Server<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ssh");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_ssh_server" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh"><td colspan="3" style="padding-left: 57px">Configure OpenSSH Server if Necessary<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_ssh_server");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" id="rule-overview-leaf-idm45342101745360" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["5.2.16","SRG-OS-000023-VMM-000060","SRG-OS-000024-VMM-000070"],"NIST SP 800-171":["3.1.9"],"NIST SP 800-53":["AC-8(a)","AC-8(c)","AC-17(a)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.10","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-000048","CCI-000050","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000023-GPOS-00006","SRG-OS-000024-GPOS-00007","SRG-OS-000228-GPOS-00088"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.5","SR 1.7","SR 1.8","SR 1.9"],"ISO 27001-2013":["A.18.1.4","A.9.2.1","A.9.2.4","A.9.3.1","A.9.4.2","A.9.4.3"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_MOF_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342101745360" onclick="return openRuleDetailsDialog('idm45342101745360')">Enable SSH Warning Banner</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" class="rule-overview-leaf 
rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-overview-leaf-idm45342101737408" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["5.2.8","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-6(2)","AC-17(a)","IA-2","IA-2(5)","CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.02","DSS06.03","DSS06.06","DSS06.10"],"ANSSI":["NT28(R19)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.DS-5","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366","CCI-000770"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227","SRG-OS-000109-GPOS-00056"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","11","12","13","14","15","16","18","3","5"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 5.2"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.18.1.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342101737408" onclick="return openRuleDetailsDialog('idm45342101737408')">Disable SSH Root Login</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" id="rule-overview-leaf-idm45342101727104" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["5.2.12","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.11"],"NIST SP 
800-53":["CM-6(a)","AC-17(a)","AC-2(5)","AC-12","AC-17(a)","SC-10","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI03.01","BAI03.02","BAI03.03","DSS01.03","DSS03.05","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"ANSSI":["NT28(R29)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000879","CCI-001133","CCI-002361"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000163-GPOS-00072","SRG-OS-000279-GPOS-00109","SRG-OS-000126-GPOS-00066","SRG-OS-000395-GPOS-00175"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","14","15","16","18","3","5","7","8"],"FBI CJIS":["5.5.6"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 6.2"],"ISO 27001-2013":["A.12.4.1","A.12.4.3","A.14.1.1","A.14.2.1","A.14.2.5","A.18.1.4","A.6.1.2","A.6.1.5","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"],"PCI-DSS Requirement":["Req-8.1.8"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342101727104" onclick="return openRuleDetailsDialog('idm45342101727104')">Set SSH Idle Timeout Interval</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by 
the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" id="rule-overview-leaf-idm45342101716768" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000368","CCI-000318","CCI-001812","CCI-001813","CCI-001814"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000364-GPOS-00151"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","3","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342101716768" onclick="return openRuleDetailsDialog('idm45342101716768')">Disable Kerberos Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" class="rule-overview-leaf rule-overview-leaf-fixed 
rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" id="rule-overview-leaf-idm45342101703392" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["CM-7(a)","CM-7(b)","CM-6(a)","AC-17(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.IP-1"],"https://public.cyber.mil/stigs/cci/":["CCI-000368","CCI-000318","CCI-001812","CCI-001813","CCI-001814"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000364-GPOS-00151"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","3","9"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342101703392" onclick="return openRuleDetailsDialog('idm45342101703392')">Disable GSSAPI Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_rekey_limit" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_rekey_limit" id="rule-overview-leaf-idm45342101676384" 
data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_SSHS_EXT.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342101676384" onclick="return openRuleDetailsDialog('idm45342101676384')">Force frequent session key renegotiation</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" id="rule-overview-leaf-idm45342101668480" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 800-53":["AC-6","AC-17(a)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","DSS05.04","DSS05.07","DSS06.02"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.DS-5"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["12","13","14","15","16","18","3","5"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.7.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 2.1","SR 5.2"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342101668480" onclick="return openRuleDetailsDialog('idm45342101668480')">Enable Use of Strict Mode Checking</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" class="rule-overview-leaf rule-overview-leaf-fixed rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive" id="rule-overview-leaf-idm45342101664000" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["5.2.12","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.11"],"NIST SP 800-53":["AC-2(5)","AC-12","AC-17(a)","SC-10","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO13.01","BAI03.01","BAI03.02","BAI03.03","DSS01.03","DSS03.05","DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["DE.CM-1","DE.CM-3","PR.AC-1","PR.AC-4","PR.AC-6","PR.AC-7","PR.IP-2"],"https://public.cyber.mil/stigs/cci/":["CCI-000879","CCI-001133","CCI-002361"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000163-GPOS-00072","SRG-OS-000279-GPOS-00109"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","13","14","15","16","18","3","5","7","8"],"FBI 
CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 6.2"],"ISO 27001-2013":["A.12.4.1","A.12.4.3","A.14.1.1","A.14.2.1","A.14.2.5","A.18.1.4","A.6.1.2","A.6.1.5","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.1","A.9.4.2","A.9.4.3","A.9.4.4","A.9.4.5"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342101664000" onclick="return openRuleDetailsDialog('idm45342101664000')">Set SSH Client Alive Max Count</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_host_auth" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_disable_host_auth" id="rule-overview-leaf-idm45342101644144" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["5.2.7","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.12"],"NIST SP 
800-53":["AC-3","AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.03","DSS06.06"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.AC-6","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00229"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","12","14","15","16","18","3","5","9"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 7.6"],"ISO 27001-2013":["A.12.1.2","A.12.5.1","A.12.6.2","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342101644144" onclick="return openRuleDetailsDialog('idm45342101644144')">Disable Host-Based Authentication</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of 
the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" id="rule-overview-leaf-idm45342101639680" data-tt-parent-id="xccdf_org.ssgproject.content_group_ssh_server" data-references='{"":["5.2.9","SRG-OS-000480-VMM-002000"],"NIST SP 800-171":["3.1.1","3.1.5"],"NIST SP 800-53":["AC-17(a)","CM-7(a)","CM-7(b)","CM-6(a)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["APO01.06","BAI10.01","BAI10.02","BAI10.03","BAI10.05","DSS05.02","DSS05.04","DSS05.05","DSS05.07","DSS06.02","DSS06.03","DSS06.06"],"ANSSI":["NT007(R17)"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-4","PR.AC-6","PR.DS-5","PR.IP-1","PR.PT-3"],"https://public.cyber.mil/stigs/cci/":["CCI-000366"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00229"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["11","12","13","14","15","16","18","3","5","9"],"FBI CJIS":["5.5.6"],"HIPAA":["164.308(a)(4)(i)","164.308(b)(1)","164.308(b)(3)","164.310(b)","164.312(e)(1)","164.312(e)(2)(ii)"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.5.3","4.3.3.5.4","4.3.3.5.5","4.3.3.5.6","4.3.3.5.7","4.3.3.5.8","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.1","4.3.3.7.2","4.3.3.7.3","4.3.3.7.4","4.3.4.3.2","4.3.4.3.3"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.11","SR 1.12","SR 1.13","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.6","SR 1.7","SR 1.8","SR 1.9","SR 2.1","SR 2.2","SR 2.3","SR 2.4","SR 2.5","SR 2.6","SR 2.7","SR 5.2","SR 7.6"],"ISO 
27001-2013":["A.10.1.1","A.11.1.4","A.11.1.5","A.11.2.1","A.12.1.2","A.12.5.1","A.12.6.2","A.13.1.1","A.13.1.3","A.13.2.1","A.13.2.3","A.13.2.4","A.14.1.2","A.14.1.3","A.14.2.2","A.14.2.3","A.14.2.4","A.6.1.2","A.7.1.1","A.7.1.2","A.7.3.1","A.8.2.2","A.8.2.3","A.9.1.1","A.9.1.2","A.9.2.1","A.9.2.3","A.9.4.1","A.9.4.4","A.9.4.5"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FIA_AFL.1"]}'><td style="padding-left: 76px"><a href="#rule-detail-idm45342101639680" onclick="return openRuleDetailsDialog('idm45342101639680')">Disable SSH Access via Empty Passwords</a></td><td class="rule-severity" style="text-align: center">high</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_usbguard" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_usbguard" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px"><strong>USBGuard daemon</strong> <span class="badge">4x error</span></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_usbguard_installed" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342101635184" data-tt-parent-id="xccdf_org.ssgproject.content_group_usbguard" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000378-GPOS-00163"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101635184" onclick="return openRuleDetailsDialog('idm45342101635184')">Install usbguard Package</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_usbguard_enabled" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342101627408" data-tt-parent-id="xccdf_org.ssgproject.content_group_usbguard" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000378-GPOS-00163"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101627408" onclick="return openRuleDetailsDialog('idm45342101627408')">Enable the USBGuard Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342101617216" data-tt-parent-id="xccdf_org.ssgproject.content_group_usbguard" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000114-GPOS-00059"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101617216" onclick="return openRuleDetailsDialog('idm45342101617216')">Authorize Human Interface Devices and USB hubs in USBGuard daemon</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend" class="rule-overview-leaf rule-overview-leaf-error rule-overview-needs-attention" id="rule-overview-leaf-idm45342101607984" data-tt-parent-id="xccdf_org.ssgproject.content_group_usbguard" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000062-GPOS-00031"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FMT_SMF_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101607984" onclick="return openRuleDetailsDialog('idm45342101607984')">Log USBGuard daemon audit events using Linux Audit</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sssd" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_sssd" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">System Security Services Daemon<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_sssd");});</script></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sssd_enable_smartcards" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sssd_enable_smartcards" id="rule-overview-leaf-idm45342101482544" data-tt-parent-id="xccdf_org.ssgproject.content_group_sssd" data-references='{"":["SRG-OS-000107-VMM-000530"],"https://public.cyber.mil/stigs/cci/":["CCI-001954"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000375-GPOS-00160"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101482544" onclick="return openRuleDetailsDialog('idm45342101482544')">Enable Smartcards in SSSD</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration" id="rule-overview-leaf-idm45342101476512" data-tt-parent-id="xccdf_org.ssgproject.content_group_sssd" data-references='{"":["SRG-OS-000383-VMM-001570"],"NIST SP 
800-53":["CM-6(a)","IA-5(13)"],"http://www.isaca.org/COBIT/Pages/default.aspx":["DSS05.04","DSS05.05","DSS05.07","DSS05.10","DSS06.03","DSS06.10"],"https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf":["PR.AC-1","PR.AC-6","PR.AC-7"],"https://public.cyber.mil/stigs/cci/":["CCI-002007"],"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000383-GPOS-00166"],"https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf":["1","12","15","16","5"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731":["4.3.3.2.2","4.3.3.5.1","4.3.3.5.2","4.3.3.6.1","4.3.3.6.2","4.3.3.6.3","4.3.3.6.4","4.3.3.6.5","4.3.3.6.6","4.3.3.6.7","4.3.3.6.8","4.3.3.6.9","4.3.3.7.2","4.3.3.7.4"],"https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785":["SR 1.1","SR 1.10","SR 1.2","SR 1.3","SR 1.4","SR 1.5","SR 1.7","SR 1.8","SR 1.9","SR 2.1"],"ISO 27001-2013":["A.18.1.4","A.7.1.1","A.9.2.1","A.9.2.2","A.9.2.3","A.9.2.4","A.9.2.6","A.9.3.1","A.9.4.2","A.9.4.3"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101476512" onclick="return openRuleDetailsDialog('idm45342101476512')">Configure SSSD to Expire Offline Credentials</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_rng" class="rule-overview-inner-node rule-overview-inner-node-id-xccdf_org.ssgproject.content_group_rng" data-tt-parent-id="xccdf_org.ssgproject.content_group_services"><td colspan="3" style="padding-left: 38px">Hardware RNG Entropy Gatherer Daemon<script>$(document).ready(function(){$('.treetable').treetable("collapseNode","xccdf_org.ssgproject.content_group_rng");});</script></td></tr><tr 
data-tt-id="xccdf_org.ssgproject.content_rule_service_rngd_enabled" class="rule-overview-leaf rule-overview-leaf-pass rule-overview-leaf-id-xccdf_org.ssgproject.content_rule_service_rngd_enabled" id="rule-overview-leaf-idm45342101465696" data-tt-parent-id="xccdf_org.ssgproject.content_group_rng" data-references='{"https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os":["SRG-OS-000480-GPOS-00227"],"https://www.niap-ccevs.org/Profile/PP.cfm":["FCS_RBG_EXT.1"]}'><td style="padding-left: 57px"><a href="#rule-detail-idm45342101465696" onclick="return openRuleDetailsDialog('idm45342101465696')">Enable the Hardware RNG Entropy Gatherer Service</a></td><td class="rule-severity" style="text-align: center">medium</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr></tbody></table></div><div class="js-only hidden-print"><button type="button" class="btn btn-info" onclick="return toggleResultDetails(this)">Show all result details</button></div><div id="result-details"><h2>Result Details</h2><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_sudo_installed" id="rule-detail-idm45342104873488"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install sudo Packagexccdf_org.ssgproject.content_rule_package_sudo_installed mediumCCE-82214-8 </div><div class="panel-heading"><h3 class="panel-title">Install sudo Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_sudo_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_sudo_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82214-8">CCE-82214-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>sudo</code> package can be installed with the following command: <pre> $ sudo yum install sudo</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>sudo</code> is a program designed to allow a system administrator to give limited root privileges to users and log root activity. 
The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package sudo is installed</span> <span class="label label-default">oval:ssg-test_package_sudo_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>sudo</td><td>x86_64</td><td>(none)</td><td>5.el8</td><td>1.8.29</td><td>0:1.8.29-5.el8</td><td>199e2f91fd431d51</td><td>sudo-0:1.8.29-5.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var_log" id="rule-detail-idm45342104860320"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /var/log Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log mediumCCE-80853-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var/log Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var_log</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_var_log:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80853-5">CCE-80853-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R12)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R47)</a>, <a href="">1.1.11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">APO11.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA02.01</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>System logs are stored in the <code>/var/log</code> directory. 
Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Placing <code>/var/log</code> in its own partition enables better separation between log files and other files in <code>/var/</code>.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/var/log on own partition</span> <span class="label label-default">oval:ssg-test_var_log_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log</td><td>/dev/mapper/ovirt-log</td><td>04ffc7a2-ee25-4207-a1ca-33a1ef8f9021</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">2618880</td><td role="num">26815</td><td role="num">2592065</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" id="rule-detail-idm45342104856672"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit lowCCE-80854-3 </div><div class="panel-heading"><h3 
class="panel-title">Ensure /var/log/audit Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var_log_audit</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_var_log_audit:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80854-3">CCE-80854-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">1.1.12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO11.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000341-VMM-001220</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Audit logs are stored in the <code>/var/log/audit</code> directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. 
Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Placing <code>/var/log/audit</code> in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/var/log/audit on own partition</span> <span class="label label-default">oval:ssg-test_var_log_audit_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log/audit</td><td>/dev/mapper/ovirt-audit</td><td>3b01f699-5c60-4a28-8941-ddc1a0828164</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10105</td><td role="num">249479</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_home" id="rule-detail-idm45342104850624"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure /home Located On Separate 
Partitionxccdf_org.ssgproject.content_rule_partition_for_home lowCCE-81044-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure /home Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_home</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_home:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81044-0">CCE-81044-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R12)</a>, <a href="">1.1.13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001208</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If user home directories will be stored locally, create a separate partition for <code>/home</code> at installation time (or migrate it later using LVM). 
If <code>/home</code> will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Ensuring that <code>/home</code> is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/home on own partition</span> <span class="label label-default">oval:ssg-test_home_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/home</td><td>/dev/mapper/ovirt-home</td><td>934099b3-b298-4e85-a731-17c9495a92ac</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10084</td><td role="num">249500</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_partition_for_var" id="rule-detail-idm45342104845248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report 
rules-->Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var lowCCE-80852-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure /var Located On Separate Partition</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_partition_for_var</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-partition_for_var:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80852-7">CCE-80852-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R12)</a>, <a href="">1.1.6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000341-VMM-001220</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>/var</code> directory is used by daemons and other system services to store frequently-changing data. Ensure that <code>/var</code> has its own partition or logical volume at installation time, or migrate it using LVM.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Ensuring that <code>/var</code> is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. 
It is not uncommon for the <code>/var</code> directory to contain world-writable directories installed by other software packages.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/var on own partition</span> <span class="label label-default">oval:ssg-test_var_partition:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var</td><td>/dev/mapper/ovirt-var</td><td>64bf7634-bdbb-40e1-a2b8-0b7865630c92</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">5240320</td><td role="num">82432</td><td role="num">5157888</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_encrypt_partitions" id="rule-detail-idm45342104841600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Encrypt Partitionsxccdf_org.ssgproject.content_rule_encrypt_partitions highCCE-80789-1 </div><div class="panel-heading"><h3 class="panel-title">Encrypt Partitions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_encrypt_partitions</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80789-1">CCE-80789-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI02.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI06.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS04.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.16</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001199</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002475</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002476</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(b)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000405-GPOS-00184</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000185-GPOS-00079</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000404-GPOS-00183</a>, <a href="">SRG-OS-000404-VMM-001650</a>, <a href="">SRG-OS-000405-VMM-001660</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Red Hat Enterprise Linux 8 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. <br><br> For manual installations, select the <code>Encrypt</code> checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. <br><br> For automated/unattended installations, it is possible to use Kickstart by adding the <code>--encrypted</code> and <code>--passphrase=</code> options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: <pre>part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=<i>PASSPHRASE</i></pre> Any <i>PASSPHRASE</i> is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. 
Omitting the <code>--passphrase=</code> option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. <br><br> By default, the <code>Anaconda</code> installer uses <code>aes-xts-plain64</code> cipher with a minimum <code>512</code> bit key size which should be compatible with FIPS enabled. <br><br> Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 8 Documentation web site:<br> <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html</a>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed" id="rule-detail-idm45342104836864"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install dnf-automatic Packagexccdf_org.ssgproject.content_rule_package_dnf-automatic_installed mediumCCE-82985-3 </div><div class="panel-heading"><h3 class="panel-title">Install dnf-automatic Package</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_dnf-automatic_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_dnf-automatic_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:07</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82985-3">CCE-82985-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>dnf-automatic</code> package can be installed with the following command: <pre> $ sudo yum install dnf-automatic</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>dnf-automatic</code> is an alternative command line interface (CLI) to <code>dnf upgrade</code> suitable for automatic, regular execution.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Error: There are no enabled repositories in "/etc/yum.repos.d", "/etc/yum/repos.d", "/etc/distro.repos.d". 
</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161795984" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161795984"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
if ! rpm -q --quiet "dnf-automatic" ; then
    yum install -y "dnf-automatic"
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161793904" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161793904"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
  package:
    name: dnf-automatic
    state: present
  tags:
    - package_dnf-automatic_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82985-3
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161791616" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br></br><div class="panel-collapse 
collapse" id="idm45342161791616"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic

class install_dnf-automatic {
  package { 'dnf-automatic':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161789472" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161789472"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> package --add=dnf-automatic </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package dnf-automatic is installed</span> <span class="label label-default">oval:ssg-test_package_dnf-automatic_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_dnf-automatic_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>dnf-automatic</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" 
id="rule-detail-idm45342104829040"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure Red Hat GPG Key Installedxccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed highCCE-80795-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure Red Hat GPG Key Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_redhat_gpgkey_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:07</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80795-8">CCE-80795-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R15)</a>, <a href="">1.2.3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI06.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run: <pre>$ sudo subscription-manager register</pre> If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in <code>/media/cdrom</code>, use the following command as the root user to import it into the keyring: <pre>$ sudo rpm --import /media/cdrom/RPM-GPG-KEY</pre> Alternatively, the key may be pre-loaded during the RHEL installation. 
In such cases, the key can be installed by running the following command: <pre>sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">gpg: directory '/root/.gnupg' created gpg: keybox '/root/.gnupg/pubring.kbx' created gpg: /root/.gnupg/trustdb.gpg: trustdb created </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label 
label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>25.0.el8rhgs</td><td>8.2</td><td>0:8.2-25.0.el8rhgs</td><td>0</td><td>redhat-release-0:8.2-25.0.el8rhgs.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>25.0.el8rhgs</td><td>8.2</td><td>0:8.2-25.0.el8rhgs</td><td>0</td><td>redhat-release-0:8.2-25.0.el8rhgs.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-coreos is version 8</span> <span class="label label-default">oval:ssg-test_rhel8_coreos:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel8_coreos:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.\d+\.\d+ \([\w\s]+\)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-coreos is version 8</span> <span class="label label-default">oval:ssg-test_rhel8_coreos:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel8_coreos:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.\d+\.\d+ \([\w\s]+\)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type 
<strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span 
class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>25.0.el8rhgs</td><td>8.2</td><td>0:8.2-25.0.el8rhgs</td><td>0</td><td>redhat-release-0:8.2-25.0.el8rhgs.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>25.0.el8rhgs</td><td>8.2</td><td>0:8.2-25.0.el8rhgs</td><td>0</td><td>redhat-release-0:8.2-25.0.el8rhgs.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-coreos is version 8</span> <span class="label label-default">oval:ssg-test_rhel8_coreos:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel8_coreos:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.\d+\.\d+ \([\w\s]+\)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-coreos is version 8</span> <span class="label label-default">oval:ssg-test_rhel8_coreos:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel8_coreos:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.\d+\.\d+ \([\w\s]+\)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type 
<strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Red Hat release key package is installed</span> <span class="label label-default">oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_package_gpg-pubkey:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>gpg-pubkey</td></tr></tbody></table><h4><span class="label label-primary">Red Hat auxiliary key package is installed</span> <span class="label label-default">oval:ssg-test_package_gpgkey-d4082792-5b32db75_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_package_gpg-pubkey:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>gpg-pubkey</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" id="rule-detail-idm45342104821728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled for All yum Package Repositoriesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled highCCE-80792-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for All yum Package Repositories</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_never_disabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful 
identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80792-5">CCE-80792-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R15)</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI06.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure signature checking is not disabled for any repos, remove any lines from files in <code>/etc/yum.repos.d</code> of the form: <pre>gpgcheck=0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Verifying the authenticity of the 
software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for existence of gpgcheck=0 in /etc/yum.repos.d/ files</span> <span class="label label-default">oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/yum.repos.d</td><td>.*</td><td>^\s*gpgcheck\s*=\s*0\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="rule-detail-idm45342104818048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure dnf-automatic to Install Available Updates Automaticallyxccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates mediumCCE-82494-6 </div><div class="panel-heading"><h3 class="panel-title">Configure dnf-automatic to Install Available Updates Automatically</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td 
class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-dnf-automatic_apply_updates:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:07</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82494-6">CCE-82494-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure that the packages comprising the available updates will be automatically installed by 
<code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of apply_updates setting in the /etc/dnf/automatic.conf file</span> <span class="label label-default">oval:ssg-test_dnf-automatic_apply_updates:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_dnf-automatic_apply_updates:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/dnf/automatic.conf</td><td>^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*apply_updates[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_apply_updates</span> <span class="label label-default">oval:ssg-test_dnf-automatic_apply_updates_config_file_exists:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="The configuration file /etc/dnf/automatic.conf for dnf-automatic_apply_updates">oval:ssg-obj_dnf-automatic_apply_updates_config_file:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>^/etc/dnf/automatic.conf</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" id="rule-detail-idm45342104812048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled for Local Packagesxccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages highCCE-80791-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled for Local Packages</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human 
auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_local_packages:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:07</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80791-7">CCE-80791-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R15)</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description"><p><code>yum</code> should be configured to verify the signature(s) of local packages prior to installation. To configure <code>yum</code> to verify signatures of local packages, set the <code>localpkg_gpgcheck</code> to <code>1</code> in <code>/etc/yum.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor. <br><br> Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check value of localpkg_gpgcheck in /etc/yum.conf</span> <span class="label label-default">oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have 
been found conforming to the following objects:</h5><h5>Object <strong><abbr title="localpkg_gpgcheck set in /etc/yum.conf">oval:ssg-object_yum_ensure_gpgcheck_local_packages:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/yum.conf</td><td>^\s*localpkg_gpgcheck\s*=\s*(1|True|yes)\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" id="rule-detail-idm45342104800992"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gpgcheck Enabled In Main yum Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-80790-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure gpgcheck Enabled In Main yum Configuration</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-ensure_gpgcheck_globally_activated:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80790-9">CCE-80790-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R15)</a>, <a href="">1.2.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI06.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001749</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-12(10)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-6.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a>, <a href="">SRG-OS-000366-VMM-001430</a>, <a href="">SRG-OS-000370-VMM-001460</a>, <a href="">SRG-OS-000404-VMM-001650</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>gpgcheck</code> option controls whether RPM packages' signatures are always checked prior to installation. 
To configure yum to check package signatures before installing them, ensure the following line appears in <code>/etc/yum.conf</code> in the <code>[main]</code> section: <pre>gpgcheck=1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. <br> Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. <br>Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check value of gpgcheck in /etc/yum.conf</span> <span class="label label-default">oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/yum.conf</td><td>gpgcheck=1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only" 
id="rule-detail-idm45342104797312"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure dnf-automatic to Install Only Security Updatesxccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only lowCCE-82267-6 </div><div class="panel-heading"><h3 class="panel-title">Configure dnf-automatic to Install Only Security Updates</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-dnf-automatic_security_updates_only:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:07</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82267-6">CCE-82267-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure <code>dnf-automatic</code> to install only security updates automatically, set <code>upgrade_type</code> to <code>security</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By default, <code>dnf-automatic</code> installs all available updates. 
Reducing the amount of updated packages only to updates that were issued as a part of a security advisory increases the system stability.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of upgrade_type setting in the /etc/dnf/automatic.conf file</span> <span class="label label-default">oval:ssg-test_dnf-automatic_security_updates_only:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_dnf-automatic_security_updates_only:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/dnf/automatic.conf</td><td>^\s*\[commands\].*(?:\n\s*[^[\s].*)*\n^\s*upgrade_type[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">The configuration file /etc/dnf/automatic.conf exists for dnf-automatic_security_updates_only</span> <span class="label label-default">oval:ssg-test_dnf-automatic_security_updates_only_config_file_exists:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr title="The configuration file /etc/dnf/automatic.conf for dnf-automatic_security_updates_only">oval:ssg-obj_dnf-automatic_security_updates_only_config_file:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>^/etc/dnf/automatic.conf</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_clean_components_post_updating" id="rule-detail-idm45342104791296"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure yum Removes Previous Package Versionsxccdf_org.ssgproject.content_rule_clean_components_post_updating lowCCE-82476-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure yum Removes Previous Package Versions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_clean_components_post_updating</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-clean_components_post_updating:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82476-3">CCE-82476-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">20</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO12.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO12.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO12.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO12.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002617</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.18.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.18.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.RA-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-12</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000437-GPOS-00194</a>, <a href="">SRG-OS-000437-VMM-001760</a></p></td></tr><tr><td>Description</td><td><div class="description"><p><code>yum</code> should be configured to remove previous software components after new versions have been installed. 
To configure <code>yum</code> to remove the previous software components after updating, set the <code>clean_requirements_on_remove</code> to <code>1</code> in <code>/etc/yum.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check value of clean_requirements_on_remove in /etc/yum.conf</span> <span class="label label-default">oval:ssg-test_yum_clean_components_post_updating:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/yum.conf</td><td>clean_requirements_on_remove=True</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled" id="rule-detail-idm45342104787616"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable dnf-automatic Timerxccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled mediumCCE-82360-9 </div><div class="panel-heading"><h3 class="panel-title">Enable dnf-automatic Timer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_timer_dnf-automatic_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine 
could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-timer_dnf-automatic_enabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:07</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82360-9">CCE-82360-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-2(c)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> The <code>dnf-automatic</code> timer can be enabled with the following command: <pre>$ sudo systemctl enable dnf-automatic.timer</pre></p></div></td></tr><tr><td>Rationale</td><td><div 
class="rationale"><p>The <code>dnf-automatic</code> is an alternative command line interface (CLI) to <code>dnf upgrade</code> with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar. The tool is controlled by <code>dnf-automatic.timer</code> SystemD timer.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to start dnf-automatic.timer: Unit dnf-automatic.timer not found. Failed to enable unit: Unit file dnf-automatic.timer does not exist. 
</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161417280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161417280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'dnf-automatic.timer'
"$SYSTEMCTL_EXEC" enable 'dnf-automatic.timer'
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161415152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161415152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable timer dnf-automatic
  block:

    - name: Gather the package facts
      package_facts:
        manager: auto

    - name: Enable timer dnf-automatic
      systemd:
        name: dnf-automatic.timer
        enabled: 'yes'
        state: started
      when:
        - '"dnf-automatic" in ansible_facts.packages'
  tags:
    - timer_dnf-automatic_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82360-9
    - NIST-800-53-SI-2(5)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-2(c)
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package dnf-automatic is installed</span> <span class="label label-default">oval:ssg-test_package_dnf-automatic_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_dnf-automatic_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>dnf-automatic</td></tr></tbody></table><h4><span class="label label-primary">Test that the dnf-automatic timer is running</span> <span class="label label-default">oval:ssg-test_timer_running_dnf-automatic:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of dnf-automatic">oval:ssg-obj_timer_running_dnf-automatic:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>dnf-automatic\.timer</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_dnf-automatic:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td
>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" id="rule-detail-idm45342104775008"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install openscap-scanner Packagexccdf_org.ssgproject.content_rule_package_openscap-scanner_installed mediumCCE-82220-5 </div><div class="panel-heading"><h3 class="panel-title">Install openscap-scanner Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed</td></tr><tr><td>Result</td><td 
class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_openscap-scanner_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82220-5">CCE-82220-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>openscap-scanner</code> package can be installed with the following command: <pre> $ sudo yum install openscap-scanner</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>openscap-scanner</code> contains the <code>oscap</code> command line tool. 
This tool is a configuration and vulnerability scanner, capable of performing compliance checking using SCAP content.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package openscap-scanner is installed</span> <span class="label label-default">oval:ssg-test_package_openscap-scanner_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openscap-scanner</td><td>x86_64</td><td>(none)</td><td>6.el8</td><td>1.3.2</td><td>0:1.3.2-6.el8</td><td>0</td><td>openscap-scanner-0:1.3.2-6.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed" id="rule-detail-idm45342104771328"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install scap-security-guide Packagexccdf_org.ssgproject.content_rule_package_scap-security-guide_installed mediumCCE-82949-9 </div><div class="panel-heading"><h3 class="panel-title">Install scap-security-guide Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_scap-security-guide_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82949-9">CCE-82949-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>scap-security-guide</code> package can be installed with the following command: <pre> $ sudo yum install scap-security-guide</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>scap-security-guide</code> package provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The SCAP Security Guide project bridges the gap between generalized policy requirements and specific implementation guidelines. 
A system administrator can use the <code>oscap</code> CLI tool from the <code>openscap-scanner</code> package, or the SCAP Workbench GUI tool from the <code>scap-workbench</code> package, to verify that the system conforms to provided guidelines. Refer to the scap-security-guide(8) manual page for further information.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package scap-security-guide is installed</span> <span class="label label-default">oval:ssg-test_package_scap-security-guide_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>scap-security-guide</td><td>noarch</td><td>(none)</td><td>1.el8ev</td><td>0.1.48</td><td>0:0.1.48-1.el8ev</td><td>0</td><td>scap-security-guide-0:0.1.48-1.el8ev.noarch</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed" id="rule-detail-idm45342104767648"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install dnf-plugin-subscription-manager Packagexccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed mediumCCE-82315-3 </div><div class="panel-heading"><h3 class="panel-title">Install dnf-plugin-subscription-manager Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_package_dnf-plugin-subscription-manager_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_dnf-plugin-subscription-manager_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82315-3">CCE-82315-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>dnf-plugin-subscription-manager</code> package can be installed with the following command: <pre> $ sudo yum install dnf-plugin-subscription-manager</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>This package provides plugins to interact with repositories and subscriptions from the Red Hat entitlement platform; contains subscription-manager and product-id plugins.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details 
taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package dnf-plugin-subscription-manager is installed</span> <span class="label label-default">oval:ssg-test_package_dnf-plugin-subscription-manager_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>dnf-plugin-subscription-manager</td><td>x86_64</td><td>(none)</td><td>1.el8_2</td><td>1.26.17</td><td>0:1.26.17-1.el8_2</td><td>199e2f91fd431d51</td><td>dnf-plugin-subscription-manager-0:1.26.17-1.el8_2.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed" id="rule-detail-idm45342104763936"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure gnutls-utils is installedxccdf_org.ssgproject.content_rule_package_gnutls-utils_installed mediumCCE-82395-5 </div><div class="panel-heading"><h3 class="panel-title">Ensure gnutls-utils is installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_gnutls-utils_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82395-5">CCE-82395-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>gnutls-utils</code> package can be installed with the following command: <pre> $ sudo yum install gnutls-utils</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. 
This package contains command line TLS client and server and certificate manipulation tools.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package gnutls-utils is installed</span> <span class="label label-default">oval:ssg-test_package_gnutls-utils_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gnutls-utils</td><td>x86_64</td><td>(none)</td><td>10.el8_2</td><td>3.6.8</td><td>0:3.6.8-10.el8_2</td><td>0</td><td>gnutls-utils-0:3.6.8-10.el8_2.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rng-tools_installed" id="rule-detail-idm45342104757888"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install rng-tools Packagexccdf_org.ssgproject.content_rule_package_rng-tools_installed mediumCCE-82968-9 </div><div class="panel-heading"><h3 class="panel-title">Install rng-tools Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rng-tools_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_rng-tools_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82968-9">CCE-82968-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>rng-tools</code> package can be installed with the following command: <pre> $ sudo yum install rng-tools</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>rng-tools</code> provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rng-tools is installed</span> <span class="label label-default">oval:ssg-test_package_rng-tools_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>rng-tools</td><td>x86_64</td><td>(none)</td><td>3.el8</td><td>6.8</td><td>0:6.8-3.el8</td><td>199e2f91fd431d51</td><td>rng-tools-0:6.8-3.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_subscription-manager_installed" id="rule-detail-idm45342104754208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install subscription-manager Packagexccdf_org.ssgproject.content_rule_package_subscription-manager_installed mediumCCE-82316-1 </div><div class="panel-heading"><h3 class="panel-title">Install subscription-manager Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_subscription-manager_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_subscription-manager_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82316-1">CCE-82316-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>subscription-manager</code> package can be installed with the following command: <pre> $ sudo yum install subscription-manager</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Red Hat Subscription Manager is a local service which tracks installed products and subscriptions on a local system to help manage subscription assignments. 
It communicates with the backend subscription service (the Customer Portal or an on-premise server such as Subscription Asset Manager) and works with content management tools such as yum.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package subscription-manager is installed</span> <span class="label label-default">oval:ssg-test_package_subscription-manager_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>subscription-manager</td><td>x86_64</td><td>(none)</td><td>1.el8_2</td><td>1.26.17</td><td>0:1.26.17-1.el8_2</td><td>199e2f91fd431d51</td><td>subscription-manager-0:1.26.17-1.el8_2.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_package_nss-tools_installed" id="rule-detail-idm45342104750512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure nss-tools is installedxccdf_org.ssgproject.content_rule_package_nss-tools_installed mediumCCE-82396-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure nss-tools is installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_nss-tools_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could 
not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_nss-tools_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:08</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82396-3">CCE-82396-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nss-tools</code> package can be installed with the following command: <pre> $ sudo yum install nss-tools</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. 
Install the <code>nss-tools</code> package to install command-line tools to manipulate the NSS certificate and key database.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Error: There are no enabled repositories in "/etc/yum.repos.d", "/etc/yum/repos.d", "/etc/distro.repos.d". </message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161206208" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161206208"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>if ! rpm -q --quiet "nss-tools" ; then
    yum install -y "nss-tools"
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161204128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161204128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure nss-tools is installed
  package:
    name: nss-tools
    state: present
  tags:
    - package_nss-tools_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82396-3
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161201856" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161201856"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_nss-tools

class install_nss-tools {
  package { 'nss-tools':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161199728" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161199728"><table class="table table-striped table-bordered 
table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> package --add=nss-tools </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package nss-tools is installed</span> <span class="label label-default">oval:ssg-test_package_nss-tools_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_nss-tools_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>nss-tools</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_package_libcap-ng-utils_installed" id="rule-detail-idm45342104740352"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install libcap-ng-utils Packagexccdf_org.ssgproject.content_rule_package_libcap-ng-utils_installed mediumCCE-82979-6 </div><div class="panel-heading"><h3 class="panel-title">Install libcap-ng-utils Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_libcap-ng-utils_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_libcap-ng-utils_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82979-6">CCE-82979-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>libcap-ng-utils</code> package can be installed with the following command: <pre> $ sudo yum install libcap-ng-utils</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>libcap-ng-utils</code> contains applications to analyze the POSIX capabilities of all the programs running on a system. 
<code>libcap-ng-utils</code> also lets system operators set the file system based capabilities.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Error: There are no enabled repositories in "/etc/yum.repos.d", "/etc/yum/repos.d", "/etc/distro.repos.d". </message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161167024" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161167024"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>if ! rpm -q --quiet "libcap-ng-utils" ; then
    yum install -y "libcap-ng-utils"
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161164944" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161164944"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libcap-ng-utils is installed
  package:
    name: libcap-ng-utils
    state: present
  tags:
    - package_libcap-ng-utils_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82979-6
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161162656" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161162656"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libcap-ng-utils

class install_libcap-ng-utils {
  package { 'libcap-ng-utils':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342161160512" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342161160512"><table class="table table-striped 
table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> package --add=libcap-ng-utils </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package libcap-ng-utils is installed</span> <span class="label label-default">oval:ssg-test_package_libcap-ng-utils_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_libcap-ng-utils_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>libcap-ng-utils</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-python_removed" id="rule-detail-idm45342104732576"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall abrt-addon-python Packagexccdf_org.ssgproject.content_rule_package_abrt-addon-python_removed lowCCE-82923-4 </div><div class="panel-heading"><h3 class="panel-title">Uninstall abrt-addon-python Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_abrt-addon-python_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_abrt-addon-python_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82923-4">CCE-82923-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>abrt-addon-python</code> package can be removed with the following command: <pre> $ sudo yum erase abrt-addon-python</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>abrt-addon-python</code> contains python hook and python analyzer plugin for handling uncaught exceptions in python programs.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package abrt-addon-python is removed</span> <span class="label label-default">oval:ssg-test_package_abrt-addon-python_removed:tst:1</span> <span class="label 
label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_abrt-addon-python_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>abrt-addon-python</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed" id="rule-detail-idm45342104728896"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall abrt-plugin-logger Packagexccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed lowCCE-82913-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall abrt-plugin-logger Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_abrt-plugin-logger_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_abrt-plugin-logger_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82913-5">CCE-82913-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>abrt-plugin-logger</code> package can be removed with the following command: <pre> $ sudo yum erase abrt-plugin-logger</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>abrt-plugin-logger</code> is an ABRT plugin which writes a report to a specified file.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package abrt-plugin-logger is removed</span> <span class="label label-default">oval:ssg-test_package_abrt-plugin-logger_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_abrt-plugin-logger_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>abrt-plugin-logger</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed" 
id="rule-detail-idm45342104722832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall abrt-addon-kerneloops Packagexccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed lowCCE-82926-7 </div><div class="panel-heading"><h3 class="panel-title">Uninstall abrt-addon-kerneloops Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_abrt-addon-kerneloops_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82926-7">CCE-82926-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>abrt-addon-kerneloops</code> package can be removed with the following command: <pre> $ sudo yum erase abrt-addon-kerneloops</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>abrt-addon-kerneloops</code> contains plugins for collecting kernel crash information and reporter plugin which sends this information to a specified server, usually to kerneloops.org.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package abrt-addon-kerneloops is removed</span> <span class="label label-default">oval:ssg-test_package_abrt-addon-kerneloops_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_abrt-addon-kerneloops_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>abrt-addon-kerneloops</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default 
rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_abrt-cli_removed" id="rule-detail-idm45342104719152"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall abrt-cli Packagexccdf_org.ssgproject.content_rule_package_abrt-cli_removed lowCCE-82907-7 </div><div class="panel-heading"><h3 class="panel-title">Uninstall abrt-cli Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_abrt-cli_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_abrt-cli_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82907-7">CCE-82907-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>abrt-cli</code> package can be removed with the following command: <pre> $ sudo yum erase abrt-cli</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>abrt-cli</code> contains a command line client for controlling abrt daemon over sockets.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package abrt-cli is removed</span> <span class="label label-default">oval:ssg-test_package_abrt-cli_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_abrt-cli_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>abrt-cli</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_package_gssproxy_removed" id="rule-detail-idm45342104715488"><div class="keywords sr-only"><!--This 
allows OpenSCAP JS to search the report rules-->Uninstall gssproxy Packagexccdf_org.ssgproject.content_rule_package_gssproxy_removed lowCCE-82943-2 </div><div class="panel-heading"><h3 class="panel-title">Uninstall gssproxy Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_gssproxy_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_gssproxy_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:19:38</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82943-2">CCE-82943-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>gssproxy</code> package can be removed with the following command: <pre> $ sudo yum erase gssproxy</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>gssproxy</code> is a proxy for GSS API credential handling.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Dependencies resolved. 
================================================================================
 Package              Arch      Version          Repository            Size
================================================================================
Removing:
 gssproxy             x86_64    0.8.0-15.el8     @anaconda            266 k
Removing dependent packages:
 rhvm-branding-rhv    noarch    4.4.3-1.el8ev    @koji-override-1     364 k
Removing unused dependencies:
openstack-java-quantum-client noarch 3.2.8-1.el8ev @koji-override-1 44 k openstack-java-quantum-model noarch 3.2.8-1.el8ev @koji-override-1 39 k openstack-java-resteasy-connector noarch 3.2.8-1.el8ev @koji-override-1 27 k ovirt-ansible-cluster-upgrade noarch 1.2.2-1.el8ev @koji-override-1 28 k ovirt-ansible-disaster-recovery noarch 1.3.0-0.1.master.20200219155422.el8ev @koji-override-1 149 k ovirt-ansible-engine-setup noarch 1.2.4-1.el8ev @koji-override-1 32 k ovirt-ansible-hosted-engine-setup noarch 1.1.4-1.el8ev @koji-override-1 180 k ovirt-ansible-image-template noarch 1.2.2-1.el8ev @koji-override-1 35 k ovirt-ansible-infra noarch 1.2.1-1.el8ev @koji-override-1 93 k ovirt-ansible-manageiq noarch 1.2.1-2.el8ev @koji-override-1 47 k ovirt-ansible-repositories noarch 1.2.3-1.el8ev @koji-override-1 23 k ovirt-ansible-roles noarch 1.2.3-1.el8ev @koji-override-1 24 k ovirt-ansible-shutdown-env noarch 1.0.4-1.el8ev @koji-override-1 21 k ovirt-ansible-vm-infra noarch 1.2.3-1.el8ev @koji-override-1 59 k ovirt-cockpit-sso noarch 0.1.4-1.el8ev @koji-override-1 23 k ovirt-engine noarch 4.4.1.2-0.10.el8ev @koji-override-1 38 M ovirt-engine-api-explorer noarch 0.0.6-1.el8ev @koji-override-1 1.6 M ovirt-engine-backend noarch 4.4.1.2-0.10.el8ev @koji-override-1 8.1 M ovirt-engine-dbscripts noarch 4.4.1.2-0.10.el8ev @koji-override-1 1.6 M ovirt-engine-dwh noarch 4.4.0.2-1.el8ev @koji-override-1 3.0 M ovirt-engine-dwh-setup noarch 4.4.0.2-1.el8ev @koji-override-1 234 k ovirt-engine-extension-aaa-jdbc noarch 1.2.0-1.el8ev @koji-override-1 243 k ovirt-engine-metrics noarch 1.4.0.2-1.el8ev @koji-override-1 414 k ovirt-engine-restapi noarch 4.4.1.2-0.10.el8ev @koji-override-1 25 M ovirt-engine-setup noarch 4.4.1.2-0.10.el8ev @koji-override-1 671 ovirt-engine-setup-base noarch 4.4.1.2-0.10.el8ev @koji-override-1 319 k ovirt-engine-setup-plugin-cinderlib noarch 4.4.1.2-0.10.el8ev @koji-override-1 66 k ovirt-engine-setup-plugin-imageio noarch 4.4.1.2-0.10.el8ev @koji-override-1 15 k 
ovirt-engine-setup-plugin-ovirt-engine noarch 4.4.1.2-0.10.el8ev @koji-override-1 744 k ovirt-engine-setup-plugin-ovirt-engine-common noarch 4.4.1.2-0.10.el8ev @koji-override-1 377 k ovirt-engine-setup-plugin-vmconsole-proxy-helper noarch 4.4.1.2-0.10.el8ev @koji-override-1 60 k ovirt-engine-setup-plugin-websocket-proxy noarch 4.4.1.2-0.10.el8ev @koji-override-1 51 k ovirt-engine-tools noarch 4.4.1.2-0.10.el8ev @koji-override-1 450 k ovirt-engine-tools-backup noarch 4.4.1.2-0.10.el8ev @koji-override-1 73 k ovirt-engine-ui-extensions noarch 1.2.0-1.el8ev @koji-override-1 38 M ovirt-engine-vmconsole-proxy-helper noarch 4.4.1.2-0.10.el8ev @koji-override-1 16 k ovirt-engine-webadmin-portal noarch 4.4.1.2-0.10.el8ev @koji-override-1 292 M ovirt-engine-websocket-proxy noarch 4.4.1.2-0.10.el8ev @koji-override-1 36 k ovirt-imageio-common x86_64 2.0.6-0.el8ev @koji-override-1 463 k ovirt-imageio-daemon x86_64 2.0.6-0.el8ev @koji-override-1 4.4 k ovirt-log-collector noarch 4.4.1-3.el8ev @koji-override-1 153 k ovirt-vmconsole noarch 1.0.8-1.el8ev @koji-override-1 261 k ovirt-vmconsole-proxy noarch 1.0.8-1.el8ev @koji-override-1 36 k ovirt-web-ui noarch 1.6.2-1.el8ev @koji-override-1 70 M pango x86_64 1.42.4-6.el8 @koji-override-1 942 k pciutils x86_64 3.5.6-4.el8 @anaconda 220 k pki-servlet-4.0-api noarch 1:9.0.7-16.module+el8.1.0+3366+6dfb954c @koji-override-1 329 k postgresql x86_64 12.1-2.module+el8.1.1+4794+c82b6e09 @koji-override-1 5.7 M postgresql-contrib x86_64 12.1-2.module+el8.1.1+4794+c82b6e09 @koji-override-1 3.4 M postgresql-jdbc noarch 42.2.3-1.el8 @koji-override-1 747 k postgresql-server x86_64 12.1-2.module+el8.1.1+4794+c82b6e09 @koji-override-1 24 M publicsuffix-list noarch 20180723-1.el8 @anaconda 224 k python3-aniso8601 noarch 0.82-4.el8ost @koji-override-1 96 k python3-ansible-runner noarch 1.4.5-1.el8ar @koji-override-1 340 k python3-bcrypt x86_64 3.1.6-2.el8ev @koji-override-1 89 k python3-click noarch 6.7-8.el8 @koji-override-1 521 k python3-daemon 
noarch 2.1.2-9.el8ar @koji-override-1 106 k python3-dnf-plugin-versionlock noarch 4.0.12-3.el8 @anaconda 23 k python3-docutils noarch 0.14-12.module+el8.1.0+3334+5cb623d7 @koji-override-1 5.9 M python3-flask noarch 1:1.0.2-2.el8ost @koji-override-1 725 k python3-flask-restful noarch 0.3.6-8.el8ost @koji-override-1 299 k python3-itsdangerous noarch 0.24-14.el8 @koji-override-1 93 k python3-jmespath noarch 0.9.0-11.el8 @koji-override-1 117 k python3-lockfile noarch 1:0.11.0-8.el8ar @koji-override-1 81 k python3-lxml x86_64 4.2.3-1.el8 @koji-override-1 4.8 M python3-m2crypto x86_64 0.35.2-5.el8ev @koji-override-1 1.4 M python3-magic noarch 5.33-13.el8 @anaconda 19 k python3-mod_wsgi x86_64 4.6.4-4.el8 @koji-override-1 9.5 M python3-notario noarch 0.0.16-2.el8cp @koji-override-1 351 k python3-numpy x86_64 1:1.14.3-9.el8 @koji-override-1 16 M python3-ovirt-engine-lib noarch 4.4.1.2-0.10.el8ev @koji-override-1 54 k python3-ovirt-engine-sdk4 x86_64 4.4.3-1.el8ev @koji-override-1 5.5 M python3-ovirt-setup-lib noarch 1.3.0-1.el8ev @koji-override-1 48 k python3-paramiko noarch 2.4.3-2.el8ev @koji-override-1 1.2 M python3-passlib noarch 1.7.0-5.el8ost @koji-override-1 3.7 M python3-pexpect noarch 4.6-2.el8ost @koji-override-1 519 k python3-psutil x86_64 5.4.3-10.el8 @koji-override-1 2.0 M python3-psycopg2 x86_64 2.7.5-7.el8 @koji-override-1 544 k python3-ptyprocess noarch 0.5.2-4.el8 @koji-override-1 87 k python3-pwquality x86_64 1.4.0-9.el8 @anaconda 21 k python3-pyOpenSSL noarch 18.0.0-1.el8 @koji-override-1 545 k python3-pycurl x86_64 7.43.0.2-4.el8 @koji-override-1 767 k python3-pynacl x86_64 1.3.0-5.el8ev @koji-override-1 482 k python3-websocket-client noarch 0.54.0-1.el8ost @koji-override-1 176 k python3-websockify noarch 0.8.0-12.el8ev @koji-override-1 133 k python3-werkzeug noarch 0.16.0-1.el8ost @koji-override-1 2.1 M quota x86_64 1:4.04-10.el8 @anaconda 936 k quota-nls noarch 1:4.04-10.el8 @anaconda 277 k redhat-storage-logos-httpd noarch 81.1-1.el8rhgs 
@koji-override-1 3.3 k relaxngDatatype noarch 2011.1-7.module+el8.1.0+3366+6dfb954c @koji-override-1 30 k resteasy noarch 3.0.26-3.module+el8.1.0+3366+6dfb954c @koji-override-1 1.2 M rhv-log-collector-analyzer noarch 1.0.0-1.el8ev @koji-override-1 379 k rhvm noarch 4.4.1.2-0.10.el8ev @koji-override-1 671 rhvm-dependencies noarch 4.4.0-1.el8ev @koji-override-1 14 M rhvm-setup-plugins noarch 4.4.2-1.el8ev @koji-override-1 48 k rpcbind x86_64 1.2.5-7.el8 @anaconda 108 k rsyslog x86_64 8.1911.0-3.el8 @koji-override-1 2.3 M rsyslog-elasticsearch x86_64 8.1911.0-3.el8 @koji-override-1 49 k rsyslog-mmjsonparse x86_64 8.1911.0-3.el8 @koji-override-1 16 k rsyslog-mmnormalize x86_64 8.1911.0-3.el8 @koji-override-1 20 k scl-utils x86_64 1:2.0.2-12.el8 @koji-override-1 62 k sgml-common noarch 0.6.3-50.el8 @anaconda 168 k snmp4j noarch 2.4.1-1.el8ev @koji-override-1 532 k sos noarch 3.8-6.el8_2 @anaconda 1.5 M source-highlight x86_64 3.1.8-16.el8 @koji-override-1 3.2 M spice-client-win-x64 noarch 8.0-1.el8 @koji-override-1 53 M spice-client-win-x86 noarch 8.0-1.el8 @koji-override-1 51 M sshpass x86_64 1.06-3.el8ae @koji-override-1 40 k stax-ex noarch 1.7.7-8.module+el8.1.0+3366+6dfb954c @koji-override-1 80 k tcl x86_64 1:8.6.8-2.el8 @anaconda 4.2 M ttmkfdir x86_64 3.0.9-54.el8 @koji-override-1 128 k urw-base35-fonts noarch 20170801-10.el8 @koji-override-1 5.3 k urw-base35-standard-symbols-ps-fonts noarch 20170801-10.el8 @koji-override-1 44 k uuid x86_64 1.6.2-42.el8 @koji-override-1 126 k vdsm-jsonrpc-java noarch 1.5.4-1.el8ev @koji-override-1 145 k vim-filesystem noarch 2:8.0.1763-13.el8 @koji-override-1 40 ws-commons-util noarch 1.0.2-1.el8ev @koji-override-1 57 k xmlrpc-client noarch 3.1.3-1.el8ev @koji-override-1 68 k xmlrpc-common noarch 3.1.3-1.el8ev @koji-override-1 148 k xmlstreambuffer noarch 1.5.4-8.module+el8.1.0+3366+6dfb954c @koji-override-1 113 k xorg-x11-fonts-ISO8859-1-100dpi noarch 7.5-19.el8 @koji-override-1 1.0 M xorg-x11-fonts-Type1 noarch 7.5-19.el8 
Transaction Summary
=====================================================================================================================================
Remove 633 Packages
Freed space: 1.5 G
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Erasing : ovirt-engine-tools-4.4.1.2-0.10.el8ev.noarch 19/633
warning: file /var/run/ovirt-engine/notifier: remove failed: No such file or directory
338/633 Erasing : eap7-jboss-server-migration-wildfly12.0-1.7.1-5. 339/633 Erasing : eap7-jboss-server-migration-wildfly13.0-server-1 340/633 Erasing : eap7-jboss-server-migration-wildfly14.0-server-1 341/633 Erasing : eap7-jboss-server-migration-wildfly15.0-server-1 342/633 Erasing : eap7-jboss-server-migration-wildfly16.0-server-1 343/633 Erasing : eap7-jboss-server-migration-wildfly17.0-server-1 344/633 Erasing : eap7-jboss-server-migration-wildfly18.0-server-1 345/633 Erasing : eap7-jboss-servlet-api_4.0_spec-2.0.0-2.Final_re 346/633 Erasing : eap7-jboss-stdio-1.1.0-1.Final_redhat_00001.1.el 347/633 Erasing : eap7-jboss-threads-2.3.3-1.Final_redhat_00001.1. 348/633 Erasing : eap7-jboss-transaction-api_1.3_spec-2.0.0-3.Fina 349/633 Erasing : eap7-jboss-transaction-spi-7.6.0-2.Final_redhat_ 350/633 Erasing : eap7-jboss-vfs-3.2.15-1.Final_redhat_00001.1.el8 351/633 Erasing : eap7-jboss-websocket-api_1.1_spec-2.0.0-1.Final_ 352/633 Erasing : eap7-jboss-weld-3.1-api-weld-api-3.1.0-6.SP2_red 353/633 Erasing : eap7-jboss-weld-3.1-api-weld-spi-3.1.0-6.SP2_red 354/633 Erasing : eap7-jbossws-api-1.1.2-1.Final_redhat_00001.1.el 355/633 Erasing : eap7-jbossws-common-3.2.3-1.Final_redhat_00001.1 356/633 Erasing : eap7-jbossws-common-tools-1.3.2-1.Final_redhat_0 357/633 Erasing : eap7-jbossws-cxf-5.3.0-1.Final_redhat_00001.1.el 358/633 Erasing : eap7-jbossws-jaxws-undertow-httpspi-1.0.1-3.Fina 359/633 Erasing : eap7-jbossws-spi-3.2.3-1.Final_redhat_00001.1.el 360/633 Erasing : eap7-jcip-annotations-1.0.0-5.redhat_8.1.el8eap. 
361/633 Erasing : eap7-jettison-1.4.0-1.redhat_00001.1.el8eap.noar 362/633 Erasing : eap7-jgroups-kubernetes-1.0.13-1.Final_redhat_00 363/633 Erasing : eap7-jsch-0.1.54-7.redhat_00001.1.el8eap.noarch 364/633 Erasing : eap7-json-patch-1.9.0-1.redhat_00002.1.el8eap.no 365/633 Erasing : eap7-jsonb-spec-1.0.2-1.redhat_00001.1.el8eap.no 366/633 Erasing : eap7-jsoup-1.8.3-4.redhat_2.1.el8eap.noarch 367/633 Erasing : eap7-jul-to-slf4j-stub-1.0.1-7.Final_redhat_3.1. 368/633 Erasing : eap7-jzlib-1.1.1-7.redhat_00001.1.el8eap.noarch 369/633 Erasing : eap7-log4j-jboss-logmanager-1.2.0-1.Final_redhat 370/633 Erasing : eap7-microprofile-config-api-1.4.0-1.redhat_0000 371/633 Erasing : eap7-microprofile-health-2.2.0-1.redhat_00001.1. 372/633 Erasing : eap7-microprofile-metrics-api-2.3.0-1.redhat_000 373/633 Erasing : eap7-microprofile-opentracing-api-1.3.3-1.redhat 374/633 Erasing : eap7-microprofile-rest-client-api-1.4.0-1.redhat 375/633 Erasing : eap7-mod_cluster-1.4.1-1.Final_redhat_00001.1.el 376/633 Erasing : eap7-narayana-compensations-5.9.8-1.Final_redhat 377/633 Erasing : eap7-narayana-jbosstxbridge-5.9.8-1.Final_redhat 378/633 Erasing : eap7-narayana-jbossxts-5.9.8-1.Final_redhat_0000 379/633 Erasing : eap7-narayana-jts-idlj-5.9.8-1.Final_redhat_0000 380/633 Erasing : eap7-narayana-jts-integration-5.9.8-1.Final_redh 381/633 Erasing : eap7-narayana-restat-bridge-5.9.8-1.Final_redhat 382/633 Erasing : eap7-narayana-restat-integration-5.9.8-1.Final_r 383/633 Erasing : eap7-narayana-txframework-5.9.8-1.Final_redhat_0 384/633 Erasing : eap7-netty-xnio-transport-0.1.6-1.Final_redhat_0 385/633 Erasing : eap7-objectweb-asm-7.1.0-1.redhat_00001.1.el8eap 386/633 Erasing : eap7-okhttp-3.9.0-3.redhat_3.1.el8eap.noarch 387/633 Erasing : eap7-okio-1.13.0-2.redhat_3.1.el8eap.noarch 388/633 Erasing : eap7-opentracing-contrib-java-concurrent-0.2.1-1 389/633 Erasing : eap7-opentracing-contrib-java-jaxrs-0.4.1-1.redh 390/633 Erasing : eap7-opentracing-contrib-java-tracerresolver-0.1 
391/633 Erasing : eap7-opentracing-contrib-java-web-servlet-filter 392/633 Erasing : eap7-opentracing-interceptors-0.0.4-1.redhat_000 393/633 Erasing : eap7-opentracing-java-api-0.31.0-1.redhat_00008. 394/633 Erasing : eap7-opentracing-java-noop-0.31.0-1.redhat_00008 395/633 Erasing : eap7-opentracing-java-util-0.31.0-1.redhat_00008 396/633 Erasing : eap7-picketbox-5.0.3-7.Final_redhat_00006.1.el8e 397/633 Erasing : eap7-picketbox-commons-1.0.0-4.final_redhat_5.1. 398/633 Erasing : eap7-picketbox-infinispan-5.0.3-7.Final_redhat_0 399/633 Erasing : eap7-picketlink-wildfly8-2.5.5-23.SP12_redhat_00 400/633 Erasing : eap7-reactive-streams-1.0.2-2.redhat_1.1.el8eap. 401/633 Erasing : eap7-reactivex-rxjava-2.2.5-1.redhat_00001.1.el8 402/633 Erasing : eap7-relaxng-datatype-2.3.3-4.b02_redhat_00001.1 403/633 Erasing : eap7-resteasy-client-microprofile-3.11.2-3.Final 404/633 Erasing : eap7-resteasy-jackson2-provider-3.11.2-3.Final_r 405/633 Erasing : eap7-resteasy-json-binding-provider-3.11.2-3.Fin 406/633 Erasing : eap7-resteasy-json-p-provider-3.11.2-3.Final_red 407/633 Erasing : eap7-resteasy-validator-provider-11-3.11.2-3.Fin 408/633 Erasing : eap7-rngom-2.3.3-4.b02_redhat_00001.1.el8eap.noa 409/633 Erasing : eap7-slf4j-jboss-logmanager-1.0.4-1.GA_redhat_00 410/633 Erasing : eap7-smallrye-config-1.6.2-3.redhat_00004.1.el8e 411/633 Erasing : eap7-smallrye-health-2.2.0-1.redhat_00004.1.el8e 412/633 Erasing : eap7-smallrye-metrics-2.4.0-1.redhat_00004.1.el8 413/633 Erasing : eap7-smallrye-opentracing-1.3.4-1.redhat_00004.1 414/633 Erasing : eap7-snakeyaml-1.24.0-2.redhat_00001.1.el8eap.no 415/633 Erasing : eap7-stax-ex-1.7.8-1.redhat_00001.1.el8eap.noarc 416/633 Erasing : eap7-staxmapper-1.3.0-2.Final_redhat_1.1.el8eap. 417/633 Erasing : eap7-sun-saaj-1.3-impl-1.3.16-18.SP1_redhat_6.1. 418/633 Erasing : eap7-sun-saaj-1.4-impl-1.4.1-1.SP1_redhat_00001. 
419/633 Erasing : eap7-sun-ws-metadata-2.0-api-1.0.0-7.MR1_redhat_ 420/633 Erasing : eap7-thrift-0.13.0-1.redhat_00002.1.el8eap.noarc 421/633 Erasing : eap7-txw2-2.3.3-4.b02_redhat_00001.1.el8eap.noar 422/633 Erasing : eap7-undertow-2.0.30-3.SP3_redhat_00001.1.el8eap 423/633 Erasing : eap7-undertow-jastow-2.0.8-1.Final_redhat_00001. 424/633 Erasing : eap7-undertow-js-1.0.2-2.Final_redhat_1.1.el8eap 425/633 Erasing : eap7-undertow-server-1.6.1-1.Final_redhat_00001. 426/633 Erasing : eap7-velocity-engine-core-2.1.0-1.redhat_00001.1 427/633 Erasing : eap7-wildfly-elytron-tool-1.10.6-1.Final_redhat_ 428/633 Erasing : eap7-wildfly-http-client-common-1.0.20-1.Final_r 429/633 Erasing : eap7-wildfly-http-ejb-client-1.0.20-1.Final_redh 430/633 Erasing : eap7-wildfly-http-naming-client-1.0.20-1.Final_r 431/633 Erasing : eap7-wildfly-http-transaction-client-1.0.20-1.Fi 432/633 Erasing : eap7-wildfly-openssl-java-1.0.9-2.SP03_redhat_00 433/633 Erasing : eap7-ws-commons-XmlSchema-2.2.4-1.redhat_00001.1 434/633 Erasing : eap7-wsdl4j-1.6.3-13.redhat_2.1.el8eap.noarch 435/633 Erasing : eap7-xalan-j2-2.7.1-35.redhat_12.1.el8eap.noarch 436/633 Erasing : eap7-xml-resolver-1.2.0-7.redhat_12.1.el8eap.noa 437/633 Erasing : eap7-xsom-2.3.3-4.b02_redhat_00001.1.el8eap.noar 438/633 Erasing : eap7-yasson-1.0.5-1.redhat_00001.1.el8eap.noarch 439/633 Erasing : ovirt-ansible-engine-setup-1.2.4-1.el8ev.noarch 440/633 Erasing : ovirt-ansible-image-template-1.2.2-1.el8ev.noarc 441/633 Erasing : ovirt-engine-setup-plugin-websocket-proxy-4.4.1. 442/633 Erasing : ovirt-engine-setup-plugin-ovirt-engine-common-4. 
443/633 Erasing : ovirt-engine-setup-base-4.4.1.2-0.10.el8ev.noarc 444/633 Erasing : python3-ovirt-engine-lib-4.4.1.2-0.10.el8ev.noar 445/633 Erasing : python3-paramiko-2.4.3-2.el8ev.noarch 446/633 Erasing : jboss-logging-tools-2.0.1-6.el8.noarch 447/633 Erasing : ansible-runner-1.4.5-1.el8ar.noarch 448/633 Erasing : python3-ansible-runner-1.4.5-1.el8ar.noarch 449/633 Erasing : python3-daemon-2.1.2-9.el8ar.noarch 450/633 Erasing : python3-pexpect-4.6-2.el8ost.noarch 451/633 Erasing : ovirt-ansible-cluster-upgrade-1.2.2-1.el8ev.noar 452/633 Erasing : ovirt-ansible-disaster-recovery-1.3.0-0.1.master 453/633 Erasing : ovirt-ansible-infra-1.2.1-1.el8ev.noarch 454/633 Erasing : ovirt-ansible-manageiq-1.2.1-2.el8ev.noarch 455/633 Erasing : ovirt-ansible-repositories-1.2.3-1.el8ev.noarch 456/633 Erasing : ovirt-ansible-shutdown-env-1.0.4-1.el8ev.noarch 457/633 Erasing : ansible-2.9.9-1.el8ae.noarch 458/633 Erasing : ovirt-cockpit-sso-0.1.4-1.el8ev.noarch 459/633 warning: /usr/share/ovirt-cockpit-sso/config/cockpit/cockpit.conf saved as /usr/share/ovirt-cockpit-sso/config/cockpit/cockpit.conf.rpmsave Running scriptlet: ovirt-cockpit-sso-0.1.4-1.el8ev.noarch 459/633 rm: cannot remove '/usr/share/ovirt-cockpit-sso/config/cockpit/ws-certs.d': No such file or directory rm: cannot remove '/usr/share/ovirt-cockpit-sso/ca.pem': No such file or directory Warning: NOT_ENABLED: 9986:tcp Running scriptlet: ovirt-imageio-daemon-2.0.6-0.el8ev.x86_64 460/633 Erasing : ovirt-imageio-daemon-2.0.6-0.el8ev.x86_64 460/633 Running scriptlet: ovirt-imageio-daemon-2.0.6-0.el8ev.x86_64 460/633 Erasing : postgresql-jdbc-42.2.3-1.el8.noarch 461/633 Erasing : ongres-scram-client-1.0.0~beta.2-5.el8.noarch 462/633 Erasing : python3-mod_wsgi-4.6.4-4.el8.x86_64 463/633 Erasing : snmp4j-2.4.1-1.el8ev.noarch 464/633 Erasing : engine-db-query-1.5.0-1.el8ev.noarch 465/633 Running scriptlet: log4j12-1.2.17-22.el8ev.noarch 466/633 Erasing : log4j12-1.2.17-22.el8ev.noarch 466/633 Running scriptlet: 
log4j12-1.2.17-22.el8ev.noarch 466/633 Erasing : ongres-scram-1.0.0~beta.2-5.el8.noarch 467/633 Erasing : cockpit-dashboard-211.3-1.el8.noarch 468/633 Erasing : python3-jmespath-0.9.0-11.el8.noarch 469/633 Erasing : python3-ptyprocess-0.5.2-4.el8.noarch 470/633 Erasing : python3-docutils-0.14-12.module+el8.1.0+3334+5cb 471/633 Erasing : python3-lockfile-1:0.11.0-8.el8ar.noarch 472/633 Erasing : jdeparser-2.0.0-5.el8.noarch 473/633 Erasing : python3-ovirt-setup-lib-1.3.0-1.el8ev.noarch 474/633 Erasing : sgml-common-0.6.3-50.el8.noarch 475/633 Erasing : javapackages-tools-5.3.0-2.module+el8+2598+06bab 476/633 Erasing : jackson-annotations-2.10.0-1.module+el8.2.0+5059 477/633 Erasing : jackson-core-2.10.0-1.module+el8.2.0+5059+3eb3af 478/633 Erasing : ovirt-vmconsole-1.0.8-1.el8ev.noarch 479/633 Running scriptlet: ovirt-vmconsole-1.0.8-1.el8ev.noarch 479/633 Erasing : relaxngDatatype-2011.1-7.module+el8.1.0+3366+6df 480/633 Erasing : bea-stax-api-1.2.0-16.module+el8.1.0+3366+6dfb95 481/633 Erasing : ws-commons-util-1.0.2-1.el8ev.noarch 482/633 Erasing : python3-websockify-0.8.0-12.el8ev.noarch 483/633 Erasing : python3-magic-5.33-13.el8.noarch 484/633 Erasing : apache-commons-lang-2.6-21.module+el8.1.0+3366+6 485/633 Erasing : apache-commons-logging-1.2-13.module+el8+2598+06 486/633 Erasing : python3-click-6.7-8.el8.noarch 487/633 Erasing : python3-itsdangerous-0.24-14.el8.noarch 488/633 Erasing : python3-werkzeug-0.16.0-1.el8ost.noarch 489/633 Erasing : python3-aniso8601-0.82-4.el8ost.noarch 490/633 Erasing : eap7-jboss-server-migration-1.7.1-5.Final_redhat 491/633 Erasing : glassfish-jaxb-api-2.2.12-8.module+el8.1.0+3366+ 492/633 Erasing : glassfish-jaxb-txw2-2.2.11-11.module+el8.1.0+336 493/633 Erasing : eap7-velocity-2.1.0-1.redhat_00001.1.el8eap.noar 494/633 Erasing : apache-commons-codec-1.11-3.module+el8+2598+06ba 495/633 Erasing : vim-filesystem-2:8.0.1763-13.el8.noarch 496/633 Erasing : python3-passlib-1.7.0-5.el8ost.noarch 497/633 Erasing : 
httpcomponents-core-4.4.10-3.module+el8+2598+06b 498/633 Erasing : publicsuffix-list-20180723-1.el8.noarch 499/633 Erasing : python3-websocket-client-0.54.0-1.el8ost.noarch 500/633 Erasing : apache-commons-io-1:2.6-3.module+el8+2598+06babf 501/633 Erasing : pki-servlet-4.0-api-1:9.0.7-16.module+el8.1.0+33 502/633 Erasing : jboss-logging-3.3.0-5.el8.noarch 503/633 Erasing : jboss-annotations-1.2-api-1.0.0-4.el8.noarch 504/633 Erasing : jboss-jaxrs-2.0-api-1.0.0-6.el8.noarch 505/633 Erasing : sos-3.8-6.el8_2.noarch 506/633 Erasing : python3-notario-0.0.16-2.el8cp.noarch 507/633 Erasing : python3-pyOpenSSL-18.0.0-1.el8.noarch 508/633 Erasing : spice-client-win-x64-8.0-1.el8.noarch 509/633 Erasing : spice-client-win-x86-8.0-1.el8.noarch 510/633 Erasing : apache-commons-compress-1.18-1.el8ev.noarch 511/633 Erasing : apache-commons-jxpath-1.3-29.el8ev.noarch 512/633 Erasing : apache-sshd-2.2.0-1.el8ev.noarch 513/633 Erasing : jcl-over-slf4j-1.7.25-4.module+el8.1.0+3366+6dfb 514/633 Erasing : ovirt-engine-api-explorer-0.0.6-1.el8ev.noarch 515/633 Erasing : ovirt-engine-dbscripts-4.4.1.2-0.10.el8ev.noarch 516/633 Erasing : ovirt-engine-restapi-4.4.1.2-0.10.el8ev.noarch 517/633 Erasing : ovirt-web-ui-1.6.2-1.el8ev.noarch 518/633 Erasing : python3-dnf-plugin-versionlock-4.0.12-3.el8.noar 519/633 Erasing : rhvm-dependencies-4.4.0-1.el8ev.noarch 520/633 Erasing : aopalliance-1.0-17.module+el8+2598+06babf2e.noar 521/633 Erasing : ebay-cors-filter-1.0.1-4.el8ev.noarch 522/633 Erasing : java-client-kubevirt-0.5.0-1.el8ev.noarch 523/633 Erasing : apache-commons-collections-3.2.2-10.module+el8.1 524/633 Erasing : graphviz-2.40.1-40.el8.x86_64 525/633 Running scriptlet: graphviz-2.40.1-40.el8.x86_64 525/633 Erasing : libgs-9.25-5.el8_1.1.x86_64 526/633 Running scriptlet: postgresql-server-12.1-2.module+el8.1.1+4794+c82 527/633 Erasing : postgresql-server-12.1-2.module+el8.1.1+4794+c82 527/633 Running scriptlet: postgresql-server-12.1-2.module+el8.1.1+4794+c82 527/633 Erasing : 
java-1.8.0-openjdk-1:1.8.0.252.b09-3.el8_2.x86_6 528/633 Running scriptlet: java-1.8.0-openjdk-1:1.8.0.252.b09-3.el8_2.x86_6 528/633 Erasing : gtk2-2.24.32-4.el8.x86_64 529/633 Running scriptlet: gtk2-2.24.32-4.el8.x86_64 529/633 Erasing : gd-2.2.5-6.el8.x86_64 530/633 Running scriptlet: gd-2.2.5-6.el8.x86_64 530/633 Running scriptlet: nfs-utils-1:2.3.3-31.el8.x86_64 531/633 Erasing : nfs-utils-1:2.3.3-31.el8.x86_64 531/633 warning: file /var/lib/nfs/v4recovery: remove failed: No such file or directory warning: file /var/lib/nfs/statd/sm.bak: remove failed: No such file or directory warning: file /var/lib/nfs/statd/sm: remove failed: No such file or directory warning: file /var/lib/nfs/statd: remove failed: No such file or directory warning: directory /var/lib/nfs/rpc_pipefs: remove failed: Device or resource busy Running scriptlet: nfs-utils-1:2.3.3-31.el8.x86_64 531/633 Erasing : postgresql-contrib-12.1-2.module+el8.1.1+4794+c8 532/633 Erasing : postgresql-12.1-2.module+el8.1.1+4794+c82b6e09.x 533/633 Erasing : gnutls-utils-3.6.8-10.el8_2.x86_64 534/633 Erasing : gdk-pixbuf2-modules-2.36.12-5.el8.x86_64 535/633 Erasing : librsvg2-2.42.7-3.el8.x86_64 536/633 Erasing : pango-1.42.4-6.el8.x86_64 537/633 Running scriptlet: pango-1.42.4-6.el8.x86_64 537/633 Erasing : collectd-postgresql-5.11.0-2.el8ost.x86_64 538/633 Erasing : rsyslog-mmnormalize-8.1911.0-3.el8.x86_64 539/633 Erasing : mod_ssl-1:2.4.37-21.module+el8.2.0+5008+cca404a3 540/633 Running scriptlet: mod_ssl-1:2.4.37-21.module+el8.2.0+5008+cca404a3 540/633 Erasing : xorg-x11-fonts-Type1-7.5-19.el8.noarch 541/633 Running scriptlet: xorg-x11-fonts-Type1-7.5-19.el8.noarch 541/633 Running scriptlet: httpd-2.4.37-21.module+el8.2.0+5008+cca404a3.x86 542/633 Erasing : httpd-2.4.37-21.module+el8.2.0+5008+cca404a3.x86 542/633 Running scriptlet: httpd-2.4.37-21.module+el8.2.0+5008+cca404a3.x86 542/633 Erasing : httpd-tools-2.4.37-21.module+el8.2.0+5008+cca404 543/633 Erasing : liblognorm-2.0.5-1.el8.x86_64 544/633 
Running scriptlet: liblognorm-2.0.5-1.el8.x86_64 544/633 Erasing : libthai-0.1.27-2.el8.x86_64 545/633 Running scriptlet: libthai-0.1.27-2.el8.x86_64 545/633 Erasing : python3-psycopg2-2.7.5-7.el8.x86_64 546/633 Running scriptlet: source-highlight-3.1.8-16.el8.x86_64 547/633 Erasing : source-highlight-3.1.8-16.el8.x86_64 547/633 Running scriptlet: source-highlight-3.1.8-16.el8.x86_64 547/633 Erasing : boost-regex-1.66.0-7.el8.x86_64 548/633 Running scriptlet: boost-regex-1.66.0-7.el8.x86_64 548/633 Erasing : python3-numpy-1:1.14.3-9.el8.x86_64 549/633 Erasing : openblas-0.3.3-5.el8.x86_64 550/633 Running scriptlet: openblas-0.3.3-5.el8.x86_64 550/633 Erasing : openblas-threads-0.3.3-5.el8.x86_64 551/633 Running scriptlet: openblas-threads-0.3.3-5.el8.x86_64 551/633 Erasing : libgfortran-8.3.1-5.el8.x86_64 552/633 Running scriptlet: libgfortran-8.3.1-5.el8.x86_64 552/633 Erasing : collectd-write_http-5.11.0-2.el8ost.x86_64 553/633 Erasing : rsyslog-mmjsonparse-8.1911.0-3.el8.x86_64 554/633 Erasing : adobe-mappings-cmap-deprecated-20171205-3.el8.no 555/633 Erasing : urw-base35-fonts-20170801-10.el8.noarch 556/633 Erasing : apr-util-1.6.1-6.el8.x86_64 557/633 Running scriptlet: apr-util-1.6.1-6.el8.x86_64 557/633 Erasing : harfbuzz-1.7.5-3.el8.x86_64 558/633 Running scriptlet: harfbuzz-1.7.5-3.el8.x86_64 558/633 Erasing : libtiff-4.0.9-17.el8.x86_64 559/633 Running scriptlet: gssproxy-0.8.0-15.el8.x86_64 560/633 Erasing : gssproxy-0.8.0-15.el8.x86_64 560/633 Running scriptlet: gssproxy-0.8.0-15.el8.x86_64 560/633 Erasing : quota-1:4.04-10.el8.x86_64 561/633 Erasing : libXaw-1.0.13-10.el8.x86_64 562/633 Erasing : python3-pynacl-1.3.0-5.el8ev.x86_64 563/633 Erasing : nodejs-1:10.19.0-2.module+el8.2.0+6232+1df3dc5f. 
564/633 Erasing : eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_r 565/633 Erasing : eap7-python3-javapackages-3.4.1-5.15.6.el8eap.no 566/633 Erasing : eap7-javapackages-tools-3.4.1-5.15.6.el8eap.noar 567/633 Erasing : eap7-runtime-1-16.el8eap.x86_64 568/633 Erasing : scl-utils-1:2.0.2-12.el8.x86_64 569/633 Erasing : environment-modules-4.1.4-4.el8.x86_64 570/633 Running scriptlet: environment-modules-4.1.4-4.el8.x86_64 570/633 Erasing : python3-ovirt-engine-sdk4-4.4.3-1.el8ev.x86_64 571/633 Erasing : collectd-disk-5.11.0-2.el8ost.x86_64 572/633 Erasing : collectd-write_syslog-5.11.0-2.el8ost.x86_64 573/633 Running scriptlet: collectd-5.11.0-2.el8ost.x86_64 574/633 Erasing : collectd-5.11.0-2.el8ost.x86_64 574/633 Running scriptlet: collectd-5.11.0-2.el8ost.x86_64 574/633 Erasing : rsyslog-elasticsearch-8.1911.0-3.el8.x86_64 575/633 Erasing : npm-1:6.13.4-1.10.19.0.2.module+el8.2.0+6232+1df 576/633 Erasing : quota-nls-1:4.04-10.el8.noarch 577/633 Erasing : urw-base35-standard-symbols-ps-fonts-20170801-10 578/633 Running scriptlet: urw-base35-standard-symbols-ps-fonts-20170801-10 578/633 Erasing : adobe-mappings-cmap-20171205-3.el8.noarch 579/633 Erasing : mailcap-2.1.48-3.el8.noarch 580/633 Erasing : httpd-filesystem-2.4.37-21.module+el8.2.0+5008+c 581/633 Running scriptlet: httpd-filesystem-2.4.37-21.module+el8.2.0+5008+c 581/633 Erasing : redhat-storage-logos-httpd-81.1-1.el8rhgs.noarch 582/633 Erasing : hicolor-icon-theme-0.17-2.el8.noarch 583/633 Erasing : adobe-mappings-pdf-20180407-1.el8.noarch 584/633 Erasing : xorg-x11-fonts-ISO8859-1-100dpi-7.5-19.el8.noarc 585/633 Running scriptlet: xorg-x11-fonts-ISO8859-1-100dpi-7.5-19.el8.noarc 585/633 Running scriptlet: rsyslog-8.1911.0-3.el8.x86_64 586/633 Erasing : rsyslog-8.1911.0-3.el8.x86_64 586/633 Running scriptlet: rsyslog-8.1911.0-3.el8.x86_64 586/633 Erasing : libestr-0.1.10-1.el8.x86_64 587/633 Running scriptlet: libestr-0.1.10-1.el8.x86_64 587/633 Erasing : libfastjson-0.99.8-2.el8.x86_64 588/633 Running 
scriptlet: libfastjson-0.99.8-2.el8.x86_64 588/633 Erasing : logrotate-3.14.0-3.el8.x86_64 589/633 Erasing : yajl-2.1.0-10.el8.x86_64 590/633 Erasing : python3-pycurl-7.43.0.2-4.el8.x86_64 591/633 Erasing : tcl-1:8.6.8-2.el8.x86_64 592/633 Running scriptlet: tcl-1:8.6.8-2.el8.x86_64 592/633 Erasing : python3-lxml-4.2.3-1.el8.x86_64 593/633 Erasing : libsodium-1.0.18-2.el8ev.x86_64 594/633 Erasing : libXpm-3.5.12-8.el8.x86_64 595/633 Erasing : libverto-libevent-0.3.0-5.el8.x86_64 596/633 Erasing : jbigkit-libs-2.1-14.el8.x86_64 597/633 Running scriptlet: jbigkit-libs-2.1-14.el8.x86_64 597/633 Erasing : graphite2-1.3.10-10.el8.x86_64 598/633 Erasing : apr-1.6.3-9.el8.x86_64 599/633 Running scriptlet: apr-1.6.3-9.el8.x86_64 599/633 Running scriptlet: libquadmath-8.3.1-5.el8.x86_64 600/633 Erasing : libquadmath-8.3.1-5.el8.x86_64 600/633 Running scriptlet: libquadmath-8.3.1-5.el8.x86_64 600/633 Erasing : libicu-60.3-2.el8_1.x86_64 601/633 Running scriptlet: libicu-60.3-2.el8_1.x86_64 601/633 Erasing : ctags-5.8-22.el8.x86_64 602/633 Erasing : libpq-12.1-3.el8.x86_64 603/633 Erasing : libdatrie-0.2.9-7.el8.x86_64 604/633 Running scriptlet: libdatrie-0.2.9-7.el8.x86_64 604/633 Erasing : mod_http2-1.11.3-3.module+el8.2.0+4377+dc421495. 
605/633 Erasing : ttmkfdir-3.0.9-54.el8.x86_64 606/633 Erasing : fribidi-1.0.4-8.el8.x86_64 607/633 Erasing : libXft-2.3.2-10.el8.x86_64 608/633 Erasing : jasper-libs-2.0.14-4.el8.x86_64 609/633 Erasing : gnutls-dane-3.6.8-10.el8_2.x86_64 610/633 Erasing : autogen-libopts-5.18.12-7.el8.x86_64 611/633 Erasing : uuid-1.6.2-42.el8.x86_64 612/633 Running scriptlet: uuid-1.6.2-42.el8.x86_64 612/633 Erasing : keyutils-1.5.10-6.el8.x86_64 613/633 Running scriptlet: rpcbind-1.2.5-7.el8.x86_64 614/633 Erasing : rpcbind-1.2.5-7.el8.x86_64 614/633 Running scriptlet: rpcbind-1.2.5-7.el8.x86_64 614/633 Erasing : libwebp-1.0.0-1.el8.x86_64 615/633 Erasing : atk-2.28.1-1.el8.x86_64 616/633 Erasing : gtk-update-icon-cache-3.22.30-5.el8.x86_64 617/633 Erasing : libXcomposite-0.4.4-14.el8.x86_64 618/633 Erasing : libXdamage-1.1.4-14.el8.x86_64 619/633 Erasing : libXtst-1.2.3-7.el8.x86_64 620/633 Erasing : giflib-5.1.4-3.el8.x86_64 621/633 Running scriptlet: libidn-1.34-5.el8.x86_64 622/633 install-info: No such file or directory for /usr/share/info/libidn.info.gz Erasing : libidn-1.34-5.el8.x86_64 622/633 Erasing : libijs-0.35-5.el8.x86_64 623/633 Erasing : jbig2dec-libs-0.14-2.el8.x86_64 624/633 Running scriptlet: jbig2dec-libs-0.14-2.el8.x86_64 624/633 Erasing : openjpeg2-2.3.1-6.el8.x86_64 625/633 Erasing : libpaper-1.1.24-22.el8.x86_64 626/633 Erasing : ovirt-imageio-common-2.0.6-0.el8ev.x86_64 627/633 Erasing : sshpass-1.06-3.el8ae.x86_64 628/633 Erasing : python3-psutil-5.4.3-10.el8.x86_64 629/633 Erasing : python3-bcrypt-3.1.6-2.el8ev.x86_64 630/633 Erasing : python3-m2crypto-0.35.2-5.el8ev.x86_64 631/633 Erasing : python3-pwquality-1.4.0-9.el8.x86_64 632/633 Erasing : pciutils-3.5.6-4.el8.x86_64 633/633 Running scriptlet: pciutils-3.5.6-4.el8.x86_64 633/633 Verifying : adobe-mappings-cmap-20171205-3.el8.noarch 1/633 Verifying : adobe-mappings-cmap-deprecated-20171205-3.el8.no 2/633 Verifying : adobe-mappings-pdf-20180407-1.el8.noarch 3/633 Verifying : 
ansible-2.9.9-1.el8ae.noarch 4/633 Verifying : ansible-runner-1.4.5-1.el8ar.noarch 5/633 Verifying : ansible-runner-service-1.0.2-1.el8ev.noarch 6/633 Verifying : aopalliance-1.0-17.module+el8+2598+06babf2e.noar 7/633 Verifying : apache-commons-codec-1.11-3.module+el8+2598+06ba 8/633 Verifying : apache-commons-collections-3.2.2-10.module+el8.1 9/633 Verifying : apache-commons-compress-1.18-1.el8ev.noarch 10/633 Verifying : apache-commons-configuration-1.10-1.el8ev.noarch 11/633 Verifying : apache-commons-io-1:2.6-3.module+el8+2598+06babf 12/633 Verifying : apache-commons-jxpath-1.3-29.el8ev.noarch 13/633 Verifying : apache-commons-lang-2.6-21.module+el8.1.0+3366+6 14/633 Verifying : apache-commons-logging-1.2-13.module+el8+2598+06 15/633 Verifying : apache-sshd-2.2.0-1.el8ev.noarch 16/633 Verifying : apr-1.6.3-9.el8.x86_64 17/633 Verifying : apr-util-1.6.1-6.el8.x86_64 18/633 Verifying : asciidoc-8.6.10-0.5.20180627gitf7c2274.el8.noarc 19/633 Verifying : atk-2.28.1-1.el8.x86_64 20/633 Verifying : autogen-libopts-5.18.12-7.el8.x86_64 21/633 Verifying : bea-stax-api-1.2.0-16.module+el8.1.0+3366+6dfb95 22/633 Verifying : boost-regex-1.66.0-7.el8.x86_64 23/633 Verifying : cockpit-dashboard-211.3-1.el8.noarch 24/633 Verifying : collectd-5.11.0-2.el8ost.x86_64 25/633 Verifying : collectd-disk-5.11.0-2.el8ost.x86_64 26/633 Verifying : collectd-postgresql-5.11.0-2.el8ost.x86_64 27/633 Verifying : collectd-write_http-5.11.0-2.el8ost.x86_64 28/633 Verifying : collectd-write_syslog-5.11.0-2.el8ost.x86_64 29/633 Verifying : ctags-5.8-22.el8.x86_64 30/633 Verifying : docbook-dtds-1.0-69.el8.noarch 31/633 Verifying : docbook-style-xsl-1.79.2-7.el8.noarch 32/633 Verifying : eap7-FastInfoset-1.2.13-10.redhat_1.1.el8eap.noa 33/633 Verifying : eap7-activemq-artemis-cli-2.9.0-4.redhat_00010.1 34/633 Verifying : eap7-activemq-artemis-commons-2.9.0-4.redhat_000 35/633 Verifying : eap7-activemq-artemis-core-client-2.9.0-4.redhat 36/633 Verifying : 
eap7-activemq-artemis-dto-2.9.0-4.redhat_00010.1 37/633 Verifying : eap7-activemq-artemis-hornetq-protocol-2.9.0-4.r 38/633 Verifying : eap7-activemq-artemis-hqclient-protocol-2.9.0-4. 39/633 Verifying : eap7-activemq-artemis-jdbc-store-2.9.0-4.redhat_ 40/633 Verifying : eap7-activemq-artemis-jms-client-2.9.0-4.redhat_ 41/633 Verifying : eap7-activemq-artemis-jms-server-2.9.0-4.redhat_ 42/633 Verifying : eap7-activemq-artemis-journal-2.9.0-4.redhat_000 43/633 Verifying : eap7-activemq-artemis-native-1:1.0.0.00003-2.red 44/633 Verifying : eap7-activemq-artemis-ra-2.9.0-4.redhat_00010.1. 45/633 Verifying : eap7-activemq-artemis-selector-2.9.0-4.redhat_00 46/633 Verifying : eap7-activemq-artemis-server-2.9.0-4.redhat_0001 47/633 Verifying : eap7-activemq-artemis-service-extensions-2.9.0-4 48/633 Verifying : eap7-activemq-artemis-tools-2.9.0-4.redhat_00010 49/633 Verifying : eap7-aesh-extensions-1.8.0-1.redhat_00001.1.el8e 50/633 Verifying : eap7-aesh-readline-2.0.0-1.redhat_00001.1.el8eap 51/633 Verifying : eap7-agroal-api-1.3.0-1.redhat_00001.1.el8eap.no 52/633 Verifying : eap7-agroal-narayana-1.3.0-1.redhat_00001.1.el8e 53/633 Verifying : eap7-agroal-pool-1.3.0-1.redhat_00001.1.el8eap.n 54/633 Verifying : eap7-antlr-2.7.7-54.redhat_7.1.el8eap.noarch 55/633 Verifying : eap7-apache-commons-beanutils-1.9.4-1.redhat_000 56/633 Verifying : eap7-apache-commons-cli-1.3.1-3.redhat_2.1.el8ea 57/633 Verifying : eap7-apache-commons-codec-1.11.0-2.redhat_00001. 58/633 Verifying : eap7-apache-commons-collections-3.2.2-9.redhat_2 59/633 Verifying : eap7-apache-commons-io-2.5.0-4.redhat_3.1.el8eap 60/633 Verifying : eap7-apache-commons-lang-3.9.0-1.redhat_00001.1. 61/633 Verifying : eap7-apache-commons-lang2-2.6.0-1.redhat_7.1.el8 62/633 Verifying : eap7-apache-cxf-3.3.5-1.redhat_00001.1.el8eap.no 63/633 Verifying : eap7-apache-cxf-rt-3.3.5-1.redhat_00001.1.el8eap 64/633 Verifying : eap7-apache-cxf-services-3.3.5-1.redhat_00001.1. 
65/633 Verifying : eap7-apache-cxf-tools-3.3.5-1.redhat_00001.1.el8 66/633 Verifying : eap7-apache-mime4j-0.6.0-4.redhat_7.1.el8eap.noa 67/633 Verifying : eap7-artemis-wildfly-integration-1.0.2-4.redhat_ 68/633 Verifying : eap7-atinject-1.0.0-4.redhat_00002.1.el8eap.noar 69/633 Verifying : eap7-avro-1.7.6-7.redhat_2.1.el8eap.noarch 70/633 Verifying : eap7-azure-storage-6.1.0-1.redhat_1.1.el8eap.noa 71/633 Verifying : eap7-bouncycastle-mail-1.60.0-2.redhat_00002.1.e 72/633 Verifying : eap7-bouncycastle-pkix-1.60.0-2.redhat_00002.1.e 73/633 Verifying : eap7-bouncycastle-prov-1.60.0-2.redhat_00002.1.e 74/633 Verifying : eap7-byte-buddy-1.9.11-1.redhat_00002.1.el8eap.n 75/633 Verifying : eap7-caffeine-2.6.2-3.redhat_1.1.el8eap.noarch 76/633 Verifying : eap7-cal10n-0.8.1-6.redhat_1.1.el8eap.noarch 77/633 Verifying : eap7-codehaus-jackson-core-asl-1.9.13-10.redhat_ 78/633 Verifying : eap7-codehaus-jackson-jaxrs-1.9.13-10.redhat_000 79/633 Verifying : eap7-codehaus-jackson-mapper-asl-1.9.13-10.redha 80/633 Verifying : eap7-codehaus-jackson-xc-1.9.13-10.redhat_00007. 
Removed: adobe-mappings-cmap-20171205-3.el8.noarch adobe-mappings-cmap-deprecated-20171205-3.el8.noarch adobe-mappings-pdf-20180407-1.el8.noarch ansible-2.9.9-1.el8ae.noarch ansible-runner-1.4.5-1.el8ar.noarch ansible-runner-service-1.0.2-1.el8ev.noarch aopalliance-1.0-17.module+el8+2598+06babf2e.noarch apache-commons-codec-1.11-3.module+el8+2598+06babf2e.noarch apache-commons-collections-3.2.2-10.module+el8.1.0+3366+6dfb954c.noarch apache-commons-compress-1.18-1.el8ev.noarch apache-commons-configuration-1.10-1.el8ev.noarch apache-commons-io-1:2.6-3.module+el8+2598+06babf2e.noarch apache-commons-jxpath-1.3-29.el8ev.noarch apache-commons-lang-2.6-21.module+el8.1.0+3366+6dfb954c.noarch apache-commons-logging-1.2-13.module+el8+2598+06babf2e.noarch apache-sshd-2.2.0-1.el8ev.noarch apr-1.6.3-9.el8.x86_64
apr-util-1.6.1-6.el8.x86_64 asciidoc-8.6.10-0.5.20180627gitf7c2274.el8.noarch atk-2.28.1-1.el8.x86_64 autogen-libopts-5.18.12-7.el8.x86_64 bea-stax-api-1.2.0-16.module+el8.1.0+3366+6dfb954c.noarch boost-regex-1.66.0-7.el8.x86_64 cockpit-dashboard-211.3-1.el8.noarch collectd-5.11.0-2.el8ost.x86_64 collectd-disk-5.11.0-2.el8ost.x86_64 collectd-postgresql-5.11.0-2.el8ost.x86_64 collectd-write_http-5.11.0-2.el8ost.x86_64 collectd-write_syslog-5.11.0-2.el8ost.x86_64 ctags-5.8-22.el8.x86_64 docbook-dtds-1.0-69.el8.noarch docbook-style-xsl-1.79.2-7.el8.noarch eap7-FastInfoset-1.2.13-10.redhat_1.1.el8eap.noarch eap7-activemq-artemis-cli-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-commons-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-core-client-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-dto-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-hornetq-protocol-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-hqclient-protocol-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-jdbc-store-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-jms-client-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-jms-server-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-journal-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-native-1:1.0.0.00003-2.redhat_00001.1.el8eap.noarch eap7-activemq-artemis-ra-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-selector-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-server-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-service-extensions-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-activemq-artemis-tools-2.9.0-4.redhat_00010.1.el8eap.noarch eap7-aesh-extensions-1.8.0-1.redhat_00001.1.el8eap.noarch eap7-aesh-readline-2.0.0-1.redhat_00001.1.el8eap.noarch eap7-agroal-api-1.3.0-1.redhat_00001.1.el8eap.noarch eap7-agroal-narayana-1.3.0-1.redhat_00001.1.el8eap.noarch eap7-agroal-pool-1.3.0-1.redhat_00001.1.el8eap.noarch 
eap7-antlr-2.7.7-54.redhat_7.1.el8eap.noarch eap7-apache-commons-beanutils-1.9.4-1.redhat_00002.1.el8eap.noarch eap7-apache-commons-cli-1.3.1-3.redhat_2.1.el8eap.noarch eap7-apache-commons-codec-1.11.0-2.redhat_00001.1.el8eap.noarch eap7-apache-commons-collections-3.2.2-9.redhat_2.1.el8eap.noarch eap7-apache-commons-io-2.5.0-4.redhat_3.1.el8eap.noarch eap7-apache-commons-lang-3.9.0-1.redhat_00001.1.el8eap.noarch eap7-apache-commons-lang2-2.6.0-1.redhat_7.1.el8eap.noarch eap7-apache-cxf-3.3.5-1.redhat_00001.1.el8eap.noarch eap7-apache-cxf-rt-3.3.5-1.redhat_00001.1.el8eap.noarch eap7-apache-cxf-services-3.3.5-1.redhat_00001.1.el8eap.noarch eap7-apache-cxf-tools-3.3.5-1.redhat_00001.1.el8eap.noarch eap7-apache-mime4j-0.6.0-4.redhat_7.1.el8eap.noarch eap7-artemis-wildfly-integration-1.0.2-4.redhat_1.1.el8eap.noarch eap7-atinject-1.0.0-4.redhat_00002.1.el8eap.noarch eap7-avro-1.7.6-7.redhat_2.1.el8eap.noarch eap7-azure-storage-6.1.0-1.redhat_1.1.el8eap.noarch eap7-bouncycastle-mail-1.60.0-2.redhat_00002.1.el8eap.noarch eap7-bouncycastle-pkix-1.60.0-2.redhat_00002.1.el8eap.noarch eap7-bouncycastle-prov-1.60.0-2.redhat_00002.1.el8eap.noarch eap7-byte-buddy-1.9.11-1.redhat_00002.1.el8eap.noarch eap7-caffeine-2.6.2-3.redhat_1.1.el8eap.noarch eap7-cal10n-0.8.1-6.redhat_1.1.el8eap.noarch eap7-codehaus-jackson-core-asl-1.9.13-10.redhat_00007.1.el8eap.noarch eap7-codehaus-jackson-jaxrs-1.9.13-10.redhat_00007.1.el8eap.noarch eap7-codehaus-jackson-mapper-asl-1.9.13-10.redhat_00007.1.el8eap.noarch eap7-codehaus-jackson-xc-1.9.13-10.redhat_00007.1.el8eap.noarch eap7-codemodel-2.3.3-4.b02_redhat_00001.1.el8eap.noarch eap7-commons-logging-jboss-logging-1.0.0-1.Final_redhat_1.1.el8eap.noarch eap7-cryptacular-1.2.4-1.redhat_00001.1.el8eap.noarch eap7-cxf-xjc-boolean-3.3.0-1.redhat_00001.1.el8eap.noarch eap7-cxf-xjc-bug986-3.3.0-1.redhat_00001.1.el8eap.noarch eap7-cxf-xjc-dv-3.3.0-1.redhat_00001.1.el8eap.noarch eap7-cxf-xjc-runtime-3.3.0-1.redhat_00001.1.el8eap.noarch 
eap7-cxf-xjc-ts-3.3.0-1.redhat_00001.1.el8eap.noarch eap7-dom4j-2.1.1-2.redhat_00001.1.el8eap.noarch eap7-ecj-4.6.1-3.redhat_1.1.el8eap.noarch eap7-eclipse-jgit-5.0.2.201807311906-2.r_redhat_00001.1.el8eap.noarch eap7-glassfish-concurrent-1.0.0-4.redhat_1.1.el8eap.noarch eap7-glassfish-jaf-1.2.1-1.redhat_00002.1.el8eap.noarch eap7-glassfish-javamail-1.6.4-2.redhat_00001.1.el8eap.noarch eap7-glassfish-jsf-2.3.9-10.SP09_redhat_00001.1.el8eap.noarch eap7-glassfish-json-1.1.6-2.redhat_00001.1.el8eap.noarch eap7-gnu-getopt-1.0.13-6.redhat_5.1.el8eap.noarch eap7-gson-2.8.2-1.redhat_5.1.el8eap.noarch eap7-guava-25.0.0-2.redhat_1.1.el8eap.noarch eap7-h2database-1.4.193-6.redhat_2.1.el8eap.noarch eap7-hal-console-3.2.8-1.Final_redhat_00001.1.el8eap.noarch eap7-hibernate-beanvalidation-api-2.0.2-1.redhat_00001.1.el8eap.noarch eap7-hibernate-commons-annotations-5.0.5-1.Final_redhat_00002.1.el8eap.noarch eap7-hibernate-core-5.3.16-1.Final_redhat_00001.1.el8eap.noarch eap7-hibernate-entitymanager-5.3.16-1.Final_redhat_00001.1.el8eap.noarch eap7-hibernate-envers-5.3.16-1.Final_redhat_00001.1.el8eap.noarch eap7-hibernate-search-backend-jms-5.10.7-1.Final_redhat_00001.1.el8eap.noarch eap7-hibernate-search-engine-5.10.7-1.Final_redhat_00001.1.el8eap.noarch eap7-hibernate-search-orm-5.10.7-1.Final_redhat_00001.1.el8eap.noarch eap7-hibernate-search-serialization-avro-5.10.7-1.Final_redhat_00001.1.el8eap.noarch eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el8eap.noarch eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el8eap.noarch eap7-hornetq-commons-2.4.7-7.Final_redhat_2.1.el8eap.noarch eap7-hornetq-core-client-2.4.7-7.Final_redhat_2.1.el8eap.noarch eap7-hornetq-jms-client-2.4.7-7.Final_redhat_2.1.el8eap.noarch eap7-httpcomponents-asyncclient-4.1.4-1.redhat_00001.1.el8eap.noarch eap7-httpcomponents-client-4.5.4-1.redhat_00001.1.el8eap.noarch eap7-httpcomponents-core-4.4.5-1.redhat_00001.1.el8eap.noarch 
eap7-infinispan-cachestore-jdbc-9.4.18-1.Final_redhat_00001.1.el8eap.noarch eap7-infinispan-cachestore-remote-9.4.18-1.Final_redhat_00001.1.el8eap.noarch eap7-infinispan-client-hotrod-9.4.18-1.Final_redhat_00001.1.el8eap.noarch eap7-infinispan-commons-9.4.18-1.Final_redhat_00001.1.el8eap.noarch eap7-infinispan-core-9.4.18-1.Final_redhat_00001.1.el8eap.noarch eap7-infinispan-hibernate-cache-commons-9.4.18-1.Final_redhat_00001.1.el8eap.noarch eap7-infinispan-hibernate-cache-spi-9.4.18-1.Final_redhat_00001.1.el8eap.noarch eap7-infinispan-hibernate-cache-v53-9.4.18-1.Final_redhat_00001.1.el8eap.noarch eap7-ironjacamar-common-api-1.4.20-1.Final_redhat_00001.1.el8eap.noarch eap7-ironjacamar-common-impl-1.4.20-1.Final_redhat_00001.1.el8eap.noarch eap7-ironjacamar-common-spi-1.4.20-1.Final_redhat_00001.1.el8eap.noarch eap7-ironjacamar-core-api-1.4.20-1.Final_redhat_00001.1.el8eap.noarch eap7-ironjacamar-core-impl-1.4.20-1.Final_redhat_00001.1.el8eap.noarch eap7-ironjacamar-deployers-common-1.4.20-1.Final_redhat_00001.1.el8eap.noarch eap7-ironjacamar-jdbc-1.4.20-1.Final_redhat_00001.1.el8eap.noarch eap7-ironjacamar-validator-1.4.20-1.Final_redhat_00001.1.el8eap.noarch eap7-istack-commons-runtime-3.0.10-1.redhat_00001.1.el8eap.noarch eap7-istack-commons-tools-3.0.10-1.redhat_00001.1.el8eap.noarch eap7-jackson-annotations-2.10.3-1.redhat_00001.1.el8eap.noarch eap7-jackson-core-2.10.3-1.redhat_00001.1.el8eap.noarch eap7-jackson-coreutils-1.0.0-1.redhat_1.1.el8eap.noarch eap7-jackson-databind-2.10.3-1.redhat_00001.1.el8eap.noarch eap7-jackson-datatype-jdk8-2.10.3-1.redhat_00001.1.el8eap.noarch eap7-jackson-datatype-jsr310-2.10.3-1.redhat_00001.1.el8eap.noarch eap7-jackson-jaxrs-base-2.10.3-1.redhat_00001.1.el8eap.noarch eap7-jackson-jaxrs-json-provider-2.10.3-1.redhat_00001.1.el8eap.noarch eap7-jackson-module-jaxb-annotations-2.10.3-1.redhat_00001.1.el8eap.noarch eap7-jaegertracing-jaeger-client-java-core-0.34.3-1.redhat_00001.1.el8eap.noarch 
eap7-jaegertracing-jaeger-client-java-thrift-0.34.3-1.redhat_00001.1.el8eap.noarch eap7-jakarta-el-3.0.3-1.redhat_00002.1.el8eap.noarch eap7-jakarta-security-enterprise-api-1.0.2-3.redhat_00001.1.el8eap.noarch eap7-jandex-2.1.2-1.Final_redhat_00001.1.el8eap.noarch eap7-jansi-1.18.0-1.redhat_00001.1.el8eap.noarch eap7-jasypt-1.9.3-1.redhat_00001.1.el8eap.noarch eap7-java-classmate-1.3.4-1.redhat_1.1.el8eap.noarch eap7-javaee-jpa-spec-2.2.3-1.redhat_00001.1.el8eap.noarch eap7-javaee-security-api-1.0.0-2.redhat_1.1.el8eap.noarch eap7-javaee-security-soteria-enterprise-1.0.1-3.redhat_00002.1.el8eap.noarch eap7-javaewah-1.1.6-1.redhat_00001.1.el8eap.noarch eap7-javapackages-tools-3.4.1-5.15.6.el8eap.noarch eap7-javassist-3.23.2-2.GA_redhat_00001.1.el8eap.noarch eap7-jaxb-jxc-2.3.3-4.b02_redhat_00001.1.el8eap.noarch eap7-jaxb-runtime-2.3.3-4.b02_redhat_00001.1.el8eap.noarch eap7-jaxb-xjc-2.3.3-4.b02_redhat_00001.1.el8eap.noarch eap7-jaxbintros-1.0.3-1.GA_redhat_00001.1.el8eap.noarch eap7-jaxen-1.1.6-14.redhat_2.1.el8eap.noarch eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-aesh-2.4.0-1.redhat_00001.1.el8eap.noarch eap7-jboss-annotations-api_1.3_spec-2.0.1-2.Final_redhat_00001.1.el8eap.noarch eap7-jboss-batch-api_1.0_spec-2.0.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-classfilewriter-1.2.4-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-common-beans-2.0.1-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-concurrency-api_1.0_spec-2.0.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-connector-api_1.7_spec-2.0.0-2.Final_redhat_00001.1.el8eap.noarch eap7-jboss-dmr-1.5.0-2.Final_redhat_1.1.el8eap.noarch eap7-jboss-ejb-api_3.2_spec-2.0.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-ejb-client-4.0.31-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-ejb3-ext-api-2.3.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-el-api_3.0_spec-2.0.0-2.Final_redhat_00001.1.el8eap.noarch eap7-jboss-genericjms-2.0.4-1.Final_redhat_00001.1.el8eap.noarch 
eap7-jboss-iiop-client-1.0.1-3.Final_redhat_1.1.el8eap.noarch eap7-jboss-interceptors-api_1.2_spec-2.0.0-3.Final_redhat_00002.1.el8eap.noarch eap7-jboss-invocation-1.5.2-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-j2eemgmt-api_1.1_spec-2.0.0-2.Final_redhat_00001.1.el8eap.noarch eap7-jboss-jacc-api_1.5_spec-2.0.0-2.Final_redhat_00001.1.el8eap.noarch eap7-jboss-jaspi-api_1.1_spec-2.0.1-2.Final_redhat_00001.1.el8eap.noarch eap7-jboss-jaxb-api_2.3_spec-1.0.1-1.Final_redhat_1.1.el8eap.noarch eap7-jboss-jaxrpc-api_1.1_spec-2.0.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-jaxrs-api_2.1_spec-2.0.1-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-jaxws-api_2.3_spec-1.0.0-1.Final_redhat_1.1.el8eap.noarch eap7-jboss-jms-api_2.0_spec-2.0.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-jsf-api_2.3_spec-3.0.0-3.SP02_redhat_00001.1.el8eap.noarch eap7-jboss-jsp-api_2.3_spec-2.0.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-logging-3.4.1-2.Final_redhat_00001.1.el8eap.noarch eap7-jboss-logmanager-2.1.14-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-marshalling-2.0.9-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-marshalling-river-2.0.9-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-metadata-appclient-13.0.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-metadata-common-13.0.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-metadata-ear-13.0.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-metadata-ejb-13.0.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-metadata-web-13.0.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-modules-1.10.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-msc-1.4.11-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-openjdk-orb-8.1.4-3.Final_redhat_00002.1.el8eap.noarch eap7-jboss-remoting-5.0.18-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-remoting-jmx-3.0.4-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-saaj-api_1.3_spec-1.0.6-1.Final_redhat_1.1.el8eap.noarch eap7-jboss-saaj-api_1.4_spec-1.0.1-1.Final_redhat_00001.1.el8eap.noarch 
eap7-jboss-seam-int-7.0.0-6.GA_redhat_2.1.el8eap.noarch eap7-jboss-security-negotiation-3.0.6-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-security-xacml-2.0.8-17.Final_redhat_8.1.el8eap.noarch eap7-jboss-server-migration-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-cli-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-core-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-eap6.4-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-eap7.0-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-eap7.1-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-eap7.2-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-eap7.3-server-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-wildfly10.0-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-wildfly10.1-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-wildfly11.0-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-wildfly12.0-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-wildfly13.0-server-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-wildfly14.0-server-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-wildfly15.0-server-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-wildfly16.0-server-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-wildfly17.0-server-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-wildfly18.0-server-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-server-migration-wildfly8.2-1.7.1-5.Final_redhat_00006.1.el8eap.noarch 
eap7-jboss-server-migration-wildfly9.0-1.7.1-5.Final_redhat_00006.1.el8eap.noarch eap7-jboss-servlet-api_4.0_spec-2.0.0-2.Final_redhat_00001.1.el8eap.noarch eap7-jboss-stdio-1.1.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-threads-2.3.3-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-transaction-api_1.3_spec-2.0.0-3.Final_redhat_00002.1.el8eap.noarch eap7-jboss-transaction-spi-7.6.0-2.Final_redhat_1.1.el8eap.noarch eap7-jboss-vfs-3.2.15-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-websocket-api_1.1_spec-2.0.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jboss-weld-3.1-api-weld-api-3.1.0-6.SP2_redhat_00001.1.el8eap.noarch eap7-jboss-weld-3.1-api-weld-spi-3.1.0-6.SP2_redhat_00001.1.el8eap.noarch eap7-jboss-xnio-base-3.7.7-1.Final_redhat_00001.1.el8eap.noarch eap7-jbossws-api-1.1.2-1.Final_redhat_00001.1.el8eap.noarch eap7-jbossws-common-3.2.3-1.Final_redhat_00001.1.el8eap.noarch eap7-jbossws-common-tools-1.3.2-1.Final_redhat_00001.1.el8eap.noarch eap7-jbossws-cxf-5.3.0-1.Final_redhat_00001.1.el8eap.noarch eap7-jbossws-jaxws-undertow-httpspi-1.0.1-3.Final_redhat_1.1.el8eap.noarch eap7-jbossws-spi-3.2.3-1.Final_redhat_00001.1.el8eap.noarch eap7-jcip-annotations-1.0.0-5.redhat_8.1.el8eap.noarch eap7-jettison-1.4.0-1.redhat_00001.1.el8eap.noarch eap7-jgroups-4.1.4-1.Final_redhat_00001.1.el8eap.noarch eap7-jgroups-azure-1.2.1-1.Final_redhat_00001.1.el8eap.noarch eap7-jgroups-kubernetes-1.0.13-1.Final_redhat_00001.1.el8eap.noarch eap7-joda-time-2.9.7-2.redhat_1.1.el8eap.noarch eap7-jsch-0.1.54-7.redhat_00001.1.el8eap.noarch eap7-json-patch-1.9.0-1.redhat_00002.1.el8eap.noarch eap7-jsonb-spec-1.0.2-1.redhat_00001.1.el8eap.noarch eap7-jsoup-1.8.3-4.redhat_2.1.el8eap.noarch eap7-jul-to-slf4j-stub-1.0.1-7.Final_redhat_3.1.el8eap.noarch eap7-jzlib-1.1.1-7.redhat_00001.1.el8eap.noarch eap7-log4j-jboss-logmanager-1.2.0-1.Final_redhat_00001.1.el8eap.noarch eap7-lucene-analyzers-common-5.5.5-3.redhat_2.1.el8eap.noarch 
eap7-lucene-backward-codecs-5.5.5-3.redhat_2.1.el8eap.noarch eap7-lucene-core-5.5.5-3.redhat_2.1.el8eap.noarch eap7-lucene-facet-5.5.5-3.redhat_2.1.el8eap.noarch eap7-lucene-misc-5.5.5-3.redhat_2.1.el8eap.noarch eap7-lucene-queries-5.5.5-3.redhat_2.1.el8eap.noarch eap7-lucene-queryparser-5.5.5-3.redhat_2.1.el8eap.noarch eap7-microprofile-config-api-1.4.0-1.redhat_00003.1.el8eap.noarch eap7-microprofile-health-2.2.0-1.redhat_00001.1.el8eap.noarch eap7-microprofile-metrics-api-2.3.0-1.redhat_00001.1.el8eap.noarch eap7-microprofile-opentracing-api-1.3.3-1.redhat_00001.1.el8eap.noarch eap7-microprofile-rest-client-api-1.4.0-1.redhat_00004.1.el8eap.noarch eap7-mod_cluster-1.4.1-1.Final_redhat_00001.1.el8eap.noarch eap7-mustache-java-compiler-0.9.4-2.redhat_1.1.el8eap.noarch eap7-narayana-compensations-5.9.8-1.Final_redhat_00002.1.el8eap.noarch eap7-narayana-jbosstxbridge-5.9.8-1.Final_redhat_00002.1.el8eap.noarch eap7-narayana-jbossxts-5.9.8-1.Final_redhat_00002.1.el8eap.noarch eap7-narayana-jts-idlj-5.9.8-1.Final_redhat_00002.1.el8eap.noarch eap7-narayana-jts-integration-5.9.8-1.Final_redhat_00002.1.el8eap.noarch eap7-narayana-restat-api-5.9.8-1.Final_redhat_00002.1.el8eap.noarch eap7-narayana-restat-bridge-5.9.8-1.Final_redhat_00002.1.el8eap.noarch eap7-narayana-restat-integration-5.9.8-1.Final_redhat_00002.1.el8eap.noarch eap7-narayana-restat-util-5.9.8-1.Final_redhat_00002.1.el8eap.noarch eap7-narayana-txframework-5.9.8-1.Final_redhat_00002.1.el8eap.noarch eap7-neethi-3.1.1-1.redhat_1.1.el8eap.noarch eap7-netty-all-4.1.45-1.Final_redhat_00001.1.el8eap.noarch eap7-netty-xnio-transport-0.1.6-1.Final_redhat_00001.1.el8eap.noarch eap7-objectweb-asm-7.1.0-1.redhat_00001.1.el8eap.noarch eap7-okhttp-3.9.0-3.redhat_3.1.el8eap.noarch eap7-okio-1.13.0-2.redhat_3.1.el8eap.noarch eap7-opensaml-core-3.3.1-1.redhat_00002.1.el8eap.noarch eap7-opensaml-profile-api-3.3.1-1.redhat_00002.1.el8eap.noarch eap7-opensaml-saml-api-3.3.1-1.redhat_00002.1.el8eap.noarch 
eap7-opensaml-saml-impl-3.3.1-1.redhat_00002.1.el8eap.noarch eap7-opensaml-security-api-3.3.1-1.redhat_00002.1.el8eap.noarch eap7-opensaml-security-impl-3.3.1-1.redhat_00002.1.el8eap.noarch eap7-opensaml-soap-api-3.3.1-1.redhat_00002.1.el8eap.noarch eap7-opensaml-xacml-api-3.3.1-1.redhat_00002.1.el8eap.noarch eap7-opensaml-xacml-impl-3.3.1-1.redhat_00002.1.el8eap.noarch eap7-opensaml-xacml-saml-api-3.3.1-1.redhat_00002.1.el8eap.noarch eap7-opensaml-xacml-saml-impl-3.3.1-1.redhat_00002.1.el8eap.noarch eap7-opensaml-xmlsec-api-3.3.1-1.redhat_00002.1.el8eap.noarch eap7-opensaml-xmlsec-impl-3.3.1-1.redhat_00002.1.el8eap.noarch eap7-opentracing-contrib-java-concurrent-0.2.1-1.redhat_00001.1.el8eap.noarch eap7-opentracing-contrib-java-jaxrs-0.4.1-1.redhat_00006.1.el8eap.noarch eap7-opentracing-contrib-java-tracerresolver-0.1.5-1.redhat_00001.1.el8eap.noarch eap7-opentracing-contrib-java-web-servlet-filter-0.2.3-1.redhat_00001.1.el8eap.noarch eap7-opentracing-interceptors-0.0.4-1.redhat_00004.1.el8eap.noarch eap7-opentracing-java-api-0.31.0-1.redhat_00008.1.el8eap.noarch eap7-opentracing-java-noop-0.31.0-1.redhat_00008.1.el8eap.noarch eap7-opentracing-java-util-0.31.0-1.redhat_00008.1.el8eap.noarch eap7-picketbox-5.0.3-7.Final_redhat_00006.1.el8eap.noarch eap7-picketbox-commons-1.0.0-4.final_redhat_5.1.el8eap.noarch eap7-picketbox-infinispan-5.0.3-7.Final_redhat_00006.1.el8eap.noarch eap7-picketlink-api-2.5.5-20.SP12_redhat_00009.1.el8eap.noarch eap7-picketlink-common-2.5.5-20.SP12_redhat_00009.1.el8eap.noarch eap7-picketlink-config-2.5.5-20.SP12_redhat_00009.1.el8eap.noarch eap7-picketlink-federation-2.5.5-20.SP12_redhat_00009.1.el8eap.noarch eap7-picketlink-idm-api-2.5.5-20.SP12_redhat_00009.1.el8eap.noarch eap7-picketlink-idm-impl-2.5.5-20.SP12_redhat_00009.1.el8eap.noarch eap7-picketlink-idm-simple-schema-2.5.5-20.SP12_redhat_00009.1.el8eap.noarch eap7-picketlink-impl-2.5.5-20.SP12_redhat_00009.1.el8eap.noarch 
eap7-picketlink-wildfly8-2.5.5-23.SP12_redhat_00012.1.el8eap.noarch eap7-python3-javapackages-3.4.1-5.15.6.el8eap.noarch eap7-reactive-streams-1.0.2-2.redhat_1.1.el8eap.noarch eap7-reactivex-rxjava-2.2.5-1.redhat_00001.1.el8eap.noarch eap7-relaxng-datatype-2.3.3-4.b02_redhat_00001.1.el8eap.noarch eap7-resteasy-atom-provider-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-cdi-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-client-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-client-microprofile-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-crypto-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-jackson-provider-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-jackson2-provider-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-jaxb-provider-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-jaxrs-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-jettison-provider-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-jose-jwt-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-jsapi-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-json-binding-provider-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-json-p-provider-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-multipart-provider-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-rxjava2-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-spring-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-validator-provider-11-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-resteasy-yaml-provider-3.11.2-3.Final_redhat_00002.1.el8eap.noarch eap7-rngom-2.3.3-4.b02_redhat_00001.1.el8eap.noarch eap7-runtime-1-16.el8eap.x86_64 eap7-shibboleth-java-support-7.3.0-1.redhat_00001.1.el8eap.noarch eap7-slf4j-api-1.7.22-4.redhat_2.1.el8eap.noarch eap7-slf4j-ext-1.7.22-4.redhat_2.1.el8eap.noarch eap7-slf4j-jboss-logmanager-1.0.4-1.GA_redhat_00001.1.el8eap.noarch 
eap7-smallrye-config-1.6.2-3.redhat_00004.1.el8eap.noarch eap7-smallrye-health-2.2.0-1.redhat_00004.1.el8eap.noarch eap7-smallrye-metrics-2.4.0-1.redhat_00004.1.el8eap.noarch eap7-smallrye-opentracing-1.3.4-1.redhat_00004.1.el8eap.noarch eap7-snakeyaml-1.24.0-2.redhat_00001.1.el8eap.noarch eap7-stax-ex-1.7.8-1.redhat_00001.1.el8eap.noarch eap7-stax2-api-4.2.0-1.redhat_00001.1.el8eap.noarch eap7-staxmapper-1.3.0-2.Final_redhat_1.1.el8eap.noarch eap7-sun-saaj-1.3-impl-1.3.16-18.SP1_redhat_6.1.el8eap.noarch eap7-sun-saaj-1.4-impl-1.4.1-1.SP1_redhat_00001.1.el8eap.noarch eap7-sun-ws-metadata-2.0-api-1.0.0-7.MR1_redhat_8.1.el8eap.noarch eap7-taglibs-standard-compat-1.2.6-2.RC1_redhat_1.1.el8eap.noarch eap7-taglibs-standard-impl-1.2.6-2.RC1_redhat_1.1.el8eap.noarch eap7-taglibs-standard-spec-1.2.6-2.RC1_redhat_1.1.el8eap.noarch eap7-thrift-0.13.0-1.redhat_00002.1.el8eap.noarch eap7-txw2-2.3.3-4.b02_redhat_00001.1.el8eap.noarch eap7-undertow-2.0.30-3.SP3_redhat_00001.1.el8eap.noarch eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el8eap.noarch eap7-undertow-js-1.0.2-2.Final_redhat_1.1.el8eap.noarch eap7-undertow-server-1.6.1-1.Final_redhat_00001.1.el8eap.noarch eap7-vdx-core-1.1.6-2.redhat_1.1.el8eap.noarch eap7-vdx-wildfly-1.1.6-2.redhat_1.1.el8eap.noarch eap7-velocity-2.1.0-1.redhat_00001.1.el8eap.noarch eap7-velocity-engine-core-2.1.0-1.redhat_00001.1.el8eap.noarch eap7-weld-cdi-2.0-api-2.0.2-2.redhat_00002.1.el8eap.noarch eap7-weld-core-impl-3.1.4-1.Final_redhat_00001.1.el8eap.noarch eap7-weld-core-jsf-3.1.4-1.Final_redhat_00001.1.el8eap.noarch eap7-weld-ejb-3.1.4-1.Final_redhat_00001.1.el8eap.noarch eap7-weld-jta-3.1.4-1.Final_redhat_00001.1.el8eap.noarch eap7-weld-probe-core-3.1.4-1.Final_redhat_00001.1.el8eap.noarch eap7-weld-web-3.1.4-1.Final_redhat_00001.1.el8eap.noarch eap7-wildfly-7.3.1-5.GA_redhat_00003.1.el8eap.noarch eap7-wildfly-client-config-1.0.1-2.Final_redhat_00001.1.el8eap.noarch eap7-wildfly-common-1.5.1-1.Final_redhat_00001.1.el8eap.noarch 
eap7-wildfly-discovery-client-1.2.0-1.Final_redhat_00001.1.el8eap.noarch eap7-wildfly-elytron-1.10.6-1.Final_redhat_00001.1.el8eap.noarch eap7-wildfly-elytron-tool-1.10.6-1.Final_redhat_00001.1.el8eap.noarch eap7-wildfly-http-client-common-1.0.20-1.Final_redhat_00001.1.el8eap.noarch eap7-wildfly-http-ejb-client-1.0.20-1.Final_redhat_00001.1.el8eap.noarch eap7-wildfly-http-naming-client-1.0.20-1.Final_redhat_00001.1.el8eap.noarch eap7-wildfly-http-transaction-client-1.0.20-1.Final_redhat_00001.1.el8eap.noarch eap7-wildfly-modules-7.3.1-5.GA_redhat_00003.1.el8eap.noarch eap7-wildfly-naming-client-1.0.12-1.Final_redhat_00001.1.el8eap.noarch eap7-wildfly-openssl-java-1.0.9-2.SP03_redhat_00001.1.el8eap.noarch eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el8eap.x86_64 eap7-wildfly-transaction-client-1.1.11-1.Final_redhat_00001.1.el8eap.noarch eap7-woodstox-core-6.0.3-1.redhat_00001.1.el8eap.noarch eap7-ws-commons-XmlSchema-2.2.4-1.redhat_00001.1.el8eap.noarch eap7-wsdl4j-1.6.3-13.redhat_2.1.el8eap.noarch eap7-wss4j-bindings-2.2.5-1.redhat_00001.1.el8eap.noarch eap7-wss4j-policy-2.2.5-1.redhat_00001.1.el8eap.noarch eap7-wss4j-ws-security-common-2.2.5-1.redhat_00001.1.el8eap.noarch eap7-wss4j-ws-security-dom-2.2.5-1.redhat_00001.1.el8eap.noarch eap7-wss4j-ws-security-policy-stax-2.2.5-1.redhat_00001.1.el8eap.noarch eap7-wss4j-ws-security-stax-2.2.5-1.redhat_00001.1.el8eap.noarch eap7-xalan-j2-2.7.1-35.redhat_12.1.el8eap.noarch eap7-xerces-j2-2.12.0-1.SP02_redhat_00001.1.el8eap.noarch eap7-xml-resolver-1.2.0-7.redhat_12.1.el8eap.noarch eap7-xml-security-2.1.4-1.redhat_00001.1.el8eap.noarch eap7-xom-1.2.10-4.redhat_1.1.el8eap.noarch eap7-xsom-2.3.3-4.b02_redhat_00001.1.el8eap.noarch eap7-yasson-1.0.5-1.redhat_00001.1.el8eap.noarch ebay-cors-filter-1.0.1-4.el8ev.noarch engine-db-query-1.5.0-1.el8ev.noarch environment-modules-4.1.4-4.el8.x86_64 fribidi-1.0.4-8.el8.x86_64 gd-2.2.5-6.el8.x86_64 gdk-pixbuf2-modules-2.36.12-5.el8.x86_64 giflib-5.1.4-3.el8.x86_64 
glassfish-fastinfoset-1.2.13-9.module+el8.1.0+3366+6dfb954c.noarch glassfish-jaxb-api-2.2.12-8.module+el8.1.0+3366+6dfb954c.noarch glassfish-jaxb-core-2.2.11-11.module+el8.1.0+3366+6dfb954c.noarch glassfish-jaxb-runtime-2.2.11-11.module+el8.1.0+3366+6dfb954c.noarch glassfish-jaxb-txw2-2.2.11-11.module+el8.1.0+3366+6dfb954c.noarch gnutls-dane-3.6.8-10.el8_2.x86_64 gnutls-utils-3.6.8-10.el8_2.x86_64 graphite2-1.3.10-10.el8.x86_64 graphviz-2.40.1-40.el8.x86_64 gssproxy-0.8.0-15.el8.x86_64 gtk-update-icon-cache-3.22.30-5.el8.x86_64 gtk2-2.24.32-4.el8.x86_64 harfbuzz-1.7.5-3.el8.x86_64 hicolor-icon-theme-0.17-2.el8.noarch httpcomponents-client-4.5.5-4.module+el8+2598+06babf2e.noarch httpcomponents-core-4.4.10-3.module+el8+2598+06babf2e.noarch httpd-2.4.37-21.module+el8.2.0+5008+cca404a3.x86_64 httpd-filesystem-2.4.37-21.module+el8.2.0+5008+cca404a3.noarch httpd-tools-2.4.37-21.module+el8.2.0+5008+cca404a3.x86_64 insights-client-3.0.13-1.el8.noarch istack-commons-runtime-2.21-9.el8+7.noarch jackson-annotations-2.10.0-1.module+el8.2.0+5059+3eb3af25.noarch jackson-core-2.10.0-1.module+el8.2.0+5059+3eb3af25.noarch jackson-databind-2.10.0-1.module+el8.2.0+5059+3eb3af25.noarch jackson-jaxrs-json-provider-2.9.9-1.module+el8.1.0+3832+9784644d.noarch jackson-jaxrs-providers-2.9.9-1.module+el8.1.0+3832+9784644d.noarch jackson-module-jaxb-annotations-2.7.6-4.module+el8.1.0+3366+6dfb954c.noarch jasper-libs-2.0.14-4.el8.x86_64 java-1.8.0-openjdk-1:1.8.0.252.b09-3.el8_2.x86_64 java-client-kubevirt-0.5.0-1.el8ev.noarch javapackages-tools-5.3.0-2.module+el8+2598+06babf2e.noarch jbig2dec-libs-0.14-2.el8.x86_64 jbigkit-libs-2.1-14.el8.x86_64 jboss-annotations-1.2-api-1.0.0-4.el8.noarch jboss-jaxrs-2.0-api-1.0.0-6.el8.noarch jboss-logging-3.3.0-5.el8.noarch jboss-logging-tools-2.0.1-6.el8.noarch jcl-over-slf4j-1.7.25-4.module+el8.1.0+3366+6dfb954c.noarch jdeparser-2.0.0-5.el8.noarch keyutils-1.5.10-6.el8.x86_64 libXaw-1.0.13-10.el8.x86_64 libXcomposite-0.4.4-14.el8.x86_64 
libXdamage-1.1.4-14.el8.x86_64 libXft-2.3.2-10.el8.x86_64 libXpm-3.5.12-8.el8.x86_64 libXtst-1.2.3-7.el8.x86_64 libdatrie-0.2.9-7.el8.x86_64 libestr-0.1.10-1.el8.x86_64 libfastjson-0.99.8-2.el8.x86_64 libgfortran-8.3.1-5.el8.x86_64 libgs-9.25-5.el8_1.1.x86_64 libicu-60.3-2.el8_1.x86_64 libidn-1.34-5.el8.x86_64 libijs-0.35-5.el8.x86_64 liblognorm-2.0.5-1.el8.x86_64 libpaper-1.1.24-22.el8.x86_64 libpq-12.1-3.el8.x86_64 libquadmath-8.3.1-5.el8.x86_64 librsvg2-2.42.7-3.el8.x86_64 libsodium-1.0.18-2.el8ev.x86_64 libthai-0.1.27-2.el8.x86_64 libtiff-4.0.9-17.el8.x86_64 libverto-libevent-0.3.0-5.el8.x86_64 libwebp-1.0.0-1.el8.x86_64 log4j12-1.2.17-22.el8ev.noarch logrotate-3.14.0-3.el8.x86_64 mailcap-2.1.48-3.el8.noarch mod_http2-1.11.3-3.module+el8.2.0+4377+dc421495.x86_64 mod_ssl-1:2.4.37-21.module+el8.2.0+5008+cca404a3.x86_64 nfs-utils-1:2.3.3-31.el8.x86_64 nodejs-1:10.19.0-2.module+el8.2.0+6232+1df3dc5f.x86_64 novnc-1.1.0-1.el8ost.noarch npm-1:6.13.4-1.10.19.0.2.module+el8.2.0+6232+1df3dc5f.x86_64 ongres-scram-1.0.0~beta.2-5.el8.noarch ongres-scram-client-1.0.0~beta.2-5.el8.noarch openblas-0.3.3-5.el8.x86_64 openblas-threads-0.3.3-5.el8.x86_64 openjpeg2-2.3.1-6.el8.x86_64 openstack-java-cinder-client-3.2.8-1.el8ev.noarch openstack-java-cinder-model-3.2.8-1.el8ev.noarch openstack-java-client-3.2.8-1.el8ev.noarch openstack-java-glance-client-3.2.8-1.el8ev.noarch openstack-java-glance-model-3.2.8-1.el8ev.noarch openstack-java-keystone-client-3.2.8-1.el8ev.noarch openstack-java-keystone-model-3.2.8-1.el8ev.noarch openstack-java-quantum-client-3.2.8-1.el8ev.noarch openstack-java-quantum-model-3.2.8-1.el8ev.noarch openstack-java-resteasy-connector-3.2.8-1.el8ev.noarch ovirt-ansible-cluster-upgrade-1.2.2-1.el8ev.noarch ovirt-ansible-disaster-recovery-1.3.0-0.1.master.20200219155422.el8ev.noarch ovirt-ansible-engine-setup-1.2.4-1.el8ev.noarch ovirt-ansible-hosted-engine-setup-1.1.4-1.el8ev.noarch ovirt-ansible-image-template-1.2.2-1.el8ev.noarch 
ovirt-ansible-infra-1.2.1-1.el8ev.noarch ovirt-ansible-manageiq-1.2.1-2.el8ev.noarch ovirt-ansible-repositories-1.2.3-1.el8ev.noarch ovirt-ansible-roles-1.2.3-1.el8ev.noarch ovirt-ansible-shutdown-env-1.0.4-1.el8ev.noarch ovirt-ansible-vm-infra-1.2.3-1.el8ev.noarch ovirt-cockpit-sso-0.1.4-1.el8ev.noarch ovirt-engine-4.4.1.2-0.10.el8ev.noarch ovirt-engine-api-explorer-0.0.6-1.el8ev.noarch ovirt-engine-backend-4.4.1.2-0.10.el8ev.noarch ovirt-engine-dbscripts-4.4.1.2-0.10.el8ev.noarch ovirt-engine-dwh-4.4.0.2-1.el8ev.noarch ovirt-engine-dwh-setup-4.4.0.2-1.el8ev.noarch ovirt-engine-extension-aaa-jdbc-1.2.0-1.el8ev.noarch ovirt-engine-metrics-1.4.0.2-1.el8ev.noarch ovirt-engine-restapi-4.4.1.2-0.10.el8ev.noarch ovirt-engine-setup-4.4.1.2-0.10.el8ev.noarch ovirt-engine-setup-base-4.4.1.2-0.10.el8ev.noarch ovirt-engine-setup-plugin-cinderlib-4.4.1.2-0.10.el8ev.noarch ovirt-engine-setup-plugin-imageio-4.4.1.2-0.10.el8ev.noarch ovirt-engine-setup-plugin-ovirt-engine-4.4.1.2-0.10.el8ev.noarch ovirt-engine-setup-plugin-ovirt-engine-common-4.4.1.2-0.10.el8ev.noarch ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.4.1.2-0.10.el8ev.noarch ovirt-engine-setup-plugin-websocket-proxy-4.4.1.2-0.10.el8ev.noarch ovirt-engine-tools-4.4.1.2-0.10.el8ev.noarch ovirt-engine-tools-backup-4.4.1.2-0.10.el8ev.noarch ovirt-engine-ui-extensions-1.2.0-1.el8ev.noarch ovirt-engine-vmconsole-proxy-helper-4.4.1.2-0.10.el8ev.noarch ovirt-engine-webadmin-portal-4.4.1.2-0.10.el8ev.noarch ovirt-engine-websocket-proxy-4.4.1.2-0.10.el8ev.noarch ovirt-imageio-common-2.0.6-0.el8ev.x86_64 ovirt-imageio-daemon-2.0.6-0.el8ev.x86_64 ovirt-log-collector-4.4.1-3.el8ev.noarch ovirt-vmconsole-1.0.8-1.el8ev.noarch ovirt-vmconsole-proxy-1.0.8-1.el8ev.noarch ovirt-web-ui-1.6.2-1.el8ev.noarch pango-1.42.4-6.el8.x86_64 pciutils-3.5.6-4.el8.x86_64 pki-servlet-4.0-api-1:9.0.7-16.module+el8.1.0+3366+6dfb954c.noarch postgresql-12.1-2.module+el8.1.1+4794+c82b6e09.x86_64 
postgresql-contrib-12.1-2.module+el8.1.1+4794+c82b6e09.x86_64 postgresql-jdbc-42.2.3-1.el8.noarch postgresql-server-12.1-2.module+el8.1.1+4794+c82b6e09.x86_64 publicsuffix-list-20180723-1.el8.noarch python3-aniso8601-0.82-4.el8ost.noarch python3-ansible-runner-1.4.5-1.el8ar.noarch python3-bcrypt-3.1.6-2.el8ev.x86_64 python3-click-6.7-8.el8.noarch python3-daemon-2.1.2-9.el8ar.noarch python3-dnf-plugin-versionlock-4.0.12-3.el8.noarch python3-docutils-0.14-12.module+el8.1.0+3334+5cb623d7.noarch python3-flask-1:1.0.2-2.el8ost.noarch python3-flask-restful-0.3.6-8.el8ost.noarch python3-itsdangerous-0.24-14.el8.noarch python3-jmespath-0.9.0-11.el8.noarch python3-lockfile-1:0.11.0-8.el8ar.noarch python3-lxml-4.2.3-1.el8.x86_64 python3-m2crypto-0.35.2-5.el8ev.x86_64 python3-magic-5.33-13.el8.noarch python3-mod_wsgi-4.6.4-4.el8.x86_64 python3-notario-0.0.16-2.el8cp.noarch python3-numpy-1:1.14.3-9.el8.x86_64 python3-ovirt-engine-lib-4.4.1.2-0.10.el8ev.noarch python3-ovirt-engine-sdk4-4.4.3-1.el8ev.x86_64 python3-ovirt-setup-lib-1.3.0-1.el8ev.noarch python3-paramiko-2.4.3-2.el8ev.noarch python3-passlib-1.7.0-5.el8ost.noarch python3-pexpect-4.6-2.el8ost.noarch python3-psutil-5.4.3-10.el8.x86_64 python3-psycopg2-2.7.5-7.el8.x86_64 python3-ptyprocess-0.5.2-4.el8.noarch python3-pwquality-1.4.0-9.el8.x86_64 python3-pyOpenSSL-18.0.0-1.el8.noarch python3-pycurl-7.43.0.2-4.el8.x86_64 python3-pynacl-1.3.0-5.el8ev.x86_64 python3-websocket-client-0.54.0-1.el8ost.noarch python3-websockify-0.8.0-12.el8ev.noarch python3-werkzeug-0.16.0-1.el8ost.noarch quota-1:4.04-10.el8.x86_64 quota-nls-1:4.04-10.el8.noarch redhat-storage-logos-httpd-81.1-1.el8rhgs.noarch relaxngDatatype-2011.1-7.module+el8.1.0+3366+6dfb954c.noarch resteasy-3.0.26-3.module+el8.1.0+3366+6dfb954c.noarch rhv-log-collector-analyzer-1.0.0-1.el8ev.noarch rhvm-4.4.1.2-0.10.el8ev.noarch rhvm-branding-rhv-4.4.3-1.el8ev.noarch rhvm-dependencies-4.4.0-1.el8ev.noarch rhvm-setup-plugins-4.4.2-1.el8ev.noarch rpcbind-1.2.5-7.el8.x86_64 
rsyslog-8.1911.0-3.el8.x86_64 rsyslog-elasticsearch-8.1911.0-3.el8.x86_64 rsyslog-mmjsonparse-8.1911.0-3.el8.x86_64 rsyslog-mmnormalize-8.1911.0-3.el8.x86_64 scl-utils-1:2.0.2-12.el8.x86_64 sgml-common-0.6.3-50.el8.noarch snmp4j-2.4.1-1.el8ev.noarch sos-3.8-6.el8_2.noarch source-highlight-3.1.8-16.el8.x86_64 spice-client-win-x64-8.0-1.el8.noarch spice-client-win-x86-8.0-1.el8.noarch sshpass-1.06-3.el8ae.x86_64 stax-ex-1.7.7-8.module+el8.1.0+3366+6dfb954c.noarch tcl-1:8.6.8-2.el8.x86_64 ttmkfdir-3.0.9-54.el8.x86_64 urw-base35-fonts-20170801-10.el8.noarch urw-base35-standard-symbols-ps-fonts-20170801-10.el8.noarch uuid-1.6.2-42.el8.x86_64 vdsm-jsonrpc-java-1.5.4-1.el8ev.noarch vim-filesystem-2:8.0.1763-13.el8.noarch ws-commons-util-1.0.2-1.el8ev.noarch xmlrpc-client-3.1.3-1.el8ev.noarch xmlrpc-common-3.1.3-1.el8ev.noarch xmlstreambuffer-1.5.4-8.module+el8.1.0+3366+6dfb954c.noarch xorg-x11-fonts-ISO8859-1-100dpi-7.5-19.el8.noarch xorg-x11-fonts-Type1-7.5-19.el8.noarch xsom-0-19.20110809svn.module+el8.1.0+3366+6dfb954c.noarch yajl-2.1.0-10.el8.x86_64 Complete! 
</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package gssproxy is removed</span> <span class="label label-default">oval:ssg-test_package_gssproxy_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>gssproxy</td><td>x86_64</td><td>(none)</td><td>15.el8</td><td>0.8.0</td><td>0:0.8.0-15.el8</td><td>199e2f91fd431d51</td><td>gssproxy-0:0.8.0-15.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed" id="rule-detail-idm45342104461760"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall abrt-addon-ccpp Packagexccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed lowCCE-82919-2 </div><div class="panel-heading"><h3 class="panel-title">Uninstall abrt-addon-ccpp Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_abrt-addon-ccpp_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82919-2">CCE-82919-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>abrt-addon-ccpp</code> package can be removed with the following command: <pre> $ sudo yum erase abrt-addon-ccpp</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>abrt-addon-ccpp</code> contains hooks for C/C++ crashed programs and <code>abrt</code>'s C/C++ analyzer plugin.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package abrt-addon-ccpp is removed</span> <span class="label label-default">oval:ssg-test_package_abrt-addon-ccpp_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-obj_test_package_abrt-addon-ccpp_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>abrt-addon-ccpp</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_package_tuned_removed" id="rule-detail-idm45342104458080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall tuned Packagexccdf_org.ssgproject.content_rule_package_tuned_removed lowCCE-82904-4 </div><div class="panel-heading"><h3 class="panel-title">Uninstall tuned Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_tuned_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_tuned_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:19:41</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82904-4">CCE-82904-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>tuned</code> package can be removed with the following command: <pre> $ sudo yum erase tuned</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>tuned</code> contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Dependencies resolved. 
================================================================================ Package Arch Version Repository Size ================================================================================ Removing: tuned noarch 2.13.0-6.el8 @anaconda 729 k Removing unused dependencies: hdparm x86_64 9.54-2.el8 @anaconda 184 k python3-linux-procfs noarch 0.6-7.el8 @anaconda 91 k python3-perf x86_64 4.18.0-193.7.1.el8_2 @koji-override-1 332 k python3-pyudev noarch 0.21.0-7.el8 @anaconda 315 k python3-schedutils x86_64 0.6-6.el8 @anaconda 44 k Transaction Summary ================================================================================ Remove 6 Packages Freed space: 1.7 M Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: tuned-2.13.0-6.el8.noarch 1/1 Running scriptlet: tuned-2.13.0-6.el8.noarch 1/6 Erasing : tuned-2.13.0-6.el8.noarch 1/6 warning: /etc/tuned/profile_mode saved as /etc/tuned/profile_mode.rpmsave warning: /etc/tuned/active_profile saved as /etc/tuned/active_profile.rpmsave Running scriptlet: tuned-2.13.0-6.el8.noarch 1/6 Erasing : python3-linux-procfs-0.6-7.el8.noarch 2/6 Erasing : python3-pyudev-0.21.0-7.el8.noarch 3/6 Erasing : hdparm-9.54-2.el8.x86_64 4/6 Erasing : python3-perf-4.18.0-193.7.1.el8_2.x86_64 5/6 Erasing : python3-schedutils-0.6-6.el8.x86_64 6/6 Running scriptlet: python3-schedutils-0.6-6.el8.x86_64 6/6 Verifying : hdparm-9.54-2.el8.x86_64 1/6 Verifying : python3-linux-procfs-0.6-7.el8.noarch 2/6 Verifying : python3-perf-4.18.0-193.7.1.el8_2.x86_64 3/6 Verifying : python3-pyudev-0.21.0-7.el8.noarch 4/6 Verifying : python3-schedutils-0.6-6.el8.x86_64 5/6 Verifying : tuned-2.13.0-6.el8.noarch 6/6 Removed: hdparm-9.54-2.el8.x86_64 python3-linux-procfs-0.6-7.el8.noarch python3-perf-4.18.0-193.7.1.el8_2.x86_64 python3-pyudev-0.21.0-7.el8.noarch python3-schedutils-0.6-6.el8.x86_64 tuned-2.13.0-6.el8.noarch Complete! 
</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package tuned is removed</span> <span class="label label-default">oval:ssg-test_package_tuned_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>tuned</td><td>noarch</td><td>(none)</td><td>6.el8</td><td>2.13.0</td><td>0:2.13.0-6.el8</td><td>199e2f91fd431d51</td><td>tuned-0:2.13.0-6.el8.noarch</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed" id="rule-detail-idm45342104447856"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall abrt-plugin-sosreport Packagexccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed lowCCE-82910-1 </div><div class="panel-heading"><h3 class="panel-title">Uninstall abrt-plugin-sosreport Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-package_abrt-plugin-sosreport_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82910-1">CCE-82910-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>abrt-plugin-sosreport</code> package can be removed with the following command: <pre> $ sudo yum erase abrt-plugin-sosreport</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>abrt-plugin-sosreport</code> provides a plugin to include an sosreport in an ABRT report.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package abrt-plugin-sosreport is removed</span> <span class="label label-default">oval:ssg-test_package_abrt-plugin-sosreport_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-obj_test_package_abrt-plugin-sosreport_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>abrt-plugin-sosreport</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_package_pigz_removed" id="rule-detail-idm45342104444176"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall pigz Packagexccdf_org.ssgproject.content_rule_package_pigz_removed lowCCE-82397-1 </div><div class="panel-heading"><h3 class="panel-title">Uninstall pigz Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_pigz_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_pigz_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:19:43</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82397-1">CCE-82397-1</abbr></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>pigz</code> package can be removed with the following command: <pre> $ sudo yum erase pigz</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Binaries shipped in <code>pigz</code> package in Red Hat Enterprise Linux 8 have not been compiled using recommended compiler flags. The binaries are compiled without sufficient stack protection and its address space layout randomization (ASLR) is weak.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Dependencies resolved. ================================================================================ Package Architecture Version Repository Size ================================================================================ Removing: pigz x86_64 2.4-4.el8 @anaconda 137 k Transaction Summary ================================================================================ Remove 1 Package Freed space: 137 k Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. 
Running transaction Preparing : 1/1 Erasing : pigz-2.4-4.el8.x86_64 1/1 Running scriptlet: pigz-2.4-4.el8.x86_64 1/1 Verifying : pigz-2.4-4.el8.x86_64 1/1 Removed: pigz-2.4-4.el8.x86_64 Complete! </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package pigz is removed</span> <span class="label label-default">oval:ssg-test_package_pigz_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>pigz</td><td>x86_64</td><td>(none)</td><td>4.el8</td><td>2.4</td><td>0:2.4-4.el8</td><td>199e2f91fd431d51</td><td>pigz-0:2.4-4.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed" id="rule-detail-idm45342104435984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall krb5-workstation Packagexccdf_org.ssgproject.content_rule_package_krb5-workstation_removed mediumCCE-82931-7 </div><div class="panel-heading"><h3 class="panel-title">Uninstall krb5-workstation Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the 
conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_krb5-workstation_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82931-7">CCE-82931-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>krb5-workstation</code> package can be removed with the following command: <pre> $ sudo yum erase krb5-workstation</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Kerberos is a network authentication system. The <code>krb5-workstation</code> package contains the basic Kerberos programs (<code>kinit</code>, <code>klist</code>, <code>kdestroy</code>, <code>kpasswd</code>). 
Currently, Kerberos does not utilize FIPS 140-2 cryptography and is not permitted on Government networks, nor is it permitted in many regulatory environments such as HIPAA.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package krb5-workstation is removed</span> <span class="label label-default">oval:ssg-test_package_krb5-workstation_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_krb5-workstation_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>krb5-workstation</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed" id="rule-detail-idm45342104432304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall abrt-plugin-rhtsupport Packagexccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed lowCCE-82916-8 </div><div class="panel-heading"><h3 class="panel-title">Uninstall abrt-plugin-rhtsupport Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_abrt-plugin-rhtsupport_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_abrt-plugin-rhtsupport_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82916-8">CCE-82916-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>abrt-plugin-rhtsupport</code> package can be removed with the following command: <pre> $ sudo yum erase abrt-plugin-rhtsupport</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>abrt-plugin-rhtsupport</code> is an ABRT plugin to report bugs into the Red Hat Support system.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package abrt-plugin-rhtsupport is removed</span> <span class="label label-default">oval:ssg-test_package_abrt-plugin-rhtsupport_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the 
following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_abrt-plugin-rhtsupport_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>abrt-plugin-rhtsupport</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_package_iprutils_removed" id="rule-detail-idm45342104426224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall iprutils Packagexccdf_org.ssgproject.content_rule_package_iprutils_removed lowCCE-82946-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall iprutils Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_iprutils_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_iprutils_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:19:46</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82946-5">CCE-82946-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>iprutils</code> package can be removed with the following command: <pre> $ sudo yum erase iprutils</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>iprutils</code> provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Dependencies resolved. 
================================================================================ Package Architecture Version Repository Size ================================================================================ Removing: iprutils x86_64 2.4.18.1-1.el8 @anaconda 995 k Transaction Summary ================================================================================ Remove 1 Package Freed space: 995 k Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: iprutils-2.4.18.1-1.el8.x86_64 1/1 Erasing : iprutils-2.4.18.1-1.el8.x86_64 1/1 Running scriptlet: iprutils-2.4.18.1-1.el8.x86_64 1/1 Verifying : iprutils-2.4.18.1-1.el8.x86_64 1/1 Removed: iprutils-2.4.18.1-1.el8.x86_64 Complete! </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package iprutils is removed</span> <span class="label label-default">oval:ssg-test_package_iprutils_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>iprutils</td><td>x86_64</td><td>(none)</td><td>1.el8</td><td>2.4.18.1</td><td>0:2.4.18.1-1.el8</td><td>199e2f91fd431d51</td><td>iprutils-0:2.4.18.1-1.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_enable_dracut_fips_module" id="rule-detail-idm45342104415536"><div class="keywords sr-only"><!--This 
allows OpenSCAP JS to search the report rules-->Enable Dracut FIPS Modulexccdf_org.ssgproject.content_rule_enable_dracut_fips_module mediumCCE-82155-3 </div><div class="panel-heading"><h3 class="panel-title">Enable Dracut FIPS Module</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_enable_dracut_fips_module</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-enable_dracut_fips_module:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:19:46</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82155-3">CCE-82155-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-000068</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000803</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002450</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000478-GPOS-00223</a>, <a href="">SRG-OS-000120-VMM-000600</a>, <a href="">SRG-OS-000478-VMM-001980</a>, <a href="">SRG-OS-000396-VMM-001590</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable FIPS mode, run the following command: <pre>fips-mode-setup --enable</pre> To enable FIPS, the system requires that the <code>fips</code> module is added in <code>dracut</code> configuration. 
Check if <code>/etc/dracut.conf.d/40-fips.conf</code> contains <code>add_dracutmodules+=" fips "</code></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The system needs to be rebooted for these changes to take effect.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See <b><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</a></b> To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. 
While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No suitable fix found.</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">add_dracutmodules contains fips</span> <span class="label label-default">oval:ssg-test_enable_dracut_fips_module:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_enable_dracut_fips_module:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/dracut.conf.d/40-fips.conf</td><td>^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:#.*)?$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_enable_fips_mode" id="rule-detail-idm45342104409488"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable FIPS Modexccdf_org.ssgproject.content_rule_enable_fips_mode highCCE-80942-6 </div><div class="panel-heading"><h3 class="panel-title">Enable FIPS Mode</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_enable_fips_mode</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-enable_fips_mode:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:04</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80942-6">CCE-80942-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-000068</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000803</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002450</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000478-GPOS-00223</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</a>, <a href="">SRG-OS-000120-VMM-000600</a>, <a href="">SRG-OS-000478-VMM-001980</a>, <a href="">SRG-OS-000396-VMM-001590</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable FIPS mode, run the following command: <pre>fips-mode-setup --enable</pre> <br> The <code>fips-mode-setup</code> command will configure the system in FIPS mode by automatically configuring the following: <ul><li>Setting the kernel FIPS mode flag (<code>/proc/sys/crypto/fips_enabled</code>) to 
<code>1</code></li><li>Creating <code>/etc/system-fips</code></li><li>Setting the system crypto policy in <code>/etc/crypto-policies/config</code> to <code>FIPS</code></li><li>Loading the Dracut <code>fips</code> module</li></ul> Furthermore, the system running in FIPS mode should be FIPS certified by NIST.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The system needs to be rebooted for these changes to take effect.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See <b><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</a></b> To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. 
While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Kernel initramdisks are being regenerated. This might take some time. Setting system policy to FIPS Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place. FIPS mode will be enabled. Please reboot the system for the setting to take effect. 
</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342160744768" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342160744768"><pre><code> fips-mode-setup --enable </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342160743664" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342160743664"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: enable fips mode
  command: /usr/bin/fips-mode-setup --enable
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - enable_fips_mode
    - high_severity
    - restrict_strategy
    - medium_complexity
    - medium_disruption
    - reboot_required
    - CCE-80942-6
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
    - NIST-800-53-IA-7
    - NIST-800-53-SC-13
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/etc/system-fips exists</span> 
<span class="label label-default">oval:ssg-test_etc_system_fips:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_system_fips:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/system-fips</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter crypto.fips_enabled set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_crypto_fips_enabled:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>crypto.fips_enabled</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">add_dracutmodules contains fips</span> <span class="label label-default">oval:ssg-test_enable_dracut_fips_module:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_enable_dracut_fips_module:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/dracut.conf.d/40-fips.conf</td><td>^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:#.*)?$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">check for crypto policy correctly configured in /etc/crypto-policies/config</span> <span class="label label-default">oval:ssg-test_configure_crypto_policy:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crypto-policies/config</td><td>DEFAULT</td></tr></tbody></table><h4><span class="label label-primary">check for crypto policy correctly configured in /etc/crypto-policies/state/current</span> <span class="label label-default">oval:ssg-test_configure_crypto_policy_current:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crypto-policies/state/current</td><td>DEFAULT</td></tr></tbody></table><h4><span class="label label-primary">Check if update-crypto-policies has been run</span> <span class="label label-default">oval:ssg-test_crypto_policies_updated:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_crypto_policies_config_file_age:var:1</td><td>26342411</td></tr></tbody></table><h4><span class="label label-primary">Check if /etc/crypto-policies/back-ends/nss.config exists</span> <span class="label label-default">oval:ssg-test_crypto_policy_nss_config:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/crypto-policies/back-ends/nss.config</td><td>symbolic link</td><td>0</td><td>0</td><td>42</td><td><code>rwxrwxrwx </code></td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not 
evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-client is version 6</span> <span class="label label-default">oval:ssg-test_rhel_client:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_client:obj:1</abbr></strong> of type 
<strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-client</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-client is version 6</span> <span class="label label-default">oval:ssg-test_rhel_client:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_client:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-client</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-workstation is version 6</span> <span class="label label-default">oval:ssg-test_rhel_workstation:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_workstation:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-workstation</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-workstation is version 6</span> <span class="label label-default">oval:ssg-test_rhel_workstation:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_workstation:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-workstation</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-server is version 6</span> <span class="label label-default">oval:ssg-test_rhel_server:tst:1</span> 
<span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_server:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-server</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-server is version 6</span> <span class="label label-default">oval:ssg-test_rhel_server:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_server:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-server</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-computenode is version 6</span> <span class="label label-default">oval:ssg-test_rhel_computenode:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_computenode:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-computenode</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-computenode is version 6</span> <span class="label label-default">oval:ssg-test_rhel_computenode:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_computenode:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-computenode</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label 
label-primary">redhat-release-client is version 6</span> <span class="label label-default">oval:ssg-test_rhel_client:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_client:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-client</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-client is version 6</span> <span class="label label-default">oval:ssg-test_rhel_client:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_client:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-client</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-workstation is version 6</span> <span class="label label-default">oval:ssg-test_rhel_workstation:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_workstation:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-workstation</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-workstation is version 6</span> <span class="label label-default">oval:ssg-test_rhel_workstation:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_workstation:obj:1</abbr></strong> of type 
<strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-workstation</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-server is version 6</span> <span class="label label-default">oval:ssg-test_rhel_server:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_server:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-server</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-server is version 6</span> <span class="label label-default">oval:ssg-test_rhel_server:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_server:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-server</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-computenode is version 6</span> <span class="label label-default">oval:ssg-test_rhel_computenode:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_computenode:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-computenode</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-computenode is version 6</span> <span class="label 
label-default">oval:ssg-test_rhel_computenode:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel_computenode:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-computenode</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel7_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel7_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-client is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_client:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_client:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-client</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-client is version 7</span> <span 
class="label label-default">oval:ssg-test_rhel7_client:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_client:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-client</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-workstation is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_workstation:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_workstation:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-workstation</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-workstation is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_workstation:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_workstation:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-workstation</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-server is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_server:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_server:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table 
class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-server</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-server is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_server:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_server:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-server</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-computenode is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_computenode:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_computenode:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-computenode</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-computenode is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_computenode:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_computenode:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-computenode</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span 
class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 7</span> <span class="label label-default">oval:ssg-test_rhevh_rhel7_version:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel7_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 7</span> <span class="label label-default">oval:ssg-test_rhevh_rhel7_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel7_version:obj:1</abbr></strong> of 
type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel7_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel7_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-client is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_client:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_client:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-client</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-client is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_client:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming 
to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_client:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-client</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-workstation is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_workstation:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_workstation:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-workstation</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-workstation is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_workstation:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_workstation:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-workstation</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-server is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_server:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_server:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-server</td></tr></tbody></table><h4><span class="label 
label-primary">redhat-release-server is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_server:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_server:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-server</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-computenode is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_computenode:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_computenode:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-computenode</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-computenode is version 7</span> <span class="label label-default">oval:ssg-test_rhel7_computenode:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel7_computenode:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-computenode</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 7</span> <span class="label label-default">oval:ssg-test_rhevh_rhel7_version:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel7_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 7</span> <span class="label label-default">oval:ssg-test_rhevh_rhel7_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel7_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>25.0.el8rhgs</td><td>8.2</td><td>0:8.2-25.0.el8rhgs</td><td>0</td><td>redhat-release-0:8.2-25.0.el8rhgs.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>25.0.el8rhgs</td><td>8.2</td><td>0:8.2-25.0.el8rhgs</td><td>0</td><td>redhat-release-0:8.2-25.0.el8rhgs.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-coreos is version 8</span> <span class="label label-default">oval:ssg-test_rhel8_coreos:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel8_coreos:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.\d+\.\d+ \([\w\s]+\)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-coreos is version 8</span> <span class="label label-default">oval:ssg-test_rhel8_coreos:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel8_coreos:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.\d+\.\d+ \([\w\s]+\)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found 
conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">installed OS part of unix family</span> <span class="label label-default">oval:ssg-test_rhel8_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>25.0.el8rhgs</td><td>8.2</td><td>0:8.2-25.0.el8rhgs</td><td>0</td><td>redhat-release-0:8.2-25.0.el8rhgs.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release is version 8</span> <span class="label label-default">oval:ssg-test_rhel8:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>redhat-release</td><td>x86_64</td><td>(none)</td><td>25.0.el8rhgs</td><td>8.2</td><td>0:8.2-25.0.el8rhgs</td><td>0</td><td>redhat-release-0:8.2-25.0.el8rhgs.x86_64</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-coreos is version 8</span> <span class="label label-default">oval:ssg-test_rhel8_coreos:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel8_coreos:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.\d+\.\d+ \([\w\s]+\)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-coreos is version 8</span> <span class="label label-default">oval:ssg-test_rhel8_coreos:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhel8_coreos:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/os-release</td><td>^PRETTY_NAME="Red Hat Enterprise Linux CoreOS \d+\.(\d)\d+\.\d+\.\d+ \([\w\s]+\)"$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found 
conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">redhat-release-virtualization-host RPM package is installed</span> <span class="label label-default">oval:ssg-test_rhvh4_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhvh4_version:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>redhat-release-virtualization-host</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">RHEVH base RHEL is version 8</span> <span class="label label-default">oval:ssg-test_rhevh_rhel8_version:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rhevh_rhel8_version:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/redhat-release</td><td>^Red Hat Enterprise Linux release (\d)\.\d+$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">oraclelinux-release is version 7</span> <span class="label label-default">oval:ssg-test_ol7_system:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_ol7_system:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>oraclelinux-release</td></tr></tbody></table><h4><span class="label label-primary">oraclelinux-release is version 7</span> <span class="label label-default">oval:ssg-test_ol7_system:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_ol7_system:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>oraclelinux-release</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_unix_family:obj:1</abbr></strong> of type <strong>family_object</strong></h5><table class="table table-striped table-bordered"><thead><tr></tr></thead><tbody><tr></tr></tbody></table><h4><span class="label label-primary">Test installed OS is part of the unix family</span> <span class="label label-default">oval:ssg-test_unix_family:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Family</th></tr></thead><tbody><tr><td>unix</td></tr></tbody></table><h4><span class="label label-primary">oraclelinux-release is version 7</span> <span class="label label-default">oval:ssg-test_ol7_system:tst:1</span> <span class="label label-danger">not evaluated</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_ol7_system:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>oraclelinux-release</td></tr></tbody></table><h4><span class="label label-primary">oraclelinux-release is version 7</span> <span class="label label-default">oval:ssg-test_ol7_system:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_ol7_system:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>oraclelinux-release</td></tr></tbody></table><h4><span class="label label-primary">tests if var_system_crypto_policy is set to FIPS</span> <span class="label label-default">oval:ssg-test_system_crypto_policy_value:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_system_crypto_policy:var:1</td><td>FIPS:OSPP</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="rule-detail-idm45342104399920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure BIND to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_bind_crypto_policy mediumCCE-80934-3 </div><div class="panel-heading"><h3 class="panel-title">Configure BIND to use System Crypto Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-configure_bind_crypto_policy:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80934-3">CCE-80934-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000423-GPOS-00187</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000426-GPOS-00190</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Crypto Policies provide centralized control over the crypto algorithms used by many packages. BIND is supported by crypto policy, but the BIND configuration may be set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the <code>/etc/named.conf</code> includes the appropriate configuration: In the <code>options</code> section of <code>/etc/named.conf</code>, make sure that the following line is not commented out or superseded by later includes: <code>include "/etc/crypto-policies/back-ends/bind.config";</code></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package bind is removed</span> <span class="label label-default">oval:ssg-test_package_bind_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_bind_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>bind</td></tr></tbody></table><h4><span class="label label-primary">Check that the configuration includes the policy config file.</span> <span class="label label-default">oval:ssg-test_configure_bind_crypto_policy:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_configure_bind_crypto_policy:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/named.conf</td><td>^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" id="rule-detail-idm45342104391472"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure OpenSSL library to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy mediumCCE-80938-4 </div><div class="panel-heading"><h3 class="panel-title">Configure OpenSSL library to use System Crypto Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-configure_openssl_crypto_policy:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:04</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80938-4">CCE-80938-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000250-GPOS-00093</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under <code>/etc/pki/tls/openssl.cnf</code>. 
This file has the <code>ini</code> format, and it enables crypto policy support if there is a <code>[ crypto_policy ]</code> section that contains the <code>.include /etc/crypto-policies/back-ends/openssl.config</code> directive.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Overriding the system crypto policy makes the behavior of the Java runtime violate expectations, and makes system configuration more fragmented.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check that the configuration mandates usage of system-wide crypto policies.</span> <span class="label label-default">oval:ssg-test_configure_openssl_crypto_policy:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_configure_openssl_crypto_policy:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pki/tls/openssl.cnf</td><td>^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*/etc/crypto-policies/back-ends/openssl.config\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail 
rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy" id="rule-detail-idm45342104385120"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Libreswan to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy mediumCCE-80937-6 </div><div class="panel-heading"><h3 class="panel-title">Configure Libreswan to use System Crypto Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-configure_libreswan_crypto_policy:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80937-6">CCE-80937-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000033-GPOS-00014</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the <code>/etc/ipsec.conf</code> includes the appropriate configuration file. 
In <code>/etc/ipsec.conf</code>, make sure that the following line is not commented out or superseded by later includes: <code>include /etc/crypto-policies/back-ends/libreswan.config</code></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package libreswan is installed</span> <span class="label label-default">oval:ssg-test_package_libreswan_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_libreswan_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>libreswan</td></tr></tbody></table><h4><span class="label label-primary">Check that the libreswan configuration includes the crypto policy config file</span> <span class="label label-default">oval:ssg-test_configure_libreswan_crypto_policy:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_configure_libreswan_crypto_policy:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ipsec.conf</td><td>^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_configure_crypto_policy" id="rule-detail-idm45342104381440"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure System Cryptography Policyxccdf_org.ssgproject.content_rule_configure_crypto_policy highCCE-80935-0 </div><div class="panel-heading"><h3 class="panel-title">Configure System Cryptography Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_crypto_policy</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-configure_crypto_policy:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:05</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80935-0">CCE-80935-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000393-GPOS-00173</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000394-GPOS-00174</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system cryptography policy to use ciphers only from the <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr></code> policy, run the following command: <pre>$ sudo update-crypto-policies --set <abbr title="from TestResult: 
xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr></pre> The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the <code>/etc/crypto-policies/back-ends</code> are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The system needs to be rebooted for these changes to take effect.</div></div><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. 
See <b><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</a></b> To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Setting system policy to FIPS:OSPP Note: System-wide crypto policies are applied on application start-up. It is recommended to restart the system for the change of policies to fully take place. 
</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342160581696" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342160581696"><pre><code>
var_system_crypto_policy="<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr>"

update-crypto-policies --set ${var_system_crypto_policy}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342160579568" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342160579568"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
  set_fact:
    var_system_crypto_policy: !!str <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr>
  tags:
    - always

- name: Configure System Cryptography Policy
  lineinfile:
    path: /etc/crypto-policies/config
    regexp: ^(?!#)(\S+)$
    line: '{{ var_system_crypto_policy }}'
    create: true
  tags:
    - configure_crypto_policy
    - high_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80935-0
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-17(2)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-13
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)

- name: Verify that Crypto Policy is Set (runtime)
  command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }}
  tags:
    - configure_crypto_policy
    - high_severity
    - restrict_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-80935-0
    - NIST-800-53-AC-17(a)
    - NIST-800-53-AC-17(2)
    - NIST-800-53-CM-6(a)
    - NIST-800-53-MA-4(6)
    - NIST-800-53-SC-13
    - NIST-800-53-SC-12(2)
    - NIST-800-53-SC-12(3)
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for crypto policy correctly configured in /etc/crypto-policies/config</span> <span class="label label-default">oval:ssg-test_configure_crypto_policy:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crypto-policies/config</td><td>DEFAULT</td></tr></tbody></table><h4><span class="label label-primary">check for crypto policy correctly configured in /etc/crypto-policies/state/current</span> <span class="label label-default">oval:ssg-test_configure_crypto_policy_current:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/crypto-policies/state/current</td><td>DEFAULT</td></tr></tbody></table><h4><span class="label label-primary">Check if update-crypto-policies has been run</span> <span class="label label-default">oval:ssg-test_crypto_policies_updated:tst:1</span> <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_crypto_policies_config_file_age:var:1</td><td>26342411</td></tr></tbody></table><h4><span class="label label-primary">Check if /etc/crypto-policies/back-ends/nss.config exists</span> <span class="label label-default">oval:ssg-test_crypto_policy_nss_config:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Type</th><th>UID</th><th>GID</th><th>Size (B)</th><th>Permissions</th></tr></thead><tbody><tr><td>/etc/crypto-policies/back-ends/nss.config</td><td>symbolic link</td><td>0</td><td>0</td><td>42</td><td><code>rwxrwxrwx </code></td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="rule-detail-idm45342104373680"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kerberos to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy mediumCCE-80936-8 </div><div class="panel-heading"><h3 class="panel-title">Configure Kerberos to use System Crypto Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-configure_kerberos_crypto_policy:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80936-8">CCE-80936-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but its configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/crypto-policies/back-ends/krb5.config. 
If the symlink exists, kerberos is configured to use the system-wide crypto policy settings.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file</span> <span class="label label-default">oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1</td><td>/usr/share/crypto-policies/DEFAULT/krb5.txt</td></tr></tbody></table><h4><span class="label label-primary">Check if kerberos configuration symlink links to the crypto-policy backend file</span> <span class="label label-default">oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1</td><td>/usr/share/crypto-policies/DEFAULT/krb5.txt</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_aide_installed" id="rule-detail-idm45342104344832"><div class="keywords 
sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-80844-4 </div><div class="panel-heading"><h3 class="panel-title">Install AIDE</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_aide_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_aide_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80844-4">CCE-80844-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R51)</a>, <a href="">1.3.1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI02.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI06.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS04.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-11.5</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000363-GPOS-00150</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>aide</code> package can be installed with the following command: <pre> $ sudo yum install aide</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The AIDE package must be installed if it is to be available for integrity checking.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package aide is installed</span> <span class="label label-default">oval:ssg-test_package_aide_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>aide</td><td>x86_64</td><td>(none)</td><td>11.el8</td><td>0.16</td><td>0:0.16-11.el8</td><td>0</td><td>aide-0:0.16-11.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_pti_argument" id="rule-detail-idm45342104313008"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Page-Table Isolation (KPTI)xccdf_org.ssgproject.content_rule_grub2_pti_argument highCCE-82194-2 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Page-Table Isolation (KPTI)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td 
class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_pti_argument</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-grub2_pti_argument:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:05</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82194-2">CCE-82194-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00193</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable Kernel page-table isolation, add the argument <code>pti=on</code> to the default GRUB 2 command line for the Linux operating system in <code>/etc/default/grub</code>, in the manner below: <pre>GRUB_CMDLINE_LINUX="pti=on"</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization 
(KASLR).</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The GRUB 2 configuration file, <code>grub.cfg</code>, is automatically updated each time a new kernel is installed. Note that any changes to <code>/etc/default/grub</code> require rebuilding the <code>grub.cfg</code> file. To update the GRUB 2 configuration file manually, use the <pre>grub2-mkconfig -o</pre> command as follows: <ul><li>On BIOS-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</pre></li><li>On UEFI-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li></ul></div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for kernel command line parameters pti=on in /boot/grub2/grubenv for all kernels</span> <span class="label label-default">oval:ssg-test_grub2_pti_argument_grub_env:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/boot/grub2/grubenv</td><td>kernelopts=root=/dev/mapper/ovirt-root ro 
console=tty0 console=ttyS0 crashkernel=auto resume=/dev/mapper/ovirt-swap rd.lvm.lv=ovirt/root rd.lvm.lv=ovirt/swap </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_uefi_password" id="rule-detail-idm45342104298656"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set the UEFI Boot Loader Passwordxccdf_org.ssgproject.content_rule_grub2_uefi_password mediumCCE-80829-5 </div><div class="panel-heading"><h3 class="panel-title">Set the UEFI Boot Loader Password</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_uefi_password</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-grub2_uefi_password:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80829-5">CCE-80829-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R17)</a>, <a href="">1.4.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings. <br><br> To do so, select a superuser account name and password and modify the <code>/etc/grub.d/01_users</code> configuration file with the new account name. <br><br> Since plaintext passwords are a security risk, generate a hash for the password by running the following command: <pre>$ grub2-setpassword</pre> When prompted, enter the password that was selected. <br><br> NOTE: It is recommended not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. <br><br> Change the superuser to a different username (The default is 'root'). <pre>$ sed -i s/root/bootuser/g /etc/grub.d/01_users</pre> <br><br> To meet FISMA Moderate, the bootloader superuser account and password MUST differ from the root account and password. 
Once the superuser account and password have been added, update the <code>grub.cfg</code> file by running: <pre>grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre> NOTE: Do NOT manually add the superuser account and password to the <code>grub.cfg</code> file as the grub2-mkconfig command overwrites this file.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/boot/efi/EFI/redhat/grub.cfg does not exist</span> <span class="label label-default">oval:ssg-test_bootloader_uefi_grub_cfg:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_bootloader_uefi_grub_cfg:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>^/boot/efi/EFI/(redhat|fedora)/grub.cfg$</td></tr></tbody></table><h4><span class="label label-primary">make sure a password is defined in /boot/efi/EFI/redhat/user.cfg</span> <span class="label 
label-default">oval:ssg-test_grub2_uefi_password_usercfg:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_grub2_uefi_password_usercfg:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/boot/efi/EFI/(redhat|fedora)/user.cfg$</td><td>^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg</span> <span class="label label-default">oval:ssg-test_grub2_uefi_password_grubcfg:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_grub2_uefi_password_grubcfg:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/boot/efi/EFI/(redhat|fedora)/grub.cfg$</td><td>^[\s]*password_pbkdf2[\s]+.*[\s]+grub\.pbkdf2\.sha512.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">superuser is defined in /boot/efi/EFI/redhat/grub.cfg. 
Superuser is not root, admin, or administrator</span> <span class="label label-default">oval:ssg-test_bootloader_uefi_superuser:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_bootloader_uefi_superuser:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/boot/efi/EFI/(redhat|fedora)/grub.cfg$</td><td>^[\s]*set[\s]+superusers=\"(?i)(?!root|admin|administrator)(?-i).*\"$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_for_ospp" id="rule-detail-idm45342104267152"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure audit according to OSPP requirementsxccdf_org.ssgproject.content_rule_audit_rules_for_ospp mediumCCE-82309-6 </div><div class="panel-heading"><h3 class="panel-title">Configure audit according to OSPP requirements</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_for_ospp</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_for_ospp:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82309-6">CCE-82309-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">NONE</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000240-GPOS-00090</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000327-GPOS-00127</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000467-GPOS-00211</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00216</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000472-GPOS-00217</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000477-GPOS-00222</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure audit to meet requirements for Operating System Protection Profile (OSPP) v4.2.1. Audit defines groups of rules in <code>/usr/share/doc/audit/rules</code> to satisfy specific policies. To fulfill requirements for compliance with OSPP v4.2.1, the following files are necessary: <ul><li>/usr/share/doc/audit/rules/10-base-config.rules</li><li>/usr/share/doc/audit/rules/11-loginuid.rules</li><li>/usr/share/doc/audit/rules/30-ospp-v42.rules</li><li>/usr/share/doc/audit/rules/43-module-load.rules</li></ul> Copy the files from <code>/usr/share/doc/audit/rules</code> to <code>/etc/audit/rules.d</code>: <pre> cp /usr/share/doc/audit*/rules/{10-base-config,11-loginuid,30-ospp-v42,43-module-load}.rules /etc/audit/rules.d/ </pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The audit rules defined in <code>/usr/share/doc/audit/rules</code> are the recommended way to meet compliance with OSPP v4.2.1.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label 
label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">cp: cannot stat '/usr/share/doc/audit*/rules/10-base-config.rules': No such file or directory
cp: cannot stat '/usr/share/doc/audit*/rules/11-loginuid.rules': No such file or directory
cp: cannot stat '/usr/share/doc/audit*/rules/30-ospp-v42.rules': No such file or directory
cp: cannot stat '/usr/share/doc/audit*/rules/43-module-load.rules': No such file or directory
/sbin/augenrules: No change
No rules
enabled 1
failure 1
pid 898
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
enabled 1
failure 1
pid 898
rate_limit 0
backlog_limit 8192
lost 0
backlog 1
backlog_wait_time 60000
enabled 1
failure 1
pid 898
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342158184736" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342158184736"><pre><code>cp /usr/share/doc/audit*/rules/10-base-config.rules /etc/audit/rules.d
cp /usr/share/doc/audit*/rules/11-loginuid.rules /etc/audit/rules.d
cp /usr/share/doc/audit*/rules/30-ospp-v42.rules /etc/audit/rules.d
cp /usr/share/doc/audit*/rules/43-module-load.rules /etc/audit/rules.d
augenrules --load
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label 
label-primary">Compare 10-base-config.rules file in /etc/audit/rules.d against file in /usr/share/doc/audit/</span> <span class="label label-default">oval:ssg-test_compare_10-base-config:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_10-base-config:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/rules.d/10-base-config.rules</td><td>(?:.*\n)*</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Compare 11-loginuid.rules file in /etc/audit/rules.d against file in /usr/share/doc/audit/</span> <span class="label label-default">oval:ssg-test_compare_11-loginuid:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_11-loginuid:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/rules.d/11-loginuid.rules</td><td>(?:.*\n)*</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Compare 30-ospp-v42.rules file in /etc/audit/rules.d against file in /usr/share/doc/audit/</span> <span class="label label-default">oval:ssg-test_compare_30-ospp-v42:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_30-ospp-v42:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/rules.d/30-ospp-v42.rules</td><td>(?:.*\n)*</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Compare 43-module-load.rules file in /etc/audit/rules.d against file in /usr/share/doc/audit/</span> <span class="label label-default">oval:ssg-test_compare_43-module-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_43-module-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/rules.d/43-module-load.rules</td><td>(?:.*\n)*</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" id="rule-detail-idm45342104230832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Record Events that Modify User/Group Information - /etc/passwdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd mediumCCE-80761-0 </div><div class="panel-heading"><h3 class="panel-title">Record Events that Modify User/Group Information - /etc/passwd</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-audit_rules_usergroup_modification_passwd:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80761-0">CCE-80761-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">5.2.5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">19</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO11.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO12.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI08.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS02.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS02.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS02.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000018</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001403</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001404</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001405</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001683</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001684</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001685</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001686</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002132</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.2.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.5.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000240-GPOS-00090</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000274-GPOS-00104</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000275-GPOS-00105</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000276-GPOS-00106</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000277-GPOS-00107</a>, <a href="">SRG-OS-000004-VMM-000040</a>, <a href="">SRG-OS-000239-VMM-000810</a>, <a href="">SRG-OS-000240-VMM-000820</a>, <a href="">SRG-OS-000241-VMM-000830</a>, <a href="">SRG-OS-000274-VMM-000960</a>, <a href="">SRG-OS-000275-VMM-000970</a>, <a href="">SRG-OS-000276-VMM-000980</a>, <a href="">SRG-OS-000277-VMM-000990</a>, <a href="">SRG-OS-000303-VMM-001090</a>, <a href="">SRG-OS-000304-VMM-001100</a>, <a href="">SRG-OS-000476-VMM-001960</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program to read audit rules during daemon startup (the default), add the following line to a file with suffix <code>.rules</code> in the directory <code>/etc/audit/rules.d</code>, in order to capture events that modify account information: <br><br> <pre>-w /etc/passwd -p wa -k audit_rules_usergroup_modification</pre> <br><br> If the <code>auditd</code> daemon is configured to use the <code>auditctl</code> utility to read audit rules during daemon startup, add the following line to the <code>/etc/audit/audit.rules</code> file, in order to capture events that modify account information: <br><br> <pre>-w /etc/passwd -p wa -k audit_rules_usergroup_modification</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any 
modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audit augenrules</span> <span class="label label-default">oval:ssg-test_audit_rules_augenrules:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>ExecStartPost=-/sbin/augenrules --load</td></tr></tbody></table><h4><span class="label label-primary">audit augenrules passwd</span> <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_passwd_augen:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_passwd_augen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/audit/rules\.d/.*\.rules$</td><td>^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit auditctl</span> <span class="label label-default">oval:ssg-test_audit_rules_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/auditd.service</td><td>^ExecStartPost=\-\/sbin\/auditctl.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">audit passwd</span> <span class="label label-default">oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_audit_rules_usergroup_modification_passwd_auditctl:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/audit.rules</td><td>^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_name_format" id="rule-detail-idm45342103880784"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report 
rules-->Set hostname as computer node name in audit logsxccdf_org.ssgproject.content_rule_auditd_name_format mediumCCE-82897-0 </div><div class="panel-heading"><h3 class="panel-title">Set hostname as computer node name in audit logs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_name_format</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_name_format:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82897-0">CCE-82897-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the Audit daemon to use the value returned by the gethostname syscall as the computer node name in audit events, set <code>name_format</code> to <code>hostname</code> in <code>/etc/audit/auditd.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If option <code>name_format</code> is left at its default value of <code>none</code>, audit events from different computers may be hard to distinguish.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of name_format setting in the /etc/audit/auditd.conf file</span> <span class="label 
label-default">oval:ssg-test_auditd_name_format:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>name_format = NONE</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_local_events" id="rule-detail-idm45342103874160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Include Local Events in Audit Logsxccdf_org.ssgproject.content_rule_auditd_local_events mediumCCE-82233-8 </div><div class="panel-heading"><h3 class="panel-title">Include Local Events in Audit Logs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_local_events</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_local_events:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82233-8">CCE-82233-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the Audit daemon to include local events in Audit logs, set <code>local_events</code> to <code>yes</code> in <code>/etc/audit/auditd.conf</code>. This is the default setting.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If option <code>local_events</code> isn't set to <code>yes</code>, only events from the network will be aggregated.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of local_events setting in the /etc/audit/auditd.conf file</span> <span class="label label-default">oval:ssg-test_auditd_local_events:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>local_events = yes</td></tr></tbody></table><h4><span class="label label-primary">tests the absence of local_events setting in the /etc/audit/auditd.conf file</span> <span 
class="label label-default">oval:ssg-test_auditd_local_events_default_not_overriden:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>local_events = </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_freq" id="rule-detail-idm45342103870512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set number of records to cause an explicit flush to audit logsxccdf_org.ssgproject.content_rule_auditd_freq mediumCCE-82258-5 </div><div class="panel-heading"><h3 class="panel-title">Set number of records to cause an explicit flush to audit logs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_freq</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_freq:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82258-5">CCE-82258-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the Audit daemon to issue an explicit flush to disk command after writing 50 records, set <code>freq</code> to <code>50</code> in <code>/etc/audit/auditd.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If option <code>freq</code> isn't set to <code>50</code>, the flush to disk may happen after a higher number of records, increasing the danger of audit loss.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of freq setting in the /etc/audit/auditd.conf file</span> <span class="label label-default">oval:ssg-test_auditd_freq:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>freq = 50</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_log_format" id="rule-detail-idm45342103856208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Resolve information before writing to audit logsxccdf_org.ssgproject.content_rule_auditd_log_format mediumCCE-82201-5 </div><div class="panel-heading"><h3 class="panel-title">Resolve information before writing to audit logs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_log_format</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_log_format:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82201-5">CCE-82201-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set <code>log_format</code> to <code>ENRICHED</code> in <code>/etc/audit/auditd.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If option <code>log_format</code> isn't set to <code>ENRICHED</code>, the audit records will be stored in a format exactly as the kernel sends them.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of log_format setting in the /etc/audit/auditd.conf file</span> <span class="label label-default">oval:ssg-test_auditd_log_format:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>log_format = ENRICHED</td></tr></tbody></table></div></div></div></div></div><div class="panel 
panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_write_logs" id="rule-detail-idm45342103846672"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Write Audit Logs to the Diskxccdf_org.ssgproject.content_rule_auditd_write_logs mediumCCE-82366-6 </div><div class="panel-heading"><h3 class="panel-title">Write Audit Logs to the Disk</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_write_logs</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_write_logs:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82366-6">CCE-82366-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure Audit daemon to write Audit logs to the disk, set <code>write_logs</code> to <code>yes</code> in <code>/etc/audit/auditd.conf</code>. This is the default setting.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If <code>write_logs</code> isn't set to <code>yes</code>, the Audit logs will not be written to the disk.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of write_logs setting in the /etc/audit/auditd.conf file</span> <span class="label label-default">oval:ssg-test_auditd_write_logs:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>write_logs = yes</td></tr></tbody></table><h4><span class="label label-primary">tests the absence of write_logs setting in the /etc/audit/auditd.conf file</span> <span class="label 
label-default">oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>write_logs = </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" id="rule-detail-idm45342103838240"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditd flush priorityxccdf_org.ssgproject.content_rule_auditd_data_retention_flush mediumCCE-80680-2 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd flush priority</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_data_retention_flush</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-auditd_data_retention_flush:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80680-2">CCE-80680-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.04</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO11.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001576</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.2.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-11</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service can be configured to synchronously write audit event data to disk. Add or correct the following line in <code>/etc/audit/auditd.conf</code> to ensure that audit event data is fully synchronized with the log files on the disk: <pre>flush = <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_auditd_flush">incremental_async</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Audit data should be synchronously written to disk to ensure log integrity. 
These parameters assure that all audit event data is fully synchronized with the log files on the disk.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">test the value of flush parameter in /etc/audit/auditd.conf</span> <span class="label label-default">oval:ssg-test_auditd_data_retention_flush:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/audit/auditd.conf</td><td>flush = INCREMENTAL_ASYNC</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" id="rule-detail-idm45342103833744"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure auditd to use audispd's syslog pluginxccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated mediumCCE-80677-8 </div><div class="panel-heading"><h3 class="panel-title">Configure auditd to use audispd's syslog plugin</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-auditd_audispd_syslog_plugin_activated:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80677-8">CCE-80677-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">19</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO11.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO12.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI08.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS02.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS02.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS02.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000136</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(6)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(8)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(i)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.5.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</a>, <a href="">SRG-OS-000051-VMM-000230</a>, <a href="">SRG-OS-000058-VMM-000270</a>, <a href="">SRG-OS-000059-VMM-000280</a>, <a href="">SRG-OS-000479-VMM-001990</a>, <a 
href="">SRG-OS-000479-VMM-001990</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the <code>auditd</code> service to use the <code>syslog</code> plug-in of the <code>audispd</code> audit event multiplexor, set the <code>active</code> line in <code>/etc/audit/plugins.d/syslog.conf</code> to <code>yes</code>. Restart the <code>auditd</code> service: <pre>$ sudo service auditd restart</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for the audit event multiplexor (audispd) to pass audit records to the local syslog server.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/audit/plugins.d/syslog.conf: No such file or directory </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">audispd syslog plugin activated</span> <span class="label label-default">oval:ssg-test_auditd_audispd_syslog_plugin_activated:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_auditd_audispd_syslog_plugin_activated:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/audit/plugins.d/syslog.conf</td><td>^[ ]*active[ ]+=[ ]+yes[ ]*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_audit_installed" id="rule-detail-idm45342104293264"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the audit Subsystem is Installedxccdf_org.ssgproject.content_rule_package_audit_installed mediumCCE-81043-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure the audit Subsystem is Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_audit_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_audit_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:01</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81043-2">CCE-81043-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The audit package should be installed.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken 
from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package audit is installed</span> <span class="label label-default">oval:ssg-test_package_audit_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>audit</td><td>x86_64</td><td>(none)</td><td>0.17.20191104git1c2f876.el8</td><td>3.0</td><td>0:3.0-0.17.20191104git1c2f876.el8</td><td>199e2f91fd431d51</td><td>audit-0:3.0-0.17.20191104git1c2f876.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_package_audispd-plugins_installed" id="rule-detail-idm45342104289600"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install audispd-plugins Packagexccdf_org.ssgproject.content_rule_package_audispd-plugins_installed mediumCCE-82953-1 </div><div class="panel-heading"><h3 class="panel-title">Install audispd-plugins Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_audispd-plugins_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_audispd-plugins_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82953-1">CCE-82953-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>audispd-plugins</code> package can be installed with the following command: <pre> $ sudo yum install audispd-plugins</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>audispd-plugins</code> provides plugins for the real-time interface to the audit subsystem, <code>audispd</code>. 
These plugins can do things like relay events to remote machines or analyze events for suspicious behavior.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Error: There are no enabled repositories in "/etc/yum.repos.d", "/etc/yum/repos.d", "/etc/distro.repos.d". </message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342158501504" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342158501504"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
if ! rpm -q --quiet "audispd-plugins" ; then
    yum install -y "audispd-plugins"
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342158499424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342158499424"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audispd-plugins is installed
  package:
    name: audispd-plugins
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_audispd-plugins_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82953-1
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342158497040" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342158497040"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audispd-plugins

class install_audispd-plugins {
  package { 'audispd-plugins':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342158494896" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br></br><div
class="panel-collapse collapse" id="idm45342158494896"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> package --add=audispd-plugins </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package audispd-plugins is installed</span> <span class="label label-default">oval:ssg-test_package_audispd-plugins_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_audispd-plugins_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>audispd-plugins</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled" id="rule-detail-idm45342104281824"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable auditd Servicexccdf_org.ssgproject.content_rule_service_auditd_enabled highCCE-80872-5 </div><div class="panel-heading"><h3 class="panel-title">Enable auditd Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_auditd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_auditd_enabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80872-5">CCE-80872-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">4.1.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">19</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO11.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO12.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI08.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS02.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS02.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS02.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.03</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.2.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="">SRG-OS-000037-VMM-000150</a>, <a href="">SRG-OS-000063-VMM-000310</a>, <a href="">SRG-OS-000038-VMM-000160</a>, <a href="">SRG-OS-000039-VMM-000170</a>, <a href="">SRG-OS-000040-VMM-000180</a>, <a href="">SRG-OS-000041-VMM-000190</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>auditd</code> service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The <code>auditd</code> service can be enabled with the following command: <pre>$ sudo systemctl enable auditd.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the <code>auditd</code> service is active ensures audit records generated by the kernel are appropriately recorded. 
<br><br> Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package audit is installed</span> <span class="label label-default">oval:ssg-test_service_auditd_package_audit_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>audit</td><td>x86_64</td><td>(none)</td><td>0.17.20191104git1c2f876.el8</td><td>3.0</td><td>0:3.0-0.17.20191104git1c2f876.el8</td><td>199e2f91fd431d51</td><td>audit-0:3.0-0.17.20191104git1c2f876.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the auditd service is running</span> <span class="label label-default">oval:ssg-test_service_running_auditd:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>auditd.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_auditd:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td
>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_auditd_socket:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td
>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_audit_argument" id="rule-detail-idm45342104278160"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Auditing for Processes Which Start Prior to the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_argument mediumCCE-80825-3 </div><div class="panel-heading"><h3 class="panel-title">Enable Auditing for Processes Which Start Prior to the Audit Daemon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_grub2_audit_argument</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-grub2_audit_argument:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80825-3">CCE-80825-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">4.1.3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">19</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO11.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO12.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI08.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS02.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS02.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS02.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.2.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="">SRG-OS-000254-VMM-000880</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument <code>audit=1</code> to the default GRUB 2 command line for the Linux operating system in <code>/boot/grub2/grubenv</code>, in the manner below: <pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although <code>auditd</code> takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The GRUB 2 configuration file, <code>grub.cfg</code>, is automatically updated each time a new kernel is installed. Note that any changes to <code>/etc/default/grub</code> require rebuilding the <code>grub.cfg</code> file. 
To update the GRUB 2 configuration file manually, use the <pre>grub2-mkconfig -o</pre> command as follows: <ul><li>On BIOS-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</pre></li><li>On UEFI-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li></ul></div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for kernel command line parameters audit=1 in /boot/grub2/grubenv for all kernels</span> <span class="label label-default">oval:ssg-test_grub2_audit_argument_grub_env:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/boot/grub2/grubenv</td><td>kernelopts=root=/dev/mapper/ovirt-root ro console=tty0 console=ttyS0 crashkernel=auto resume=/dev/mapper/ovirt-swap rd.lvm.lv=ovirt/root rd.lvm.lv=ovirt/swap </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument" id="rule-detail-idm45342104272688"><div class="keywords sr-only"><!--This
allows OpenSCAP JS to search the report rules-->Extend Audit Backlog Limit for the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument mediumCCE-80943-4 </div><div class="panel-heading"><h3 class="panel-title">Extend Audit Backlog Limit for the Audit Daemon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-grub2_audit_backlog_limit_argument:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80943-4">CCE-80943-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument <code>audit_backlog_limit=8192</code> to the default GRUB 2 command line for the Linux operating system in <code>/etc/default/grub</code>, in the manner below: <pre>GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The GRUB 2 configuration file, <code>grub.cfg</code>, is automatically updated each time a new kernel is installed. Note that any changes to <code>/etc/default/grub</code> require rebuilding the <code>grub.cfg</code> file. 
To update the GRUB 2 configuration file manually, use the <pre>grub2-mkconfig -o</pre> command as follows: <ul><li>On BIOS-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</pre></li><li>On UEFI-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li></ul></div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for kernel command line parameters audit_backlog_limit=8192 in /boot/grub2/grubenv for all kernels</span> <span class="label label-default">oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/boot/grub2/grubenv</td><td>kernelopts=root=/dev/mapper/ovirt-root ro console=tty0 console=ttyS0 crashkernel=auto resume=/dev/mapper/ovirt-swap rd.lvm.lv=ovirt/root rd.lvm.lv=ovirt/swap </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" id="rule-detail-idm45342103814304"><div
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SCTP Supportxccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled mediumCCE-80834-5 </div><div class="panel-heading"><h3 class="panel-title">Disable SCTP Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-kernel_module_sctp_disabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80834-5">CCE-80834-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">3.5.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. 
To configure the system to prevent the <code>sctp</code> kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>: <pre>install sctp /bin/true</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling SCTP protects the system against exploitation of any flaws in its implementation.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/modprobe.d/sctp.conf: No such file or directory </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel module sctp disabled</span> <span class="label label-default">oval:ssg-test_kernmod_sctp_disabled:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module sctp disabled">oval:ssg-obj_kernmod_sctp_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+sctp\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">kernel module sctp disabled in /etc/modprobe.conf</span> <span class="label label-default">oval:ssg-test_kernmod_sctp_modprobeconf:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check deprecated /etc/modprobe.conf for disablement of sctp">oval:ssg-obj_kernmod_sctp_modprobeconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.conf</td><td>^\s*install\s+sctp\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module sctp disabled in /etc/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_sctp_etcmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module sctp disabled in /etc/modules-load.d">oval:ssg-obj_kernmod_sctp_etcmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+sctp\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module sctp disabled in /run/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_sctp_runmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module sctp disabled in /run/modules-load.d">oval:ssg-obj_kernmod_sctp_runmodules-load:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+sctp\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module sctp disabled in /usr/lib/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_sctp_libmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module sctp disabled in /usr/lib/modules-load.d">oval:ssg-obj_kernmod_sctp_libmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+sctp\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module sctp disabled in /run/modprobe.d</span> <span class="label label-default">oval:ssg-test_kernmod_sctp_runmodprobed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module sctp disabled in /run/modprobe.d">oval:ssg-obj_kernmod_sctp_runmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+sctp\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module sctp disabled in /usr/lib/modprobe.d</span> <span 
class="label label-default">oval:ssg-test_kernmod_sctp_libmodprobed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module sctp disabled in /usr/lib/modprobe.d">oval:ssg-obj_kernmod_sctp_libmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+sctp\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_can_disabled" id="rule-detail-idm45342103804976"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable CAN Supportxccdf_org.ssgproject.content_rule_kernel_module_can_disabled mediumCCE-82059-7 </div><div class="panel-heading"><h3 class="panel-title">Disable CAN Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_can_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-kernel_module_can_disabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82059-7">CCE-82059-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive use and is now also used in marine, industrial, and medical applications. 
To configure the system to prevent the <code>can</code> kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>: <pre>install can /bin/true</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling CAN protects the system against exploitation of any flaws in its implementation.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/modprobe.d/can.conf: No such file or directory </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel module can disabled</span> <span class="label label-default">oval:ssg-test_kernmod_can_disabled:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module can disabled">oval:ssg-obj_kernmod_can_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+can\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">kernel module can disabled in /etc/modprobe.conf</span> <span class="label label-default">oval:ssg-test_kernmod_can_modprobeconf:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check deprecated /etc/modprobe.conf for disablement of can">oval:ssg-obj_kernmod_can_modprobeconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.conf</td><td>^\s*install\s+can\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module can disabled in /etc/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_can_etcmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module can disabled in /etc/modules-load.d">oval:ssg-obj_kernmod_can_etcmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+can\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module can disabled in /run/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_can_runmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module can disabled in /run/modules-load.d">oval:ssg-obj_kernmod_can_runmodules-load:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+can\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module can disabled in /usr/lib/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_can_libmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module can disabled in /usr/lib/modules-load.d">oval:ssg-obj_kernmod_can_libmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+can\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module can disabled in /run/modprobe.d</span> <span class="label label-default">oval:ssg-test_kernmod_can_runmodprobed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module can disabled in /run/modprobe.d">oval:ssg-obj_kernmod_can_runmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+can\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module can disabled in /usr/lib/modprobe.d</span> <span class="label 
label-default">oval:ssg-test_kernmod_can_libmodprobed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module can disabled in /usr/lib/modprobe.d">oval:ssg-obj_kernmod_can_libmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+can\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled" id="rule-detail-idm45342103797408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable TIPC Supportxccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled mediumCCE-82297-3 </div><div class="panel-heading"><h3 class="panel-title">Disable TIPC Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-kernel_module_tipc_disabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82297-3">CCE-82297-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the <code>tipc</code> kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>: <pre>install tipc /bin/true</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling TIPC protects the system against exploitation of any flaws in its implementation.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> This configuration baseline was created to deploy the base operating system for general purpose workloads. 
When the operating system is configured for certain purposes, such as a node in High Performance Computing cluster, it is expected that the <code>tipc</code> kernel module will be loaded.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/modprobe.d/tipc.conf: No such file or directory </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel module tipc disabled</span> <span class="label label-default">oval:ssg-test_kernmod_tipc_disabled:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module tipc disabled">oval:ssg-obj_kernmod_tipc_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+tipc\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module tipc disabled in /etc/modprobe.conf</span> <span class="label label-default">oval:ssg-test_kernmod_tipc_modprobeconf:tst:1</span> <span 
class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check deprecated /etc/modprobe.conf for disablement of tipc">oval:ssg-obj_kernmod_tipc_modprobeconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.conf</td><td>^\s*install\s+tipc\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module tipc disabled in /etc/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_tipc_etcmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module tipc disabled in /etc/modules-load.d">oval:ssg-obj_kernmod_tipc_etcmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+tipc\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module tipc disabled in /run/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_tipc_runmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module tipc disabled in /run/modules-load.d">oval:ssg-obj_kernmod_tipc_runmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+tipc\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module tipc disabled in /usr/lib/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_tipc_libmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module tipc disabled in /usr/lib/modules-load.d">oval:ssg-obj_kernmod_tipc_libmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+tipc\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module tipc disabled in /run/modprobe.d</span> <span class="label label-default">oval:ssg-test_kernmod_tipc_runmodprobed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module tipc disabled in /run/modprobe.d">oval:ssg-obj_kernmod_tipc_runmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+tipc\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module tipc disabled in /usr/lib/modprobe.d</span> <span class="label label-default">oval:ssg-test_kernmod_tipc_libmodprobed:tst:1</span> 
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module tipc disabled in /usr/lib/modprobe.d">oval:ssg-obj_kernmod_tipc_libmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+tipc\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled" id="rule-detail-idm45342103789824"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable IEEE 1394 (FireWire) Supportxccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled mediumCCE-82005-0 </div><div class="panel-heading"><h3 class="panel-title">Disable IEEE 1394 (FireWire) Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-kernel_module_firewire-core_disabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82005-0">CCE-82005-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the <code>firewire-core</code> kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>: <pre>install firewire-core /bin/true</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling FireWire protects the system against exploitation of any flaws in its implementation.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/modprobe.d/firewire-core.conf: No such file or directory </message></pre></div></div></div></td></tr></tbody></table><div 
class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel module firewire-core disabled</span> <span class="label label-default">oval:ssg-test_kernmod_firewire-core_disabled:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module firewire-core disabled">oval:ssg-obj_kernmod_firewire-core_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module firewire-core disabled in /etc/modprobe.conf</span> <span class="label label-default">oval:ssg-test_kernmod_firewire-core_modprobeconf:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check deprecated /etc/modprobe.conf for disablement of firewire-core">oval:ssg-obj_kernmod_firewire-core_modprobeconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.conf</td><td>^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module firewire-core disabled in /etc/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_firewire-core_etcmodules-load:tst:1</span> 
<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module firewire-core disabled in /etc/modules-load.d">oval:ssg-obj_kernmod_firewire-core_etcmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module firewire-core disabled in /run/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_firewire-core_runmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module firewire-core disabled in /run/modules-load.d">oval:ssg-obj_kernmod_firewire-core_runmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module firewire-core disabled in /usr/lib/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_firewire-core_libmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module firewire-core disabled in /usr/lib/modules-load.d">oval:ssg-obj_kernmod_firewire-core_libmodules-load:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module firewire-core disabled in /run/modprobe.d</span> <span class="label label-default">oval:ssg-test_kernmod_firewire-core_runmodprobed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module firewire-core disabled in /run/modprobe.d">oval:ssg-obj_kernmod_firewire-core_runmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module firewire-core disabled in /usr/lib/modprobe.d</span> <span class="label label-default">oval:ssg-test_kernmod_firewire-core_libmodprobed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module firewire-core disabled in /usr/lib/modprobe.d">oval:ssg-obj_kernmod_firewire-core_libmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled" id="rule-detail-idm45342103782176"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable ATM Supportxccdf_org.ssgproject.content_rule_kernel_module_atm_disabled mediumCCE-82028-2 </div><div class="panel-heading"><h3 class="panel-title">Disable ATM Support</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-kernel_module_atm_disabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82028-2">CCE-82028-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the <code>atm</code> kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>: <pre>install atm /bin/true</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling ATM protects the system against exploitation of any flaws in its implementation.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/modprobe.d/atm.conf: No such file or directory </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL 
details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel module atm disabled</span> <span class="label label-default">oval:ssg-test_kernmod_atm_disabled:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module atm disabled">oval:ssg-obj_kernmod_atm_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+atm\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module atm disabled in /etc/modprobe.conf</span> <span class="label label-default">oval:ssg-test_kernmod_atm_modprobeconf:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check deprecated /etc/modprobe.conf for disablement of atm">oval:ssg-obj_kernmod_atm_modprobeconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.conf</td><td>^\s*install\s+atm\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module atm disabled in /etc/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_atm_etcmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module atm disabled in 
/etc/modules-load.d">oval:ssg-obj_kernmod_atm_etcmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+atm\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module atm disabled in /run/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_atm_runmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module atm disabled in /run/modules-load.d">oval:ssg-obj_kernmod_atm_runmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+atm\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module atm disabled in /usr/lib/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_atm_libmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module atm disabled in /usr/lib/modules-load.d">oval:ssg-obj_kernmod_atm_libmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+atm\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module atm disabled in /run/modprobe.d</span> <span class="label label-default">oval:ssg-test_kernmod_atm_runmodprobed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module atm disabled in /run/modprobe.d">oval:ssg-obj_kernmod_atm_runmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+atm\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module atm disabled in /usr/lib/modprobe.d</span> <span class="label label-default">oval:ssg-test_kernmod_atm_libmodprobed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module atm disabled in /usr/lib/modprobe.d">oval:ssg-obj_kernmod_atm_libmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+atm\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" 
id="rule-detail-idm45342103765248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Accepting ICMP Redirects for All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects mediumCCE-81009-3 </div><div class="panel-heading"><h3 class="panel-title">Disable Accepting ICMP Redirects for All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81009-3">CCE-81009-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.3.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv6.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>An illicit ICMP redirect message could result in a man-in-the-middle attack.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation 
messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label 
label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_redirects static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the 
system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_redirects</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" id="rule-detail-idm45342103752224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Accepting Router Advertisements on all IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra unknownCCE-81007-7 </div><div class="panel-heading"><h3 class="panel-title">Disable Accepting Router Advertisements on all IPv6 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:06</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81007-7">CCE-81007-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">3.3.1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv6.conf.default.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_ra = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>An illicit router advertisement message could result in a man-in-the-middle attack.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution 
completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label 
label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span 
class="label label-primary">net.ipv6.conf.default.accept_ra static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_default_accept_ra:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_default_accept_ra:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_ra:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_ra</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" 
id="rule-detail-idm45342103740992"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Accepting Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra unknownCCE-81006-9 </div><div class="panel-heading"><h3 class="panel-title">Configure Accepting Router Advertisements on All IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:07</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81006-9">CCE-81006-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">3.3.1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv6.conf.all.accept_ra</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_ra = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>An illicit router advertisement message could result in a man-in-the-middle attack.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and 
returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label 
label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span 
class="label label-primary">net.ipv6.conf.all.accept_ra static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_accept_ra:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_accept_ra:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_ra:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_ra</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" id="rule-detail-idm45342103728080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel 
Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route mediumCCE-81015-0 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:07</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81015-0">CCE-81015-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_source_route = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. 
It should be disabled unless it is absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime 
parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_source_route static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_source_route</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" id="rule-detail-idm45342103713232"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects mediumCCE-81010-1 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:07</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81010-1">CCE-81010-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.3.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv6.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0</pre> If this is not the system default value, add the following line to a file in the directory 
<code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.default.accept_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>An illicit ICMP redirect message could result in a man-in-the-middle attack.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following 
objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_redirects static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_default_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.default.accept_redirects</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" id="rule-detail-idm45342103701920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route mediumCCE-81013-5 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:07</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81013-5">CCE-81013-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv6.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv6.conf.all.accept_source_route = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. <br><br> Accepting source-routed packets in the IPv6 protocol has few legitimate uses. 
It should be disabled unless it is absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime 
parameter net.ipv6.conf.all.disable_ipv6 set to 1</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_disable_ipv6:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.disable_ipv6</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_source_route static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv6_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv6_conf_all_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv6.conf.all.accept_source_route</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_iptables_installed" id="rule-detail-idm45342103690608"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install iptables Packagexccdf_org.ssgproject.content_rule_package_iptables_installed mediumCCE-82982-0 </div><div class="panel-heading"><h3 class="panel-title">Install iptables Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_iptables_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_iptables_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82982-0">CCE-82982-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>iptables</code> package can be installed with the following command: <pre> $ sudo yum install iptables</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>iptables</code> controls the Linux kernel network packet filtering code. 
<code>iptables</code> allows system operators to set up firewalls and IP masquerading, etc.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package iptables is installed</span> <span class="label label-default">oval:ssg-test_package_iptables_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>iptables</td><td>x86_64</td><td>(none)</td><td>10.el8</td><td>1.8.4</td><td>0:1.8.4-10.el8</td><td>199e2f91fd431d51</td><td>iptables-0:1.8.4-10.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" id="rule-detail-idm45342103678208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter mediumCCE-81022-6 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was 
then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:07</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81022-6">CCE-81022-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.2.7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the 
<code>net.ipv4.conf.default.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.rp_filter = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.rp_filter static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_default_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf</span> 
<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.rp_filter</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" id="rule-detail-idm45342103666976"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians unknownCCE-81020-0 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td 
class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:07</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81020-0">CCE-81020-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">3.2.4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.default.log_martians</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.log_martians=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.log_martians = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. 
Logging these packets enables this activity to be detected.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.log_martians static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_log_martians:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_default_log_martians:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_log_martians:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_log_martians:obj:1</abbr></strong> of 
type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_log_martians:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_log_martians:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_log_martians:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_log_martians:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_log_martians:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.log_martians</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" id="rule-detail-idm45342103655696"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Accepting ICMP Redirects for All IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects mediumCCE-80917-8 </div><div class="panel-heading"><h3 class="panel-title">Disable Accepting ICMP Redirects for All IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:07</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80917-8">CCE-80917-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.2.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001503</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.all.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</pre> If 
this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.accept_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. <br> This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.accept_redirects static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_redirects static configuration in 
/etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.accept_redirects</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" id="rule-detail-idm45342103644416"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts mediumCCE-80922-8 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:07</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80922-8">CCE-80922-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">3.2.5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.icmp_echo_ignore_broadcasts = 
1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. <br> Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.icmp_echo_ignore_broadcasts static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf</span> <span class="label 
label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_icmp_echo_ignore_broadcasts:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.icmp_echo_ignore_broadcasts</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" id="rule-detail-idm45342103633120"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies mediumCCE-80923-6 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or 
possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:07</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80923-6">CCE-80923-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.2.8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, 
<a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000420-GPOS-00186</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000142-GPOS-00071</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.tcp_syncookies = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. 
This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.tcp_syncookies static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_tcp_syncookies:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_tcp_syncookies:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_tcp_syncookies:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_tcp_syncookies:obj:1</abbr></strong> of 
type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_tcp_syncookies:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_tcp_syncookies:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.tcp_syncookies[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter 
net.ipv4.tcp_syncookies set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_tcp_syncookies:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.tcp_syncookies</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" id="rule-detail-idm45342103622000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route mediumCCE-80920-2 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:07</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80920-2">CCE-80920-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.2.1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, 
<a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.accept_source_route = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. <br> Accepting source-routed packets in the IPv4 protocol has few legitimate uses. 
It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.accept_source_route static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the 
following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.accept_source_route</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" id="rule-detail-idm45342103610640"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter mediumCCE-81021-8 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81021-8">CCE-81021-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.2.7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: 
<pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.rp_filter = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.rp_filter static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_all_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_rp_filter:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_rp_filter:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_rp_filter:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td># Source route verification net.ipv4.conf.all.rp_filter = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value</span> <span class="label 
label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_rp_filter:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.rp_filter</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" id="rule-detail-idm45342103606096"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians unknownCCE-81018-4 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:07</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81018-4">CCE-81018-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.2.4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.all.log_martians</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.log_martians=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.log_martians = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. 
Logging these packets enables this activity to be detected.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.log_martians static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_log_martians:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_all_log_martians:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_log_martians:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_log_martians:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_log_martians:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_log_martians:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span 
class="label label-primary">kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_log_martians:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.log_martians</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" id="rule-detail-idm45342103594896"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route mediumCCE-81011-9 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81011-9">CCE-81011-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.2.1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5CM-6(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.all.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.accept_source_route = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. <br><br> Accepting source-routed packets in the IPv4 protocol has few legitimate uses. 
It should be disabled unless it is absolutely required.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.accept_source_route static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_source_route:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td># Do not accept source routing net.ipv4.conf.all.accept_source_route = 0 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_accept_source_route:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.accept_source_route</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" id="rule-detail-idm45342103590304"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses unknownCCE-81023-4 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:07</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81023-4">CCE-81023-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.2.6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.icmp_ignore_bogus_error_responses = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 
0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.icmp_ignore_bogus_error_responses static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_icmp_ignore_bogus_error_responses:tst:1</span> <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.icmp_ignore_bogus_error_responses</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" id="rule-detail-idm45342103578944"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects mediumCCE-80919-4 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:08</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80919-4">CCE-80919-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.2.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.default.accept_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.accept_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. <br>This feature of the IPv4 protocol has few legitimate uses. 
It should be disabled unless absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.accept_redirects static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_accept_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.accept_redirects</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" id="rule-detail-idm45342103567632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Kernel Parameter for Accepting Secure Redirects By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects mediumCCE-81017-6 </div><div class="panel-heading"><h3 class="panel-title">Configure Kernel Parameter for Accepting Secure Redirects By Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:08</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81017-6">CCE-81017-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.2.3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.default.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.secure_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. 
It should be disabled unless it is absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.secure_redirects static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_default_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.secure_redirects</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" id="rule-detail-idm45342103556320"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects mediumCCE-81016-8 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL 
Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:08</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81016-8">CCE-81016-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.2.3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001503</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.all.secure_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.secure_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. 
It should be disabled unless it is absolutely required.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.secure_redirects static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_all_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_secure_redirects:obj:1</abbr></strong> of 
type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>(?:^|.*\n)[^#]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(\d+)[\s]*\n</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_secure_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.secure_redirects</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" id="rule-detail-idm45342103545040"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects mediumCCE-80921-0 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:08</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80921-0">CCE-80921-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.1.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.default.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.default.send_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more direct 
route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. <br> The ability to send ICMP redirects is only appropriate for systems acting as routers.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.default.send_redirects static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_default_send_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_default_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_send_redirects:tst:1</span> <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_send_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_default_send_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.default.send_redirects</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" id="rule-detail-idm45342103534800"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for IP Forwarding on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward mediumCCE-81024-2 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-sysctl_net_ipv4_ip_forward:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:08</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81024-2">CCE-81024-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.1.1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5CM-6(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.ip_forward</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.ip_forward=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.ip_forward = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking. Disabling IPv4 forwarding would cause those technologies to stop working. 
Therefore, this rule should not be used in profiles or benchmarks that target usage of IPv4 forwarding.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.ip_forward static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_ip_forward:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_ip_forward:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_ip_forward:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_ip_forward:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table 
table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_ip_forward:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_ip_forward:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_ip_forward:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_ip_forward:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.ipv4.ip_forward set to 0</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_ip_forward:tst:1</span> <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.ip_forward</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" id="rule-detail-idm45342103524688"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects mediumCCE-80918-6 </div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:08</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80918-6">CCE-80918-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R22)</a>, <a href="">3.1.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5CM-6(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.ipv4.conf.all.send_redirects</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.ipv4.conf.all.send_redirects = 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. 
<br> The ability to send ICMP redirects is only appropriate for systems acting as routers.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">net.ipv4.conf.all.send_redirects static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_net_ipv4_conf_all_send_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_ipv4_conf_all_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_send_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_send_redirects:obj:1</abbr></strong> 
of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_send_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0</span> <span class="label label-default">oval:ssg-test_sysctl_runtime_net_ipv4_conf_all_send_redirects:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.ipv4.conf.all.send_redirects</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_firewalld_installed" id="rule-detail-idm45342103509728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install firewalld Packagexccdf_org.ssgproject.content_rule_package_firewalld_installed mediumCCE-82998-6 </div><div class="panel-heading"><h3 class="panel-title">Install firewalld Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_firewalld_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_firewalld_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82998-6">CCE-82998-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000298-GPOS-00116</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>firewalld</code> package can be installed with the following command: <pre> $ sudo yum install firewalld</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The firewalld package should be installed to provide access control methods.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package firewalld is installed</span> <span class="label label-default">oval:ssg-test_package_firewalld_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended 
name</th></tr></thead><tbody><tr><td>firewalld</td><td>noarch</td><td>(none)</td><td>4.el8</td><td>0.8.0</td><td>0:0.8.0-4.el8</td><td>199e2f91fd431d51</td><td>firewalld-0:0.8.0-4.el8.noarch</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled" id="rule-detail-idm45342103506048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify firewalld Enabledxccdf_org.ssgproject.content_rule_service_firewalld_enabled mediumCCE-80877-4 </div><div class="panel-heading"><h3 class="panel-title">Verify firewalld Enabled</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_firewalld_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_firewalld_enabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80877-4">CCE-80877-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">4.7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> The <code>firewalld</code> service can be enabled with the following command: <pre>$ sudo systemctl enable firewalld.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. 
This prevents connections from unknown hosts and protocols.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package firewalld is installed</span> <span class="label label-default">oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>firewalld</td><td>noarch</td><td>(none)</td><td>4.el8</td><td>0.8.0</td><td>0:0.8.0-4.el8</td><td>199e2f91fd431d51</td><td>firewalld-0:0.8.0-4.el8.noarch</td></tr></tbody></table><h4><span class="label label-primary">Test that the firewalld service is running</span> <span class="label label-default">oval:ssg-test_service_running_firewalld:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>firewalld.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_firewalld:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td
>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_firewalld_socket:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td
>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" id="rule-detail-idm45342103493008"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Bluetooth Kernel Modulexccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled mediumCCE-80832-9 </div><div class="panel-heading"><h3 class="panel-title">Disable Bluetooth Kernel Module</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled</td></tr><tr><td>Result</td><td 
class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-kernel_module_bluetooth_disabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:08</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80832-9">CCE-80832-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.13.1.3</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000085</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001551</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate <code>/etc/modprobe.d</code> configuration file to prevent the loading of the Bluetooth module: <pre>install bluetooth /bin/true</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/modprobe.d/bluetooth.conf: No such file or directory </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel module bluetooth disabled</span> <span class="label label-default">oval:ssg-test_kernmod_bluetooth_disabled:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been 
found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module bluetooth disabled">oval:ssg-obj_kernmod_bluetooth_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module bluetooth disabled in /etc/modprobe.conf</span> <span class="label label-default">oval:ssg-test_kernmod_bluetooth_modprobeconf:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check deprecated /etc/modprobe.conf for disablement of bluetooth">oval:ssg-obj_kernmod_bluetooth_modprobeconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.conf</td><td>^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module bluetooth disabled in /etc/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_bluetooth_etcmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module bluetooth disabled in /etc/modules-load.d">oval:ssg-obj_kernmod_bluetooth_etcmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module bluetooth disabled in /run/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_bluetooth_runmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module bluetooth disabled in /run/modules-load.d">oval:ssg-obj_kernmod_bluetooth_runmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module bluetooth disabled in /usr/lib/modules-load.d</span> <span class="label label-default">oval:ssg-test_kernmod_bluetooth_libmodules-load:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module bluetooth disabled in /usr/lib/modules-load.d">oval:ssg-obj_kernmod_bluetooth_libmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module bluetooth disabled in /run/modprobe.d</span> <span 
class="label label-default">oval:ssg-test_kernmod_bluetooth_runmodprobed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module bluetooth disabled in /run/modprobe.d">oval:ssg-obj_kernmod_bluetooth_runmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module bluetooth disabled in /usr/lib/modprobe.d</span> <span class="label label-default">oval:ssg-test_kernmod_bluetooth_libmodprobed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module bluetooth disabled in /usr/lib/modprobe.d">oval:ssg-obj_kernmod_bluetooth_libmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking" id="rule-detail-idm45342103443424"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure Smart Card Certificate Status Checkingxccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking mediumCCE-82475-5 </div><div class="panel-heading"><h3 
class="panel-title">Configure Smart Card Certificate Status Checking</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82475-5">CCE-82475-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-001954</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000375-GPOS-00160</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000384-GPOS-00167</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure the operating system to do certificate status checking for PKI authentication. Modify all of the <code>cert_policy</code> lines in <code>/etc/pam_pkcs11/pam_pkcs11.conf</code> to include <code>ocsp_on</code> like so: <pre>cert_policy = ca, ocsp_on, signature;</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. <br><br> Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. 
Government Personal Identity Verification card and the DoD Common Access Card.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_tmux_installed" id="rule-detail-idm45342103440400"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install the tmux Packagexccdf_org.ssgproject.content_rule_package_tmux_installed mediumCCE-80644-8 </div><div class="panel-heading"><h3 class="panel-title">Install the tmux Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_tmux_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_tmux_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80644-8">CCE-80644-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000058</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000030-GPOS-00011</a>, <a href="">SRG-OS-000030-VMM-000110</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable console screen locking, install the <code>tmux</code> package. 
The <code>tmux</code> package can be installed with the following command: <pre>$ sudo yum install tmux</pre> Instruct users to begin new terminal sessions with the following command: <pre>$ tmux</pre> The console can now be locked with the following key combination: <pre>ctrl+b :lock-session</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. <br><br> The <code>tmux</code> package allows for a session lock to be implemented and configured.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package tmux is installed</span> <span class="label label-default">oval:ssg-test_package_tmux_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>tmux</td><td>x86_64</td><td>(none)</td><td>1.el8</td><td>2.7</td><td>0:2.7-1.el8</td><td>199e2f91fd431d51</td><td>tmux-0:2.7-1.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed 
rule-detail-id-xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time" id="rule-detail-idm45342103436736"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure tmux to lock session after inactivityxccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time mediumCCE-82199-1 </div><div class="panel-heading"><h3 class="panel-title">Configure tmux to lock session after inactivity</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-configure_tmux_lock_after_time:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82199-1">CCE-82199-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000029-GPOS-00010</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable console screen locking in the <code>tmux</code> terminal multiplexer after a period of inactivity, the <code>lock-after-time</code> option has to be set to a nonzero value in <code>/etc/tmux.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Locking the session after a period of inactivity limits the potential exposure if the session is left unattended.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/tmux.conf: No such file or directory </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div 
class="panel-body"><h4><span class="label label-primary">check lock-after-time is set to 900 in /etc/tmux.conf</span> <span class="label label-default">oval:ssg-test_configure_tmux_lock_after_time:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_configure_tmux_lock_after_time:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/tmux.conf</td><td>^\s*set\s+-g\s+lock-after-time\s+900\s*(?:#.*)?$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux" id="rule-detail-idm45342103430432"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Support session locking with tmuxxccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux mediumCCE-82266-8 </div><div class="panel-heading"><h3 class="panel-title">Support session locking with tmux</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-configure_bashrc_exec_tmux:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label 
label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82266-8">CCE-82266-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000031-GPOS-00012</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>tmux</code> terminal multiplexer is used to implement automatic session locking. 
It should be started from <code>/etc/bashrc</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unlike <code>bash</code> itself, the <code>tmux</code> terminal multiplexer provides a mechanism to lock sessions after a period of inactivity.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check tmux is configured to exec on the last line of /etc/bashrc</span> <span class="label label-default">oval:ssg-test_configure_bashrc_exec_tmux:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/bashrc</td><td># /etc/bashrc # System wide functions and aliases # Environment stuff goes in /etc/profile # It's NOT a good idea to change this file unless you know what you # are doing. It's much better to create a custom.sh shell script in # /etc/profile.d/ to make custom changes to your environment, as this # will prevent the need for merging in future updates. # Prevent doublesourcing if [ -z "$BASHRCSOURCED" ]; then BASHRCSOURCED="Y" # are we an interactive shell? 
if [ "$PS1" ]; then if [ -z "$PROMPT_COMMAND" ]; then case $TERM in xterm*|vte*) if [ -e /etc/sysconfig/bash-prompt-xterm ]; then PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then PROMPT_COMMAND="__vte_prompt_command" else PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"' fi ;; screen*) if [ -e /etc/sysconfig/bash-prompt-screen ]; then PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen else PROMPT_COMMAND='printf "\033k%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"' fi ;; *) [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default ;; esac fi # Turn on parallel history shopt -s histappend history -a # Turn on checkwinsize shopt -s checkwinsize [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ " # You might want to have e.g. tty in prompt (e.g. more virtual machines) # and console windows # If you want to do so, just add e.g. # if [ "$PS1" ]; then # PS1="[\u@\h:\l \W]\\$ " # fi # to your custom modification shell script in /etc/profile.d/ directory fi if ! shopt -q login_shell ; then # We're not a login shell # Need to redefine pathmunge, it gets undefined at the end of /etc/profile pathmunge () { case ":${PATH}:" in *:"$1":*) ;; *) if [ "$2" = "after" ] ; then PATH=$PATH:$1 else PATH=$1:$PATH fi esac } # By default, we want umask to get set. This sets it for non-login shell. # Current threshold for system reserved uid/gids is 200 # You could check uidgid reservation validity in # /usr/share/doc/setup-*/uidgid file if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then umask 002 else umask 022 fi SHELL=/bin/bash # Only display echos from profile.d scripts if we are no login shell # and interactive - otherwise just process them to set envvars for i in /etc/profile.d/*.sh; do if [ -r "$i" ]; then if [ "$PS1" ]; then . "$i" else . 
"$i" >/dev/null fi fi done unset i unset -f pathmunge fi fi # vim:ts=4:sw=4 </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_configure_tmux_lock_command" id="rule-detail-idm45342103424784"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure the tmux Lock Commandxccdf_org.ssgproject.content_rule_configure_tmux_lock_command mediumCCE-80940-0 </div><div class="panel-heading"><h3 class="panel-title">Configure the tmux Lock Command</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_tmux_lock_command</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-configure_tmux_lock_command:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80940-0">CCE-80940-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-000056</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000058</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000028-GPOS-00009</a>, <a href="">SRG-OS-000028-VMM-000090</a>, <a href="">SRG-OS-000030-VMM-000110</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable console screen locking in <code>tmux</code> terminal multiplexer, the <code>vlock</code> command must be configured to be used as a locking mechanism. Add the following line to <code>/etc/tmux.conf</code>: <pre>set -g lock-command vlock</pre>. The console can now be locked with the following key combination: <pre>ctrl+b :lock-session</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>tmux</code> package allows for a session lock to be implemented and configured. However, the session lock is implemented by an external command. 
The <code>tmux</code> default configuration does not contain an effective session lock.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check lock-command is set to vlock in /etc/tmux.conf</span> <span class="label label-default">oval:ssg-test_configure_tmux_lock_command:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_configure_tmux_lock_command:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/tmux.conf</td><td>^\s*set\s+-g\s+lock-command\s+vlock\s*(?:#.*)?$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_no_tmux_in_shells" id="rule-detail-idm45342103419152"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prevent user from disabling the screen lockxccdf_org.ssgproject.content_rule_no_tmux_in_shells mediumCCE-82361-7 </div><div class="panel-heading"><h3 class="panel-title">Prevent user from disabling the screen lock</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_tmux_in_shells</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-no_tmux_in_shells:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82361-7">CCE-82361-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>tmux</code> terminal multiplexer is used to implement automatic session locking. 
It should not be listed in <code>/etc/shells</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Not listing <code>tmux</code> among permitted shells prevents a malicious program running as the user from lowering security by disabling the screen lock.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check that tmux is not listed in /etc/shells</span> <span class="label label-default">oval:ssg-test_no_tmux_in_shells:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/shells</td><td>tmux</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" id="rule-detail-idm45342103483648"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable debug-shell SystemD Servicexccdf_org.ssgproject.content_rule_service_debug-shell_disabled mediumCCE-80876-6 </div><div class="panel-heading"><h3 class="panel-title">Disable debug-shell SystemD Service</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_debug-shell_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_debug-shell_disabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80876-6">CCE-80876-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SystemD's <code>debug-shell</code> service is intended to diagnose SystemD related boot issues with various <code>systemctl</code> commands. Once enabled and following a system reboot, the root shell will be available on <code>tty9</code> which is accessed by pressing <code>CTRL-ALT-F9</code>. The <code>debug-shell</code> service should only be used for SystemD related issues and should otherwise be disabled. <br><br> By default, the <code>debug-shell</code> SystemD service is already disabled. 
The <code>debug-shell</code> service can be disabled with the following command: <pre>$ sudo systemctl disable debug-shell.service</pre> The <code>debug-shell</code> service can be masked with the following command: <pre>$ sudo systemctl mask debug-shell.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package systemd is removed</span> <span class="label label-default">oval:ssg-test_service_debug-shell_package_systemd_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>systemd</td><td>x86_64</td><td>(none)</td><td>31.el8_2.2</td><td>239</td><td>0:239-31.el8_2.2</td><td>199e2f91fd431d51</td><td>systemd-0:239-31.el8_2.2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the debug-shell service is not running</span> <span class="label label-default">oval:ssg-test_service_not_running_debug-shell:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of debug-shell">oval:ssg-obj_service_not_running_debug-shell:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table 
class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^debug-shell\.(service|socket)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service debug-shell is masked</span> <span class="label label-default">oval:ssg-test_service_loadstate_is_masked_debug-shell:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the LoadState property of debug-shell">oval:ssg-obj_service_loadstate_is_masked_debug-shell:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^debug-shell\.(service|socket)$</td><td>LoadState</td></tr></tbody></table><h4><span class="label label-primary">Test that the property FragmentPath from the service debug-shell is set to /dev/null</span> <span class="label label-default">oval:ssg-test_service_fragmentpath_is_dev_null_debug-shell:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the FragmentPath property of debug-shell">oval:ssg-obj_service_fragmentpath_is_dev_null_debug-shell:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^debug-shell\.(service|socket)$</td><td>FragmentPath</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="rule-detail-idm45342103479968"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Require 
Authentication for Single User Modexccdf_org.ssgproject.content_rule_require_singleuser_auth mediumCCE-80855-0 </div><div class="panel-heading"><h3 class="panel-title">Require Authentication for Single User Mode</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_require_singleuser_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-require_singleuser_auth:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80855-0">CCE-80855-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">1.5.3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a 
href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Single-user mode is intended as a system recovery method, providing a 
single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected. <br><br> By default, single-user mode is protected by requiring a password and is set in <code>/usr/lib/systemd/system/rescue.service</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode</span> <span class="label label-default">oval:ssg-test_require_rescue_service:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/rescue.service</td><td>ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</td></tr></tbody></table><h4><span class="label label-primary">Tests that the systemd rescue.service is in the runlevel1.target</span> <span class="label label-default">oval:ssg-test_require_rescue_service_runlevel1:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/systemd/system/runlevel1.target</td><td>Requires=sysinit.target 
rescue.service</td></tr></tbody></table><h4><span class="label label-primary">look for runlevel1.target in /etc/systemd/system</span> <span class="label label-default">oval:ssg-test_no_custom_runlevel1_target:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="look for runlevel1.target in /etc/systemd/system">oval:ssg-object_no_custom_runlevel1_target:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th></tr></thead><tbody><tr><td>no value</td><td>/etc/systemd/system</td><td>^runlevel1.target$</td></tr></tbody></table><h4><span class="label label-primary">look for rescue.service in /etc/systemd/system</span> <span class="label label-default">oval:ssg-test_no_custom_rescue_service:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="look for rescue.service in /etc/systemd/system">oval:ssg-object_no_custom_rescue_service:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Path</th><th>Filename</th></tr></thead><tbody><tr><td>no value</td><td>/etc/systemd/system</td><td>^rescue.service$</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="rule-detail-idm45342103473920"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Ctrl-Alt-Del Reboot Activationxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot highCCE-80785-9 </div><div class="panel-heading"><h3 class="panel-title">Disable Ctrl-Alt-Del Reboot Activation</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-disable_ctrlaltdel_reboot:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80785-9">CCE-80785-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed. <br><br> To configure the system to ignore the <code>Ctrl-Alt-Del</code> key sequence from the command line instead of rebooting the system, do either of the following: <pre>ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target</pre> or <pre>systemctl mask ctrl-alt-del.target</pre> <br><br> Do not simply delete the <code>/usr/lib/systemd/system/ctrl-alt-del.service</code> file, as this file may be restored during future system updates.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Disabling the <code>Ctrl-Alt-Del</code> key sequence in <code>/etc/init/control-alt-delete.conf</code> DOES NOT disable the <code>Ctrl-Alt-Del</code> key sequence if running in <code>runlevel 6</code> (e.g. in GNOME, KDE, etc.)! 
The <code>Ctrl-Alt-Del</code> key sequence will only be disabled if running in the non-graphical <code>runlevel 3</code>.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Created symlink /etc/systemd/system/ctrl-alt-del.target → /dev/null. </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Disable Ctrl-Alt-Del key sequence override exists</span> <span class="label label-default">oval:ssg-test_disable_ctrlaltdel_exists:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Disable Ctrl-Alt-Del key sequence override exists">oval:ssg-object_disable_ctrlaltdel_exists:obj:1</abbr></strong> of type <strong>symlink_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/systemd/system/ctrl-alt-del.target</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" id="rule-detail-idm45342103467696"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Verify that 
Interactive Boot is Disabledxccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot mediumCCE-80826-1 </div><div class="panel-heading"><h3 class="panel-title">Verify that Interactive Boot is Disabled</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-grub2_disable_interactive_boot:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80826-1">CCE-80826-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000213</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-2(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Red Hat Enterprise Linux 8 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux 8 system, interactive boot can be enabled by providing a <code>1</code>, <code>yes</code>, <code>true</code>, or <code>on</code> value to the <code>systemd.confirm_spawn</code> kernel argument in <code>/etc/default/grub</code>. Remove any instance of <pre>systemd.confirm_spawn=(1|yes|true|on)</pre> from the kernel arguments in that file to disable interactive boot. 
It is also required to change the runtime configuration, run: <pre>/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX</span> <span class="label label-default">oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/default/grub</td><td>^\s*GRUB_CMDLINE_LINUX=".*systemd.confirm_spawn=(?:1|yes|true|on).*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT</span> <span class="label label-default">oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux_default:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux_default:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/default/grub</td><td>^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd.confirm_spawn=(?:1|yes|true|on).*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub</span> <span class="label label-default">oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/default/grub</td><td>GRUB_DISABLE_RECOVERY="true"</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction" id="rule-detail-idm45342103464016"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Ctrl-Alt-Del Burst Actionxccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction highCCE-80784-2 </div><div class="panel-heading"><h3 class="panel-title">Disable Ctrl-Alt-Del Burst Action</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-disable_ctrlaltdel_burstaction:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td 
class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80784-2">CCE-80784-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code> key sequence is pressed 
more than 7 times in 2 seconds. <br><br> To configure the system to ignore the <code>CtrlAltDelBurstAction</code> setting, add or modify the following in <code>/etc/systemd/system.conf</code>: <pre>CtrlAltDelBurstAction=none</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> Disabling the <code>Ctrl-Alt-Del</code> key sequence in <code>/etc/init/control-alt-delete.conf</code> DOES NOT disable the <code>Ctrl-Alt-Del</code> key sequence if running in <code>runlevel 6</code> (e.g. in GNOME, KDE, etc.)! The <code>Ctrl-Alt-Del</code> key sequence will only be disabled if running in the non-graphical <code>runlevel 3</code>.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check if CtrlAltDelBurstAction is set to none</span> <span class="label label-default">oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1</span> <span class="label 
label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/systemd/system.conf</td><td>^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notapplicable rule-detail-id-xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" id="rule-detail-idm45342103399360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable GNOME3 Login Warning Bannerxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled mediumCCE-80768-5 </div><div class="panel-heading"><h3 class="panel-title">Enable GNOME3 Login Warning Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-notapplicable"><div><abbr title="The Rule was not applicable to the target of the test. For example, the Rule might have been specific to a different version of the target OS, or it might have been a test against a platform feature that was not installed.">notapplicable</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80768-5">CCE-80768-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">1.7.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000048</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000023-GPOS-00006</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000024-GPOS-00007</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000228-GPOS-00088</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>In the default graphical environment, a login warning banner can be displayed on the GNOME Display Manager's login screen by setting <code>banner-message-enable</code> to <code>true</code>. <br><br> To enable it, add or edit <code>banner-message-enable</code> in <code>/etc/dconf/db/gdm.d/00-security-settings</code>. For example: <pre>[org/gnome/login-screen]
banner-message-enable=true</pre> Once the setting has been added, add a lock to <code>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</code> to prevent user modification. For example: <pre>/org/gnome/login-screen/banner-message-enable</pre> After the settings have been set, run <code>dconf update</code>. The banner text must also be set.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. <br><br> For U.S. 
Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.</p></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_banner_etc_issue" id="rule-detail-idm45342103413728"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Modify the System Login Bannerxccdf_org.ssgproject.content_rule_banner_etc_issue mediumCCE-80763-6 </div><div class="panel-heading"><h3 class="panel-title">Modify the System Login Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_banner_etc_issue</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-banner_etc_issue:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80763-6">CCE-80763-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">1.7.1.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000048</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000050</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000023-GPOS-00006</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000024-GPOS-00007</a>, 
<a href="">SRG-OS-000023-VMM-000060</a>, <a href="">SRG-OS-000024-VMM-000070</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system login banner edit <code>/etc/issue</code>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either: <br><br> <code>You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: <br>-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. <br>-At any time, the USG may inspect and seize data stored on this IS. <br>-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. <br>-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. <br>-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.</code> <br><br> OR: <br><br> <code>I've read & consent to terms in IS user agreem't.</code></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. <br><br> System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">correct banner in /etc/issue</span> <span class="label label-default">oval:ssg-test_banner_etc_issue:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_banner_etc_issue:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>(^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent
[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.$|^I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)</td><td>/etc/issue</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" id="rule-detail-idm45342103389824"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Lowercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit mediumCCE-80655-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-accounts_password_pam_lcredit:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80655-4">CCE-80655-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000193</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000070-GPOS-00038</a>, <a 
href="">SRG-OS-000070-VMM-000370</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>lcredit</code> parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the <code>lcredit</code> setting in <code>/etc/security/pwquality.conf</code> to require the use of a lowercase character in passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_lcredit:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_password_pam_pwquality_lcredit:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>^lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" id="rule-detail-idm45342103379344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Uppercase Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit mediumCCE-80665-3 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_ucredit:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80665-3">CCE-80665-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">6.3.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000192</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000069-GPOS-00037</a>, <a href="">SRG-OS-000069-VMM-000360</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>ucredit=</code> parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. 
Modify the <code>ucredit</code> setting in <code>/etc/security/pwquality.conf</code> to require the use of an uppercase character in passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of 
/etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_ucredit:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_password_pam_pwquality_ucredit:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>^ucredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" id="rule-detail-idm45342103366480"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Classxccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat mediumCCE-81034-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-accounts_password_pam_maxclassrepeat:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81034-1">CCE-81034-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000195</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000072-GPOS-00040</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>maxclassrepeat</code> parameter controls requirements for consecutive repeating characters 
from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the <code>maxclassrepeat</code> setting in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat">4</abbr> to prevent a run of (<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat">4</abbr> + 1) or more identical characters.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_maxclassrepeat:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_password_pam_pwquality_maxclassrepeat:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>^maxclassrepeat[\s]*=[\s]*(\d+)(?:[\s]|$)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" id="rule-detail-idm45342103355968"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Different Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_difok mediumCCE-80654-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Different Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_difok</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that 
can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_difok:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80654-7">CCE-80654-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000195</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000072-GPOS-00040</a>, <a href="">SRG-OS-000072-VMM-000390</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>difok</code> parameter sets the number of characters in a password that must not be present in an old password during a password change. <br><br> Modify the <code>difok</code> setting in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_difok">4</abbr> to require differing characters when changing passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. <br><br> Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. 
Note that passwords which are changed on compromised systems will still be compromised, however.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_difok:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_password_pam_pwquality_difok:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>^difok[\s]*=[\s]*(\d+)(?:[\s]|$)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" id="rule-detail-idm45342103345504"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Digit Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit mediumCCE-80653-9 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Digit Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_dcredit:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80653-9">CCE-80653-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">6.3.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000194</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000071-GPOS-00039</a>, <a href="">SRG-OS-000071-VMM-000380</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>dcredit</code> parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. 
Modify the <code>dcredit</code> setting in <code>/etc/security/pwquality.conf</code> to require the use of a digit in passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass 
local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_dcredit:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_password_pam_pwquality_dcredit:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>^dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" id="rule-detail-idm45342103335024"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Maximum Consecutive Repeating Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat mediumCCE-82066-2 </div><div class="panel-heading"><h3 class="panel-title">Set Password Maximum Consecutive Repeating Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-accounts_password_pam_maxrepeat:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82066-2">CCE-82066-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000195</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000072-GPOS-00040</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>maxrepeat</code> parameter controls requirements for consecutive repeating characters. 
When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the <code>maxrepeat</code> setting in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat">3</abbr> to prevent a run of (<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat">3</abbr> + 1) or more identical characters.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
<br><br> Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_maxrepeat:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_password_pam_pwquality_maxrepeat:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>^maxrepeat[\s]*=[\s]*(\d+)(?:[\s]|$)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" id="rule-detail-idm45342103324528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-80656-2 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Length</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_minlen:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80656-2">CCE-80656-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">6.3.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000205</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000078-GPOS-00046</a>, <a href="">SRG-OS-000072-VMM-000390</a>, <a href="">SRG-OS-000078-VMM-000450</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The pam_pwquality module's <code>minlen</code> parameter controls requirements for minimum characters required in a password. 
Add <code>minlen=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_minlen">12</abbr></code> after pam_pwquality to set minimum password length requirements.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. <br> Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass 
local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_minlen:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_password_pam_pwquality_minlen:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>^minlen[\s]*=[\s]*(\d+)(?:[\s]|$)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" id="rule-detail-idm45342103314048"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure PAM Enforces Password Requirements - Minimum Special Charactersxccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit mediumCCE-80663-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure PAM Enforces Password Requirements - Minimum Special Characters</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-accounts_password_pam_ocredit:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80663-8">CCE-80663-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001619</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(4)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000266-GPOS-00101</a>, <a href="">SRG-OS-000266-VMM-000940</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The 
pam_pwquality module's <code>ocredit=</code> parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the <code>ocredit</code> setting in <code>/etc/security/pwquality.conf</code> to equal <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_ocredit">-1</abbr> to require use of a special character in passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. <br><br> Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. 
Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check the configuration of /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td> password requisite pam_pwquality.so try_first_pass local_users_only</td></tr></tbody></table><h4><span class="label label-primary">check the configuration of /etc/security/pwquality.conf</span> <span class="label label-default">oval:ssg-test_password_pam_pwquality_ocredit:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_password_pam_pwquality_ocredit:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/pwquality.conf</td><td>^ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" id="rule-detail-idm45342103296368"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Deny For Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-80667-9 </div><div class="panel-heading"><h3 class="panel-title">Set Deny For Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_deny:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80667-9">CCE-80667-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">5.3.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.6</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="">SRG-OS-000021-VMM-000050</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system to lock out accounts after a number of incorrect login attempts using <code>pam_faillock.so</code>, modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: <br><br> <ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">0</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">0</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: <pre>account required 
pam_faillock.so</pre></li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix.</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_system-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_preauth_silent_system-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check if pam_faillock.so is called in account phase before pam_unix</span> <span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_account_phase_system-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_account_phase_system-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_password-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_preauth_silent_password-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+[^\n]*silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[^\n]+pam_unix\.so[^\n]*[\n]</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check if pam_faillock_so is called in account phase before pam_unix.</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_account_phase_password-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the 
following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_account_phase_password-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>[\n][\s]*account[\s]+required[\s]+pam_faillock\.so[^\n]*[\n][\s]*account[\s]+required[\s]+pam_unix\.so[^\n]*[\n]</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_system-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Is pam_faillock not skipped?">oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin</td><td>/etc/pam.d/system-auth</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_system-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_authfail_deny_system-auth:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[^\]]*\]))[^\n]+pam_unix\.so(?:.*[\n])*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[^\n]+deny=([0-9]+)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_numeric_default_check_password-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Is pam_faillock not skipped?">oval:ssg-object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>3Referenced variable has no values (oval:ssg-var_accounts_passwords_pam_faillock_preauth_default_lin</td><td>/etc/pam.d/password-auth</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct.</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_password-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_authfail_deny_password-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[[^\]]*default=ignore[[^\]]*\]))[\s]+pam_unix\.so(?:.*[\n])*[^\n]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" id="rule-detail-idm45342103287568"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Interval For Counting Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval mediumCCE-80669-5 </div><div class="panel-heading"><h3 class="panel-title">Set Interval For Counting Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_interval:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80669-5">CCE-80669-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000044</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="">SRG-OS-000021-VMM-000050</a></p></td></tr><tr><td>Description</td><td><div 
class="description"><p>Utilizing <code>pam_faillock.so</code>, the <code>fail_interval</code> directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: <br><br> <ul><li>Add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">0</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre> </li><li>Add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">0</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr> </pre> </li><li>Add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: <pre>account required pam_faillock.so</pre> </li></ul></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. 
Limits are imposed by locking the account.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check maximum preauth fail_interval allowed in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_system-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">check maximum authfail fail_interval allowed in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">check maximum authfail fail_interval allowed in /etc/pam.d/password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_password-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*fail_interval=([0-9]*).*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">check maximum preauth fail_interval allowed in /etc/pam.d/password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*fail_interval=([0-9]*).*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">check if pam_faillock.so is required in account section in /etc/pam.d/password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_account_requires_password-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_account_requires_password-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>^\s*account\s+required\s+pam_faillock\.so.*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">check if pam_faillock.so is required in account section in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_account_requires_system-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_account_requires_system-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>^\s*account\s+required\s+pam_faillock\.so.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed 
rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" id="rule-detail-idm45342103278592"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Lockout Time for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-80670-3 </div><div class="panel-heading"><h3 class="panel-title">Set Lockout Time for Failed Password Attempts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80670-3">CCE-80670-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">5.3.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.3</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002238</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000329-GPOS-00128</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</a>, <a href="">SRG-OS-000329-VMM-001180</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using <code>pam_faillock.so</code>, modify the content of both <code>/etc/pam.d/system-auth</code> and <code>/etc/pam.d/password-auth</code> as follows: <br><br> <ul><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth required pam_faillock.so preauth silent deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">0</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>after</code> the <code>pam_unix.so</code> statement in the <code>AUTH</code> section: <pre>auth [default=die] pam_faillock.so authfail deny=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny">3</abbr> unlock_time=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time">0</abbr> fail_interval=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval">900</abbr></pre></li><li> add the following line immediately <code>before</code> the <code>pam_unix.so</code> statement in the <code>ACCOUNT</code> section: <pre>account required pam_faillock.so</pre></li></ul> If <code>unlock_time</code> is set to <code>0</code>, manual intervention by an 
administrator is required to unlock a user.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check preauth maximum failed login attempts allowed in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=([0-9]*).*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">check authfail maximum failed login attempts allowed in /etc/pam.d/system-auth</span> <span class="label 
label-default">oval:ssg-test_accounts_passwords_pam_faillock_authfail_unlock_time_system-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_authfail_unlock_time_system-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=([0-9]*).*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">check authfail maximum failed login attempts allowed in /etc/pam.d/password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*unlock_time=([0-9]*).*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">check preauth maximum failed login attempts allowed in /etc/pam.d/password-auth</span> <span class="label label-default">oval:ssg-test_accounts_passwords_pam_faillock_preauth_unlock_time_password-auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_accounts_passwords_pam_faillock_preauth_unlock_time_password-auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/password-auth</td><td>^\s*auth\s+(?:(?:required))\s+pam_faillock\.so\s+preauth.*unlock_time=([0-9]*).*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" id="rule-detail-idm45342103267232"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Limit Password Reusexccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember mediumCCE-80666-1 </div><div class="panel-heading"><h3 class="panel-title">Limit Password Reuse</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_pam_unix_remember:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80666-1">CCE-80666-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">5.3.3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000200</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(e)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000077-GPOS-00045</a>, <a href="">SRG-OS-000077-VMM-000440</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Do not allow users to reuse recent passwords. This can be accomplished by using the <code>remember</code> option for the <code>pam_unix</code> or <code>pam_pwhistory</code> PAM modules. 
<br><br> In the file <code>/etc/pam.d/system-auth</code>, append <code>remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr></code> to the line which refers to the <code>pam_unix.so</code> or <code>pam_pwhistory.so</code> module, as shown below: <ul><li>for the <code>pam_unix.so</code> case: <pre>password sufficient pam_unix.so <i>...existing_options...</i> remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr></pre> </li><li>for the <code>pam_pwhistory.so</code> case: <pre>password requisite pam_pwhistory.so <i>...existing_options...</i> remember=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_password_pam_unix_remember">5</abbr></pre> </li></ul> The DoD STIG requirement is 5 passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_accounts_password_pam_unix_remember:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items 
have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_password_pam_unix_remember:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>^\s*password\s+(?:(?:sufficient)|(?:required))\s+pam_unix\.so.*remember=([0-9]*).*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Test if remember attribute of pam_pwhistory.so is set correctly in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_accounts_password_pam_pwhistory_remember:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so.*remember=([0-9]*).*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" id="rule-detail-idm45342103218528"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default Umask is Set Correctly in /etc/profilexccdf_org.ssgproject.content_rule_accounts_umask_etc_profile unknownCCE-81035-8 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Umask is Set Correctly in /etc/profile</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_umask_etc_profile:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81035-8">CCE-81035-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R35)</a>, <a href="">5.4.4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.03</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure the default umask controlled by <code>/etc/profile</code> is set properly, add or correct the <code>umask</code> setting in <code>/etc/profile</code> to read as follows: <pre>umask <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_user_umask">027</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The umask value influences the permissions assigned to files when they are created. 
A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify the existence of var_accounts_user_umask_as_number variable</span> <span class="label label-default">oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_user_umask_umask_as_number:var:1</td><td>23</td></tr></tbody></table><h4><span class="label label-primary">Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement</span> <span class="label label-default">oval:ssg-tst_accounts_umask_etc_profile:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_etc_profile_umask_as_number:var:1</td><td>18</td><td>18</td><td>2</td><td>2</td><td>18</td><td>18</td><td>2</td><td>2</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" id="rule-detail-idm45342103212080"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default Bash Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc unknownCCE-81036-6 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default Bash Umask is Set Correctly</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_umask_etc_bashrc:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81036-6">CCE-81036-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">5.4.4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.03</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure the default umask for users of the Bash shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/bashrc</code> to read as follows: <pre>umask <abbr title="from TestResult: 
xccdf_org.ssgproject.content_value_var_accounts_user_umask">027</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify the existence of var_accounts_user_umask_as_number variable</span> <span class="label label-default">oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_user_umask_umask_as_number:var:1</td><td>23</td></tr></tbody></table><h4><span class="label label-primary">Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement</span> <span class="label label-default">oval:ssg-tst_accounts_umask_etc_bashrc:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_etc_bashrc_umask_as_number:var:1</td><td>2</td><td>2</td><td>18</td><td>18</td><td>2</td><td>2</td><td>18</td><td>18</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc" id="rule-detail-idm45342103205648"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure the Default C Shell Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc unknownCCE-81037-4 </div><div class="panel-heading"><h3 class="panel-title">Ensure the Default C Shell Umask is Set Correctly</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_umask_etc_csh_cshrc:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81037-4">CCE-81037-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.03</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure the default umask for users of the C shell is set properly, add or correct the <code>umask</code> setting in <code>/etc/csh.cshrc</code> to read as follows: <pre>umask <abbr title="from TestResult: 
xccdf_org.ssgproject.content_value_var_accounts_user_umask">027</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify the existence of var_accounts_user_umask_as_number variable</span> <span class="label label-default">oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_accounts_user_umask_umask_as_number:var:1</td><td>23</td></tr></tbody></table><h4><span class="label label-primary">Test the retrieved /etc/csh.cshrc umask value(s) match the var_accounts_user_umask requirement</span> <span class="label label-default">oval:ssg-tst_accounts_umask_etc_csh_cshrc:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Var ref</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-var_etc_csh_cshrc_umask_as_number:var:1</td><td>2</td><td>2</td><td>18</td><td>18</td><td>2</td><td>2</td><td>18</td><td>18</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" id="rule-detail-idm45342103247632"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Limit the Number of Concurrent Login Sessions Allowed Per Userxccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions lowCCE-80955-8 </div><div class="panel-heading"><h3 class="panel-title">Limit the Number of Concurrent Login Sessions Allowed Per User</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_max_concurrent_login_sessions:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80955-8">CCE-80955-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000054</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000027-GPOS-00008</a>, <a href="">SRG-OS-000027-VMM-000080</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in <code>/etc/security/limits.conf</code>: <pre>* hard maxlogins <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions">10</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. 
Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/security/limits.d/*.conf: No such file or directory </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf</span> <span class="label label-default">oval:ssg-test_limitsd_maxlogins:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_security_limitsd_conf_maxlogins:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/limits.d</td><td>^.*\.conf$</td><td>^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf</span> <span class="label 
label-default">oval:ssg-test_limitsd_maxlogins_exists:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_security_limitsd_conf_maxlogins_exists:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/limits.d</td><td>^.*\.conf$</td><td>^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">the value maxlogins should be set appropriately in /etc/security/limits.conf</span> <span class="label label-default">oval:ssg-test_maxlogins:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_security_limits_conf_maxlogins:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/limits.conf</td><td>^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing" id="rule-detail-idm45342103195712"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Existing Passwords Minimum Agexccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing mediumCCE-82472-2 </div><div class="panel-heading"><h3 class="panel-title">Set Existing Passwords Minimum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td 
class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82472-2">CCE-82472-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-000198</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000075-GPOS-00043</a>, <a href="">SRG-OS-000075-VMM000420</a></p></td></tr><tr><td>Description</td><td><div 
class="description"><p>Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command: <pre>$ sudo chage -m 1 <i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" id="rule-detail-idm45342103187904"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Password Minimum Length in login.defsxccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs mediumCCE-80652-1 </div><div class="panel-heading"><h3 class="panel-title">Set Password Minimum Length in login.defs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or 
possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-accounts_password_minlen_login_defs:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80652-1">CCE-80652-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000078-GPOS-00046</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify password length requirements for new accounts, edit the file <code>/etc/login.defs</code> and add or correct the following line: <pre>PASS_MIN_LEN <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs">12</abbr></pre> <br><br> The DoD requirement is <code>15</code>. The FISMA requirement is <code>12</code>. The profile requirement is <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs">12</abbr></code>. If a program consults <code>/etc/login.defs</code> and also another PAM module (such as <code>pam_pwquality</code>) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. 
However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs</span> <span class="label label-default">oval:ssg-test_pass_min_len:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-variable_last_pass_min_len_instance_value:var:1</td><td>5</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing" id="rule-detail-idm45342103181296"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Existing Passwords Maximum Agexccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing mediumCCE-82473-0 </div><div class="panel-heading"><h3 class="panel-title">Set Existing Passwords Maximum Age</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td 
class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82473-0">CCE-82473-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-000199</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000076-GPOS-00044</a>, <a href="">SRG-OS-000076-VMM-000430</a></p></td></tr><tr><td>Description</td><td><div 
class="description"><p>Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command: <pre>$ sudo chage -M 60 <i>USER</i></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" id="rule-detail-idm45342103161152"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict Virtual Console Root Loginsxccdf_org.ssgproject.content_rule_securetty_root_login_console_only mediumCCE-80864-2 </div><div class="panel-heading"><h3 class="panel-title">Restrict Virtual Console Root Logins</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_securetty_root_login_console_only</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL 
Definition ID</td><td>oval:ssg-securetty_root_login_console_only:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:02</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80864-2">CCE-80864-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000770</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a></p></td></tr><tr><td>Description</td><td><div 
class="description"><p>To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in <code>/etc/securetty</code>: <pre>vc/1 vc/2 vc/3 vc/4</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">virtual consoles /etc/securetty</span> <span class="label label-default">oval:ssg-test_virtual_consoles_etc_securetty:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="virtual consoles /etc/securetty">oval:ssg-object_virtual_consoles_etc_securetty:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/securetty</td><td>^vc/[0-9]+$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" id="rule-detail-idm45342103155712"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set Account Expiration Following Inactivityxccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration mediumCCE-80954-1 </div><div class="panel-heading"><h3 class="panel-title">Set Account Expiration Following Inactivity</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td 
class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-account_disable_post_pw_expiration:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80954-1">CCE-80954-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000017</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000795</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.4</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000118-GPOS-00060</a>, <a href="">SRG-OS-000003-VMM-000030</a>, <a href="">SRG-OS-000118-VMM-000590</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following lines in <code>/etc/default/useradd</code>, substituting <code><i>NUM_DAYS</i></code> appropriately: <pre>INACTIVE=<i><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration">35</abbr></i></pre> A value of 35 is recommended; however, this profile expects that the value is set to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration">35</abbr></code>. If a password is currently on the verge of expiration, then 35 days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the <code>useradd</code> man page for more information. Determining the inactivity timeout must be done with careful consideration of the length of a "normal" period of inactivity for users in the particular environment. 
Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">the value INACTIVE parameter should be set appropriately in /etc/default/useradd</span> <span class="label label-default">oval:ssg-test_etc_default_useradd_inactive:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_etc_default_useradd_inactive:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/default/useradd</td><td>^\s*INACTIVE\s*=\s*(\d+)\s*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-notchecked rule-detail-id-xccdf_org.ssgproject.content_rule_account_temp_expire_date" id="rule-detail-idm45342103143728"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Assign Expiration Date to Temporary Accountsxccdf_org.ssgproject.content_rule_account_temp_expire_date unknownCCE-82474-8 </div><div class="panel-heading"><h3 class="panel-title">Assign Expiration Date to Temporary Accounts</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_account_temp_expire_date</td></tr><tr><td>Result</td><td class="rule-result rule-result-notchecked"><div><abbr title="The Rule was not evaluated by the checking engine. This status is designed for Rule elements that have no check elements or that correspond to an unsupported checking system. It may also correspond to a status returned by a checking engine if the checking engine does not support the indicated check code.">notchecked</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82474-8">CCE-82474-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-000016</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001682</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000123-GPOS-00064</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000002-GPOS-00002</a>, <a href="">SRG-OS-000002-VMM-000020</a>, <a href="">SRG-OS-000123-VMM-000620</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Temporary accounts are established as part of normal account activation procedures when there is a need 
for short-term accounts. In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting <code><i>USER</i></code> and <code><i>YYYY-MM-DD</i></code> appropriately: <pre>$ sudo chage -E <i>YYYY-MM-DD USER</i></pre> <code><i>YYYY-MM-DD</i></code> indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. <br></p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No candidate or applicable check found.</message></pre></div></div></div></td></tr></tbody></table></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_no_empty_passwords" id="rule-detail-idm45342103140704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Prevent Login to Accounts With Empty Passwordxccdf_org.ssgproject.content_rule_no_empty_passwords highCCE-80841-0 </div><div class="panel-heading"><h3 class="panel-title">Prevent Login to Accounts With Empty Password</h3></div><div class="panel-body"><table class="table table-striped 
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_no_empty_passwords</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-no_empty_passwords:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:09</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80841-0">CCE-80841-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a 
href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.2.3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the <code>nullok</code> option in <code>/etc/pam.d/system-auth</code> to prevent logins with empty passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">make sure nullok is not used in /etc/pam.d/system-auth</span> <span class="label label-default">oval:ssg-test_no_empty_passwords:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/pam.d/system-auth</td><td>auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_policycoreutils_installed" id="rule-detail-idm45342103128752"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install policycoreutils Packagexccdf_org.ssgproject.content_rule_package_policycoreutils_installed highCCE-82976-2 </div><div class="panel-heading"><h3 class="panel-title">Install policycoreutils Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_policycoreutils_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition
ID</td><td>oval:ssg-package_policycoreutils_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82976-2">CCE-82976-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>policycoreutils</code> package can be installed with the following command: <pre> $ sudo yum install policycoreutils</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security. <code>policycoreutils</code> contains the policy core utilities that are required for basic operation of an SELinux-enabled system.
These utilities include <code>load_policy</code> to load SELinux policies, <code>setfiles</code> to label filesystems, <code>newrole</code> to switch roles, and <code>run_init</code> to run <code>/etc/init.d</code> scripts in the proper context.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package policycoreutils is installed</span> <span class="label label-default">oval:ssg-test_package_policycoreutils_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>policycoreutils</td><td>x86_64</td><td>(none)</td><td>9.el8</td><td>2.9</td><td>0:2.9-9.el8</td><td>199e2f91fd431d51</td><td>policycoreutils-0:2.9-9.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_policytype" id="rule-detail-idm45342103115088"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype highCCE-80868-3 </div><div class="panel-heading"><h3 class="panel-title">Configure SELinux Policy</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_policytype</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied
all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-selinux_policytype:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80868-3">CCE-80868-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R66)</a>, <a href="">1.6.1.3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO11.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a>, <a href="">SRG-OS-000445-VMM-001780</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SELinux <code>targeted</code> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in <code>/etc/selinux/config</code>: <pre>SELINUXTYPE=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></pre> Other policies, such as <code>mls</code>, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Setting the SELinux policy to <code>targeted</code> or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. <br><br> Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in <code>permissive</code> mode. 
In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_policy_name">targeted</abbr></code>.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file</span> <span class="label label-default">oval:ssg-test_selinux_policy:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/selinux/config</td><td>SELINUXTYPE=targeted</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_selinux_state" id="rule-detail-idm45342103108224"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state highCCE-80869-1 </div><div class="panel-heading"><h3 class="panel-title">Ensure SELinux State is Enforcing</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_selinux_state</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition
ID</td><td>oval:ssg-selinux_state:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80869-1">CCE-80869-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R4)</a>, <a href="">1.6.1.2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">4</a>, <a
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO11.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002165</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002696</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.2.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 3.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 4.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</a>, <a href="">SRG-OS-000445-VMM-001780</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The SELinux state should be set to <code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></code> at system boot time. 
In the file <code>/etc/selinux/config</code>, add or correct the following line to configure the system to boot into enforcing mode: <pre>SELINUX=<abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_selinux_state">enforcing</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">/selinux/enforce is 1</span>&#160;<span class="label label-default">oval:ssg-test_etc_selinux_config:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/selinux/config</td><td>SELINUX=enforcing</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" id="rule-detail-idm45342102584368"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Enforce DAC on Symlinksxccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks unknownCCE-81030-9 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Enforce DAC on Symlinks</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_fs_protected_symlinks:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81030-9">CCE-81030-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R23)</a>, <a href="">1.6.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>fs.protected_symlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_symlinks=1</pre> If this is not the system default value, add the following line to a file in the directory 
<code>/etc/sysctl.d</code>: <pre>fs.protected_symlinks = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By enabling this kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of <code>open()</code> or <code>creat()</code>.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">fs.protected_symlinks static configuration</span>&#160;<span class="label label-default">oval:ssg-test_static_sysctl_fs_protected_symlinks:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_fs_protected_symlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_etc_sysctld_fs_protected_symlinks:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_etc_sysctld_fs_protected_symlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_run_sysctld_fs_protected_symlinks:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_fs_protected_symlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.protected_symlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_fs_protected_symlinks:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td>fs.protected_symlinks = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter fs.protected_symlinks set to 1</span>&#160;<span class="label label-default">oval:ssg-test_sysctl_runtime_fs_protected_symlinks:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items 
have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>fs.protected_symlinks</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" id="rule-detail-idm45342102574816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Kernel Parameter to Enforce DAC on Hardlinksxccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks unknownCCE-81027-5 </div><div class="panel-heading"><h3 class="panel-title">Enable Kernel Parameter to Enforce DAC on Hardlinks</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_fs_protected_hardlinks:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81027-5">CCE-81027-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R23)</a>, <a href="">1.6.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>fs.protected_hardlinks</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w fs.protected_hardlinks=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>fs.protected_hardlinks = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By enabling this kernel parameter, users can no longer create soft or hard links to files which they do not own. 
Disallowing such hardlinks mitigates vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of <code>open()</code> or <code>creat()</code>.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">fs.protected_hardlinks static configuration</span>&#160;<span class="label label-default">oval:ssg-test_static_sysctl_fs_protected_hardlinks:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_fs_protected_hardlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_etc_sysctld_fs_protected_hardlinks:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_fs_protected_hardlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_run_sysctld_fs_protected_hardlinks:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_fs_protected_hardlinks:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*fs.protected_hardlinks[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_fs_protected_hardlinks:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td>fs.protected_hardlinks = 1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter fs.protected_hardlinks set to 1</span>&#160;<span class="label label-default">oval:ssg-test_sysctl_runtime_fs_protected_hardlinks:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>fs.protected_hardlinks</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev" id="rule-detail-idm45342102524128"><div class="keywords 
sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nodev mediumCCE-82077-9 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to /var/log</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_log_nodev:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82077-9">CCE-82077-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nodev</code> mount option can be used to prevent device files from being created in <code>/var/log</code>. Legitimate character and block devices should exist only in the <code>/dev</code> directory on the root partition or within chroot jails built for system services. Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/log</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The only legitimate location for device files is the <code>/dev</code> directory located on the root partition. 
The only exception to this is chroot jails.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on /var/log</span>&#160;<span class="label label-default">oval:ssg-test_var_log_partition_nodev:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log</td><td>/dev/mapper/ovirt-log</td><td>04ffc7a2-ee25-4207-a1ca-33a1ef8f9021</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">2618880</td><td role="num">26815</td><td role="num">2592065</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" id="rule-detail-idm45342102520448"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid mediumCCE-82065-4 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /var/log</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_log_nosuid:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82065-4">CCE-82065-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/log</code>. The SUID and SGID permissions should not be required in directories containing log files. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/log</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /var/log</span>&#160;<span class="label label-default">oval:ssg-test_var_log_partition_nosuid:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount 
point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log</td><td>/dev/mapper/ovirt-log</td><td>04ffc7a2-ee25-4207-a1ca-33a1ef8f9021</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">2618880</td><td role="num">26815</td><td role="num">2592065</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_boot_nodev" id="rule-detail-idm45342102511824"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option to /bootxccdf_org.ssgproject.content_rule_mount_option_boot_nodev mediumCCE-82941-6 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to /boot</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_boot_nodev</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_boot_nodev:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. 
MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82941-6">CCE-82941-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nodev</code> mount option can be used to prevent device files from being created in <code>/boot</code>. Legitimate character and block devices should exist only in the <code>/dev</code> directory on the root partition or within chroot jails built for system services. 
Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/boot</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The only legitimate location for device files is the <code>/dev</code> directory located on the root partition. The only exception to this is chroot jails.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on /boot</span>&#160;<span class="label label-default">oval:ssg-test_boot_partition_nodev:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/boot</td><td>/dev/vda1</td><td>135e3d07-8003-46c7-a76a-829e7270155c</td><td>xfs</td><td>rw</td><td>seclabel</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">42374</td><td role="num">217210</td></tr></tbody></table></div></div></div></div></div><div 
class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev" id="rule-detail-idm45342102503248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev unknownCCE-82068-8 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to /var/tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_tmp_nodev:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82068-8">CCE-82068-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R12)</a>, <a href="">1.1.8</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nodev</code> mount option can be used to prevent device files from being created in <code>/var/tmp</code>. Legitimate character and block devices should not exist within temporary directories like <code>/var/tmp</code>. Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/tmp</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The only legitimate location for device files is the <code>/dev</code> directory located on the root partition.
The only exception to this is chroot jails.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options Not remediating, because there is no record of /var/tmp in /etc/fstab </message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342126899248" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br></br><div class="panel-collapse collapse" id="idm45342126899248"><pre><code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_include_mount_options_functions">function include_mount_options_functions { : } # $1: type of filesystem # $2: new mount point option # $3: filesystem of new mount point (used when adding new entry in fstab) # $4: mount type of new mount point (used when adding new entry in fstab) function ensure_mount_option_for_vfstype { local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=() readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}') for _vfstype_point in "${_vfstype_points[@]}" do ensure_mount_option_in_fstab 
"$_vfstype_point" "$_new_opt" "$_filesystem" "$_type" done } # $1: mount point # $2: new mount point option # $3: device or virtual string (used when adding new entry in fstab) # $4: mount type of mount point (used when adding new entry in fstab) function ensure_mount_option_in_fstab { local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4 local _mount_point_match_regexp="" _previous_mount_opts="" _mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")" if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then # runtime opts without some automatic kernel/userspace-added defaults _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//") [ "$_previous_mount_opts" ] && _previous_mount_opts+="," echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab fi } # $1: mount point function get_mount_point_regexp { printf "[[:space:]]%s[[:space:]]" "$1" } # $1: mount point function assert_mount_point_in_fstab { local _mount_point_match_regexp _mount_point_match_regexp="$(get_mount_point_regexp "$1")" grep "$_mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; } } # $1: mount point function remove_defaults_from_fstab_if_overriden { local _mount_point_match_regexp _mount_point_match_regexp="$(get_mount_point_regexp "$1")" if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults," then sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab fi } # $1: mount point function ensure_partition_is_mounted { local 
_mount_point="$1" mkdir -p "$_mount_point" || return 1 if mountpoint -q "$_mount_point"; then mount -o remount --target "$_mount_point" else mount --target "$_mount_point" fi }</abbr> include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "yes" = 'yes'; then assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "/var/tmp" "nodev" "" "" ensure_partition_is_mounted "/var/tmp" } perform_remediation </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342126896928" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342126896928"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>high</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: get back mount information associated to mountpoint command: findmnt --fstab '/var/tmp' register: device_name failed_when: device_name.rc > 1 changed_when: false when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_var_tmp_nodev - unknown_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - CCE-82068-8 - name: create mount_info dictionary variable set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
tags: - mount_option_var_tmp_nodev - unknown_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - CCE-82068-8 - name: Ensure permission nodev are set on /var/tmp mount: path: /var/tmp src: '{{ mount_info.source }}' opts: '{{ mount_info.options }},nodev' state: mounted fstype: '{{ mount_info.fstype }}' when: - device_name.stdout is defined - (device_name.stdout | length > 0) - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_var_tmp_nodev - unknown_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - CCE-82068-8 </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342126893248" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet â²</a><br></br><div class="panel-collapse collapse" id="idm45342126893248"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>high</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> part /var/tmp --mountoptions="nodev" </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on /var/tmp</span>Â <span class="label label-default">oval:ssg-test_var_tmp_partition_nodev:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_var_tmp_partition_nodev:obj:1</abbr></strong> of type <strong>partition_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Mount point</th></tr></thead><tbody><tr><td>/var/tmp</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" id="rule-detail-idm45342102493184"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid mediumCCE-80839-4 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /dev/shm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_dev_shm_nosuid:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80839-4">CCE-80839-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="">1.1.16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/dev/shm</code>. The SUID and SGID permissions should not be required in these world-writable directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/dev/shm</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /dev/shm</span> <span class="label label-default">oval:ssg-test_dev_shm_partition_nosuid:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td role="num">483609</td><td role="num">0</td><td role="num">483609</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid"
id="rule-detail-idm45342102489504"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid unknownCCE-82154-6 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /var/tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_tmp_nosuid:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82154-6">CCE-82154-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R12)</a>, <a href="">1.1.9</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/tmp</code>. The SUID and SGID permissions should not be required in these world-writable directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/tmp</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled.
Users should not be able to execute SUID or SGID binaries from temporary storage partitions.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options Not remediating, because there is no record of /var/tmp in /etc/fstab </message></pre><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342126789888" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script â²</a><br></br><div class="panel-collapse collapse" id="idm45342126789888"><pre><code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_include_mount_options_functions">function include_mount_options_functions { : } # $1: type of filesystem # $2: new mount point option # $3: filesystem of new mount point (used when adding new entry in fstab) # $4: mount type of new mount point (used when adding new entry in fstab) function ensure_mount_option_for_vfstype { local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=() readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}') for _vfstype_point in 
"${_vfstype_points[@]}" do ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type" done } # $1: mount point # $2: new mount point option # $3: device or virtual string (used when adding new entry in fstab) # $4: mount type of mount point (used when adding new entry in fstab) function ensure_mount_option_in_fstab { local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4 local _mount_point_match_regexp="" _previous_mount_opts="" _mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")" if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then # runtime opts without some automatic kernel/userspace-added defaults _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \ | sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//") [ "$_previous_mount_opts" ] && _previous_mount_opts+="," echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}') sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab fi } # $1: mount point function get_mount_point_regexp { printf "[[:space:]]%s[[:space:]]" "$1" } # $1: mount point function assert_mount_point_in_fstab { local _mount_point_match_regexp _mount_point_match_regexp="$(get_mount_point_regexp "$1")" grep "$_mount_point_match_regexp" -q /etc/fstab \ || { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; } } # $1: mount point function remove_defaults_from_fstab_if_overriden { local _mount_point_match_regexp _mount_point_match_regexp="$(get_mount_point_regexp "$1")" if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults," then sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab fi } # $1: 
mount point function ensure_partition_is_mounted { local _mount_point="$1" mkdir -p "$_mount_point" || return 1 if mountpoint -q "$_mount_point"; then mount -o remount --target "$_mount_point" else mount --target "$_mount_point" fi }</abbr> include_mount_options_functions function perform_remediation { # test "$mount_has_to_exist" = 'yes' if test "yes" = 'yes'; then assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; } fi ensure_mount_option_in_fstab "/var/tmp" "nosuid" "" "" ensure_partition_is_mounted "/var/tmp" } perform_remediation </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342126787568" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342126787568"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>high</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: get back mount information associated to mountpoint command: findmnt --fstab '/var/tmp' register: device_name failed_when: device_name.rc > 1 changed_when: false when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_var_tmp_nosuid - unknown_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - CCE-82154-6 - name: create mount_info dictionary variable set_fact: mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}' with_together: - '{{ device_name.stdout_lines[0].split() | list | lower }}' - '{{ device_name.stdout_lines[1].split() | list }}' when: - device_name.stdout is defined and device_name.stdout_lines is defined - (device_name.stdout | length > 0) -
ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_var_tmp_nosuid - unknown_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - CCE-82154-6 - name: Ensure permission nosuid are set on /var/tmp mount: path: /var/tmp src: '{{ mount_info.source }}' opts: '{{ mount_info.options }},nosuid' state: mounted fstype: '{{ mount_info.fstype }}' when: - device_name.stdout is defined - (device_name.stdout | length > 0) - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" tags: - mount_option_var_tmp_nosuid - unknown_severity - configure_strategy - low_complexity - high_disruption - no_reboot_needed - CCE-82154-6 </code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342126783888" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet â²</a><br></br><div class="panel-collapse collapse" id="idm45342126783888"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>high</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> part /var/tmp --mountoptions="nosuid" </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /var/tmp</span>Â <span class="label label-default">oval:ssg-test_var_tmp_partition_nosuid:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_var_tmp_partition_nosuid:obj:1</abbr></strong> of type 
<strong>partition_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th></tr></thead><tbody><tr><td>/var/tmp</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" id="rule-detail-idm45342102479440"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nosuid unknownCCE-81050-7 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /home</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_home_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_home_nosuid:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81050-7">CCE-81050-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R12)</a>, <a href="">1.1.3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/home</code>. The SUID and SGID permissions should not be required in these user data directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/home</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /home</span> <span class="label label-default">oval:ssg-test_home_partition_nosuid:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount 
options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/home</td><td>/dev/mapper/ovirt-home</td><td>934099b3-b298-4e85-a731-17c9495a92ac</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10084</td><td role="num">249500</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" id="rule-detail-idm45342102470832"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec unknownCCE-82139-7 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_tmp_noexec:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82139-7">CCE-82139-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R12)</a>, <a href="">1.1.5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/tmp</code>. Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/tmp</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Allowing users to execute binaries from world-writable directories such as <code>/tmp</code> should never be necessary in normal operation and can expose the system to potential compromise.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /tmp</span> <span class="label label-default">oval:ssg-test_tmp_partition_noexec:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/tmp</td><td>/dev/mapper/ovirt-tmp</td><td>fe226ba1-b167-4b0f-81b2-d06bb6c1dd78</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">521728</td><td role="num">11962</td><td 
role="num">509766</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_nodev" id="rule-detail-idm45342102467168"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option to /varxccdf_org.ssgproject.content_rule_mount_option_var_nodev mediumCCE-82062-1 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to /var</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_nodev</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_nodev:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82062-1">CCE-82062-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nodev</code> mount option can be used to prevent device files from being created in <code>/var</code>. Legitimate character and block devices should exist only in the <code>/dev</code> directory on the root partition or within chroot jails built for system services. 
Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The only legitimate location for device files is the <code>/dev</code> directory located on the root partition. The only exception to this is chroot jails.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on /var</span> <span class="label label-default">oval:ssg-test_var_partition_nodev:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var</td><td>/dev/mapper/ovirt-var</td><td>64bf7634-bdbb-40e1-a2b8-0b7865630c92</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">5240320</td><td role="num">82745</td><td role="num">5157575</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec" id="rule-detail-idm45342102461744"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec mediumCCE-82975-4 
</div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /var/log/audit</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_log_audit_noexec:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82975-4">CCE-82975-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var/log/audit</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/log/audit</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Allowing users to execute binaries from directories containing audit log files such as <code>/var/log/audit</code> should never be necessary in normal operation and can expose the system to potential compromise.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /var/log/audit</span>Â <span class="label label-default">oval:ssg-test_var_log_audit_partition_noexec:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space 
left</th></tr></thead><tbody><tr><td>/var/log/audit</td><td>/dev/mapper/ovirt-audit</td><td>3b01f699-5c60-4a28-8941-ddc1a0828164</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10105</td><td role="num">249479</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev" id="rule-detail-idm45342102453088"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev mediumCCE-82080-3 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to /var/log/audit</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_log_audit_nodev:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82080-3">CCE-82080-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nodev</code> mount option can be used to prevent device files from being created in <code>/var/log/audit</code>. Legitimate character and block devices should exist only in the <code>/dev</code> directory on the root partition or within chroot jails built for system services. 
Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/log/audit</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The only legitimate location for device files is the <code>/dev</code> directory located on the root partition. The only exception to this is chroot jails.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on /var/log/audit</span> <span class="label label-default">oval:ssg-test_var_log_audit_partition_nodev:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log/audit</td><td>/dev/mapper/ovirt-audit</td><td>3b01f699-5c60-4a28-8941-ddc1a0828164</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10105</td><td role="num">249479</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_home_nodev" id="rule-detail-idm45342102449408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nodev 
unknownCCE-81048-1 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to /home</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_home_nodev</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_home_nodev:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81048-1">CCE-81048-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R12)</a>, <a href="">1.1.14</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nodev</code> mount option can be used to prevent device files from being created in <code>/home</code>. 
Legitimate character and block devices should exist only in the <code>/dev</code> directory on the root partition or within chroot jails built for system services. Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/home</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The only legitimate location for device files is the <code>/dev</code> directory located on the root partition. The only exception to this is chroot jails.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on /home</span> <span class="label label-default">oval:ssg-test_home_partition_nodev:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/home</td><td>/dev/mapper/ovirt-home</td><td>934099b3-b298-4e85-a731-17c9495a92ac</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">10084</td><td role="num">249500</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" id="rule-detail-idm45342102445744"><div class="keywords sr-only"><!--This allows 
OpenSCAP JS to search the report rules-->Add noexec Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec mediumCCE-80838-6 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /dev/shm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_dev_shm_noexec:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80838-6">CCE-80838-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">1.1.17</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/dev/shm</code>. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as <code>/dev/shm</code>. Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/dev/shm</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Allowing users to execute binaries from world-writable directories such as <code>/dev/shm</code> can expose the system to potential compromise.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /dev/shm</span> <span class="label label-default">oval:ssg-test_dev_shm_partition_noexec:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total 
space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td role="num">483609</td><td role="num">0</td><td role="num">483609</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev" id="rule-detail-idm45342102435344"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nodev unknownCCE-82623-0 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to /tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_tmp_nodev:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82623-0">CCE-82623-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R12)</a>, <a href="">1.1.3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nodev</code> mount option can be used to prevent device files from being created in <code>/tmp</code>. Legitimate character and block devices should not exist within temporary directories like <code>/tmp</code>. Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/tmp</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The only legitimate location for device files is the <code>/dev</code> directory located on the root partition. The only exception to this is chroot jails.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on /tmp</span> <span class="label label-default">oval:ssg-test_tmp_partition_nodev:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/tmp</td><td>/dev/mapper/ovirt-tmp</td><td>fe226ba1-b167-4b0f-81b2-d06bb6c1dd78</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td 
role="num">521728</td><td role="num">11962</td><td role="num">509766</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" id="rule-detail-idm45342102431680"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev mediumCCE-80837-8 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to /dev/shm</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_dev_shm_nodev:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80837-8">CCE-80837-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">1.1.15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nodev</code> mount option can be used to prevent creation of device files in <code>/dev/shm</code>. Legitimate character and block devices should not exist within temporary directories like <code>/dev/shm</code>. Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/dev/shm</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The only legitimate location for device files is the <code>/dev</code> directory located on the root partition. The only exception to this is chroot jails.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on /dev/shm</span> <span class="label label-default">oval:ssg-test_dev_shm_partition_nodev:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/dev/shm</td><td>tmpfs</td><td></td><td>tmpfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td role="num">483609</td><td role="num">0</td><td role="num">483609</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" 
id="rule-detail-idm45342102428000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /bootxccdf_org.ssgproject.content_rule_mount_option_boot_nosuid mediumCCE-81033-3 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /boot</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_boot_nosuid:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81033-3">CCE-81033-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/boot</code>. The SUID and SGID permissions should not be required on the boot partition. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/boot</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. 
Users should not be able to execute SUID or SGID binaries from boot partitions.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /boot</span> <span class="label label-default">oval:ssg-test_boot_partition_nosuid:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/boot</td><td>/dev/vda1</td><td>135e3d07-8003-46c7-a76a-829e7270155c</td><td>xfs</td><td>rw</td><td>seclabel</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">42374</td><td role="num">217210</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" id="rule-detail-idm45342102419392"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nodev Option 
to Non-Root Local Partitionsxccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions unknownCCE-82069-6 </div><div class="panel-heading"><h3 class="panel-title">Add nodev Option to Non-Root Local Partitions</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_nodev_nonroot_local_partitions:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82069-6">CCE-82069-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">1.1.11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nodev</code> mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the <code>/dev</code> directory on the root partition or within chroot jails built for system services. Add the <code>nodev</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of any non-root local partitions.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>nodev</code> mount option prevents files from being interpreted as character or block devices. 
The only legitimate location for device files is the <code>/dev</code> directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set <code>nodev</code> on these filesystems.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No suitable fix found.</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nodev on local filesystems</span> <span class="label label-default">oval:ssg-test_nodev_nonroot_local_partitions:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/boot</td><td>/dev/vda1</td><td>135e3d07-8003-46c7-a76a-829e7270155c</td><td>xfs</td><td>rw</td><td>seclabel</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">259584</td><td role="num">42374</td><td role="num">217210</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" 
id="rule-detail-idm45342102415056"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_noexec mediumCCE-82008-4 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /var/log</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_log_noexec:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82008-4">CCE-82008-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var/log</code>. 
Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/log</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Allowing users to execute binaries from directories containing log files such as <code>/var/log</code> should never be necessary in normal operation and can expose the system to potential compromise.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /var/log</span> <span class="label label-default">oval:ssg-test_var_log_partition_noexec:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log</td><td>/dev/mapper/ovirt-log</td><td>04ffc7a2-ee25-4207-a1ca-33a1ef8f9021</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td 
role="num">2618880</td><td role="num">26815</td><td role="num">2592065</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid" id="rule-detail-idm45342102404688"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid mediumCCE-82921-8 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /var/log/audit</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_log_audit_nosuid:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82921-8">CCE-82921-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/var/log/audit</code>. The SUID and SGID permissions should not be required in directories containing audit log files. 
Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/log/audit</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /var/log/audit</span> <span class="label label-default">oval:ssg-test_var_log_audit_partition_nosuid:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/var/log/audit</td><td>/dev/mapper/ovirt-audit</td><td>3b01f699-5c60-4a28-8941-ddc1a0828164</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nodev</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td 
role="num">259584</td><td role="num">10105</td><td role="num">249479</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" id="rule-detail-idm45342102394272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add noexec Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec unknownCCE-82151-2 </div><div class="panel-heading"><h3 class="panel-title">Add noexec Option to /var/tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_var_tmp_noexec:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82151-2">CCE-82151-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R12)</a>, <a href="">1.1.10</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>noexec</code> mount option can be used to prevent binaries from being executed out of <code>/var/tmp</code>. Add the <code>noexec</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/var/tmp</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Allowing users to execute binaries from world-writable directories such as <code>/var/tmp</code> should never be necessary in normal operation and can expose the system to potential compromise.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">The mount point '/var/tmp' is not even in /etc/fstab, so we can't set up mount options
Not remediating, because there is no record of /var/tmp in /etc/fstab 
</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342125644928" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342125644928"><pre><code><abbr title="from TestResult: xccdf_org.ssgproject.content_value_function_include_mount_options_functions">function include_mount_options_functions {
    :
}

# $1: type of filesystem
# $2: new mount point option
# $3: filesystem of new mount point (used when adding new entry in fstab)
# $4: mount type of new mount point (used when adding new entry in fstab)
function ensure_mount_option_for_vfstype {
    local _vfstype="$1" _new_opt="$2" _filesystem=$3 _type=$4 _vfstype_points=()
    readarray -t _vfstype_points < <(grep -E "[[:space:]]${_vfstype}[[:space:]]" /etc/fstab | awk '{print $2}')

    for _vfstype_point in "${_vfstype_points[@]}"
    do
        ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" "$_filesystem" "$_type"
    done
}

# $1: mount point
# $2: new mount point option
# $3: device or virtual string (used when adding new entry in fstab)
# $4: mount type of mount point (used when adding new entry in fstab)
function ensure_mount_option_in_fstab {
    local _mount_point="$1" _new_opt="$2" _device=$3 _type=$4
    local _mount_point_match_regexp="" _previous_mount_opts=""
    _mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")"

    if [ "$(grep -c "$_mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/mtab | head -1 | awk '{print $4}' \
            | sed -E "s/(rw|defaults|seclabel|${_new_opt})(,|$)//g;s/,$//")
        [ "$_previous_mount_opts" ] && _previous_mount_opts+=","
        echo "${_device} ${_mount_point} ${_type} defaults,${_previous_mount_opts}${_new_opt} 0 0" >> /etc/fstab
    elif [ "$(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt")" -eq 0 ]; then
        _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab
    fi
}

# $1: mount point
function get_mount_point_regexp {
    printf "[[:space:]]%s[[:space:]]" "$1"
}

# $1: mount point
function assert_mount_point_in_fstab {
    local _mount_point_match_regexp
    _mount_point_match_regexp="$(get_mount_point_regexp "$1")"
    grep "$_mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; }
}

# $1: mount point
function remove_defaults_from_fstab_if_overriden {
    local _mount_point_match_regexp
    _mount_point_match_regexp="$(get_mount_point_regexp "$1")"
    if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults,"
    then
        sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab
    fi
}

# $1: mount point
function ensure_partition_is_mounted {
    local _mount_point="$1"
    mkdir -p "$_mount_point" || return 1
    if mountpoint -q "$_mount_point"; then
        mount -o remount --target "$_mount_point"
    else
        mount --target "$_mount_point"
    fi
}</abbr>
include_mount_options_functions

function perform_remediation {
    # test "$mount_has_to_exist" = 'yes'
    if test "yes" = 'yes'; then
        assert_mount_point_in_fstab /var/tmp || { echo "Not remediating, because there is no record of /var/tmp in /etc/fstab" >&2; return 1; }
    fi

    ensure_mount_option_in_fstab "/var/tmp" "noexec" "" ""

    ensure_partition_is_mounted "/var/tmp"
}

perform_remediation
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342125642608" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342125642608"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>high</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: get back mount information associated to mountpoint
  command: findmnt --fstab '/var/tmp'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82151-2

- name: create mount_info dictionary variable
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
    - '{{ device_name.stdout_lines[0].split() | list | lower }}'
    - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
    - device_name.stdout is defined and device_name.stdout_lines is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82151-2

- name: Ensure permission noexec are set on /var/tmp
  mount:
    path: /var/tmp
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }},noexec'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
    - device_name.stdout is defined
    - (device_name.stdout | length > 0)
    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - mount_option_var_tmp_noexec
    - unknown_severity
    - configure_strategy
    - low_complexity
    - high_disruption
    - no_reboot_needed
    - CCE-82151-2
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342125638928" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342125638928"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>high</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
part /var/tmp --mountoptions="noexec"
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">noexec on /var/tmp</span> <span class="label label-default">oval:ssg-test_var_tmp_partition_noexec:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_var_tmp_partition_noexec:obj:1</abbr></strong> of type <strong>partition_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th></tr></thead><tbody><tr><td>/var/tmp</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" id="rule-detail-idm45342102384208"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Add nosuid Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid unknownCCE-82140-5 </div><div class="panel-heading"><h3 class="panel-title">Add nosuid Option to /tmp</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td 
class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-mount_option_tmp_nosuid:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82140-5">CCE-82140-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R12)</a>, <a href="">1.1.4</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.3.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nosuid</code> mount option can be used to prevent execution of setuid programs in <code>/tmp</code>. The SUID and SGID permissions should not be required in these world-writable directories. Add the <code>nosuid</code> option to the fourth column of <code>/etc/fstab</code> for the line which controls mounting of <code>/tmp</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The presence of SUID and SGID executables should be tightly controlled. 
Users should not be able to execute SUID or SGID binaries from temporary storage partitions.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">nosuid on /tmp</span> <span class="label label-default">oval:ssg-test_tmp_partition_nosuid:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Mount point</th><th>Device</th><th>Uuid</th><th>Fs type</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Mount options</th><th>Total space</th><th>Space used</th><th>Space left</th></tr></thead><tbody><tr><td>/tmp</td><td>/dev/mapper/ovirt-tmp</td><td>fe226ba1-b167-4b0f-81b2-d06bb6c1dd78</td><td>xfs</td><td>rw</td><td>seclabel</td><td>nosuid</td><td>nodev</td><td>noexec</td><td>relatime</td><td>attr2</td><td>inode64</td><td>noquota</td><td>bind</td><td role="num">521728</td><td role="num">11962</td><td role="num">509766</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_page_poison_argument" id="rule-detail-idm45342102301552"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable page allocator poisoningxccdf_org.ssgproject.content_rule_grub2_page_poison_argument mediumCCE-80944-2 </div><div class="panel-heading"><h3 class="panel-title">Enable page allocator poisoning</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule 
ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_page_poison_argument</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-grub2_page_poison_argument:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:11</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80944-2">CCE-80944-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable poisoning of free pages, add the argument <code>page_poison=1</code> to the default GRUB 2 command line for the Linux operating system in <code>/etc/default/grub</code>, in the manner below: <pre>GRUB_CMDLINE_LINUX="page_poison=1"</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. 
This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The GRUB 2 configuration file, <code>grub.cfg</code>, is automatically updated each time a new kernel is installed. Note that any changes to <code>/etc/default/grub</code> require rebuilding the <code>grub.cfg</code> file. To update the GRUB 2 configuration file manually, use the <pre>grub2-mkconfig -o</pre> command as follows: <ul><li>On BIOS-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</pre></li><li>On UEFI-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li></ul></div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check forkernel command line parameters page_poison=1 in /boot/grub2/grubenv for all kernels</span> <span class="label label-default">oval:ssg-test_grub2_page_poison_argument_grub_env:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/boot/grub2/grubenv</td><td>kernelopts=root=/dev/mapper/ovirt-root ro console=tty0 console=ttyS0 crashkernel=auto resume=/dev/mapper/ovirt-swap rd.lvm.lv=ovirt/root rd.lvm.lv=ovirt/swap </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument" id="rule-detail-idm45342102296032"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable SLUB/SLAB allocator poisoningxccdf_org.ssgproject.content_rule_grub2_slub_debug_argument mediumCCE-80945-9 </div><div class="panel-heading"><h3 class="panel-title">Enable SLUB/SLAB allocator poisoning</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-grub2_slub_debug_argument:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:11</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80945-9">CCE-80945-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00192</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable poisoning of SLUB/SLAB objects, add the argument <code>slub_debug=P</code> to the default GRUB 2 command line for the Linux operating system in <code>/etc/default/grub</code>, in the manner below: <pre>GRUB_CMDLINE_LINUX="slub_debug=P"</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. It also prevents leaks of data and allows detection of corrupted memory.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&#160;The GRUB 2 configuration file, <code>grub.cfg</code>, is automatically updated each time a new kernel is installed. Note that any changes to <code>/etc/default/grub</code> require rebuilding the <code>grub.cfg</code> file. 
To update the GRUB 2 configuration file manually, use the <pre>grub2-mkconfig -o</pre> command as follows: <ul><li>On BIOS-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</pre></li><li>On UEFI-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li></ul></div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for kernel command line parameters slub_debug=P in /boot/grub2/grubenv for all kernels</span>&#160;<span class="label label-default">oval:ssg-test_grub2_slub_debug_argument_grub_env:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/boot/grub2/grubenv</td><td>kernelopts=root=/dev/mapper/ovirt-root ro console=tty0 console=ttyS0 crashkernel=auto resume=/dev/mapper/ovirt-swap rd.lvm.lv=ovirt/root rd.lvm.lv=ovirt/swap </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" id="rule-detail-idm45342102282256"><div class="keywords 
sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict Exposed Kernel Pointer Addresses Accessxccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict mediumCCE-80915-2 </div><div class="panel-heading"><h3 class="panel-title">Restrict Exposed Kernel Pointer Addresses Access</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_kptr_restrict:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80915-2">CCE-80915-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R23)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>kernel.kptr_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kptr_restrict=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.kptr_restrict = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Exposing kernel pointers (through procfs or <code>seq_printf()</code>) exposes kernel writeable structures that can contain function pointers. If a write vulnerability in the kernel allows write access to any of these structures, the kernel can be compromised. 
This option prevents any program without the CAP_SYSLOG capability from getting kernel pointer addresses, replacing them with 0.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.kptr_restrict static configuration</span>&#160;<span class="label label-default">oval:ssg-test_static_sysctl_kernel_kptr_restrict:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_kptr_restrict:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label 
label-default">oval:ssg-test_static_run_sysctld_kernel_kptr_restrict:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_kptr_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kptr_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf</span>&#160;<span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_kptr_restrict:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-default.conf</td><td>kernel.kptr_restrict = 1 </td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.kptr_restrict set to 1</span>&#160;<span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_kptr_restrict:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.kptr_restrict</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled" id="rule-detail-idm45342102276848"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable acquiring, saving, and processing core 
dumpsxccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled unknownCCE-82881-4 </div><div class="panel-heading"><h3 class="panel-title">Disable acquiring, saving, and processing core dumps</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_systemd-coredump_disabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:14</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82881-4">CCE-82881-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>systemd-coredump.socket</code> unit is a socket activation of the <code>systemd-coredump@.service</code> which processes core dumps. By masking the unit, core dump processing is disabled.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to stop systemd-coredump.service: Unit systemd-coredump.service not loaded. Failed to disable unit: Unit file systemd-coredump.service does not exist. Unit systemd-coredump.service does not exist, proceeding anyway. 
Created symlink /etc/systemd/system/systemd-coredump.service → /dev/null. Created symlink /etc/systemd/system/systemd-coredump.socket → /dev/null. Failed to reset failed state of unit systemd-coredump.service: Unit systemd-coredump.service not loaded. </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package systemd is removed</span>&#160;<span class="label label-default">oval:ssg-test_service_systemd-coredump_package_systemd_removed:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>systemd</td><td>x86_64</td><td>(none)</td><td>31.el8_2.2</td><td>239</td><td>0:239-31.el8_2.2</td><td>199e2f91fd431d51</td><td>systemd-0:239-31.el8_2.2.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the systemd-coredump service is not running</span>&#160;<span class="label label-default">oval:ssg-test_service_not_running_systemd-coredump:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>systemd-coredump.socket</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service systemd-coredump is masked</span>&#160;<span class="label label-default">oval:ssg-test_service_loadstate_is_masked_systemd-coredump:tst:1</span>&#160;<span 
class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>systemd-coredump.socket</td><td>LoadState</td><td>loaded</td></tr></tbody></table><h4><span class="label label-primary">Test that the property FragmentPath from the service systemd-coredump is set to /dev/null</span>&#160;<span class="label label-default">oval:ssg-test_service_fragmentpath_is_dev_null_systemd-coredump:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>systemd-coredump.socket</td><td>FragmentPath</td><td>/usr/lib/systemd/system/systemd-coredump.socket</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_coredump_disable_backtraces" id="rule-detail-idm45342102268704"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable core dump backtracesxccdf_org.ssgproject.content_rule_coredump_disable_backtraces unknownCCE-82251-0 </div><div class="panel-heading"><h3 class="panel-title">Disable core dump backtraces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_coredump_disable_backtraces</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-coredump_disable_backtraces:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:14</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82251-0">CCE-82251-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>ProcessSizeMax</code> option in <code>[Coredump]</code> section of <code>/etc/systemd/coredump.conf</code> specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. 
Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>&#160;If the <code>/etc/systemd/coredump.conf</code> file does not already contain the <code>[Coredump]</code> section, the value will not be configured correctly.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file</span>&#160;<span class="label label-default">oval:ssg-test_coredump_disable_backtraces:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_coredump_disable_backtraces:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/systemd/coredump.conf</td><td>^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail 
rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_disable_users_coredumps" id="rule-detail-idm45342102262000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Core Dumps for All Usersxccdf_org.ssgproject.content_rule_disable_users_coredumps unknownCCE-81038-2 </div><div class="panel-heading"><h3 class="panel-title">Disable Core Dumps for All Users</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_users_coredumps</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-disable_users_coredumps:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:14</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81038-2">CCE-81038-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="">1.5.1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">2</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI04.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a 
href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To disable core dumps for all users, add the following line to <code>/etc/security/limits.conf</code>: <pre>* hard core 0</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory</span>&#160;<span class="label label-default">oval:ssg-test_core_dumps_limits_d:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_core_dumps_limits_d:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/limits.d</td><td>^.*\.conf$</td><td>^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Tests for existence of the ^[\s]*\*[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory</span>&#160;<span class="label label-default">oval:ssg-test_core_dumps_limits_d_exists:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_core_dumps_limits_d_exists:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/limits.d</td><td>^.*\.conf$</td><td>^[\s]*\*[\s]+(?:hard|-)[\s]+core</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file</span>&#160;<span class="label label-default">oval:ssg-test_core_dumps_limitsconf:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_core_dumps_limitsconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/security/limits.conf</td><td>^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed 
rule-detail-id-xccdf_org.ssgproject.content_rule_coredump_disable_storage" id="rule-detail-idm45342102254000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable storing core dumpxccdf_org.ssgproject.content_rule_coredump_disable_storage unknownCCE-82252-8 </div><div class="panel-heading"><h3 class="panel-title">Disable storing core dump</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_coredump_disable_storage</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-coredump_disable_storage:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:14</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82252-8">CCE-82252-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>Storage</code> option in the <code>[Coredump]</code> section of <code>/etc/systemd/coredump.conf</code> can be set to <code>none</code> to disable storing core dumps permanently.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. 
</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span>Â If the <code>/etc/systemd/coredump.conf</code> file does not already contain the <code>[Coredump]</code> section, the value will not be configured correctly.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of Storage setting in the /etc/systemd/coredump.conf file</span>Â <span class="label label-default">oval:ssg-test_coredump_disable_storage:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_coredump_disable_storage:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/systemd/coredump.conf</td><td>^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" id="rule-detail-idm45342102380544"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict usage of ptrace to descendant processesxccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope mediumCCE-80953-3 </div><div class="panel-heading"><h3 class="panel-title">Restrict usage of ptrace to descendant processes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80953-3">CCE-80953-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R25)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>kernel.yama.ptrace_scope</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.yama.ptrace_scope=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.yama.ptrace_scope = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. In this way, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing). 
</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_kernel_yama_ptrace_scope:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_yama_ptrace_scope:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_yama_ptrace_scope:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_yama_ptrace_scope:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_yama_ptrace_scope:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.yama.ptrace_scope set to 1</span>Â <span class="label 
label-default">oval:ssg-test_sysctl_runtime_kernel_yama_ptrace_scope:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.yama.ptrace_scope</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" id="rule-detail-idm45342102370400"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Harden the operation of the BPF just-in-time compilerxccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden mediumCCE-82934-1 </div><div class="panel-heading"><h3 class="panel-title">Harden the operation of the BPF just-in-time compiler</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_net_core_bpf_jit_harden:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82934-1">CCE-82934-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>net.core.bpf_jit_harden</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.core.bpf_jit_harden=2</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>net.core.bpf_jit_harden = 2</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>When hardened, the extended Berkeley Packet Filter just-in-time compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in <code>/proc/kallsyms</code>.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel 
panel-default"><div class="panel-body"><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_net_core_bpf_jit_harden:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_net_core_bpf_jit_harden:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_net_core_bpf_jit_harden:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_net_core_bpf_jit_harden:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_net_core_bpf_jit_harden:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_net_core_bpf_jit_harden:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_net_core_bpf_jit_harden:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_net_core_bpf_jit_harden:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter net.core.bpf_jit_harden set to 2</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_net_core_bpf_jit_harden:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>net.core.bpf_jit_harden</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" id="rule-detail-idm45342102360272"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Access to Network bpf() Syscall From Unprivileged 
Processesxccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled mediumCCE-82974-7 </div><div class="panel-heading"><h3 class="panel-title">Disable Access to Network bpf() Syscall From Unprivileged Processes</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82974-7">CCE-82974-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>kernel.unprivileged_bpf_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.unprivileged_bpf_disabled = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div 
class="panel-body"><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_kernel_unprivileged_bpf_disabled:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_unprivileged_bpf_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_unprivileged_bpf_disabled:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_kernel_unprivileged_bpf_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_unprivileged_bpf_disabled:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object 
<strong><abbr>oval:ssg-object_static_run_sysctld_kernel_unprivileged_bpf_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_unprivileged_bpf_disabled:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_unprivileged_bpf_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_unprivileged_bpf_disabled:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.unprivileged_bpf_disabled</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-informational rule-detail-id-xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument" id="rule-detail-idm45342102350080"><div 
class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable vsyscallsxccdf_org.ssgproject.content_rule_grub2_vsyscall_argument infoCCE-80946-7 </div><div class="panel-heading"><h3 class="panel-title">Disable vsyscalls</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument</td></tr><tr><td>Result</td><td class="rule-result rule-result-informational"><div><abbr title="The Rule was checked, but the output from the checking engine is simply information for auditors or administrators; it is not a compliance category. This status value is designed for Rule elements whose main purpose is to extract information from the target rather than test the target.">informational</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-grub2_vsyscall_argument:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>info</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80946-7">CCE-80946-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To disable use of virtual syscalls, add the argument <code>vsyscall=none</code> to the default GRUB 2 command line for the Linux operating system in <code>/etc/default/grub</code>, in the manner below: <pre>GRUB_CMDLINE_LINUX="vsyscall=none"</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> The GRUB 2 configuration file, <code>grub.cfg</code>, is automatically updated each time a new kernel is installed. Note that any changes to <code>/etc/default/grub</code> require rebuilding the <code>grub.cfg</code> file. 
To update the GRUB 2 configuration file manually, use the <pre>grub2-mkconfig -o</pre> command as follows: <ul><li>On BIOS-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</pre></li><li>On UEFI-based machines, issue the following command as <code>root</code>: <pre>~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg</pre></li></ul></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">check for kernel command line parameters vsyscall=none in /boot/grub2/grubenv for all kernels</span> <span class="label label-default">oval:ssg-test_grub2_vsyscall_argument_grub_env:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/boot/grub2/grubenv</td><td>kernelopts=root=/dev/mapper/ovirt-root ro console=tty0 console=ttyS0 crashkernel=auto resume=/dev/mapper/ovirt-swap rd.lvm.lv=ovirt/root rd.lvm.lv=ovirt/swap </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" id="rule-detail-idm45342102346112"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Restrict Access to Kernel Message Bufferxccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict mediumCCE-80913-7 </div><div class="panel-heading"><h3 class="panel-title">Restrict Access to Kernel Message Buffer</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_dmesg_restrict:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:10</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80913-7">CCE-80913-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R23)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001314</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(b)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>kernel.dmesg_restrict</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.dmesg_restrict=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.dmesg_restrict = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Unprivileged access to the kernel syslog can expose sensitive kernel address information.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results 
details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.dmesg_restrict static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_kernel_dmesg_restrict:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_dmesg_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_dmesg_restrict:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_kernel_dmesg_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_dmesg_restrict:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_dmesg_restrict:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_dmesg_restrict:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_dmesg_restrict:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.dmesg_restrict set to 1</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_dmesg_restrict:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.dmesg_restrict</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" id="rule-detail-idm45342102335984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kernel Image Loadingxccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled mediumCCE-80952-5 
</div><div class="panel-heading"><h3 class="panel-title">Disable Kernel Image Loading</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_kexec_load_disabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:11</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80952-5">CCE-80952-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>kernel.kexec_load_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.kexec_load_disabled=1</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.kexec_load_disabled = 1</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled. 
</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_kernel_kexec_load_disabled:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_kexec_load_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_kexec_load_disabled:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_kernel_kexec_load_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_kexec_load_disabled:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_kexec_load_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_kexec_load_disabled:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_kexec_load_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*1[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.kexec_load_disabled set to 1</span>Â <span class="label 
label-default">oval:ssg-test_sysctl_runtime_kernel_kexec_load_disabled:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.kexec_load_disabled</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern" id="rule-detail-idm45342102325840"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable storing core dumpsxccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern unknownCCE-82215-5 </div><div class="panel-heading"><h3 class="panel-title">Disable storing core dumps</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_core_pattern:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:11</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82215-5">CCE-82215-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>kernel.core_pattern</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.core_pattern=|/bin/false</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.core_pattern = |/bin/false</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>A core dump includes a memory image taken at the time the operating system terminates an application. 
The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel.core_pattern static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_kernel_core_pattern:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_core_pattern:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.core_pattern static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_core_pattern:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_kernel_core_pattern:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.core_pattern static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_core_pattern:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_core_pattern:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.core_pattern[\s]*=[\s]*|/bin/false[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.core_pattern static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_core_pattern:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d/50-coredump.conf</td><td> kernel.core_pattern=</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.core_pattern set to |/bin/false</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_core_pattern:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.core_pattern</td><td>|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" id="rule-detail-idm45342102315680"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disallow kernel profiling by unprivileged usersxccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid mediumCCE-81054-9 </div><div class="panel-heading"><h3 class="panel-title">Disallow kernel profiling by unprivileged users</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_kernel_perf_event_paranoid:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:11</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81054-9">CCE-81054-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R23)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>kernel.perf_event_paranoid</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.perf_event_paranoid=2</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>kernel.perf_event_paranoid = 2</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Kernel profiling can reveal sensitive information about kernel behaviour.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div 
class="panel-body"><h4><span class="label label-primary">kernel.perf_event_paranoid static configuration</span>Â <span class="label label-default">oval:ssg-test_static_sysctl_kernel_perf_event_paranoid:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_kernel_perf_event_paranoid:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_etc_sysctld_kernel_perf_event_paranoid:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_kernel_perf_event_paranoid:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_kernel_perf_event_paranoid:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_kernel_perf_event_paranoid:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_kernel_perf_event_paranoid:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_kernel_perf_event_paranoid:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*2[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter kernel.perf_event_paranoid set to 2</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_kernel_perf_event_paranoid:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>kernel.perf_event_paranoid</td><td>2</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-informational rule-detail-id-xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces" id="rule-detail-idm45342102305536"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable the use of user 
namespacesxccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces infoCCE-82211-4 </div><div class="panel-heading"><h3 class="panel-title">Disable the use of user namespaces</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces</td></tr><tr><td>Result</td><td class="rule-result rule-result-informational"><div><abbr title="The Rule was checked, but the output from the checking engine is simply information for auditors or administrators; it is not a compliance category. This status value is designed for Rule elements whose main purpose is to extract information from the target rather than test the target.">informational</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sysctl_user_max_user_namespaces:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>info</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82211-4">CCE-82211-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-39</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To set the runtime status of the <code>user.max_user_namespaces</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w user.max_user_namespaces=0</pre> If this is not the system default value, add the following line to a file in the directory <code>/etc/sysctl.d</code>: <pre>user.max_user_namespaces = 0</pre> When containers are deployed on the machine, the value should be set to a large non-zero value.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>User namespaces are used primarily for Linux containers. The value 0 disallows the use of user namespaces.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> This configuration baseline was created to deploy the base operating system for general purpose workloads. 
When the operating system is configured for certain purposes, such as to host Linux Containers, it is expected that <code>user.max_user_namespaces</code> will be enabled.</div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">user.max_user_namespaces static configuration</span> <span class="label label-default">oval:ssg-test_static_sysctl_user_max_user_namespaces:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_sysctl_user_max_user_namespaces:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.conf</td><td>^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf</span> <span class="label label-default">oval:ssg-test_static_etc_sysctld_user_max_user_namespaces:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_etc_sysctld_user_max_user_namespaces:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">user.max_user_namespaces 
static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_run_sysctld_user_max_user_namespaces:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_run_sysctld_user_max_user_namespaces:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf</span>Â <span class="label label-default">oval:ssg-test_static_usr_lib_sysctld_user_max_user_namespaces:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_static_usr_lib_sysctld_user_max_user_namespaces:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/sysctl.d</td><td>^.*\.conf$</td><td>^[\s]*user.max_user_namespaces[\s]*=[\s]*0[\s]*$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel runtime parameter user.max_user_namespaces set to 0</span>Â <span class="label label-default">oval:ssg-test_sysctl_runtime_user_max_user_namespaces:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Value</th></tr></thead><tbody><tr><td>user.max_user_namespaces</td><td>14976</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" id="rule-detail-idm45342102236720"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Mounting of cramfsxccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled lowCCE-81031-7 </div><div class="panel-heading"><h3 class="panel-title">Disable Mounting of cramfs</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-kernel_module_cramfs_disabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:14</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81031-7">CCE-81031-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="">1.1.1.1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a 
href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p> To configure the system to prevent the <code>cramfs</code> kernel module from being loaded, add the following line to a file in the directory <code>/etc/modprobe.d</code>: <pre>install cramfs /bin/true</pre> This effectively prevents usage of this uncommon filesystem.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Linux kernel modules which implement filesystems that are not needed by the local system should be disabled.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre><span class="label 
label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">grep: /etc/modprobe.d/cramfs.conf: No such file or directory </message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">kernel module cramfs disabled</span>&#160;<span class="label label-default">oval:ssg-test_kernmod_cramfs_disabled:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module cramfs disabled">oval:ssg-obj_kernmod_cramfs_disabled:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module cramfs disabled in /etc/modprobe.conf</span>&#160;<span class="label label-default">oval:ssg-test_kernmod_cramfs_modprobeconf:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Check deprecated /etc/modprobe.conf for disablement of cramfs">oval:ssg-obj_kernmod_cramfs_modprobeconf:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modprobe.conf</td><td>^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label 
label-primary">kernel module cramfs disabled in /etc/modules-load.d</span>&#160;<span class="label label-default">oval:ssg-test_kernmod_cramfs_etcmodules-load:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module cramfs disabled in /etc/modules-load.d">oval:ssg-obj_kernmod_cramfs_etcmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module cramfs disabled in /run/modules-load.d</span>&#160;<span class="label label-default">oval:ssg-test_kernmod_cramfs_runmodules-load:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module cramfs disabled in /run/modules-load.d">oval:ssg-obj_kernmod_cramfs_runmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module cramfs disabled in /usr/lib/modules-load.d</span>&#160;<span class="label label-default">oval:ssg-test_kernmod_cramfs_libmodules-load:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module cramfs disabled in 
/usr/lib/modules-load.d">oval:ssg-obj_kernmod_cramfs_libmodules-load:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modules-load.d</td><td>^.*\.conf$</td><td>^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module cramfs disabled in /run/modprobe.d</span>&#160;<span class="label label-default">oval:ssg-test_kernmod_cramfs_runmodprobed:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module cramfs disabled in /run/modprobe.d">oval:ssg-obj_kernmod_cramfs_runmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/run/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">kernel module cramfs disabled in /usr/lib/modprobe.d</span>&#160;<span class="label label-default">oval:ssg-test_kernmod_cramfs_libmodprobed:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="kernel module cramfs disabled in /usr/lib/modprobe.d">oval:ssg-obj_kernmod_cramfs_libmodprobed:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Path</th><th>Filename</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/usr/lib/modprobe.d</td><td>^.*\.conf$</td><td>^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert" id="rule-detail-idm45342102177248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure CA certificate for rsyslog remote loggingxccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert mediumCCE-82458-1 </div><div class="panel-heading"><h3 class="panel-title">Configure CA certificate for rsyslog remote logging</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_tls_cacert</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-rsyslog_remote_tls_cacert:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82458-1">CCE-82458-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure CA certificate for <code>rsyslog</code> logging to remote server using Transport Layer Security (TLS) using correct path for the <code>DefaultNetstreamDriverCAFile</code> global option in <code>/etc/rsyslog.conf</code>, for example with the following command: <pre>echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.conf</pre> Replace the <code>/etc/pki/tls/cert.pem</code> in the above command with the path to the file with CA certificate generated for the purpose of remote logging.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The CA certificate needs to be set or <code>rsyslog.service</code> fails to start with <pre>error: ca certificate is not set, cannot continue</pre></p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No suitable fix found.</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label 
label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the DefaultNetstreamDriverCAFile configuration</span>&#160;<span class="label label-default">oval:ssg-test_rsyslog_remote_tls_cacert:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rsyslog_remote_tls_cacert:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>^/etc/rsyslog\.(conf|d/.+\.conf)$</td><td>^\s*global\(DefaultNetstreamDriverCAFile="(.+?)"\)\s*\n</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fail rule-detail-id-xccdf_org.ssgproject.content_rule_rsyslog_remote_tls" id="rule-detail-idm45342102170560"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure TLS for rsyslog remote loggingxccdf_org.ssgproject.content_rule_rsyslog_remote_tls mediumCCE-82457-3 </div><div class="panel-heading"><h3 class="panel-title">Configure TLS for rsyslog remote logging</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_rsyslog_remote_tls</td></tr><tr><td>Result</td><td class="rule-result rule-result-fail"><div><abbr title="The target system or system component did not satisfy at least one condition of the rule.">fail</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition 
ID</td><td>oval:ssg-rsyslog_remote_tls:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82457-3">CCE-82457-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Configure <code>rsyslog</code> to use Transport Layer Security (TLS) support for logging to remote server for the Forwarding Output Module in <code>/etc/rsyslog.conf</code> using action. 
You can use the following command: <pre>echo 'action(type="omfwd" protocol="tcp" Target="&lt;remote system&gt;" port="6514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name")' >> /etc/rsyslog.conf </pre> Replace the <code>&lt;remote system&gt;</code> in the above command with an IP address or a host name of the remote logging server.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>For protection of data being logged, the connection to the remote logging server needs to be authenticated and encrypted.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">No suitable fix found.</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the omfwd action configuration</span>&#160;<span class="label label-default">oval:ssg-test_rsyslog_remote_tls:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_rsyslog_remote_tls:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Behaviors</th><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>no value</td><td>^/etc/rsyslog\.(conf|d/.+\.conf)$</td><td>^\s*action\(type="omfwd"(.+?)\)</td><td>0</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail 
rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsyslog_installed" id="rule-detail-idm45342102216928"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure rsyslog is Installedxccdf_org.ssgproject.content_rule_package_rsyslog_installed mediumCCE-80847-7 </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog is Installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsyslog_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80847-7">CCE-80847-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>, <a href="">4.2.3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">6</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO11.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.3.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.4.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.4.2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Rsyslog is installed by default. 
The <code>rsyslog</code> package can be installed with the following command: <pre> $ sudo yum install rsyslog</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The rsyslog package provides the rsyslog daemon, which provides system logging services.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsyslog is installed</span>Â <span class="label label-default">oval:ssg-test_package_rsyslog_installed:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>rsyslog</td><td>x86_64</td><td>(none)</td><td>3.el8</td><td>8.1911.0</td><td>0:8.1911.0-3.el8</td><td>0</td><td>rsyslog-0:8.1911.0-3.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed" id="rule-detail-idm45342102213248"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Ensure rsyslog-gnutls is installedxccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed mediumCCE-82859-0 </div><div class="panel-heading"><h3 class="panel-title">Ensure rsyslog-gnutls is installed</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_rsyslog-gnutls_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:15</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82859-0">CCE-82859-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>TLS protocol support for rsyslog is installed. 
The <code>rsyslog-gnutls</code> package can be installed with the following command: <pre> $ sudo yum install rsyslog-gnutls</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Error: There are no enabled repositories in "/etc/yum.repos.d", "/etc/yum/repos.d", "/etc/distro.repos.d". </message></pre><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342124086960" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342124086960"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>if ! rpm -q --quiet "rsyslog-gnutls" ; then
    yum install -y "rsyslog-gnutls"
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342124084880" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342124084880"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog-gnutls is installed
  package:
    name: rsyslog-gnutls
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_rsyslog-gnutls_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82859-0
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342124082496" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342124082496"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog-gnutls

class install_rsyslog-gnutls {
  package { 'rsyslog-gnutls':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342124080352" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br></br><div class="panel-collapse
collapse" id="idm45342124080352"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> package --add=rsyslog-gnutls </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rsyslog-gnutls is installed</span>&#160;<span class="label label-default">oval:ssg-test_package_rsyslog-gnutls_installed:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_rsyslog-gnutls_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>rsyslog-gnutls</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_package_nfs-utils_removed" id="rule-detail-idm45342102110016"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall nfs-utils Packagexccdf_org.ssgproject.content_rule_package_nfs-utils_removed lowCCE-82932-5 </div><div class="panel-heading"><h3 class="panel-title">Uninstall nfs-utils Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_nfs-utils_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically
apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_nfs-utils_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:15</td></tr><tr><td>Severity</td><td>low</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82932-5">CCE-82932-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>nfs-utils</code> package can be removed with the following command: <pre> $ sudo yum erase nfs-utils</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>nfs-utils</code> provides a daemon for the kernel NFS server and related tools. This package also contains the <code>showmount</code> program. <code>showmount</code> queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host.
For example, <code>showmount</code> can display the clients which are mounted on that host.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package nfs-utils is removed</span>&#160;<span class="label label-default">oval:ssg-test_package_nfs-utils_removed:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>nfs-utils</td><td>x86_64</td><td>1</td><td>31.el8</td><td>2.3.3</td><td>1:2.3.3-31.el8</td><td>199e2f91fd431d51</td><td>nfs-utils-1:2.3.3-31.el8.x86_64</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed" id="rule-detail-idm45342102064432"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall Sendmail Packagexccdf_org.ssgproject.content_rule_package_sendmail_removed mediumCCE-81039-0 </div><div class="panel-heading"><h3 class="panel-title">Uninstall Sendmail Package</h3></div><div class="panel-body"><table class="table table-striped
table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_sendmail_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_sendmail_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-81039-0">CCE-81039-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R1)</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a
href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 
1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Sendmail is not the default mail transfer agent and is not installed by default. 
The <code>sendmail</code> package can be removed with the following command: <pre> $ sudo yum erase sendmail</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package sendmail is removed</span>&#160;<span class="label label-default">oval:ssg-test_package_sendmail_removed:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_sendmail_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>sendmail</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_chronyd_client_only" id="rule-detail-idm45342101925168"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable chrony daemon from acting as serverxccdf_org.ssgproject.content_rule_chronyd_client_only unknownCCE-82988-7 </div><div class="panel-heading"><h3 class="panel-title">Disable chrony daemon from acting as server</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_chronyd_client_only</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was
then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-chronyd_client_only:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:15</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82988-7">CCE-82988-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>port</code> option in <code>/etc/chrony.conf</code> can be set to <code>0</code> so that the chrony daemon never opens a listening port for server operation and operates strictly in client-only mode.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span
class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package chrony is installed</span>&#160;<span class="label label-default">oval:ssg-test_service_chronyd_package_chrony_installed:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>chrony</td><td>x86_64</td><td>(none)</td><td>1.el8</td><td>3.5</td><td>0:3.5-1.el8</td><td>199e2f91fd431d51</td><td>chrony-0:3.5-1.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the chronyd service is running</span>&#160;<span class="label label-default">oval:ssg-test_service_running_chronyd:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>chronyd.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&#160;<span class="label label-default">oval:ssg-test_multi_user_wants_chronyd:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td
>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&#160;<span class="label label-default">oval:ssg-test_multi_user_wants_chronyd_socket:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td
>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table><h4><span class="label label-primary">check if port is 0 in /etc/chrony.conf</span>&#160;<span class="label label-default">oval:ssg-test_chronyd_client_only:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_chronyd_port_value:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/chrony.conf</td><td>^\s*port[\s]+(\S+)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed
rule-detail-id-xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network" id="rule-detail-idm45342101914816"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable network management of chrony daemonxccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network unknownCCE-82840-0 </div><div class="panel-heading"><h3 class="panel-title">Disable network management of chrony daemon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-chronyd_no_chronyc_network:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:15</td></tr><tr><td>Severity</td><td>unknown</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82840-0">CCE-82840-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>cmdport</code> option in <code>/etc/chrony.conf</code> can be set to <code>0</code> to stop chrony daemon from listening on the UDP port 323 for management connections made by chronyc.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Not exposing the management interface of the chrony daemon on the network diminishes the attack space.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package chrony is installed</span>&#160;<span class="label label-default">oval:ssg-test_service_chronyd_package_chrony_installed:tst:1</span>&#160;<span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>chrony</td><td>x86_64</td><td>(none)</td><td>1.el8</td><td>3.5</td><td>0:3.5-1.el8</td><td>199e2f91fd431d51</td><td>chrony-0:3.5-1.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the chronyd service is running</span>&#160;<span class="label label-default">oval:ssg-test_service_running_chronyd:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>chronyd.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&#160;<span class="label label-default">oval:ssg-test_multi_user_wants_chronyd:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td
>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>&#160;<span class="label label-default">oval:ssg-test_multi_user_wants_chronyd_socket:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td
>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table><h4><span class="label label-primary">check if cmdport is 0 in /etc/chrony.conf</span>&#160;<span class="label label-default">oval:ssg-test_chronyd_no_chronyc_network:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_chronyd_cmdport_value:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/chrony.conf</td><td>^\s*cmdport[\s]+(\S+)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error 
rule-detail-id-xccdf_org.ssgproject.content_rule_package_fapolicyd_installed" id="rule-detail-idm45342101897888"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install fapolicyd Packagexccdf_org.ssgproject.content_rule_package_fapolicyd_installed mediumCCE-82191-8 </div><div class="panel-heading"><h3 class="panel-title">Install fapolicyd Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_fapolicyd_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_fapolicyd_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82191-8">CCE-82191-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(22)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000370-GPOS-00155</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>fapolicyd</code> package can be installed with the following command: <pre> $ sudo yum install fapolicyd</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>fapolicyd</code> (File Access Policy Daemon) implements application whitelisting to decide file access rights.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Error: There are no enabled repositories in "/etc/yum.repos.d", "/etc/yum/repos.d", "/etc/distro.repos.d". 
</message></pre><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342117301424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342117301424"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>if ! rpm -q --quiet "fapolicyd" ; then
    yum install -y "fapolicyd"
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342117299344" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342117299344"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure fapolicyd is installed
  package:
    name: fapolicyd
    state: present
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - package_fapolicyd_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82191-8
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-4(22)
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342117296928" tabindex="0" role="button" 
aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342117296928"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_fapolicyd

class install_fapolicyd {
  package { 'fapolicyd':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342117294800" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342117294800"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>package --add=fapolicyd
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package fapolicyd is installed</span>&#160;<span class="label label-default">oval:ssg-test_package_fapolicyd_installed:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_fapolicyd_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>fapolicyd</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail 
rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled" id="rule-detail-idm45342101890112"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the File Access Policy Servicexccdf_org.ssgproject.content_rule_service_fapolicyd_enabled mediumCCE-82249-4 </div><div class="panel-heading"><h3 class="panel-title">Enable the File Access Policy Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_fapolicyd_enabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82249-4">CCE-82249-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(22)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000370-GPOS-00155</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The File Access Policy service should be enabled. The <code>fapolicyd</code> service can be enabled with the following command: <pre>$ sudo systemctl enable fapolicyd.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>fapolicyd</code> service (File Access Policy Daemon) implements application whitelisting to decide file access rights.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to start fapolicyd.service: Unit fapolicyd.service not found. Failed to enable unit: Unit file fapolicyd.service does not exist. 
</message></pre><span class="label label-primary">info</span>&#160;<pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342117279136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342117279136"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'fapolicyd.service'
"$SYSTEMCTL_EXEC" enable 'fapolicyd.service'
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342117277008" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342117277008"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service fapolicyd
  block:

    - name: Gather the package facts
      package_facts:
        manager: auto

    - name: Enable service fapolicyd
      service:
        name: fapolicyd
        enabled: 'yes'
        state: started
      when:
        - '"fapolicyd" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_fapolicyd_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82249-4
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SI-4(22)
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342117274368" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342117274368"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_fapolicyd

class enable_fapolicyd {
  service {'fapolicyd':
    enable => true,
    ensure => 'running',
  }
}
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package fapolicyd is installed</span>&#160;<span class="label label-default">oval:ssg-test_service_fapolicyd_package_fapolicyd_installed:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_fapolicyd_package_fapolicyd_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>fapolicyd</td></tr></tbody></table><h4><span class="label label-primary">Test that the fapolicyd service is running</span>&#160;<span class="label label-default">oval:ssg-test_service_running_fapolicyd:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of 
fapolicyd">oval:ssg-obj_service_running_fapolicyd:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^fapolicyd\.(socket|service)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>Â <span class="label label-default">oval:ssg-test_multi_user_wants_fapolicyd:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><t
h>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td
><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>Â <span class="label label-default">oval:ssg-test_multi_user_wants_fapolicyd_socket:tst:1</span>Â <span 
class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.
target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_package_abrt_removed" id="rule-detail-idm45342101852992"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Uninstall Automatic Bug Reporting Tool (abrt)xccdf_org.ssgproject.content_rule_package_abrt_removed mediumCCE-80948-3 </div><div class="panel-heading"><h3 class="panel-title">Uninstall Automatic Bug Reporting Tool (abrt)</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td 
class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_abrt_removed</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_abrt_removed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:03</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80948-3">CCE-80948-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Automatic Bug Reporting Tool (<code>abrt</code>) collects and reports crash data when an application crash is detected. Using a variety of plugins, abrt can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. 
The <code>abrt</code> package can be removed with the following command: <pre> $ sudo yum erase abrt</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package abrt is removed</span> <span class="label label-default">oval:ssg-test_package_abrt_removed:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_abrt_removed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>abrt</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab" id="rule-detail-idm45342101772032"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kerberos by removing host keytabxccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab mediumCCE-82175-1 </div><div class="panel-heading"><h3 class="panel-title">Disable Kerberos by removing host keytab</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The 
target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-kerberos_disable_no_keytab:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:04</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82175-1">CCE-82175-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Kerberos is not an approved key distribution method for Common Criteria. 
To prevent using Kerberos by system daemons, remove the Kerberos keytab files, especially <code>/etc/krb5.keytab</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The key derivation function (KDF) in Kerberos is not FIPS compatible.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Ensure a keytab file exists</span> <span class="label label-default">oval:ssg-test_kerberos_disable_no_keytab:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="fapolicyd.mounts">oval:ssg-obj_kerberos_disable_no_keytab:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>^/etc/.+\.keytab$</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" id="rule-detail-idm45342101745360"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable SSH Warning Bannerxccdf_org.ssgproject.content_rule_sshd_enable_warning_banner mediumCCE-80905-3 </div><div class="panel-heading"><h3 class="panel-title">Enable SSH Warning Banner</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or 
possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_enable_warning_banner:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80905-3">CCE-80905-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="">5.2.16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000048</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000050</a>, <a 
href="https://public.cyber.mil/stigs/cci/">CCI-001384</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001385</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001386</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001387</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001388</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000023-GPOS-00006</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000024-GPOS-00007</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000228-GPOS-00088</a>, <a href="">SRG-OS-000023-VMM-000060</a>, <a href="">SRG-OS-000024-VMM-000070</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To enable the warning banner and ensure it is consistent across the system, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>Banner /etc/issue</pre> Another section contains information on how to create an appropriate system-wide warning banner.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span> <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span> <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been 
found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of Banner setting in the /etc/ssh/sshd_config file</span> <span class="label label-default">oval:ssg-test_sshd_enable_warning_banner:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_enable_warning_banner:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_root_login" id="rule-detail-idm45342101737408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Root Loginxccdf_org.ssgproject.content_rule_sshd_disable_root_login 
mediumCCE-80901-2 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Root Login</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_root_login</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_root_login:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80901-2">CCE-80901-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R19)</a>, <a href="">5.2.8</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000770</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, 
<a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000109-GPOS-00056</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>PermitRootLogin no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. 
In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span> <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span> 
<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span> <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended 
name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file</span> <span class="label label-default">oval:ssg-test_sshd_disable_root_login:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>PermitRootLogin yes</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" id="rule-detail-idm45342101727104"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set SSH Idle Timeout Intervalxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout mediumCCE-80906-1 </div><div class="panel-heading"><h3 class="panel-title">Set SSH Idle Timeout Interval</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_set_idle_timeout:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" 
title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80906-1">CCE-80906-1</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R29)</a>, <a href="">5.2.12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002361</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000163-GPOS-00072</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000279-GPOS-00109</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000126-GPOS-00066</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000395-GPOS-00175</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out. <br><br> To set an idle timeout interval, edit the following line in <code>/etc/ssh/sshd_config</code> as follows: <pre>ClientAliveInterval <b><abbr title="from TestResult: xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">840</abbr></b></pre> <br><br> The timeout <b>interval</b> is given in seconds. For example, to have a timeout of 10 minutes, set <b>interval</b> to 600. <br><br> If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in <code>/etc/ssh/sshd_config</code>. 
Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span> <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span> <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found 
on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">timeout is configured</span> <span class="label label-default">oval:ssg-test_sshd_idle_timeout:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-object_sshd_idle_timeout:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" id="rule-detail-idm45342101716768"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Kerberos Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth mediumCCE-80898-0 </div><div class="panel-heading"><h3 class="panel-title">Disable Kerberos Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the 
rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_kerb_auth:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:04</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifier for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80898-0">CCE-80898-0</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000368</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000318</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001812</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001813</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a 
href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000364-GPOS-00151</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file: <pre>KerberosAuthentication no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>Â <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var 
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found 
on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file</span>Â <span class="label label-default">oval:ssg-test_sshd_disable_kerb_auth:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_kerb_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the absence of KerberosAuthentication setting in the /etc/ssh/sshd_config file</span>Â <span class="label label-default">oval:ssg-test_sshd_disable_kerb_auth_default_not_overriden:tst:1</span>Â <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_kerb_auth_default_not_overriden:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default 
rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" id="rule-detail-idm45342101703392"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable GSSAPI Authenticationxccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth mediumCCE-80897-2 </div><div class="panel-heading"><h3 class="panel-title">Disable GSSAPI Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_gssapi_auth:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80897-2">CCE-80897-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000368</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000318</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001812</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001813</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000364-GPOS-00151</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. 
To disable GSSAPI authentication, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file: <pre>GSSAPIAuthentication no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span> <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var
ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found 
on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file</span>Â <span class="label label-default">oval:ssg-test_sshd_disable_gssapi_auth:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>GSSAPIAuthentication yes</td></tr></tbody></table><h4><span class="label label-primary">tests the absence of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file</span>Â <span class="label label-default">oval:ssg-test_sshd_disable_gssapi_auth_default_not_overriden:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Path</th><th>Content</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>GSSAPIAuthentication </td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_rekey_limit" id="rule-detail-idm45342101676384"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Force frequent session key renegotiationxccdf_org.ssgproject.content_rule_sshd_rekey_limit mediumCCE-82177-7 </div><div class="panel-heading"><h3 class="panel-title">Force frequent session key renegotiation</h3></div><div 
class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_rekey_limit</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_rekey_limit:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82177-7">CCE-82177-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSHS_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>RekeyLimit</code> parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed. 
To decrease the default limits, add the line <code>RekeyLimit 512M 1h</code> to the file <code>/etc/ssh/sshd_config</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>By decreasing the limit based on the amount of data and enabling a time-based limit, the effects of potential attacks against encryption keys are limited.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span> <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label
label-primary">package openssh-server is removed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of RekeyLimit setting in the /etc/ssh/sshd_config file</span>Â <span class="label label-default">oval:ssg-test_sshd_rekey_limit:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_rekey_limit:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)RekeyLimit(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" id="rule-detail-idm45342101668480"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Use of Strict Mode Checkingxccdf_org.ssgproject.content_rule_sshd_enable_strictmodes mediumCCE-80904-6 </div><div class="panel-heading"><h3 class="panel-title">Enable Use of Strict Mode Checking</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check 
rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_enable_strictmodes:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:04</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80904-6">CCE-80904-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a 
href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH's <code>StrictModes</code> option checks file and ownership permissions in the user's home directory <code>.ssh</code> folder before accepting login. If world-writable permissions are found, logon is rejected.
To enable <code>StrictModes</code> in SSH, add or correct the following line in the <code>/etc/ssh/sshd_config</code> file: <pre>StrictModes yes</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>Â <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature 
keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span> <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of StrictModes setting in the /etc/ssh/sshd_config file</span>
<span class="label label-default">oval:ssg-test_sshd_enable_strictmodes:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_enable_strictmodes:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the absence of StrictModes setting in the /etc/ssh/sshd_config file</span> <span class="label label-default">oval:ssg-test_sshd_enable_strictmodes_default_not_overriden:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_enable_strictmodes_default_not_overriden:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)StrictModes(?-i)[ \t]+</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-fixed rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive" id="rule-detail-idm45342101664000"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Set SSH Client Alive Max Countxccdf_org.ssgproject.content_rule_sshd_set_keepalive mediumCCE-80907-9 </div><div class="panel-heading"><h3 class="panel-title">Set SSH Client Alive Max Count</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id
col-md-9">xccdf_org.ssgproject.content_rule_sshd_set_keepalive</td></tr><tr><td>Result</td><td class="rule-result rule-result-fixed"><div><abbr title="The Rule had failed, but was then fixed (possibly by a tool that can automatically apply remediation, or possibly by the human auditor).">fixed</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_set_keepalive:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:16</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80907-9">CCE-80907-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="">5.2.12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a 
href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">8</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO13.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI03.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS01.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS03.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002361</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a 
href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.5</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000163-GPOS-00072</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000279-GPOS-00109</a>, <a 
href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To ensure the SSH idle timeout occurs precisely when the <code>ClientAliveInterval</code> is set, edit <code>/etc/ssh/sshd_config</code> as follows: <pre>ClientAliveCountMax <abbr title="from TestResult: xccdf_org.ssgproject.content_value_var_sshd_set_keepalive">0</abbr></pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>This ensures a user login will be terminated as soon as the <code>ClientAliveInterval</code> is reached.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span>Â <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 0</message></pre></div></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>Â <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the 
system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span>Â 
<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file</span>Â <span class="label label-default">oval:ssg-test_sshd_clientalivecountmax:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_clientalivecountmax:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_disable_host_auth" id="rule-detail-idm45342101644144"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable Host-Based Authenticationxccdf_org.ssgproject.content_rule_disable_host_auth mediumCCE-80786-7 </div><div class="panel-heading"><h3 class="panel-title">Disable Host-Based Authentication</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_disable_host_auth</td></tr><tr><td>Result</td><td class="rule-result 
rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-disable_host_auth:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:04</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>Â <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80786-7">CCE-80786-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>Â <a href="">5.2.7</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a 
href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a 
href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00229</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSH's cryptographic host-based authentication is more secure than <code>.rhosts</code> authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization. <br><br> To disable host-based authentication, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <pre>HostbasedAuthentication no</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span>Â <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label 
label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span>Â <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as required</span>Â <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span>Â <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span>Â <span class="label 
label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file</span> <span class="label label-default">oval:ssg-test_disable_host_auth:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_disable_host_auth:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the absence of HostbasedAuthentication setting in the /etc/ssh/sshd_config file</span> <span class="label label-default">oval:ssg-test_disable_host_auth_default_not_overriden:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_disable_host_auth_default_not_overriden:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" id="rule-detail-idm45342101639680"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords highCCE-80896-4 </div><div class="panel-heading"><h3 class="panel-title">Disable SSH Access via Empty Passwords</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sshd_disable_empty_passwords:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:04</td></tr><tr><td>Severity</td><td>high</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80896-4">CCE-80896-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>, <a href="">5.2.9</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">11</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">13</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">14</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">18</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">3</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">APO01.06</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.01</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.03</a>, <a 
href="http://www.isaca.org/COBIT/Pages/default.aspx">BAI10.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.02</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.06</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.3</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.4.3.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.11</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.12</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.13</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.6</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.10.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.6.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.7.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.7.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.8.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a 
href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00229</a>, <a href="">SRG-OS-000480-VMM-002000</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in <code>/etc/ssh/sshd_config</code>: <br> <pre>PermitEmptyPasswords no</pre> <br> Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration 
elsewhere.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Verify if Profile set Value sshd_required as not required</span> <span class="label label-default">oval:ssg-test_sshd_not_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is removed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Verify if Profile set Value sshd_required as 
required</span> <span class="label label-default">oval:ssg-test_sshd_required:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">Verify if Value of sshd_required is the default</span> <span class="label label-default">oval:ssg-test_sshd_requirement_unset:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Var ref</th><th>Value</th></tr></thead><tbody><tr><td>oval:ssg-sshd_required:var:1</td><td>0</td></tr></tbody></table><h4><span class="label label-primary">package openssh-server is installed</span> <span class="label label-default">oval:ssg-test_package_openssh-server_installed:tst:1</span> <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>openssh-server</td><td>x86_64</td><td>(none)</td><td>4.el8_1</td><td>8.0p1</td><td>0:8.0p1-4.el8_1</td><td>199e2f91fd431d51</td><td>openssh-server-0:8.0p1-4.el8_1.x86_64</td></tr></tbody></table><h4><span class="label label-primary">tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file</span> <span class="label label-default">oval:ssg-test_sshd_disable_empty_passwords:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_empty_passwords:obj:1</abbr></strong> of type 
<strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">tests the absence of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file</span> <span class="label label-default">oval:ssg-test_sshd_disable_empty_passwords_default_not_overriden:tst:1</span> <span class="label label-success">true</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sshd_disable_empty_passwords_default_not_overriden:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/ssh/sshd_config</td><td>^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_package_usbguard_installed" id="rule-detail-idm45342101635184"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Install usbguard Packagexccdf_org.ssgproject.content_rule_package_usbguard_installed mediumCCE-82959-8 </div><div class="panel-heading"><h3 class="panel-title">Install usbguard Package</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_package_usbguard_installed</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-package_usbguard_installed:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:17</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82959-8">CCE-82959-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000378-GPOS-00163</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The <code>usbguard</code> package can be installed with the following command: <pre> $ sudo yum install usbguard</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p><code>usbguard</code> is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message 
xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Error: There are no enabled repositories in "/etc/yum.repos.d", "/etc/yum/repos.d", "/etc/distro.repos.d". </message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342111705312" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342111705312"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>if ! rpm -q --quiet "usbguard" ; then
    yum install -y "usbguard"
fi
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342111703232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342111703232"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure usbguard is installed
  package:
    name: usbguard
    state: present
  tags:
    - package_usbguard_installed
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82959-8
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342111700960" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342111700960"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_usbguard

class install_usbguard {
  package { 'usbguard':
    ensure => 'installed',
  }
}
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342111698832" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342111698832"><table class="table table-striped table-bordered 
table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code> package --add=usbguard </code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package usbguard is installed</span> <span class="label label-default">oval:ssg-test_package_usbguard_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_package_usbguard_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>usbguard</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_service_usbguard_enabled" id="rule-detail-idm45342101627408"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the USBGuard Servicexccdf_org.ssgproject.content_rule_service_usbguard_enabled mediumCCE-82853-3 </div><div class="panel-heading"><h3 class="panel-title">Enable the USBGuard Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_usbguard_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. 
This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_usbguard_enabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:17</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82853-3">CCE-82853-3</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000378-GPOS-00163</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The USBGuard service should be enabled. 
The <code>usbguard</code> service can be enabled with the following command: <pre>$ sudo systemctl enable usbguard.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>usbguard</code> service must be running in order to enforce the USB device authorization policy for all USB devices.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to start usbguard.service: Unit usbguard.service not found. Failed to enable unit: Unit file usbguard.service does not exist. </message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342111684864" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342111684864"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" start 'usbguard.service'
"$SYSTEMCTL_EXEC" enable 'usbguard.service'
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div 
class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342111682736" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342111682736"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service usbguard
  block:

    - name: Gather the package facts
      package_facts:
        manager: auto

    - name: Enable service usbguard
      service:
        name: usbguard
        enabled: 'yes'
        state: started
      when:
        - '"usbguard" in ansible_facts.packages'
  when: ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
  tags:
    - service_usbguard_enabled
    - medium_severity
    - enable_strategy
    - low_complexity
    - low_disruption
    - no_reboot_needed
    - CCE-82853-3
</code></pre></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342111680160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342111680160"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_usbguard

class enable_usbguard {
  service {'usbguard':
    enable => true,
    ensure => 'running',
  }
}
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package usbguard is 
installed</span> <span class="label label-default">oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_test_service_usbguard_package_usbguard_installed:obj:1</abbr></strong> of type <strong>rpminfo_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th></tr></thead><tbody><tr><td>usbguard</td></tr></tbody></table><h4><span class="label label-primary">Test that the usbguard service is running</span> <span class="label label-default">oval:ssg-test_service_running_usbguard:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="Retrieve the ActiveState property of usbguard">oval:ssg-obj_service_running_usbguard:obj:1</abbr></strong> of type <strong>systemdunitproperty_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th></tr></thead><tbody><tr><td>^usbguard\.(socket|service)$</td><td>ActiveState</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span> <span class="label label-default">oval:ssg-test_multi_user_wants_usbguard:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td
>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>Â <span class="label label-default">oval:ssg-test_multi_user_wants_usbguard_socket:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th
>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td
>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub" id="rule-detail-idm45342101617216"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Authorize Human Interface Devices and USB hubs in USBGuard daemonxccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub mediumCCE-82368-2 </div><div class="panel-heading"><h3 class="panel-title">Authorize Human Interface Devices and USB hubs in USBGuard daemon</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id 
col-md-9">xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-usbguard_allow_hid_and_hub:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:17</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82368-2">CCE-82368-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000114-GPOS-00059</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To allow authorization of USB devices combining human interface device and hub capabilities by USBGuard daemon, add the line <code>allow with-interface match-all { 03:*:* 09:00:* }</code> to <code>/etc/usbguard/rules.conf</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Without 
allowing Human Interface Devices, it might not be possible to interact with the system. Without allowing hubs, it might not be possible to use any USB devices on the system.</p></div></td></tr><tr><td>Warnings</td><td><div class="panel panel-warning"><div class="panel-heading"><span class="label label-warning">warning</span> This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices and hubs are allowed. However, if the rules.conf file is altered by a system administrator, the rule does not check if USB human interface devices and hubs are allowed. This assumes that an administrator modified the file with some purpose in mind.</div></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">/tmp/oscap.ojojh1/fix-XXXxbDNm: line 4: /etc/usbguard/rules.conf: No such file or directory
</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342111651776" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" 
id="idm45342111651776"><pre><code>#!/bin/bash

echo "allow with-interface match-all { 03:*:* 09:00:* }" >> /etc/usbguard/rules.conf
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists</span> <span class="label label-default">oval:ssg-test_usbguard_rules_nonempty:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_usbguard_rules_nonempty:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/usbguard/rules.conf</td><td>^.*\S+.*$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-error rule-detail-id-xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend" id="rule-detail-idm45342101607984"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Log USBGuard daemon audit events using Linux Auditxccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend mediumCCE-82168-6 </div><div class="panel-heading"><h3 class="panel-title">Log USBGuard daemon audit events using Linux Audit</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend</td></tr><tr><td>Result</td><td class="rule-result rule-result-error"><div><abbr title="The checking engine could not complete 
the evaluation, therefore the status of the target's compliance with the rule is not certain. This could happen, for example, if a testing tool was run with insufficient privileges and could not gather all of the necessary information.">error</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-configure_usbguard_auditbackend:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:21:17</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82168-6">CCE-82168-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>To configure the USBGuard daemon to log via Linux Audit (as opposed to directly to a file), the <code>AuditBackend</code> option in <code>/etc/usbguard/usbguard-daemon.conf</code> needs to be set to <code>LinuxAudit</code>.</p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using the Linux Audit logging allows for centralized trace of events.</p></div></td></tr><tr><td colspan="2"><div class="evaluation-messages"><span class="label label-default"><abbr title="Messages taken from 
rule-result">Evaluation messages</abbr></span><div class="panel panel-default"><div class="panel-body"><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Fix execution completed and returned: 1</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">touch: cannot touch '/etc/usbguard/usbguard-daemon.conf': No such file or directory
cp: cannot stat '/etc/usbguard/usbguard-daemon.conf': No such file or directory
/tmp/oscap.eJ2dmI/fix-XXRGBPU3: line 8: /etc/usbguard/usbguard-daemon.conf: No such file or directory
rm: cannot remove '/etc/usbguard/usbguard-daemon.conf.bak': No such file or directory
</message></pre><span class="label label-primary">info</span> <pre><message xmlns="http://checklists.nist.gov/xccdf/1.2" severity="info">Failed to verify applied fix: Checking engine returns: fail</message></pre></div></div></div></td></tr><tr class="noprint"><td colspan="2"><div class="remediation"><a class="btn btn-success" data-toggle="collapse" data-target="#idm45342111625440" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br></br><div class="panel-collapse collapse" id="idm45342111625440"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>if [ -e "/etc/usbguard/usbguard-daemon.conf" ] ; then
    LC_ALL=C sed -i "/^\s*AuditBackend=/d" "/etc/usbguard/usbguard-daemon.conf"
else
    touch "/etc/usbguard/usbguard-daemon.conf"
fi

cp "/etc/usbguard/usbguard-daemon.conf" "/etc/usbguard/usbguard-daemon.conf.bak"
# Insert at the end of the file
printf '%s\n' "AuditBackend=LinuxAudit" >> "/etc/usbguard/usbguard-daemon.conf"
# Clean up after ourselves.
rm "/etc/usbguard/usbguard-daemon.conf.bak"
</code></pre></div></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">tests the value of AuditBackend setting in the /etc/usbguard/usbguard-daemon.conf file</span> <span class="label label-default">oval:ssg-test_configure_usbguard_auditbackend:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_configure_usbguard_auditbackend:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/usbguard/usbguard-daemon.conf</td><td>^[ \t]*AuditBackend=(.+?)[ \t]*(?:$|#)</td><td>1</td></tr></tbody></table><h4><span class="label label-primary">The configuration file /etc/usbguard/usbguard-daemon.conf exists for configure_usbguard_auditbackend</span> <span class="label label-default">oval:ssg-test_configure_usbguard_auditbackend_config_file_exists:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="The configuration file /etc/usbguard/usbguard-daemon.conf for configure_usbguard_auditbackend">oval:ssg-obj_configure_usbguard_auditbackend_config_file:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>^/etc/usbguard/usbguard-daemon.conf</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass 
rule-detail-id-xccdf_org.ssgproject.content_rule_sssd_enable_smartcards" id="rule-detail-idm45342101482544"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable Smartcards in SSSDxccdf_org.ssgproject.content_rule_sssd_enable_smartcards mediumCCE-80909-5 </div><div class="panel-heading"><h3 class="panel-title">Enable Smartcards in SSSD</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sssd_enable_smartcards</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sssd_enable_smartcards:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:04</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span> <abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-80909-5">CCE-80909-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> <a href="https://public.cyber.mil/stigs/cci/">CCI-001954</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000375-GPOS-00160</a>, <a href="">SRG-OS-000107-VMM-000530</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set <code>pam_cert_auth</code> to <code>true</code> under the <code>[pam]</code> section in <code>/etc/sssd/sssd.conf</code>. For example: <pre>[pam]
pam_cert_auth = true
</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. <br><br> Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. 
Government Personal Identity Verification card and the DoD Common Access Card.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package sssd-common is removed</span> <span class="label label-default">oval:ssg-test_service_sssd_package_sssd-common_removed:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>sssd-common</td><td>x86_64</td><td>(none)</td><td>20.el8</td><td>2.2.3</td><td>0:2.2.3-20.el8</td><td>199e2f91fd431d51</td><td>sssd-common-0:2.2.3-20.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the sssd service is not running</span> <span class="label label-default">oval:ssg-test_service_not_running_sssd:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>sssd.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service sssd is masked</span> <span class="label label-default">oval:ssg-test_service_loadstate_is_masked_sssd:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped 
table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>sssd.service</td><td>LoadState</td><td>loaded</td></tr></tbody></table><h4><span class="label label-primary">Test that the property FragmentPath from the service sssd is set to /dev/null</span> <span class="label label-default">oval:ssg-test_service_fragmentpath_is_dev_null_sssd:tst:1</span> <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>sssd.service</td><td>FragmentPath</td><td>/usr/lib/systemd/system/sssd.service</td></tr></tbody></table><h4><span class="label label-primary">Testing if /etc/sssd/sssd.conf exists</span> <span class="label label-default">oval:ssg-test_sssd_conf_exists:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/etc/sssd/sssd.conf">oval:ssg-object_sssd_conf_exists:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/sssd/sssd.conf</td></tr></tbody></table><h4><span class="label label-primary">tests the value of pam_cert_auth setting in the /etc/sssd/sssd.conf file</span> <span class="label label-default">oval:ssg-test_sssd_enable_smartcards:tst:1</span> <span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sssd_enable_smartcards:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sssd/sssd.conf</td><td>^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*pam_cert_auth[\s]*=[\s]*true$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration" id="rule-detail-idm45342101476512"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Configure SSSD to Expire Offline Credentialsxccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration mediumCCE-82460-7 </div><div class="panel-heading"><h3 class="panel-title">Configure SSSD to Expire Offline Credentials</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-sssd_offline_cred_expiration:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:04</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82460-7">CCE-82460-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">1</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">12</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">15</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">16</a>, <a href="https://www.cisecurity.org/wp-content/uploads/2017/03/Poster_Winter2016_CSCs.pdf">5</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.04</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.05</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.07</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS05.10</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.03</a>, <a href="http://www.isaca.org/COBIT/Pages/default.aspx">DSS06.10</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002007</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.2.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.5.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.2</a>, <a 
href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.6</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.6.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116731">4.3.3.7.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.1</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.10</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.2</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.3</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.4</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.5</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.7</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.8</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 1.9</a>, <a href="https://www.isa.org/templates/one-column.aspx?pageid=111294&productId=116785">SR 2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.18.1.4</a>, <a 
href="https://www.iso.org/standard/54534.html">A.7.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.9.3.1</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.9.4.3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(13)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000383-GPOS-00166</a>, <a href="">SRG-OS-000383-VMM-001570</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set <code>offline_credentials_expiration</code> to <code>1</code> under the <code>[pam]</code> section in <code>/etc/sssd/sssd.conf</code>. 
For example: <pre>[pam]
offline_credentials_expiration = 1
</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package sssd-common is removed</span>&#160;<span class="label label-default">oval:ssg-test_service_sssd_package_sssd-common_removed:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended name</th></tr></thead><tbody><tr><td>sssd-common</td><td>x86_64</td><td>(none)</td><td>20.el8</td><td>2.2.3</td><td>0:2.2.3-20.el8</td><td>199e2f91fd431d51</td><td>sssd-common-0:2.2.3-20.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the sssd service is not running</span>&#160;<span class="label label-default">oval:ssg-test_service_not_running_sssd:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>sssd.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">Test that the property LoadState from the service sssd is masked</span>&#160;<span class="label label-default">oval:ssg-test_service_loadstate_is_masked_sssd:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the 
system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>sssd.service</td><td>LoadState</td><td>loaded</td></tr></tbody></table><h4><span class="label label-primary">Test that the property FragmentPath from the service sssd is set to /dev/null</span>&#160;<span class="label label-default">oval:ssg-test_service_fragmentpath_is_dev_null_sssd:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>sssd.service</td><td>FragmentPath</td><td>/usr/lib/systemd/system/sssd.service</td></tr></tbody></table><h4><span class="label label-primary">Testing if /etc/sssd/sssd.conf exists</span>&#160;<span class="label label-default">oval:ssg-test_sssd_conf_exists:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr title="/etc/sssd/sssd.conf">oval:ssg-object_sssd_conf_exists:obj:1</abbr></strong> of type <strong>file_object</strong></h5><table class="table table-striped table-bordered"><thead><tr><th>Filepath</th></tr></thead><tbody><tr><td>/etc/sssd/sssd.conf</td></tr></tbody></table><h4><span class="label label-primary">tests the value of offline_credentials_expiration setting in the /etc/sssd/sssd.conf file</span>&#160;<span class="label label-default">oval:ssg-test_sssd_offline_cred_expiration:tst:1</span>&#160;<span class="label label-danger">false</span></h4><h5>No items have been found conforming to the following objects:</h5><h5>Object <strong><abbr>oval:ssg-obj_sssd_offline_cred_expiration:obj:1</abbr></strong> of type <strong>textfilecontent54_object</strong></h5><table class="table table-striped 
table-bordered"><thead><tr><th>Filepath</th><th>Pattern</th><th>Instance</th></tr></thead><tbody><tr><td>/etc/sssd/sssd.conf</td><td>^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*1$</td><td>1</td></tr></tbody></table></div></div></div></div></div><div class="panel panel-default rule-detail rule-detail-pass rule-detail-id-xccdf_org.ssgproject.content_rule_service_rngd_enabled" id="rule-detail-idm45342101465696"><div class="keywords sr-only"><!--This allows OpenSCAP JS to search the report rules-->Enable the Hardware RNG Entropy Gatherer Servicexccdf_org.ssgproject.content_rule_service_rngd_enabled mediumCCE-82831-9 </div><div class="panel-heading"><h3 class="panel-title">Enable the Hardware RNG Entropy Gatherer Service</h3></div><div class="panel-body"><table class="table table-striped table-bordered"><tbody><tr><td class="col-md-3">Rule ID</td><td class="rule-id col-md-9">xccdf_org.ssgproject.content_rule_service_rngd_enabled</td></tr><tr><td>Result</td><td class="rule-result rule-result-pass"><div><abbr title="The target system or system component satisfied all the conditions of the rule.">pass</abbr></div></td></tr><tr><td>Multi-check rule</td><td>no</td></tr><tr><td>OVAL Definition ID</td><td>oval:ssg-service_rngd_enabled:def:1</td></tr><tr><td>Time</td><td>2020-09-29T11:18:04</td></tr><tr><td>Severity</td><td>medium</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-info" title="A globally meaningful identifiers for this rule. MAY be the name or identifier of a security configuration issue or vulnerability that the rule remediates. 
By setting an identifier on a rule, the benchmark author effectively declares that the rule instantiates, implements, or remediates the issue for which the name was assigned.">Identifiers:</span>&#160;<abbr title="https://nvd.nist.gov/cce/index.cfm: CCE-82831-9">CCE-82831-9</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span>&#160;<a href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_RBG_EXT.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td>Description</td><td><div class="description"><p>The Hardware RNG Entropy Gatherer service should be enabled. The <code>rngd</code> service can be enabled with the following command: <pre>$ sudo systemctl enable rngd.service</pre></p></div></td></tr><tr><td>Rationale</td><td><div class="rationale"><p>The <code>rngd</code> service feeds random data from hardware device to kernel random device.</p></div></td></tr></tbody></table><div class="check-system-details"><span class="label label-default"><abbr title="OVAL details taken from arf:report with id='oval1'">OVAL test results details</abbr></span><div class="panel panel-default"><div class="panel-body"><h4><span class="label label-primary">package rng-tools is installed</span>&#160;<span class="label label-default">oval:ssg-test_service_rngd_package_rng-tools_installed:tst:1</span>&#160;<span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Name</th><th>Arch</th><th>Epoch</th><th>Release</th><th>Version</th><th>Evr</th><th>Signature keyid</th><th>Extended 
name</th></tr></thead><tbody><tr><td>rng-tools</td><td>x86_64</td><td>(none)</td><td>3.el8</td><td>6.8</td><td>0:6.8-3.el8</td><td>199e2f91fd431d51</td><td>rng-tools-0:6.8-3.el8.x86_64</td></tr></tbody></table><h4><span class="label label-primary">Test that the rngd service is running</span>Â <span class="label label-default">oval:ssg-test_service_running_rngd:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Property</th><th>Value</th></tr></thead><tbody><tr><td>rngd.service</td><td>ActiveState</td><td>active</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>Â <span class="label label-default">oval:ssg-test_multi_user_wants_rngd:tst:1</span>Â <span class="label label-success">true</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><t
h>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-de
bug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-ut
mp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table><h4><span class="label label-primary">systemd test</span>Â <span class="label label-default">oval:ssg-test_multi_user_wants_rngd_socket:tst:1</span>Â <span class="label label-danger">false</span></h4><h5>Following items have been found on the system:</h5><table class="table table-striped table-bordered"><thead><tr><th>Unit</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Depend
ency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th><th>Dependency</th></tr></thead><tbody><tr><td>multi-user.target</td><td>basic.target</td><td>var.mount</td><td>-.mount</td><td>sysinit.target</td><td>dev-mqueue.mount</td><td>systemd-hwdb-update.service</td><td>cryptsetup.target</td><td>proc-sys-fs-binfmt_misc.automount</td><td>systemd-journal-flush.service</td><td>systemd-random-seed.service</td><td>systemd-update-utmp.service</td><td>systemd-tmpfiles-setup.service</td><td>systemd-udevd.service</td><td>dev-hugepages.mount</td><td>lvm2-lvmpolld.socket</td><td>selinux-autorelabel-mark.service</td><td>loadmodules.service</td><td>local-fs.target</td><td>home.mount</td><td>-.mount</td><td>var-log-audit.mount</td><td>boot.mount</td><td>tmp.mount</td><td>var.mount</td><td>var-log.mount</td><td>systemd-remount-fs.service</td><td>dracut-shutdown.service</td><td>systemd-sysctl.service</td><td>systemd-journal-catalog-update.service</td><td>systemd-update-done.service</td><td>systemd-journald.service</td><td>sys-kernel-debug.mount</td><td>systemd-machine-id-commit.service</td><td>ldconfig.service</td><td>rngd.service</td><td>systemd-binfmt.service</td><td>nis-domainname.service</td><td>sys-kernel-config.mount</td><td>systemd-modules-load.service</td><td>systemd-sysusers.service</td><td>sys-fs-fuse-connections.mount</td><td>swap.target</td><td>dev-mapper-ovirt\x2dswap.swap</td><td>systemd-udev-trigger.service</td><td>import-state.service</td><td>systemd-firstboot.service</td><td>kmod-static-nodes
.service</td><td>systemd-ask-password-console.path</td><td>systemd-tmpfiles-setup-dev.service</td><td>lvm2-monitor.service</td><td>microcode.service</td><td>paths.target</td><td>timers.target</td><td>fstrim.timer</td><td>unbound-anchor.timer</td><td>systemd-tmpfiles-clean.timer</td><td>slices.target</td><td>-.slice</td><td>system.slice</td><td>sockets.target</td><td>systemd-udevd-kernel.socket</td><td>dbus.socket</td><td>systemd-coredump.socket</td><td>systemd-initctl.socket</td><td>systemd-udevd-control.socket</td><td>systemd-journald-dev-log.socket</td><td>pcscd.socket</td><td>sssd-kcm.socket</td><td>systemd-journald.socket</td><td>cockpit.socket</td><td>dm-event.socket</td><td>rpcbind.socket</td><td>sssd.service</td><td>kdump.service</td><td>crond.service</td><td>systemd-ask-password-wall.path</td><td>sshd.service</td><td>systemd-user-sessions.service</td><td>auditd.service</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>irqbalance.service</td><td>remote-fs.target</td><td>nfs-client.target</td><td>rpc-statd-notify.service</td><td>auth-rpcgss-module.service</td><td>remote-fs-pre.target</td><td>getty.target</td><td>serial-getty@ttyS0.service</td><td>getty@tty1.service</td><td>cloud-init.target</td><td>cloud-init-local.service</td><td>cloud-config.service</td><td>cloud-final.service</td><td>cloud-init.service</td><td>dnf-makecache.timer</td><td>firewalld.service</td><td>rpcbind.service</td><td>systemd-update-utmp-runlevel.service</td><td>chronyd.service</td><td>rsyslog.service</td><td>tuned.service</td><td>systemd-logind.service</td><td>NetworkManager.service</td><td>dbus.service</td></tr></tbody></table></div></div></div></div></div><a href="#result-details"><button type="button" class="btn btn-secondary noprint">Scroll back to the first rule</button></a></div><div id="rear-matter"><div class="row top-spacer-10"><div class="col-md-12 well well-lg"><div class="rear-matter">Red Hat 
and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. </div></div></div></div></div></div><footer id="footer"><div class="container"><p class="muted credit"> Generated using <a href="http://open-scap.org">OpenSCAP</a> 1.3.2</p></div></footer></body></html>